08-13-2012 01:41 AM - edited 03-11-2019 04:41 PM
Hi
On our ASA 5520, the "tmatch compile thread" process takes too much CPU for a moment while applying an ACL. The CPU goes high and then back to normal. The code is 8.2(5). Is this normal operation or abnormal?
08-13-2012 07:02 AM
Hi Bro
In my experience, v8.2.5 is very buggy. From the error message alone, it does seem you've a memory leak issue in your Cisco ASA FW. Your software version is hit with a known bug: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj37890
I know some people might have told you to upgrade your memory to 1GB, but before you do that, please do the following first:
a) Remove the threat-detection command
b) Remove all unused ACLs and group the active ACLs using object-group
c) Downgrade your Cisco ASA to version 8.2.3. Upgrading to v8.3.X and above requires a memory upgrade, and this involves costs.
For further details, you could also refer to http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml
P/S: Please do rate this comment nicely, if you think the information provided here is useful :-)
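Added example, not part of the thread and not Cisco's own tooling: one way to shortlist ACLs for the cleanup in step (b) is to parse saved `show access-list` output and flag entries whose hit counter is zero. The sample output and the names in it (OUTSIDE_IN, INSIDE_OUT, OLD_VPN, LEGACY_HOSTS) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of ASA `show access-list` output (not from the thread).
SAMPLE = """\
access-list OUTSIDE_IN; 3 elements
access-list OUTSIDE_IN line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=1520) 0x6a1b2c3d
access-list OUTSIDE_IN line 2 extended permit tcp any host 192.0.2.11 eq smtp (hitcnt=0) 0x1f2e3d4c
access-list OUTSIDE_IN line 3 extended deny ip any any (hitcnt=88) 0x0a0b0c0d
access-list INSIDE_OUT; 2 elements
access-list INSIDE_OUT line 1 extended permit tcp object-group LEGACY_HOSTS any eq https
  access-list INSIDE_OUT line 1 extended permit tcp host 10.1.1.5 any eq https (hitcnt=0) 0x2b3c4d5e
  access-list INSIDE_OUT line 1 extended permit tcp host 10.1.1.6 any eq https (hitcnt=42) 0x3c4d5e6f
access-list OLD_VPN; 2 elements
access-list OLD_VPN line 1 extended permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0 (hitcnt=0) 0x11223344
access-list OLD_VPN line 2 extended permit ip 10.2.0.0 255.255.0.0 10.9.0.0 255.255.0.0 (hitcnt=0) 0x55667788
"""

# One ACE row: ACL name, line number, hit counter. Header rows have no " line N ".
ACE_RE = re.compile(r"^\s*access-list (\S+) line (\d+) .*\(hitcnt=(\d+)\)")

def hits_per_ace(text):
    """Sum hit counters per (acl, line); object-group expansions share a line number."""
    hits = defaultdict(int)
    for row in text.splitlines():
        m = ACE_RE.match(row)
        if m:
            hits[(m.group(1), int(m.group(2)))] += int(m.group(3))
    return dict(hits)

def cleanup_candidates(text):
    """Return (ACEs with zero hits, ACLs in which no ACE has any hit)."""
    hits = hits_per_ace(text)
    zero_aces = sorted(key for key, count in hits.items() if count == 0)
    per_acl = defaultdict(int)
    for (acl, _line), count in hits.items():
        per_acl[acl] += count
    dead_acls = sorted(acl for acl, count in per_acl.items() if count == 0)
    return zero_aces, dead_acls

if __name__ == "__main__":
    zero_aces, dead_acls = cleanup_candidates(SAMPLE)
    for acl, line in zero_aces:
        print(f"review: {acl} line {line} has hitcnt=0")
    print("ACLs with no hits at all:", ", ".join(dead_acls))
```

Hit counters start again from zero after a reload, so a zero only means no match since then; treat the output as a review list, not a delete list.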
08-13-2012 07:06 AM
tmatch compile thread is the process responsible for compiling ACLs. There is indeed a difference between 8.0 and 8.2 in terms of how memory and CPU are used when compiling and when compiled, with 8.2 being faster in ACL lookup but with a bit higher memory footprint.
Looks to me like expected operation, but if in doubt, open up a TAC case.
08-13-2012 10:32 PM
Thanks a lot Ramraj and Marcin
We face this issue for 30 min or so when the firewall config was synchronized with the active firewall after the reload, or when we tried to apply nearly 25 ACLs in a single shot copied from Notepad. After this period of time, ASA CPU utilization comes back to the normal range. Mostly, tmatch compile thread causes issues related to memory, but in our case there is no issue in memory and no spike in memory.
08-14-2012 05:13 PM
Hi Bro
Have you downgraded your Cisco ASA to version 8.2.3? I've used this version, and I hardly found any issues.
Note: I mean the simplest way to resolve this is to ask Cisco TAC but not everyone has the privilege and access to Cisco TAC. Hence, we turn to people in this community to assist. I want to assist.
08-14-2012 09:08 PM
Hi Ram,
Actually, the issue is related to this bug, and it mainly affects 8.2(5):
We are planning to upgrade to 8.3 with additional RAM.