ASA 5510 Management port

eyalhezi77
Level 1

Hi all,

 

I'm encountering a CPU-hog issue (packet drops) each time our monitoring system polls the ASA (via SNMP), due to the single-core CPU.

The ASA is monitored via a non-management interface (all the others), which is a production interface. My question is: if we move to the dedicated management port, will that solve the CPU-hog issue, or does it use the same CPU as all the other interfaces?

 

10x

Eyal

5 Replies

nspasov
Cisco Employee

Hello Eyal-

I am not saying that it is not possible and that it is not the cause of the issue here, but I don't think the problem is the interface. Most of the ASAs that I have managed/configured in the past were managed via the "Inside" interface rather than a dedicated management port.

My guess is that the issue is with either high throughput running through the ASA or the monitoring software itself. Can you tell us:

1. What is the average throughput running through the ASA?

2. What services are you using (IPsec tunnels, remote access VPN, how many DMZs, etc.)?

3. What type of SNMP solution are you trying to implement and what are its configs (polling intervals)?

4. Post your ASA SNMP configs.

 

Thank you for rating helpful posts! 

Hi Neno,

1. In & out - MAX 203.648 kbit/s

2. IPsec tunnels - ~20 tunnels / DMZ - 5 sub-interfaces for DMZ

3. PRTG with SNMP interval 30 sec

4. Please note that many of the hosts are not active (working on eliminating them).

5. Attached is 'sh int | i overrun':
        1927529 input errors, 0 CRC, 0 frame, 1927529 overrun, 0 ignored, 0 abort
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        4389 input errors, 0 CRC, 0 frame, 4389 overrun, 0 ignored, 0 abort
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

If you are just going by the input errors and interface overruns, I would not think this is a CPU issue. Most likely there is more traffic passing through the interface than it can handle, or perhaps the packets are too large. Do you see the jumbo frame counter tick upward? Do the input errors and overruns steadily tick upward, or do they only increase slowly? When was the last time you cleared the interface counters?

It would not hurt to move management traffic to the dedicated management port. This way you can monitor the ports for the overruns and input errors, as well as keep an eye on the CPU hog output.

Also, issue the commands show cpu usage and show processes cpu-hog. When viewing the CPU usage, do you see any CPU spikes up to 80%-100% that last more than a few seconds?

--

Please remember to select a correct answer and rate helpful posts
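One way to act on the advice above (watch whether overruns keep ticking upward between samples, and notice when counters were cleared in between) is to diff two `show interface` snapshots taken a polling interval apart. This is an added example, not code from the thread or from Cisco; the snapshots are constructed, and the interface names and the non-overrun figures are assumptions.

```python
import re

# Constructed sample: two `show interface` snapshots 30 s apart (ASA layout;
# figures are made up except the overrun counts quoted in the thread).
SNAPSHOT_T0 = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        1927529 input errors, 0 CRC, 0 frame, 1927529 overrun, 0 ignored, 0 abort
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        4389 input errors, 0 CRC, 0 frame, 4389 overrun, 0 ignored, 0 abort
Interface Management0/0 "management", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
"""
SNAPSHOT_T1 = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        1928129 input errors, 0 CRC, 0 frame, 1928129 overrun, 0 ignored, 0 abort
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        12 input errors, 0 CRC, 0 frame, 12 overrun, 0 ignored, 0 abort
Interface Management0/0 "management", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
"""

IFACE_RE = re.compile(r'^Interface (\S+) "')
ERR_RE = re.compile(r'^\s*(\d+) input errors, \d+ CRC, \d+ frame, (\d+) overrun')

def parse_counters(text):
    """Map interface name -> (input_errors, overruns) from `show interface` output."""
    counters, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ERR_RE.match(line)
        if m and current:
            counters[current] = (int(m.group(1)), int(m.group(2)))
    return counters

def overrun_rates(before, after, interval_s):
    """Overruns/s per interface; None if the counter went backwards (cleared)."""
    rates = {}
    for name, (_, o0) in before.items():
        if name in after:
            o1 = after[name][1]
            rates[name] = None if o1 < o0 else (o1 - o0) / interval_s
    return rates

if __name__ == "__main__":
    t0, t1 = parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1)
    for name, rate in overrun_rates(t0, t1, 30).items():
        print(f"{name}: {'counters cleared' if rate is None else f'{rate:.1f} overruns/s'}")
```

A steady non-zero rate on a production interface points at the interface being oversubscribed, as the reply says, rather than at SNMP polling.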

By this Cisco link, it looks like this is a CPU-hog issue, especially with 1-core FWs:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115985-asa-overrun-product-tech-note-00.html

Vibhor Amrodia
Cisco Employee

Hi,

Seeing CPU-HOGs on the ASA device is not harmful in most cases.

How long is the duration of the hogs which you see on the ASA device?

Thanks and Regards,

Vibhor Amrodia
