
ASA5505 High CPU and Traffic Utilization

spencermoore
Level 1

I recently migrated my ASA5505 (used for Remote Access VPN) to an official DMZ zone. The device currently has one interface, the DMZ interface, which is attached to our DMZ switch then, in turn, our DMZ interface on our firewall. The setup appeared to be running fine, until I noticed the CPU pegged with 95% being allocated to the "Dispatch Unit" process. After doing some additional digging, I'm showing a large number (several thousand/sec) of ICMP echoes coming from one of my internal addresses being sent to an address that's used for IPSec remote access. However, when looking at the internal server, I see no such ICMPs being generated. For whatever reason, it appears the ASA is generating these packets itself. My reasoning being, when I reload the ASA, the bandwidth usage on my firewall (for the DMZ interface) drops dramatically and I no longer see said ICMP packets. I hope this makes sense, I have no idea what to think.

 

Thank you for your time! 


spencermoore
Level 1

This issue is now resolved. My firewall and VPN appliance are both ASA devices. I had a default route pointing to the firewall on the VPN appliance and a route back to the VPN appliance for RAS for my VPN DHCP scope. Once upon a time, a ping had been sent out by an internal device to a RAS device, but since that device was no longer online (and ASAs don't decrement TTL values), the frame was bouncing between both devices endlessly, causing pegged CPU and high bandwidth usage. I resolved the issue by pointing my default route on the VPN appliance to my DMZ SVI. This immediately reduced CPU and bandwidth usage.
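The forwarding loop described in the reply above, modeled as an added example that is not part of the original thread: it traces one packet through static route tables and reports whether it is delivered, expires, or keeps circulating. All addresses and device names are constructed, and the behaviour of the DMZ SVI (an L3 hop that decrements TTL and defaults back to the firewall) and the per-client host route are assumptions, since the post does not state them.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) static routes."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def forward(devices, start, dst, ttl=64, max_forwards=10_000):
    """Forward one packet hop by hop; return (outcome, forwards performed)."""
    node, forwards = start, 0
    while forwards < max_forwards:
        dev = devices[node]
        if dev["decrement_ttl"]:          # hops that do not decrement never expire it
            ttl -= 1
            if ttl <= 0:
                return "ttl-expired", forwards
        nh = next_hop(dev["routes"], dst)
        if nh is None:
            return "no-route", forwards
        if nh not in devices:             # left the modeled devices
            return "delivered:" + nh, forwards
        node, forwards = nh, forwards + 1
    return "still-looping", forwards      # gave up; the packet would circulate on

POOL, CLIENT = "10.99.0.0/24", "10.99.0.25"   # constructed VPN DHCP scope and client

def topology(vpn_default, client_online=False):
    """Build the three modeled devices with the VPN appliance's default route."""
    vpn_routes = [("0.0.0.0/0", vpn_default)]
    if client_online:  # assumption: a connected client shows up as a host route
        vpn_routes.append((CLIENT + "/32", "ras-client"))
    return {
        "firewall": {"decrement_ttl": False,
                     "routes": [(POOL, "vpn"), ("0.0.0.0/0", "internet")]},
        "vpn": {"decrement_ttl": False, "routes": vpn_routes},
        # Assumption: the SVI decrements TTL and defaults back to the firewall.
        "dmz_svi": {"decrement_ttl": True,
                    "routes": [("0.0.0.0/0", "firewall")]},
    }

if __name__ == "__main__":
    for label, default in (("before fix", "firewall"), ("after fix", "dmz_svi")):
        print(label, forward(topology(default), "firewall", CLIENT))
```

Running the same trace against real route tables before a migration shows whether any prefix routed toward a device falls back to that device's default route pointing at the sender.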
