01-12-2023 06:57 AM
Hello @ all
Can someone explain to me why the load is too high?
If more information is needed, please tell me.
Thanks in advance
show processes cpu-usage sorted non-zero
Hardware: ASA5516
Cisco Adaptive Security Appliance Software Version 9.14(2)8
ASLR enabled, text region 55b6780b3000-55b67cc65025
PC Thread 5Sec 1Min 5Min Process
- - 31.3% 31.2% 31.1% DATAPATH-0-1593
- - 30.5% 30.6% 30.6% DATAPATH-1-1594
01-12-2023 07:22 AM
Can I see show asp drop?
01-12-2023 11:14 PM
Hello ,
I think it has to do with NAT, could that be?
----------------------
sh asp drop
Frame drop:
Flow is being freed (flow-being-freed) 1
Invalid IP header (invalid-ip-header) 3485710
No valid adjacency (no-adjacency) 57
No route to host (no-route) 39
Flow is denied by configured rule (acl-drop) 3952862
First TCP packet not SYN (tcp-not-syn) 15836
TCP failed 3 way handshake (tcp-3whs-failed) 168
TCP RST/FIN out of order (tcp-rstfin-ooo) 2848
TCP packet SEQ past window (tcp-seq-past-win) 90
TCP Out-of-Order packet buffer full (tcp-buffer-full) 1968868
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 34067
TCP RST/SYN in window (tcp-rst-syn-in-win) 2
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 1224
Slowpath security checks failed (sp-security-failed) 29671380
Expired flow (flow-expired) 7
FP L2 rule drop (l2_acl) 533745
Interface is down (interface-down) 386
Dropped pending packets in a closed socket (np-socket-closed) 18
Dispatch queue tail drops (dispatch-queue-limit) 880361
Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool) 274
Last clearing: Never
Flow drop:
NAT reverse path failed (nat-rpf-failed) 2204
Inspection failure (inspect-fail) 6
Last clearing: Never
01-13-2023 01:16 AM
Name: tcp-global-buffer-full TCP global Out-of-Order packet buffer full: This counter is incremented and the packet is dropped when the security appliance receives an out-of-order TCP packet on a connection and there are no more global buffers available. Typically TCP packets are put into order on connections that are inspected by the security appliance or when packets are sent to the SSM for inspection. When the global Out-of-Order buffer queue is full, the packet will be dropped and this counter will increment. Recommendations: This is a temporary condition when all global buffers are used. If this counter is constantly incrementing, then please check your network for large amounts of Out-of-Order traffic, which could be caused by traffic of the same flow taking different routes through the network.
This, together with the high CPU and with you mentioning that you run the ASA active/active.
Do both ASAs in the pair have the same BW link?
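Because the counters above read "Last clearing: Never", the absolute numbers say little; what the recommendation asks for is whether tcp-buffer-full keeps incrementing. The following script, an added example that is not part of this thread, parses two show asp drop snapshots and reports which drop reasons grew and how fast. The first snapshot is the output posted above (abridged); the second is constructed to look like the same command run 60 seconds later, and the hint mapping is my own triage note rather than Cisco documentation.

```python
import re
from collections import OrderedDict

# Snapshot A: the 'show asp drop' counters posted in this thread (abridged).
SNAPSHOT_A = """\
Frame drop:
  Invalid IP header (invalid-ip-header)                                3485710
  Flow is denied by configured rule (acl-drop)                         3952862
  First TCP packet not SYN (tcp-not-syn)                                 15836
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                1968868
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)            34067
  Slowpath security checks failed (sp-security-failed)                29671380
  Dispatch queue tail drops (dispatch-queue-limit)                      880361
  Last clearing: Never
Flow drop:
  NAT reverse path failed (nat-rpf-failed)                                2204
  Inspection failure (inspect-fail)                                          6
  Last clearing: Never
"""

# Snapshot B: CONSTRUCTED to look like the same command run 60 s later;
# a few counters are bumped so the delta logic has something to show.
SNAPSHOT_B = """\
Frame drop:
  Invalid IP header (invalid-ip-header)                                3485712
  Flow is denied by configured rule (acl-drop)                         3952900
  First TCP packet not SYN (tcp-not-syn)                                 15836
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                1975100
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)            34120
  Slowpath security checks failed (sp-security-failed)                29671400
  Dispatch queue tail drops (dispatch-queue-limit)                      880361
  Last clearing: Never
Flow drop:
  NAT reverse path failed (nat-rpf-failed)                                2260
  Inspection failure (inspect-fail)                                          6
  Last clearing: Never
"""

# Triage notes for counters that usually point at the network path rather than
# at ASA capacity.  Assumption: this mapping is the reviewer's own, not Cisco's.
PATH_HINTS = {
    "tcp-buffer-full": "out-of-order queue exhausted: look for asymmetric routing",
    "tcp-buffer-timeout": "out-of-order segments never completed: same root cause",
    "nat-rpf-failed": "return path does not match the NAT/route: check routes",
}

# One counter line: "<description> (<counter-name>) <count>"
COUNTER_RE = re.compile(r"^(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)$")


def parse_asp_drop(text):
    """Return {section: OrderedDict(counter_name -> (description, count))}."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Last clearing"):
            continue
        if line.endswith(":"):          # 'Frame drop:' / 'Flow drop:' headers
            current = line[:-1]
            sections[current] = OrderedDict()
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m["name"]] = (m["desc"], int(m["count"]))
    return sections


def counter_deltas(snap_a, snap_b):
    """Counters that grew between two snapshots, largest increase first."""
    a, b = parse_asp_drop(snap_a), parse_asp_drop(snap_b)
    grown = []
    for section, counters in b.items():
        for name, (desc, after) in counters.items():
            before = a.get(section, {}).get(name, (desc, 0))[1]
            if after > before:
                grown.append((section, name, after - before))
    return sorted(grown, key=lambda t: t[2], reverse=True)


def triage(snap_a, snap_b, interval_s):
    """Readable lines: delta, rate per second, and a path hint where one applies."""
    lines = []
    for section, name, delta in counter_deltas(snap_a, snap_b):
        hint = PATH_HINTS.get(name, "")
        lines.append(f"{section}/{name}: +{delta} ({delta / interval_s:.1f}/s) {hint}".rstrip())
    return lines


if __name__ == "__main__":
    for line in triage(SNAPSHOT_A, SNAPSHOT_B, 60):
        print(line)
```

Run on a real box, paste two captures taken a known interval apart; a counter that leads the list every time, rather than one with the largest lifetime total, is the one to chase.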
01-13-2023 01:32 AM
What do you mean by BW link (the failover link)?
01-13-2023 01:39 AM
No, the links connected to the IN and OUT of the ASA;
the failover link interconnects the two ASAs, so it is surely the same.
01-13-2023 02:23 AM
Hello @ all
Many thanks for your support!
Your answers put me on the right track.
It was part of my routing entries.
I have several IP segments "/28", and one segment is part of the firewall itself.
The other segments are behind another firewall.
My mistake was to route the whole net xxx.xxx.1.0/24 to the other firewall.
After I split the routing entries, the error was gone.
Again, thanks for your fast support.
Regards, Michael
01-13-2023 02:29 AM
You are so so welcome
01-12-2023 09:11 AM
01-12-2023 11:43 PM
Hello,
Only an active/active cluster.
No SFR
No FirePOWER services activated.
01-13-2023 12:13 AM
I have seen similar issues on FTD, in my case it was related to the number of access control entries in the ACP. So I would recommend checking how many access-list entries there are.
Also, have you verified that the traffic load on the firewall is within the limits of what it can handle?