06-14-2007 01:53 PM - edited 03-11-2019 03:30 AM
We migrated our old Borderware firewall to Cisco asa5520 and noticed the CPU on it always over 30% and sometimes over 60%/70%. I was wondering if there is anything I can do to improve performance and resolve this issue.
The interfaces look okay and we have about a 15MB internet pipe so it's not a heavy usage configuration. It also has 51 3des Site-to-Site VPN tunnels. I am thinking about enabling the CSC module and starting to scan http/email but I am not sure if I should go forward with that until I resolve the cpu issue.
Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"
catoactive up 5 days 14 hours
failover cluster up 7 days 3 hours
Hardware: ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0019.0665.6964, irq 9
1: Ext: GigabitEthernet0/1 : address is 0019.0665.6965, irq 9
2: Ext: GigabitEthernet0/2 : address is 0019.0665.6966, irq 9
3: Ext: GigabitEthernet0/3 : address is 0019.0665.6967, irq 9
4: Ext: Management0/0 : address is 0019.0665.6968, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number:
Running Activation Key: 0xb9012b61 Configuration register is 0x1
Configuration last modified by sysadmin at 17:18:14.257 PDT Wed Jun 13 2007
06-15-2007 12:43 PM
Do you have large ACL's applied to the interfaces? If so it might be worth checking which lines are getting the most hits and re-writing the ACLs so the most 'active' items are listed first, etc.
Just a thought,
Carl
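A way to act on the suggestion above, written as an added example and not code from the thread: the script below parses the hit counters that the ASA's `show access-list` command prints (the `(hitcnt=N)` field), sums hits per ACL line (object-group expansions repeat the same line number), lists the hottest entries, and flags entries that take a large share of traffic but sit below lower-hit lines. The ACL name, rule text and hit counts in the sample are constructed for the example, not taken from the poster's firewall. Moving a line is only safe when no packet can match an entry it is moved past with a different permit/deny result, so the output is a list of candidates to review, not an automatic reorder.

```python
import re
from collections import defaultdict

# Matches one line of `show access-list` output (ASA style), e.g.
# access-list NAME line 4 extended permit tcp any any eq www (hitcnt=12) 0x1a2b3c04
ACL_LINE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<rule>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\)"
)

# Constructed sample output (hypothetical ACL name and counters).
# Line 4 appears twice, as an object-group expansion would.
SAMPLE = """\
access-list inside_access_in line 1 extended deny tcp any any eq 135 (hitcnt=12) 0x1a2b3c01
access-list inside_access_in line 2 extended permit tcp 10.0.0.0 255.0.0.0 any eq 22 (hitcnt=340) 0x1a2b3c02
access-list inside_access_in line 3 extended permit udp any any eq domain (hitcnt=98211) 0x1a2b3c03
access-list inside_access_in line 4 extended permit tcp any host 10.1.1.10 eq www (hitcnt=500000) 0x1a2b3c04
access-list inside_access_in line 4 extended permit tcp any host 10.1.1.11 eq www (hitcnt=52310) 0x1a2b3c05
access-list inside_access_in line 5 extended permit ip any any (hitcnt=0) 0x1a2b3c06
"""


def parse_hitcounts(text):
    """Return {acl_name: {line_no: [rule_text, total_hits]}}.

    Hits for repeated line numbers (object-group expansions) are summed,
    and the rule text of the first expansion is kept as the label.
    """
    acls = defaultdict(dict)
    for raw in text.splitlines():
        m = ACL_LINE.match(raw.strip())
        if not m:
            continue  # skip headers, remarks and anything unparseable
        line = int(m.group("line"))
        hits = int(m.group("hits"))
        entry = acls[m.group("acl")].get(line)
        if entry is None:
            acls[m.group("acl")][line] = [m.group("rule"), hits]
        else:
            entry[1] += hits
    return acls


def top_entries(acls, acl_name, n=3):
    """Return [(line_no, hits), ...] for the n most-hit lines, busiest first."""
    entries = acls.get(acl_name, {})
    ranked = sorted(entries.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(line, vals[1]) for line, vals in ranked[:n]]


def reorder_candidates(acls, acl_name, share=0.10):
    """Lines carrying at least `share` of the ACL's hits that sit below a
    line with fewer hits. Sorted by line number. Review each before moving."""
    entries = acls.get(acl_name, {})
    total = sum(vals[1] for vals in entries.values())
    if total == 0:
        return []
    out = []
    for line, (rule, hits) in sorted(entries.items()):
        hot = hits >= share * total
        buried = any(entries[l][1] < hits for l in entries if l < line)
        if hot and buried:
            out.append(line)
    return out


if __name__ == "__main__":
    acls = parse_hitcounts(SAMPLE)
    for name in acls:
        print(name, "top:", top_entries(acls, name))
        print(name, "review for reorder:", reorder_candidates(acls, name))
```

Run it against a saved `show access-list` capture instead of `SAMPLE` to get the same report for a real ACL; counters are cumulative since the last `clear access-list ... counters`, so compare two captures taken a few minutes apart if you want hits over a window rather than since boot.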
06-19-2007 09:00 AM
The Cisco TAC is saying that it's normal for ASA cpu running around 30%. Since last night the CPU usage is about 1-5% and nothing has changed since yesterday so it does not make sense. This has to be a bug or something.
06-19-2007 09:52 AM
Are you having a high connection rate? (sh conn count) You said 51 site to site tunnels. If you do a "sh cry isa sa" What state are the crypto tunnels in? qm_idle? mm key exchange? Post your connection count when this happens again and an example of some of the connections(block out IPs of course)
06-19-2007 10:08 AM
Here is sh conn with CPU about 30%
sh conn count
1469 in use, 2974 most used
Type : L2L Role : initiator
Here are the sh cry results, most of them in MM_ACTIVE state. Most of our tunnels are rarely used (less than a few pages of printout)
sh cry isa sa
Active SA: 48
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 48
1 IKE Peer: x.x.x.x Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
I will keep checking conn counts when CPU peaks again..thanks for your help.
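Since the thread asks what state the 48 IKE SAs are in and the reply above pastes one peer of the `sh cry isa sa` output, here is an added example (not code from the thread) that parses that output into one record per IKE SA, counts SAs by state, and lists peers whose SA is not in an established state (anything other than MM_ACTIVE/AM_ACTIVE, such as a peer stuck waiting for a main-mode message) plus peers currently rekeying. The peer addresses and states in the sample are constructed; the layout follows the three-line-per-peer format shown in the post.

```python
import re
from collections import Counter

# Constructed `show crypto isakmp sa` output in the ASA 7.x layout.
SAMPLE = """\
   Active SA: 4
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 5

1   IKE Peer: 198.51.100.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.11
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
3   IKE Peer: 198.51.100.12
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE
4   IKE Peer: 198.51.100.12
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
5   IKE Peer: 203.0.113.5
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

PEER_RE = re.compile(r"^(\d+)\s+IKE Peer:\s+(\S+)")
TYPE_RE = re.compile(r"Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)")
REKEY_RE = re.compile(r"Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)")

ESTABLISHED = {"MM_ACTIVE", "AM_ACTIVE"}  # phase 1 complete (main / aggressive mode)


def parse_isakmp(text):
    """Return a list of dicts, one per IKE SA, from `show crypto isakmp sa` text."""
    sas = []
    cur = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            cur = {"index": int(m.group(1)), "peer": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue  # summary header lines before the first peer
        m = TYPE_RE.search(line)
        if m:
            cur["type"], cur["role"] = m.group(1), m.group(2)
            continue
        m = REKEY_RE.search(line)
        if m:
            cur["rekey"] = m.group(1).lower() == "yes"
            cur["state"] = m.group(2)
    return sas


def state_counts(sas):
    """Counter of SA states, e.g. {'MM_ACTIVE': 3, 'MM_WAIT_MSG2': 1}."""
    return Counter(sa.get("state", "UNKNOWN") for sa in sas)


def not_established(sas):
    """Peers (deduplicated, in order) whose SA is not in an established state."""
    seen = []
    for sa in sas:
        if sa.get("state") not in ESTABLISHED and sa["peer"] not in seen:
            seen.append(sa["peer"])
    return seen


def rekeying(sas):
    """Peers that currently show Rekey: yes (a second SA alongside the active one)."""
    return sorted({sa["peer"] for sa in sas if sa.get("rekey")})


if __name__ == "__main__":
    sas = parse_isakmp(SAMPLE)
    print("states:", dict(state_counts(sas)))
    print("not established:", not_established(sas))
    print("rekeying:", rekeying(sas))
```

Feed it a few captures taken while the CPU is high and a few while it is low: a peer that repeatedly shows up in the not-established list, or a rekey count that climbs each time, points at specific tunnels to look at rather than the aggregate.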