04-16-2020 03:25 PM
Hi
Today i found out that ASA5545 CPU went to 60% and it was all consumed by the DATAPATH-0-2326 process. I could lower it to 30% by removing a capture process that wasnt removed by ASDM after the program close.
The average CPU usage three days ago was 10% so i want to track what is the source of that 20% increment. In another discusions that were about DATAPATH the problem was related to diferent ASP Drops but i couldnt find the 2326 code.
Does anyone knows what is the DATAPATH-0-2326 related? Is the number 2326 specific to certain code or it just different in other devices?
This is the output of the processess cpu-usage
show processes cpu-usage non-zero sorted
Hardware: ASA5545
Cisco Adaptive Security Appliance Software Version 9.8(4)
ASLR enabled, text region 7fa26c777000-7fa270adf254
PC Thread 5Sec 1Min 5Min Process
- - 29.4% 26.5% 27.0% DATAPATH-0-2326
And asp drop, in the last two hours, the most frame drops were because ACL Deny, Can that make such a difference?
show asp drop
Frame drop:
NAT-T keepalive message (natt-keepalive) 1588
SVC Module does not have a channel for reinjection (mp-svc-no-channel) 12
SVC Module does not have a session (mp-svc-no-session) 16
SVC Module is in flow control (mp-svc-flow-control) 462
Unexpected packet (unexpected-packet) 508
No route to host (no-route) 745
Reverse-path verify failed (rpf-violated) 4717
Flow is denied by configured rule (acl-drop) 84841
First TCP packet not SYN (tcp-not-syn) 13731
TCP failed 3 way handshake (tcp-3whs-failed) 314
TCP RST/FIN out of order (tcp-rstfin-ooo) 7644
TCP packet SEQ past window (tcp-seq-past-win) 1829
TCP invalid ACK (tcp-invalid-ack) 5
TCP RST/SYN in window (tcp-rst-syn-in-win) 72
TCP packet failed PAWS test (tcp-paws-fail) 5848
Early security checks failed (security-failed) 441
Slowpath security checks failed (sp-security-failed) 29993
IP option drop (invalid-ip-option) 3
DNS Inspect id not matched (inspect-dns-id-not-matched) 1
FP L2 rule drop (l2_acl) 11619
Interface is down (interface-down) 9738
Dropped pending packets in a closed socket (np-socket-closed) 32
Last clearing: 17:00:09 ART Apr 16 2020 by XXXX
Flow drop:
Flow is denied by access rule (acl-drop) 1512
Inspection failure (inspect-fail) 3054
SSL handshake failed (ssl-handshake-failed) 35
DTLS hello processed and closed (dtls-hello-close) 1
Regards
04-16-2020 08:04 PM
04-16-2020 09:03 PM
Hi Francesco, thanks for your time. No, it's not using the Firepower Feature.
This is somehow related to a marketing campaign because this started three days ago. In december we had a more agressive campaign with lots of connections and the CPU usage difference wasnt that much.
I did clear the asp drops counters and i'm starting mitigate the cases, Most of them are because ACL Drops and Slowpath verify for Netbios broadcast packets, i'm worried that those, which i think are common cases, are increasing the CPU Usage and reducing the device capabilities when the bussiness get bigger.
Now, at night with less traffic i get the usual 10% CPU usage.
Regards
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide