07-06-2015 06:04 AM - edited 03-11-2019 11:13 PM
Hi,
I'm experiencing an ASA CPU utilization issue (80%) running with version 8.0, with the process hitting on Dispatch Unit. At the same time, I found that only overruns are increasing on the firewall interfaces. As on a router or Check Point, is there any way to increase the buffer size of the firewall interfaces?
Below are my observations --
1- Connection count is normal
2- show block shows less low on 1550 blocks, as highlighted below.
SIZE     MAX    LOW    CNT
    0    100     83    100
    4    600    599    599
   80    100     56    100
  256    862    748    862
 1550   9261   6504   7726
 2048   2100   2081   2100
 2560    164    163    164
 4096    100     98    100
 8192    100    100    100
16384    102    102    102
65536     16     16     16
3- show cpu
CPU utilization for 5 seconds = 78%; 1 minute: 83%; 5 minutes: 74%
4- Throughput of the firewall never exceeded 60Mbps as per the calculation from the link below
https://supportforums.cisco.com/document/12495046/calculating-throughput-asa
5- Observed overruns are increasing in Gig1 and Gig2 interfaces (inside and outside respectively)
Gig1 2450000 to 2625000 within 5 minutes
Gig2 540000 to 581000 within 5 minutes
Now my query: is there any command to increase interface buffers?
Regards
SecIT()
07-07-2015 08:44 AM
Hi SecIT,
Please check the below things:
- 'show run logging' and 'show run snmp-server'. Make sure the SNMP and syslog servers are reachable from the ASA. If there is any log server which is not reachable, I would suggest you remove it.
- Also check for a loop on these interfaces. Check if the interface packet counters are very high on these interfaces as compared to other interfaces. This could give you some indication of what is happening on these interfaces.
- For detail, take header captures on these interfaces. 'cap capi interface inside headers-only' and try to see the MAC addresses with 'show cap capi detail'. Check if the MAC addresses are the same and looping on that interface (try to see the TTL value as well).
Regards,
Akshay Rastogi
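The loop check suggested in the reply above, as an added example that is not part of the original post: Python that groups packet header records by source, destination and IP ID and flags packets seen repeatedly with a falling TTL or with an unchanged TTL and MAC pair. The record layout, the sample values and the name find_loops are assumptions made for illustration; the code does not parse ASA capture output.

```python
from collections import defaultdict

# Constructed sample header records (not taken from the thread): the fields one
# would read off each packet in a headers-only capture.
# (src_mac, dst_mac, src_ip, dst_ip, ip_id, ttl)
SAMPLE = [
    ("0011.2233.4455", "00aa.bbcc.ddee", "10.1.1.10", "172.16.5.20", 4711, 64),
    ("0011.2233.4455", "00aa.bbcc.ddee", "10.1.1.10", "172.16.5.20", 4711, 62),
    ("0011.2233.4455", "00aa.bbcc.ddee", "10.1.1.10", "172.16.5.20", 4711, 60),
    ("0011.2233.4455", "00aa.bbcc.ddee", "10.1.1.10", "172.16.5.20", 4711, 58),
    ("0011.2233.4455", "00aa.bbcc.ddee", "10.1.1.11", "172.16.5.20", 900, 64),
    ("0011.2233.4455", "00aa.bbcc.ddee", "10.1.1.11", "172.16.5.20", 901, 64),
    ("0066.7788.99aa", "00aa.bbcc.ddee", "10.1.1.12", "172.16.5.30", 77, 128),
    ("0066.7788.99aa", "00aa.bbcc.ddee", "10.1.1.12", "172.16.5.30", 77, 128),
    ("0066.7788.99aa", "00aa.bbcc.ddee", "10.1.1.12", "172.16.5.30", 77, 128),
]

def find_loops(records, min_repeats=3):
    """Group packets by (src_ip, dst_ip, ip_id) and classify the repeats.

    'routed-loop': the same packet is seen again with a strictly falling TTL,
    so it passes through a router between sightings.
    'l2-duplicate': the same packet repeats with an unchanged TTL and the same
    MAC pair, as in a bridging loop or a duplicating device.
    """
    seen = defaultdict(list)
    for src_mac, dst_mac, src_ip, dst_ip, ip_id, ttl in records:
        seen[(src_ip, dst_ip, ip_id)].append((src_mac, dst_mac, ttl))
    findings = {}
    for key, hits in seen.items():
        if len(hits) < min_repeats:
            continue  # a single repeat is more likely a retransmission
        ttls = [h[2] for h in hits]
        macs = {(h[0], h[1]) for h in hits}
        if all(a > b for a, b in zip(ttls, ttls[1:])):
            findings[key] = "routed-loop"
        elif len(set(ttls)) == 1 and len(macs) == 1:
            findings[key] = "l2-duplicate"
    return findings

if __name__ == "__main__":
    for (src, dst, ip_id), kind in find_loops(SAMPLE).items():
        print(f"{src} -> {dst} id={ip_id}: {kind}")
```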
07-12-2015 09:31 AM
Hi Akshay,
Is there any way to increase the interface buffer size in ASA? As far as I know the only option is to enable flow control, and that too only in 8.2.5 - any other options? I do see the overruns (only) are increasing.
07-13-2015 01:28 AM
Hi Sec IT,
Unfortunately, flow control is the only way to control the traffic flow coming to the interfaces.
You could try with QoS on ASA or on Switch connected to interface and see if that helps.
Regards,
Akshay Rastogi