FWSM 3.2(7)

hbenaouich (Level 1)

We noticed high CPU utilization after we migrated some services to this firewall. I am wondering if we are hitting a bug? We are also wondering if we need to turn off some inspect commands; here are the ones that we have turned on:

inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp

Last question: how do I check which processes are eating a lot of CPU on the FWSM?


Kureli Sankar (Cisco Employee)

Pls. upload two "sh proc" outputs about 3 min. apart.

I can get a diff. and let you know which process is taking a lot of the cpu cycles.
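The "diff two sh proc outputs" step above can be automated. The script below is an added example, not code from the thread or from Cisco: it parses two "show processes" snapshots, sums the Runtime column per process name, and ranks processes by how much runtime they consumed between the snapshots (the top five of the thread's reply were produced the same way by hand). The column layout (PC, SP, STATE, Runtime in ms, SBASE, Stack, Process) is assumed from the PIX/FWSM format, and both snapshots are constructed, not captured from the poster's firewall.

```python
"""Rank FWSM processes by CPU runtime growth between two 'show processes' snapshots."""
import re
from collections import defaultdict

# One process row: optional state flags, three 8-digit hex words (PC, SP, STATE),
# decimal Runtime in ms, hex SBASE, used/size stack, then the process name,
# which may contain spaces ("Dispatch Unit").  Column layout is assumed from the
# PIX/FWSM 'show processes' format; it is not taken from the thread.
ROW = re.compile(
    r"^[A-Za-z*]*\s*([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\d+)\s+"
    r"([0-9a-f]{8})\s+(\d+/\d+)\s+(.+?)\s*$"
)


def parse_show_proc(text):
    """Return {process name: cumulative Runtime in ms}; rows sharing a name are summed."""
    runtime = defaultdict(int)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            runtime[m.group(7)] += int(m.group(4))
    return dict(runtime)


def cpu_delta(before, after, top=5):
    """Processes that consumed runtime between the snapshots, biggest consumer first.

    Returns (name, delta_ms, share), where share is the fraction of all runtime
    consumed in the window.  A process present only in 'after' is charged its
    whole runtime, since all of it fell inside the window.
    """
    a = parse_show_proc(before)
    b = parse_show_proc(after)
    deltas = [(name, rt - a.get(name, 0)) for name, rt in b.items()]
    deltas = [(name, d) for name, d in deltas if d > 0]
    total = sum(d for _, d in deltas) or 1
    deltas.sort(key=lambda x: (-x[1], x[0]))
    return [(name, d, round(d / total, 3)) for name, d in deltas[:top]]


# Constructed snapshots, about three minutes apart; runtimes are cumulative ms.
SNAP1 = """\
    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001e3f49 00809f70 0053e5b8          0 00809fa8 3784/4096 arp_timer
Lwe 00117e3a 00823c80 0053e5b8    1095097 00823d18 2720/4096 snmp
Mrd 00120a51 00814e20 0053e5b8      90950 00814f08 5400/8192 Dispatch Unit
Lsi 001d44c1 0080f2b0 0053e5b8      59202 0080f348 3264/4096 Logger
Hsi 0012ab11 00811a90 0053e5b8      53529 00811b28 3072/4096 snp_timer_thread
Lwe 001efd20 00816c30 0053e5b8       6027 00816cc8 3456/4096 syslog_entry
"""

SNAP2 = """\
    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001e3f49 00809f70 0053e5b8          0 00809fa8 3784/4096 arp_timer
Lwe 00117e3a 00823c80 0053e5b8    1215097 00823d18 2720/4096 snmp
Mrd 00120a51 00814e20 0053e5b8     120950 00814f08 5400/8192 Dispatch Unit
Lsi 001d44c1 0080f2b0 0053e5b8      68202 0080f348 3264/4096 Logger
Hsi 0012ab11 00811a90 0053e5b8      58029 00811b28 3072/4096 snp_timer_thread
Lwe 001efd20 00816c30 0053e5b8       8127 00816cc8 3456/4096 syslog_entry
"""

if __name__ == "__main__":
    for name, delta_ms, share in cpu_delta(SNAP1, SNAP2):
        print(f"{name:<20} {delta_ms:>8} ms  {share:6.1%}")
```

Absolute Runtime values only say which process has been busy since boot; the delta between two snapshots is what shows who is busy now, which is why two captures a few minutes apart are asked for. In the constructed data snmp accounts for roughly 72% of the runtime consumed in the window.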

Please see the attached file. Can you please advise how you interpret the output of this command?

Check this link for known high CPU issues in the 3.2.7 release.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/release/notes/fwsmrn32.html

Here are the top 5:

snmp              1095097
Dispatch Unit       90950
Logger              59202
snp_timer_thread    53529
syslog_entry         6027

Dispatch unit is just purely packet processing. Try to turn off snmp and see if it goes down.

I won't be able to turn off snmp as this box is production and will generate a lot of alarms. Can you advise if this is a bug?

Not that I can see. What are you sending to the snmp host? syslog? If so when you see a traffic spike this will go up as well.

Issue "sh local | i host|count/limit".

Collect the output to a text file and parse through it to see if any one or more hosts have established many TCP or UDP connections. This could indicate an infected host.

When did you notice the cpu spike?

What is the normal cpu that you are used to seeing?

What changes were made prior to the cpu spike?

issue "sh np blocks" and see if the counters are incrementing.
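For the "parse through it" step, here is an added example (not from the thread or from Cisco) that reads the filtered "sh local | i host|count/limit" output and flags hosts with an unusually large number of flows or many half-open TCP connections. The line shapes ("local host: <ip>,", "TCP flow count/limit = N/limit", "TCP embryonic count to host = N", "UDP flow count/limit = N/limit") are assumed from the ASA/FWSM "show local-host" format, the thresholds are arbitrary starting points to tune per network, and the sample output is constructed.

```python
"""Flag hosts with many flows from filtered FWSM 'show local-host' output."""
import re

# Line shapes assumed from the ASA/FWSM 'show local-host' format, not from the
# thread.  With '| i host|count/limit' only the host header, the 'count/limit'
# lines and the embryonic line (it contains the word 'host') survive the filter.
HOST = re.compile(r"^local host: <([^>]+)>")
FLOW = re.compile(r"^\s*(TCP|UDP) flow count/limit = (\d+)/(\S+)")
EMBRYONIC = re.compile(r"^\s*TCP embryonic count to host = (\d+)")


def parse_local_host(text):
    """Return {ip: {"TCP": flows, "UDP": flows, "embryonic": half-open TCP}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"TCP": 0, "UDP": 0, "embryonic": 0}
            continue
        if current is None:      # counter line before any host header: ignore
            continue
        m = FLOW.match(line)
        if m:
            hosts[current][m.group(1)] = int(m.group(2))
            continue
        m = EMBRYONIC.match(line)
        if m:
            hosts[current]["embryonic"] = int(m.group(1))
    return hosts


def suspicious_hosts(text, flow_threshold=500, embryonic_threshold=100):
    """Hosts at or above either threshold, busiest first.

    Returns (ip, total_flows, embryonic, reason).  A large flow count points at
    a chatty or infected host; many half-open TCP connections point at scanning.
    Thresholds are placeholders to be tuned for the network in question.
    """
    out = []
    for ip, c in parse_local_host(text).items():
        total = c["TCP"] + c["UDP"]
        reasons = []
        if total >= flow_threshold:
            reasons.append("flows")
        if c["embryonic"] >= embryonic_threshold:
            reasons.append("embryonic")
        if reasons:
            out.append((ip, total, c["embryonic"], "+".join(reasons)))
    out.sort(key=lambda x: (-x[1], x[0]))
    return out


# Constructed sample of the filtered output (not captured from a real firewall).
SAMPLE = """\
local host: <10.10.1.25>,
    TCP flow count/limit = 12/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 3/unlimited
local host: <10.10.1.77>,
    TCP flow count/limit = 640/unlimited
    TCP embryonic count to host = 210
    UDP flow count/limit = 1880/unlimited
local host: <172.16.5.9>,
    TCP flow count/limit = 2/unlimited
    TCP embryonic count to host = 150
    UDP flow count/limit = 0/unlimited
"""

if __name__ == "__main__":
    for ip, total, emb, why in suspicious_hosts(SAMPLE):
        print(f"{ip:<16} flows={total:<6} embryonic={emb:<5} ({why})")
```

Run it against the saved text file with `parse_local_host(open(path).read())`. Sorting by total flows puts the noisiest host first; a host with few established flows but many embryonic ones (172.16.5.9 in the sample) still gets listed, which is the pattern a scanner or a misconfigured client produces.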

sh local | i host|count/limit --> this command didn't show any suspicious infected host. show np blocks is not showing counters being incremented.

We noticed the CPU spike just after migrating servers from an old DMZ to a new DMZ. Normal CPU is 3 - 5%; no changes were made prior to that.

I just noticed that show traffic summary is showing a lot of bytes in and out. Do you think inspect dns might have something to do with this?

sh service-policy

should show you if dns inspection is dropping packets.

You can certainly remove dns, netbios and smtp inspections.

Clear traffic and then issue sh traffic and see if interface is seeing the most traffic.

show service-policy doesn't show dropped packets:

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 12637231, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 63, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Question:

If I remove inspect dns will it have an impact anyhow on production traffic?

No, there will NOT be any impact on DNS traffic. No worries.

Seems like a lot of dns packets.

Are all your mail servers configured for proper DNS ip addresses that are active (alive and well)?

Pls. verify.

Thanks a lot for your help!

I will try that and will let you know!

The inspect dns is not the one causing high CPU. I removed snmp and CPU dropped from 25% to 8%. I am wondering if this is a bug? I also noticed that after removing snmp the firewall stopped processing traffic and we noticed a dip in traffic; see the attached files.

Accepted Solution

I had asked earlier if you were doing the following:

snmp-server enable traps syslog

Pls. remove just the above line.

CSCsl12334 - Pls. refer this defect here:

http://tools.cisco.com/Support/BugToolKit/
