High CPU utilization during Flooding test

Machi Ma
Level 1

Hello,

I have one 5555-X firewall. Usually the CPU usage is around 25%. Recently I just ran a TCP flooding test, which simply uses hping3 to generate a TCP flood toward the firewall's inside interface.

When I initiated the attack traffic I noticed very high packet drops on the inside interface and a huge spike in ACL drops. The ACL drops were due to invalid TCP packets being used in the attack traffic. I keep finding these logs in the firewall syslog:

Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44704 to 2.2.2.2/0

Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44781 to 2.2.2.2/0

Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44908 to 2.2.2.2/0

Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44926 to 2.2.2.2/0

The ASA was bombarded with a high packets/sec rate, which results in packets not being processed at the rate at which they arrive, resulting in packet drops and high CPU.

Also, each received packet is processed by the CPU and discarded, which again adds up to a CPU spike.

That, I guess, is the reason for the spike in CPU under a small-size, high-packet-rate attack. Also, during the testing I found the CPU usage rose to around 70%.

Most surprising is why such a high-performance firewall comes with such a poor result.

Could you please advise whether this is an expected result, and how I can improve the protection at the ASA?

Thanks!
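As an added example (not code from the post or from Cisco), the following parses `%ASA-4-500004` syslog lines like the ones above and flags any source that generates more of them per second than a threshold; the sample lines, the added `%ASA-6-302013` connection message and the threshold value are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample syslog lines modelled on the ones in the post
# (1.1.1.1 / 2.2.2.2 are the post's own placeholder addresses).
SAMPLE_LOG = """\
Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44704 to 2.2.2.2/0
Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44781 to 2.2.2.2/0
Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44908 to 2.2.2.2/0
Dec 23 2016 12:32:39: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/44926 to 2.2.2.2/0
Dec 23 2016 12:32:40: %ASA-6-302013: Built inbound TCP connection 12 for inside:10.0.0.5/51000 (10.0.0.5/51000) to outside:2.2.2.2/443 (2.2.2.2/443)
Dec 23 2016 12:32:40: %ASA-4-500004: Invalid transport field for protocol=TCP, from 1.1.1.1/45001 to 2.2.2.2/0
"""

# Matches the message layout shown in the post: timestamp, message id,
# protocol, source/port and destination/port. Other message ids do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-4-500004: "
    r"Invalid transport field for protocol=(?P<proto>\w+), "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)$"
)


def parse_invalid_transport(lines):
    """Yield (timestamp, src, dst, dport) for each %ASA-4-500004 line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            yield ts, m["src"], m["dst"], int(m["dport"])


def flood_sources(lines, threshold):
    """Count 500004 events per (second, source); return {src: peak_per_second}
    for every source whose peak reaches the threshold."""
    per_second = Counter()
    for ts, src, _dst, _dport in parse_invalid_transport(lines):
        per_second[(ts, src)] += 1
    peaks = defaultdict(int)
    for (_ts, src), n in per_second.items():
        if n >= threshold:
            peaks[src] = max(peaks[src], n)
    return dict(peaks)


if __name__ == "__main__":
    # Threshold of 3/s is only for this tiny sample; tune it to the box's real baseline.
    print(flood_sources(SAMPLE_LOG.splitlines(), threshold=3))
```

A real threshold should sit well above the rate of 500004 messages the firewall logs in normal operation, so that ordinary misbehaving clients do not trigger it.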

3 Replies

AllertGen
Level 3

Hi.

It highly depends on the level of the packet rate. What packet rate was at your test?

Just for information: http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/data-sheet-c78-729807.html

Look at the "New connections per second" line.

Best Regards.

Hello,

I saw the max incoming traffic is around 29,000 pkts/sec, which I think reaches the limit of 30,000 shown by the spec.

However, does the CPU really get impacted so heavily when over or near the limit it can handle?

Is there anything I can do to improve it?

Thanks!

Hi.

Yes, when you're reaching the limit it raises the CPU. So you can use CPU stats as indirect information about hitting a limit (for example, I saw 80% CPU load on the ASA 5515-X at 1 Gbit of traffic).

All you can do to raise the limit is to change the device to a better one, or to buy one (two, three or more) more and build a cluster with them (in active/active mode the devices reach 70% of the total bandwidth of all devices).

Best Regards.
