
FTD instance on Firepower has high CPU utilization on lina process

S891
Level 2

Hi,

I have Firepower 4115. I am seeing high CPU on one of the FTD instances. There are no complaints of slowness or packet drops from users so far. Any recommendations to fix this?

 

> show cpu usage core all

Core              5 sec  1 min  5 min
Core 0            90.5%  92.8%  92.6%
Core 1            90.6%  92.8%  92.6%

> show processes cpu-usage sorted

Hardware:   FPR4K-SM-24S
Cisco Adaptive Security Appliance Software Version 9.16(3)11
ASLR enabled, text region 55abc60b5000-55abca6c7475

PC         Thread       5Sec     1Min     5Min   Process
   -          -        85.4%    85.2%    84.8%   DATAPATH-1-3116
   -          -        85.3%    85.2%    84.8%   DATAPATH-0-3115
0x000055abc7c54d66   0x0000151701eb29e0     0.2%     0.2%     0.2%   CP Processing
0x000055abc7a603c3   0x0000151701e9ee80     0.1%     0.1%     0.1%   appagent_async_client_receive_thread

root@cmq-dcfw-ftd-01:~# top

Tasks:  81 total,   3 running,  68 sleeping,   0 stopped,  10 zombie
%Cpu(s): 21.7 us,  7.2 sy,  0.0 ni, 71.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem : 192162.5 total, 137596.8 free,  45892.9 used,   8672.8 buff/cache
MiB Swap:  49152.0 total,  45719.7 free,   3432.2 used. 138505.6 avail Mem

PID USER      PR  NI    VIRT    RES    SHR S       %CPU    %MEM     TIME+ COMMAND
2997 root       0 -20 3716024   1.6g   1.1g S   195.7     0.9 311260:57 lina
4790 root       1 -19 7949784   5.6g  89844 S   8.7      3.0   8256:04 snort3
2863 root      20   0  680204  21208   7412 S   4.3      0.0   3022:10 sftunnel

4 Replies

balaji.bandi
Hall of Fame

If this is not affecting anything and all is working as expected, check the FAQ below:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200950-Clarifying-the-Firepower-Threat-Defense.html

BB


show asp drop <<- please share this 

S891
Level 2

It turned out that it was due to a bunch of VM migrations that drove the lina process so high. Once the migration was completed, the CPU utilization was back to normal.

However, I am curious about when it starts dropping packets due to high CPU. Where in 'show asp drop' does it tell you this? And do I need to consider the drops only in the one FTD instance that has the traffic flow, or will other instances be impacted too?

This is the output of 'show asp drop' in the instance where CPU was high. 

> show asp drop

Frame drop:
Invalid TCP Length (invalid-tcp-hdr-length) 8
No valid adjacency (no-adjacency) 45
No route to host (no-route) 17763
Reverse-path verify failed (rpf-violated) 632691
Flow is denied by configured rule (acl-drop) 487309531
Invalid SPI (np-sp-invalid-spi) 131
First TCP packet not SYN (tcp-not-syn) 11874558
Bad TCP flags (bad-tcp-flags) 5
TCP failed 3 way handshake (tcp-3whs-failed) 3520718
TCP RST/FIN out of order (tcp-rstfin-ooo) 6643683
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 13736
TCP SYNACK on established conn (tcp-synack-ooo) 64
TCP packet SEQ past window (tcp-seq-past-win) 277799
TCP invalid ACK (tcp-invalid-ack) 17
TCP RST/SYN in window (tcp-rst-syn-in-win) 22938
TCP packet failed PAWS test (tcp-paws-fail) 7590
Slowpath security checks failed (sp-security-failed) 16774557
IP option drop (invalid-ip-option) 63256
Invalid LU packet (lu-invalid-pkt) 3437
Dropped by standby unit (fo-standby) 5
Flow drop (flow-expired-drop) 1
ICMP Inspect bad icmp code (inspect-icmp-bad-code) 46012
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 20837
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 15897
Snort instance is busy (snort-busy) 70996
FP L2 rule drop (l2_acl) 75421438
Unable to obtain connection lock (connection-lock) 2110
Interface is down (interface-down) 3066
Packet shunned (shunned) 33
Received a multicast packet in the non-active device (mcast-in-nonactive-device) 22819515
Per-flow block limit reached on flows fast-forwarded by Snort (snort-blist-full) 27160
Blocked or blacklisted by the firewall preprocessor (firewall) 47292
Blocked or blacklisted by the session preprocessor (session-preproc) 2896
Blocked or blacklisted by the reputation preprocessor (reputation) 220
Fragment reassembly failed (fragment-reassembly-failed) 17326250
Packet is blacklisted by snort (snort-blacklist) 130
Failover link is not ready for processing NLP packets (ha-nlp-lu-link-not-ready) 5
Dispatch queue tail drops (dispatch-queue-limit) 7635491

Last clearing: Never

Flow drop:
Flow is denied by access rule (acl-drop) 2
Flow shunned (shunned) 4
Inspection failure (inspect-fail) 1023570
SSL bad record detected (ssl-bad-record-detect) 99

Last clearing: Never
>

I suggest clearing the asp drop counter to have a better idea of which is increasing the fastest. Also, check the output of show access-list element-count and be sure that you are not exceeding the ACL limit.

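The last reply's advice, finding which 'show asp drop' counter grows fastest, can be done offline by parsing two captures taken a known number of seconds apart and ranking the counters by growth rate. This is an added example, not code from the thread or from Cisco; the two snapshots below are constructed (a few counters from the thread, with invented increments for the second capture).

```python
import re
from typing import Dict, List, Tuple

# Matches counter lines such as "No route to host (no-route) 17763";
# prompt lines, section headers and "Last clearing" lines do not match.
ASP_LINE = re.compile(r"^(?P<desc>.+?) \((?P<name>[\w-]+)\) (?P<count>\d+)$")

Snapshot = Dict[str, Dict[str, int]]  # {"Frame drop": {counter-name: count}, ...}


def parse_asp_drop(output: str) -> Snapshot:
    """Parse 'show asp drop' text into per-section counter dictionaries."""
    sections: Snapshot = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.endswith("drop:"):          # "Frame drop:" / "Flow drop:" headers
            current = line[:-1]
            sections[current] = {}
            continue
        m = ASP_LINE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = int(m.group("count"))
    return sections


def drop_rates(before: Snapshot, after: Snapshot, seconds: float) -> List[Tuple[str, str, float]]:
    """Per-second growth of every counter between two captures, fastest first.
    Counters that did not move are left out; counters absent from the first
    capture are treated as having started at zero."""
    rates = []
    for section, counters in after.items():
        for name, count in counters.items():
            delta = count - before.get(section, {}).get(name, 0)
            if delta > 0:
                rates.append((section, name, delta / seconds))
    return sorted(rates, key=lambda r: r[2], reverse=True)


# Constructed sample: first capture, then a second one 60 s later.
SNAP_T0 = """Frame drop:
No route to host (no-route) 17763
Flow is denied by configured rule (acl-drop) 487309531
Snort instance is busy (snort-busy) 70996
Dispatch queue tail drops (dispatch-queue-limit) 7635491

Last clearing: Never

Flow drop:
Inspection failure (inspect-fail) 1023570

Last clearing: Never
"""
SNAP_T1 = SNAP_T0.replace("487309531", "487312531").replace("70996", "71596") \
                 .replace("7635491", "7641491").replace("1023570", "1023630")

if __name__ == "__main__":
    for section, name, rate in drop_rates(parse_asp_drop(SNAP_T0), parse_asp_drop(SNAP_T1), 60):
        print(f"{section:10s} {name:25s} {rate:8.1f}/s")
```

Which counter, if any, points at CPU-driven drops is not something the thread settles; the ranking only tells you where to look first.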