I'm trying to do some research on the Dispatch Unit process. It seems High CPU and this process go hand in hand. I haven't figured out an effective way of determining what underlying issue is the actual source. Can someone point me in the right direction to try an understand what the Dispatch Unit process is doing? I have an ASA 5550. I have seen the cpu hover around 85% +- 5% for sustained long periods, 30 - 60 min +. I have always been under the impression that around 80% cpu and you're probably dropping packets (that could be an out-dated belief).
Any help to understand this is much appreciated.
Solved! Go to Solution.
I thought I'd add the commands I've used thus far to isolate the issue. It seems that the high Dispatch Unit process isn't very conclusive other than the ASA is processing a high amount of traffic. The below commands will aid in determining the source/destination/service type traffic the ASA is processing so that you may take action.
show xlate count
show conn count
show memory detail
show processes cpu-usage
show processes cpu-hog
show processes memory
In my case so far, I haven't had any one thing causing the high cpu. The highest percentage drop I have seen so far was removing netbios from my service profile during a cpu spike to 95% and an hour of sustained cpu at 90% +. I had cleared the majority of my counters and noticed that the number of netbios packets matching the service policy was increasing at a rate far higher than the rest. Once I removed netbios the cpu dropped over 15% immediately and continued to drop over a period of time.
So really the only advice I can give is be familiar with the traffic traversing your ASA. The listed commands above will help to isolate possible sources/causes. It could be legitimate production traffic or malicious.
Hope this helps.
That is indeed very true, but that only aleaveates the CPU processing but it does not get rid of the issue, based on the ICMP messages and netbios, there could be loops and packets bouncing, hence the high amount of inspection hits. Adding to the packet processing on the interface itself, the inspection will add another CPU intensing consuming.
As you rightly pointed, the main thing on these cases is to first identify the traffic and then, check if it is normal or not.
Open capture on the interface and verify the packets reaching the interface. The buffer will be taking a fixed amount of resources, so it shouldnt cause major issues.
Check the capture, see the most frequent IP used and check the amount of bytes on each connection and the time that they have been up, not so much the amount of connections that it has.
Let mek now when you collect this info.