03-28-2018 01:21 AM - edited 02-21-2020 07:34 AM
Hello,
Our Cisco ASA 5520 firewall is running with 99% CPU, Processes Dispatch Unit is using over 90 % of CPU, and capture is showing below drop reason :
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
firewall(config)# show processes cpu-usage sorted non-zero
PC Thread 5Sec 1Min 5Min Process
0x082a430c 0x6edd4ee4 98.5% 98.5% 97.8% Dispatch Unit
0x0911063d 0x6edad768 0.2% 0.2% 0.4% ssh
0x082be9da 0x6edcb07c 0.1% 0.1% 0.1% Logger
0x08502b76 0x6edc0ff0 0.1% 0.1% 0.1% fover_health_monitoring_thread
firewall(config)#
Any thoughts ?
Thank you,
03-28-2018 02:45 AM
I do not think the it's the same problem.
I usually see 'PAT address without pre-existing xlate' for missconfigured nat rules.
The dispatch unit is the central packet processing process and for high dispatch cpu you usually need to have a look at traffic.
Show traffic, show perfmon and sh asp drop can give you an idea where the problem is.
HTH
Bogdan
03-28-2018 03:22 AM
03-28-2018 02:59 AM
03-28-2018 03:19 AM
03-28-2018 04:21 AM
Following counters seem to be incriminating pretty fast: TCP RST/FIN out of order , TCP RST/SYN in window , DNS Inspect packet too long.
You could configure a capture to see exactly who is doing the traffic and verify if it is legitimate or not and if it can be stopped.
cap CAP-RST-SYN type asp-drop tcp-rst-syn-in-win buffer 1000000 circular-buffer
cap CAP-RST-FIN type asp-drop tcp-rstfin-ooo buffer 1000000 circular-buffer
cap CAP-DNS type asp-drop inspect-dns-pak-too-long buffer 1000000 circular-buffer
03-28-2018 05:11 AM
03-28-2018 06:21 AM
Based on the output it seems something is wrong with the proxy setup.
You could disable tcp inspection on the asa, but the problem is not on the asa.
TCP RST/SYN in window:
SYN flag should not be used in data transfer. Only the first packet sent from each end should have this flag set.
TCP RST/FIN out of order:
TCP RST or TCP FIN packet received after the tcp session was closed. It could be caused by a host trying to use a closed tcp session, the other host would normally respond to that with a RST.
03-28-2018 07:20 AM
03-28-2018 07:51 AM
Windows is unfortunately not my area of expertise.
You could maybe have a look at the system logs.
03-28-2018 08:04 AM
03-28-2018 08:10 AM
03-28-2018 08:10 AM
03-28-2018 08:40 AM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide