Today I found out that the ASA5545 CPU went to 60% and it was all consumed by the DATAPATH-0-2326 process. I could lower it to 30% by removing a capture process that wasn't removed by ASDM after the program closed.
The average CPU usage three days ago was 10%, so I want to track down the source of that 20% increase. In other discussions about DATAPATH the problem was related to different ASP drops, but I couldn't find the 2326 code.
Does anyone know what DATAPATH-0-2326 is related to? Is the number 2326 specific to a certain code, or is it just different on other devices?
This is the output of processes cpu-usage:
show processes cpu-usage non-zero sorted
Hardware:   ASA5545
Cisco Adaptive Security Appliance Software Version 9.8(4)
ASLR enabled, text region 7fa26c777000-7fa270adf254
PC         Thread       5Sec     1Min     5Min   Process
   -          -         29.4%    26.5%    27.0%   DATAPATH-0-2326
And for asp drop, in the last two hours most frame drops were because of ACL deny. Can that make such a difference?
show asp drop
Frame drop:
  NAT-T keepalive message (natt-keepalive)                              1588
  SVC Module does not have a channel for reinjection (mp-svc-no-channel)  12
  SVC Module does not have a session (mp-svc-no-session)                  16
  SVC Module is in flow control (mp-svc-flow-control)                    462
  Unexpected packet (unexpected-packet)                                  508
  No route to host (no-route)                                            745
  Reverse-path verify failed (rpf-violated)                             4717
  Flow is denied by configured rule (acl-drop)                         84841
  First TCP packet not SYN (tcp-not-syn)                               13731
  TCP failed 3 way handshake (tcp-3whs-failed)                           314
  TCP RST/FIN out of order (tcp-rstfin-ooo)                             7644
  TCP packet SEQ past window (tcp-seq-past-win)                         1829
  TCP invalid ACK (tcp-invalid-ack)                                        5
  TCP RST/SYN in window (tcp-rst-syn-in-win)                              72
  TCP packet failed PAWS test (tcp-paws-fail)                           5848
  Early security checks failed (security-failed)                         441
  Slowpath security checks failed (sp-security-failed)                 29993
  IP option drop (invalid-ip-option)                                       3
  DNS Inspect id not matched (inspect-dns-id-not-matched)                  1
  FP L2 rule drop (l2_acl)                                             11619
  Interface is down (interface-down)                                    9738
  Dropped pending packets in a closed socket (np-socket-closed)           32
Last clearing: 17:00:09 ART Apr 16 2020 by XXXX
Flow drop:
  Flow is denied by access rule (acl-drop)                              1512
  Inspection failure (inspect-fail)                                     3054
  SSL handshake failed (ssl-handshake-failed)                             35
  DTLS hello processed and closed (dtls-hello-close)                       1
I don't know exactly which process this error code refers to. If the CPU is still high, you can clear the asp drop statistics and see which category increments the most to start pointing out the cause. It could also be threat detection. Are you using Firepower services?
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
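The comparison suggested in the reply above (take `show asp drop` twice and see which counters grew the most) can be scripted. This is an added example, not part of the original thread; the function names are hypothetical and the two snapshots are constructed sample data that reuse counter names from the output above.

```python
import re

# Matches a section header or a "(counter-name)  count" pair, so it works on
# normal multi-line output and on output flattened onto a single line.
TOKEN = re.compile(r"(Frame drop|Flow drop):|\(([A-Za-z0-9_-]+)\)\s+(\d+)")

def parse_asp_drop(text):
    """Return {(section, counter): count} from 'show asp drop' output."""
    counters, section = {}, None
    for m in TOKEN.finditer(text):
        if m.group(1):
            section = m.group(1).split()[0].lower()  # 'frame' or 'flow'
        elif section:
            counters[(section, m.group(2))] = int(m.group(3))
    return counters

def rank_increments(before, after, seconds):
    """Rank counters by growth between two snapshots taken `seconds` apart."""
    rows = []
    for key, now in after.items():
        prev = before.get(key, 0)  # the ASA omits counters that are still zero
        # If the counters were cleared in between, the new value is the growth.
        delta = now - prev if now >= prev else now
        if delta:
            rows.append((key[0], key[1], delta, delta / seconds))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample snapshots, taken 600 seconds apart (not real device data).
SNAP_1 = """Frame drop:
  Reverse-path verify failed (rpf-violated)              4717
  Flow is denied by configured rule (acl-drop)          84841
  Slowpath security checks failed (sp-security-failed)  29993
Flow drop:
  Flow is denied by access rule (acl-drop)               1512
  Inspection failure (inspect-fail)                      3054
"""
SNAP_2 = """Frame drop:
  Reverse-path verify failed (rpf-violated)              4730
  Flow is denied by configured rule (acl-drop)          91841
  Slowpath security checks failed (sp-security-failed)  35993
  FP L2 rule drop (l2_acl)                                120
Flow drop:
  Flow is denied by access rule (acl-drop)               1520
  Inspection failure (inspect-fail)                      3054
"""

if __name__ == "__main__":
    ranked = rank_increments(parse_asp_drop(SNAP_1), parse_asp_drop(SNAP_2), 600)
    for section, name, delta, rate in ranked:
        print(f"{section:5} {name:22} +{delta:<7} {rate:8.2f}/s")
```

The frame and flow sections are kept apart because `acl-drop` appears in both with different meanings.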
Hi Francesco, thanks for your time. No, it's not using the Firepower Feature.
This is somehow related to a marketing campaign because this started three days ago. In December we had a more aggressive campaign with lots of connections and the CPU usage difference wasn't that much.
I did clear the asp drop counters and I'm starting to mitigate the cases. Most of them are because of ACL drops and slowpath verify for NetBIOS broadcast packets. I'm worried that those, which I think are common cases, are increasing the CPU usage and reducing the device capabilities when the business gets bigger.
Now, at night with less traffic, I get the usual 10% CPU usage.