12-25-2016 09:03 PM - edited 03-12-2019 01:42 AM
Hello,
I have one 5555-X firewall. Usually the CPU usage is around 25%. Recently I ran a TCP flooding test, which simply uses hping3 to generate a TCP flood toward the firewall's inside interface.
When I initiated the attack traffic I noticed a very high packet drop on the inside interface and a huge spike in ACL drops. The ACL drops were due to the invalid TCP packets used in the attack traffic. I found these logs in the firewall syslog:
Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44704 to 2.2.2.2/0
Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44781 to 2.2.2.2/0
Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44908 to 2.2.2.2/0
Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44926 to 2.2.2.2/0
It looks like the ASA was bombarded with a high packets/sec rate, so packets were not processed at the rate at which they arrived, resulting in packet drops and high CPU.
Also, each received packet is processed by the CPU and discarded, which again adds to the CPU spike.
I guess that is the reason for the spike in CPU with a small-packet, high-packet-rate attack. Also, during the testing I found the CPU usage rose to around 70%.
What surprises me most is why such a high-performance firewall gives such a poor result.
Could you please advise whether this is the expected result, and how I can improve the protection on the ASA?
Thanks!
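As an added example (not code from the original post, Cisco, or the ASA), the following Python script parses %ASA-4-500004 syslog lines of the exact form quoted above, counts them per second, records which sources and destination ports they hit, and flags the seconds that exceed a chosen rate. Port 0 is worth flagging specifically because it is the hping3 default destination port, which is consistent with the `2.2.2.2/0` in the quoted lines. The sample log embeds the four lines from the post plus a few constructed lines (a second source, a straggler, an unrelated %ASA-6-302013 message and a truncated line); the function names and the burst threshold are the example's own assumptions.

```python
"""Burst detection for %ASA-4-500004 "Invalid transport field" messages.

Added example, not from the original post. The SAMPLE_LOG below mixes the four
lines quoted in the thread with constructed lines; the threshold is an assumption.
"""
import re
from collections import Counter

# Regex for the message as it appears in the post. The leading timestamp is the
# ASA default "Mon DD YYYY HH:MM:SS" form used there; other message IDs are ignored.
ASA_500004 = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-4-500004: Invalid transport field for protocol=(?P<proto>\w+), "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)\s*$"
)

SAMPLE_LOG = [
    # The four lines quoted in the post.
    "Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44704 to 2.2.2.2/0",
    "Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44781 to 2.2.2.2/0",
    "Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44908 to 2.2.2.2/0",
    "Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44926 to 2.2.2.2/0",
    # Constructed lines: a second source in the same second, a straggler one second
    # later, an unrelated connection-built message, and a truncated line that must not match.
    "Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 10.0.0.5/1025 to 2.2.2.2/0",
    "Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 10.0.0.5/1026 to 2.2.2.2/0",
    "Dec 23 2016 12:32:40: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/45001 to 2.2.2.2/0",
    "Dec 23 2016 12:32:40: %ASA-6-302013: Built inbound TCP connection 4242 for outside:1.1.1.1/51000 (1.1.1.1/51000) to inside:2.2.2.2/443 (2.2.2.2/443)",
    "Dec 23 2016 12:32:40: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/",
]


def parse_500004(line):
    """Return the fields of one %ASA-4-500004 line as a dict, or None if it is not one."""
    m = ASA_500004.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(lines, burst_threshold=100):
    """Aggregate 500004 messages per second and flag seconds at or above the threshold.

    burst_threshold is messages per logged second (an assumed value; tune it to the
    rate the box normally logs). Note these counts only cover what the ASA actually
    emitted to syslog, so under load they are a lower bound on the real packet rate.
    """
    per_second = Counter()
    sources = Counter()
    targets = Counter()
    port_zero = 0
    for line in lines:
        rec = parse_500004(line)
        if rec is None:
            continue
        per_second[rec["ts"]] += 1
        sources[rec["src"]] += 1
        targets[(rec["dst"], rec["dport"])] += 1
        # Port 0 in either field is the hping3 default and is never a legitimate TCP port.
        if rec["dport"] == 0 or rec["sport"] == 0:
            port_zero += 1
    if per_second:
        peak_ts, peak = max(per_second.items(), key=lambda kv: kv[1])
    else:
        peak_ts, peak = None, 0
    return {
        "matched": sum(per_second.values()),
        "peak_second": peak_ts,
        "peak_rate": peak,
        "port_zero": port_zero,
        "top_source": sources.most_common(1)[0] if sources else None,
        "top_target": targets.most_common(1)[0] if targets else None,
        "burst_seconds": sorted(ts for ts, n in per_second.items() if n >= burst_threshold),
    }


if __name__ == "__main__":
    # With the tiny sample a threshold of 5 is enough to show one burst second.
    print(summarize(SAMPLE_LOG, burst_threshold=5))
```

Feed it the output of `show logging` or a syslog server's file instead of `SAMPLE_LOG` to see, per second, how many invalid-transport drops the ASA reported and from where. Because the device may rate-limit or drop syslog while it is saturated, treat the per-second counts as a floor and cross-check them against the interface drop counters and CPU graphs mentioned in the thread rather than as the true attack rate.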
12-26-2016 03:36 AM
Hi.
It highly depends on the packet rate. What was the packet rate in your test?
Just for information: http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/data-sheet-c78-729807.html
Look at the "New connections per second" line.
Best Regards.
12-26-2016 07:28 AM
Hello,
I saw the max incoming traffic was around 29,000 pkts/sec, which I think reaches the limit of 30,000 shown in the spec.
However, is the CPU really impacted that heavily when over or near the limit it can handle?
Is there anything I can do to improve this?
Thanks!
12-26-2016 07:46 AM
Hi.
Yes, when you're reaching the limit it raises CPU. So you can use CPU stats as indirect information about hitting a limit (for example, I saw 80% CPU load on an ASA 5515-X at 1 Gbit of traffic).
All you can do to raise the limit is to change the device to a better one or to buy one (two, three or more) more and build a cluster with them (in active/active mode the devices reach 70% of the total bandwidth of all devices).
Best Regards.