Showing results for 
Search instead for 
Did you mean: 

ASA 5545 CPU Usage increased DATAPATH-0-2326




Today i found out that ASA5545 CPU went to 60% and it was all consumed by the DATAPATH-0-2326 process. I could lower it to 30% by removing a capture process that wasnt removed by ASDM after the program close.

The average CPU usage three days ago was 10% so i want to track what is the source of that 20% increment. In another discusions that were about DATAPATH the problem was related to diferent ASP Drops but i couldnt find the 2326 code.


Does anyone knows what is the DATAPATH-0-2326 related? Is the number 2326 specific to certain code or it just different in other devices?


This is the output of the processess cpu-usage


show processes cpu-usage non-zero sorted

Hardware: ASA5545
Cisco Adaptive Security Appliance Software Version 9.8(4)
ASLR enabled, text region 7fa26c777000-7fa270adf254
PC Thread 5Sec 1Min 5Min Process
- - 29.4% 26.5% 27.0% DATAPATH-0-2326


And asp drop, in the last two hours, the most frame drops were because ACL Deny, Can that make such a difference?

show asp drop

Frame drop:
NAT-T keepalive message (natt-keepalive) 1588
SVC Module does not have a channel for reinjection (mp-svc-no-channel) 12
SVC Module does not have a session (mp-svc-no-session) 16
SVC Module is in flow control (mp-svc-flow-control) 462
Unexpected packet (unexpected-packet) 508
No route to host (no-route) 745
Reverse-path verify failed (rpf-violated) 4717
Flow is denied by configured rule (acl-drop) 84841
First TCP packet not SYN (tcp-not-syn) 13731
TCP failed 3 way handshake (tcp-3whs-failed) 314
TCP RST/FIN out of order (tcp-rstfin-ooo) 7644
TCP packet SEQ past window (tcp-seq-past-win) 1829
TCP invalid ACK (tcp-invalid-ack) 5
TCP RST/SYN in window (tcp-rst-syn-in-win) 72
TCP packet failed PAWS test (tcp-paws-fail) 5848
Early security checks failed (security-failed) 441
Slowpath security checks failed (sp-security-failed) 29993
IP option drop (invalid-ip-option) 3
DNS Inspect id not matched (inspect-dns-id-not-matched) 1
FP L2 rule drop (l2_acl) 11619
Interface is down (interface-down) 9738
Dropped pending packets in a closed socket (np-socket-closed) 32

Last clearing: 17:00:09 ART Apr 16 2020 by XXXX

Flow drop:
Flow is denied by access rule (acl-drop) 1512
Inspection failure (inspect-fail) 3054
SSL handshake failed (ssl-handshake-failed) 35
DTLS hello processed and closed (dtls-hello-close) 1



2 Replies 2

Francesco Molino
VIP Mentor VIP Mentor
VIP Mentor

I don't know exactly what this error code refers to which process. If CPU is still high, you can clear asp drop statistics and see which category has more increment to start pointing out the cause. It could be also the threat detection.
Are you using Firepower services?

PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco, thanks for your time. No, it's not using the Firepower Feature.


This is somehow related to a marketing campaign because this started three days ago. In december we had a more agressive campaign with lots of connections and the CPU usage difference wasnt that much.


I did clear the asp drops counters and i'm starting mitigate the cases, Most of them are because ACL Drops and Slowpath verify for Netbios broadcast packets, i'm worried that those, which i think are common cases, are increasing the CPU Usage and reducing the device capabilities when the bussiness get bigger.


Now, at night with less traffic i get the usual 10% CPU usage.



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links