09-17-2014 10:45 AM - edited 03-11-2019 09:46 PM
Hi All,
We recently observed constant high CPU on an ASA firewall running version 8.2.5 - 80% utilization. The process consuming the most CPU is the tmatch compile thread, at around 60%. Do you recommend a downgrade to 8.2.3, or is it an open bug in the current version 8.2.5, BugID CSCtw75734?
regards
SecIT
09-18-2014 01:33 PM
Hello;
The bug you pointed out seems to be due to a software reload. How many ACLs do you have configured on the ASA? It seems like you have reached a maximum, and when (if running in an HA pair) the replication starts it can cause high CPU; this is normal.
Mike.
09-19-2014 02:32 AM
Thanks for the update.
We have 2000 ACLs, of which 200 are inactive ACLs and 50 are time-based expired ACLs. I tried disabling HTTP replication during the high CPU, which did not reduce the utilization.
09-19-2014 09:48 AM
Hello;
We have not seen that many tickets with Tmatch stuck; it can probably be a one-time problem or something we are overlooking.
Do you have object groups configured? If you run "show access-lists | inc elements", how many do you see?
Mike.
09-22-2014 12:29 PM
We do have multiple object groups. By getting the number of access-list elements, do you mean that the larger the number of access-list elements, the higher the CPU and memory utilization? Actually, I faced a similar issue a few months ago on a PIX firewall, where the CPU/memory went high due to too many ACL elements. Hence I reduced it by deleting the object groups and the number of access elements. I thought that on the ASA it is different and there is no restriction like the number of objects and the number of ACL entries.
09-22-2014 01:01 PM
Nope, you know, the ASA has a fixed amount of RAM, so there is always a limit.
The real number of ACLs is the one that you see in the output that I gave you. Moreover, it is probably due to the same issue you had before.
Reducing the amount of ACLs should fix the problem.
Mike.
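
Added example, not part of the original thread: a small parser that takes saved `show access-list` output and reports the element count per ACL, the configured lines that expand into the most elements through object groups, and the entries marked inactive. The output layout (`NAME; N elements` headers, indented expanded entries, an `(inactive)` marker) and all names and addresses in the sample are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the assumed layout of "show access-list" output.
SAMPLE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list OUTSIDE_IN; 5 elements
access-list OUTSIDE_IN line 1 extended permit tcp object-group WEB_CLIENTS object-group WEB_SERVERS eq www
  access-list OUTSIDE_IN line 1 extended permit tcp host 192.0.2.10 host 198.51.100.5 eq www (hitcnt=12)
  access-list OUTSIDE_IN line 1 extended permit tcp host 192.0.2.10 host 198.51.100.6 eq www (hitcnt=0)
  access-list OUTSIDE_IN line 1 extended permit tcp host 192.0.2.11 host 198.51.100.5 eq www (hitcnt=3)
  access-list OUTSIDE_IN line 1 extended permit tcp host 192.0.2.11 host 198.51.100.6 eq www (hitcnt=0)
access-list OUTSIDE_IN line 2 extended deny ip any any (hitcnt=40) (inactive)
access-list DMZ_IN; 1 elements
access-list DMZ_IN line 1 extended permit udp any host 198.51.100.53 eq domain (hitcnt=7)
"""

HEADER = re.compile(r"^access-list (\S+); (\d+) elements")
ENTRY = re.compile(r"^(\s*)access-list (\S+) line (\d+) ")

def summarize(text):
    """Return (declared element counts, per-line expansion, inactive counts)."""
    declared, children, configured, inactive = {}, Counter(), set(), Counter()
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            declared[m.group(1)] = int(m.group(2))
            continue
        m = ENTRY.match(raw)
        if not m:
            continue  # e.g. the "cached ACL log flows" banner
        indent, acl, line = m.group(1), m.group(2), int(m.group(3))
        if indent:
            children[(acl, line)] += 1   # expanded element of an object-group line
        else:
            configured.add((acl, line))  # line as written in the configuration
            if "(inactive)" in raw:
                inactive[acl] += 1
    # A configured line with no expanded children counts as one element.
    expansion = {key: children.get(key, 0) or 1 for key in configured}
    return declared, expansion, dict(inactive)

def worst_lines(expansion, top=5):
    """Configured lines that expand into the most elements, largest first."""
    return sorted(expansion.items(), key=lambda kv: -kv[1])[:top]

if __name__ == "__main__":
    declared, expansion, inactive = summarize(SAMPLE)
    print("total elements:", sum(declared.values()))
    print("largest expansions:", worst_lines(expansion))
    print("inactive entries per ACL:", inactive)
```

The lines at the top of the expansion list are the object-group rules to look at first when reducing the element count.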