
Why is the PIX 525 CPU load so high?

i00117461
Level 1

Normally the device is used for the NAT and PAT functions, and the CPU load is about 20% with 40M traffic.

Some time ago, I discovered the internet speed had suddenly dropped, so I used the ping and trace tools and discovered the PIX was causing a large delay. CPU usage was 98 percent. I have no idea about .

I tried to clear xlate, and the CPU load decreased to 19%. If I don't perform any operation, a while later the network would be normal.

Usage: show cpu usage

MGNXZF02# show xlate count

24374 in use, 59076 most used

MGNXZF02# show xlate count

23984 in use, 59076 most used

MGNXZF02# clear xlate

MGNXZF02#

MGNXZF02#

MGNXZF02#

MGNXZF02# show cpu usage

CPU utilization for 5 seconds = 19%; 1 minute: 81%; 5 minutes: 94%

MGNXZF02# show mem

268435456 bytes total, 187097088 bytes free

MGNXZF02# show logging

Syslog logging: enabled

Facility: 20

Timestamp logging: disabled

Standby logging: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: disabled

Trap logging: level critical, 6026739 messages logged

History logging: level debugging, 3334069985 messages logged

MGNXZF02# show ver

Cisco PIX Firewall Version 6.2(2)

Cisco PIX Device Manager Version 1.1(2)

Compiled on Fri 07-Jun-02 17:49 by morlee

MGNXZF02 up 39 days 16 hours

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5

0: ethernet0: address is 000b.5f06.375a, irq 10

1: ethernet1: address is 000b.5f06.375b, irq 11

2: ethernet2: address is 0002.b3b9.7ca6, irq 5

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES: Disabled

Maximum Interfaces: 6

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

Serial Number: 806443142 (0x30115886)

Running Activation Key: 0x586e1488 0x97f8fb05 0xb245b325 0xf0907858

Configuration last modified by enable_15 at 01:01:00.192 UTC Wed Apr 14 2004

Any idea?

Thanks.

6 Replies

ehirsel
Level 6

I noted the logging history is enabled for debugging. What do the PIX logs at the syslog server and the SNMP server say around the time you are having this problem?

Is this problem a common occurrence? Or does it happen infrequently? You may need to set logging buffer to the error level to get a better idea.

How are your routes set up? From the PIX 6.2 doc:

If the route command statement uses the IP address from one of the PIX Firewall unit's interfaces as the gateway IP address, PIX Firewall will ARP for the destination IP address in the packet instead of ARPing for the gateway IP address.

Proxy ARPing could cause the PIX CPU to jump high.

One other thing to look at is the interface status and counts at the time you are having this issue. Clear the interface counters and when you have the problem, look at the counters. The clear interface should reset the counters and not take down the interface.

Also get a sniffer on the interfaces. I saw this with just a few Nachi-infected machines. The tremendous amount of pings from only 4-6 machines brought the 525 to a halt.

Was running 6.2.2.

This is the second time it has happened.

I have changed the logging buffered level to errors.

It appears out of the blue.

The default route has been set to a next-hop IP address.

Then I should wait for the thing to occur.

Thanks.

Today, the scenario appeared again.

How do I clear the interface counters?

What did the logs say when the event happened while logging was turned on? If you posted them, I could not find them.

paland
Level 1

Try turning off syslog logging when it happens and see if that helps.
