High CPU Utilization due to IPS Policy

Ditter
Level 4

Hi to all,

I am posting this in order to have your opinion about it.

Today our users behind the FTD faced timeouts as well as high RTTs.

Digging a little bit, I noticed that CPU core 16 (not the other cores) was continuously steady at 100%.

After disabling the IPS policy for the outgoing traffic, the timeouts stopped and the RTTs returned to normal.

So I decided to keep the IPS process only for the incoming traffic.

How could I identify the offending host or hosts? In addition, is there any possibility for this to happen due to elephant flows passing through the firewall or probably a huge backup from inside to the Internet?

Any views/opinions are most welcome.

Thanks 

Ditter.

16 Replies

Well, if this is still causing issues for you, I would recommend opening up a TAC case. They can work with you to isolate where most of the CPU resources are going and propose optimizations on the access control rules around this.

Ditter
Level 4

@ckleopa @MHM Cisco World Update: Going one step further, and by accepting Cisco IPS Recommendations, the rules increased from 584 active rules to 2996 rules (alert: 158 and block: 2838).
