
Reduce Maximum Deny-Flows to ease up on ASA CPU?

garry.engle
Level 1

Hello All,

Has anyone tried this or has a good idea on the effect? I have not been able to find any discussion or documentation about this specific adjustment.

As a short-term mitigation to an overtaxed ASA, I'm considering reducing the setting for Maximum Deny-flows in the ASDM Advanced Logging Settings. It's on the default setting of 4096 now, and I was thinking about setting it to half of that to see if there's an effect on the CPU. The Cisco ASA config guide section on Information about Managing Deny Flows is what gave me the idea when I was looking for ways to lighten the load on the CPU.

As far as I can tell, everything else with it seems to be optimized. The traffic that goes through it has just increased to the point that whenever a spike comes, it pushes that CPU up to the mid-90s%. We're waiting on a bigger ASA, but it'll get here when it gets here.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/acl_logging.html#51838

Thanks!

Garry

1 Reply

garry.engle
Level 1

FYI, gave this a try and didn't see an effect on the CPU usage, so set it back to default.
