Cisco ASA 5520 with 99% CPU usage and a lot of Shunning.

DotTest37 · ‎10-19-2011

Hello guys,, first time posting on this forum.

Im running ASA 8.0(3) on Active/StandBy failover pair.

Last night I realized the CPU usage of my production ASA was 99%,,, on the ASDM Firewall Dashboard I can see counters like this:

Dropped Packet Rate (ACL Dropped) = 6000+ (more than 6 thousand)

Scanning Attacks = 18600+ (more than Eighteen thousand)

Im having about 130 connections and 250 NAT Xlates

Pretty small environment.

I went on the ASDM and checked the RealTime Log viewer and I have about 30 entries per second of these:

4

Oct 19 2011

11:35:12

401004

Shunned packet: 10.64.10.1 ==> 10.64.0.1 on interface NewLAN

There is nothing on the Coumns "Source IP" " Source Port" "Destination IP" or "Destination Port"

Only these columns are populated:

Severity

Date

Time

SyslogID

Description

The IP 10.64.0.1 is my ASA

The IP 10.64.10.1 is a PC with a Monitoring Tool (Solarwinds Orion with IPAM)

Yesterday night I disabled the Interface on the PC and waited for 15 minutes,, and I still saw the counters, nothing changed.

I enabled the Interface on the PC again,, and installed Wireshark,, I dont see that PC trying to connect to 10.64.0.1.

I wonder what else I could check and how to track down what is killing the CPU on my firewall.

I hope somebody can give me some ideas.

Thanks!!

DotTest37 · ‎10-19-2011

Well

I just realized tha the IP 10.64.10.1 (my monitoring machine) was in the "shunned" list.

That machine has an IPAM module that was supposed to scan all subnets every 8 hours.

Maybe the ASA didnt like that.

The funny thing is,,, how come that machine was able to monitor the subnet (i didnt see any message on the IPAM saying"cannot reach network"etc.

Also,, why the monitoring machine was interpreted as an attach on the ASA?

My CPU is back to normal now and the number of attacks went down to 2-3,,,

I hope somebody still can give me some pointers.