cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
407
Views
0
Helpful
3
Replies

cisco asa overrun issue / Dt.6_7_2015

secureIT
Level 4
Level 4

Hi,

im experiencing an asa cpu utilization issue (80%) running with 8.0 version and process hitting on Dispatch unit. At the same time, found only overruns are increasing in the firewall interfaces. Like router or checkpoint, is there any way to increase the buffer size of firewall interfaces ?

Below are my observations --

1-connection count is normal

2-show block shows less low on 1550 blocks, as highlighted below.

SIZE    MAX    LOW    CNT
     0    100     83    100
     4    600    599    599
    80    100     56    100
   256    862    748    862
  1550   9261   6504   7726
  2048   2100   2081   2100
  2560    164    163    164
  4096    100     98    100
  8192    100    100    100
 16384    102    102    102
 65536     16     16     16

3- show cpu
CPU utilization for 5 seconds = 78%; 1 minute: 83%; 5 minutes: 74%

 

4-throughput of the firewall never exceeded 60Mbps as per the calculation from the below link

https://supportforums.cisco.com/document/12495046/calculating-throughput-asa

5- Observed overruns are increasing in Gig1 and Gig2 interfaces (inside and outside respectively)

Gig1 2450000 to 2625000 with in 5 minutes
Gig2 540000 to 581000 with in 5 minutes

Now my query :- is there any command to increase interface buffers ?

 

Regards

SecIT()

1 Accepted Solution

Accepted Solutions

Hi Sec IT,

Unfortunately flow control is the only way to control the traffic flow coming to the interfaces interfaces.

You could try with QoS on ASA or on Switch connected to interface and see if that helps.

 

Regards,

Akshay Rastogi

View solution in original post

3 Replies 3

Akshay Rastogi
Cisco Employee
Cisco Employee

Hi SecIT,

Please check the below things:

- 'show run logging' and 'show run snmp-server'. Make sure snmp and syslog servers are reachable from ASA. if there is any log server which is not reachable exist, i would suggest you to remove the same.

- Also check for loop on these interface. Check if the interface packet counters are very high on these interfaces as compared to other interfaces. This could give you some indication of what is happening on these interface.

- For detail, take header captures on these interfaces. 'cap capi interface inside headers-only' and try to see the mac-addresses with 'show cap capi detail'.  Check if the mac-address are same and looping in that interface (try to see the ttl value as well).

 

Regards,

Akshay Rastogi

Hi Akshay,

Is there anyway to increase the interface buffersize in ASA ? as far as i know the only option is to enable flowcontrol that too only in 8.2.5 - any other options ? i do see the overruns (only) are increasing..

Hi Sec IT,

Unfortunately flow control is the only way to control the traffic flow coming to the interfaces interfaces.

You could try with QoS on ASA or on Switch connected to interface and see if that helps.

 

Regards,

Akshay Rastogi

Review Cisco Networking for a $25 gift card