
Cisco ASA high CPU - 90%-100%

secureIT
Enthusiast

Hi All,

Recently observed constant high CPU on an ASA firewall running version 8.2.5 - 80% utilization. The process consuming the most CPU is the tmatch compile thread, at around 60%. Do you recommend downgrading to 8.2.3, or is it an open bug in the current version 8.2.5 (Bug ID CSCtw75734)?

Regards,

SecIT


Maykol Rojas
Cisco Employee

Hello,

The bug you pointed out seems to be due to a software reload. How many ACLs do you have configured on the ASA? It seems like you have reached a maximum, and when (if running in an HA pair) the replication starts it can cause high CPU; this is normal.

Mike.

Mike

Thanks for the update.

We have 2000 ACLs, of which 200 are inactive ACLs and 50 are expired time-based ACLs. I tried disabling HTTP replication during the high CPU, which did not reduce the utilization.

Hello,

We have not seen that many tickets with Tmatch stuck; it can probably be a one-time problem or something we are overlooking.

Do you have object groups configured? If you run "show access-lists | inc elements", how many do you see?

Mike.

Mike

We do have multiple object groups. By getting the number of access-list elements, you mean to say that if the number of access-list elements is huge, the CPU and memory utilization is higher? Actually, I faced a similar issue a few months ago on a PIX firewall, where the CPU/memory went high due to too many ACL elements. Hence I reduced it by deleting the object groups and the number of access elements. I thought that on the ASA it is different and there is no restriction on the number of objects and the number of ACL entries.

Nope, you know, the ASA has a fixed amount of RAM, so there is always a limit.

The real number of ACLs is the one that you see in the output of the command I gave you. Moreover, it is probably due to the same issue you had before.

Reducing the number of ACLs should fix the problem.

Mike.

Mike
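
The thread's advice is to judge ACL load by the expanded element counts rather than by the number of configured ACL lines. As an added example (not from the thread or from Cisco), this Python script totals those counts from saved output of the command Mike quotes and ranks the ACLs that contribute most; the sample output, the ACL names and the exact line format are constructed assumptions.

```python
import re

# Constructed sample of "show access-list | inc elements" output. The ACL
# names and counts are made up, and the line format is an assumption.
SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list outside_in; 1840 elements
access-list inside_out; 96210 elements; name hash: 0x24a1b6d0
access-list dmz_in; 412 elements
access-list vpn_split; 3 elements; name hash: 0x5c2d9e11
"""

# "access-list <name>; <N> elements", optionally followed by more fields.
ELEMENTS_RE = re.compile(r"^access-list\s+(\S+);\s+(\d+)\s+elements?\b")


def parse_element_counts(text):
    """Return {acl_name: expanded_element_count} from the CLI output."""
    counts = {}
    for line in text.splitlines():
        m = ELEMENTS_RE.match(line.strip())
        if m:  # skips the "cached ACL log flows" header and blank lines
            counts[m.group(1)] = int(m.group(2))
    return counts


def summarize(counts, top=3):
    """Return the total element count and the ACLs contributing most to it."""
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    report = [(name, n, round(100.0 * n / total, 1) if total else 0.0)
              for name, n in ranked[:top]]
    return total, report


if __name__ == "__main__":
    total, report = summarize(parse_element_counts(SAMPLE_OUTPUT))
    print(f"total expanded ACL elements: {total}")
    for name, n, pct in report:
        print(f"{name:<12} {n:>8}  {pct:>5}%")
```

An ACL that dominates the total is the first candidate for the cleanup recommended above, for example by removing the inactive and expired entries mentioned earlier in the thread.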