Interface Ethernet1 "inside", is up, line protocol is up

Hardware is i82559, BW 100 Mbps

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

MAC address 0003.6bf6.a3a2, MTU 1500

IP address 10.140.0.14, subnet mask 255.255.254.0

29370012 packets input, 1984214767 bytes, 0 no buffer

Received 3507 broadcasts, 0 runts, 0 giants

21466 input errors, 0 CRC, 0 frame, 21466 overrun, 0 ignored, 0 abort

29480501 packets output, 3299878690 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (120/278)

output queue (curr/max blocks): hardware (0/66) software (0/1)

Received 29357386 VLAN untagged packets, 1567411547 bytes

Transmitted 29491353 VLAN untagged packets, 2606638316 bytes

Dropped 27792162 VLAN untagged packets

I observed the CPU gone high 99% and doe it look like a virus?

If virus attack how can I resolve the issue?

Thx

Chandru

Hello,

I can see that you are getting the following:

21466 input errors, 0 CRC, 0 frame, 21466 overrun, 0 ignored, 0 abort

When you see this big amount of input errors it means that you have a duplex mismatch or a faulty cable and for the packets overrun it means that the interface is handling more traffic than what it can.

A good way to see if there is a virus on any of your computers would be to use the "show local-host" command and see if any of your current PCs are generating an excessive amount of connections.

I hope this helps

You can also take a look at the show process output command and see which process on the firewall is being used the most

On the inside interface you have configured the duplex setting as well as the speed setting to AUTO. Try to hard code the duplex mode and setting to full duplex and see if you would get any different results.

You can clear the counters on the interfaces by using the "clear interface" command

I tried changing the cable but still i see the errors.

I have a backup firewall and if i move the internet traffic the CPU % remains constant 20% and i dont see any problem with backup firewall.

After i move the traffic the PIX which is giving problem behaves normal and the CPU will remain 2% constant.

Can you help me what could be causing the probelm for high CPU?

Could you post a show tech from the firewall?

Iam attaching the show tech file.

The two processes taking the more CPU usage are:

Mrd 001dbdc6 01212460 00db9fe0 7665080 0120e508 11428/16384 Dispatch Unit

Mrd 009da86f 012b5cc0 00db9fe0 3968310 012b3d48 6632/8192 Logger

Logger as the name implies is used for logging. Try disabling logging completely on the firewall to see if the CPU usage would go down.

The Dispatch Unit process is used for application inspection.

Can you try disabling the inspection for HTTP and see what results you would get?

Hi Allan,

I tried disabling the logging option and the CPU has come down to 49% and i will try removing inspect HTTP & will observe the util.

Thanks for ur tips.

Great!

Keep me posted to see how did that go.

Thanks!

If I remove the inspection http option the CPU util remains constant around 48%.

Earlier the average CPU util was 20% and it suddenly increased to 99% after Saturday morning ie 17th March.

Does the US DST settings caused for this issue as I have not updated in my PIX?

Hi Allan,

Glenn asked to upgrade the IOS to 7.0(6) but the cpu load remains the same.

If i again enable the logging the load reaches 99% and this config was there from the time pix configured but it suddenly raised from 17th march.

I checked and no pc's are affected virus in the network.

Iam surprised how it can suddenly go to 99% CPU

When you have logging enable at level 7 it takes a lot of resources from the PIX. It is always advised to use this logging level just for troubleshooting purposes and not for day to day monitoring.