I has having a similar issue

gjaramilloa · ‎06-17-2015

I have an ASA 5545-X with SourceFire and the module is reaching over 90% of CPU usage (not all the time only during working hours). However I can see that only 1 CPU (there are 6) is reaching that limit. I have two questions: does the SourceFire module only use 1 CPU for all of its processes? is there a way to balance the processing load among all available CPUs?

The module has Intrusion, URL & Application and File policies enabled. The ASA is only performing Firewall policy and serves a few remote access VPNs.

In addition, I was using the "security over connectivity" profile in the intrusion policy; nevertheless, after I put the device into production I changed the profile to "connectivity over security" to lower the CPU load but I can see that the behaviour it's the same.

The magement is performed by a Firesight MAnagement Center running in a physical appliance.

I thank you in advance for your time.

nspasov · ‎06-26-2015

Hmm, interesting question. I believe for the CX modules the ASA got 1 of the 4 cores and the CX IPS got the other 3 cores. Not sure if the same applies for FirePOWER. That type of info can probably only be provided by Cisco so perhaps you can open a TAC case and let us all know :P

Thank you for rating helpful posts!

Jordan1212 · ‎05-24-2016

I has having a similar issue called an "elephant flow" during one particular scheduled backup. Only one CPU, CPU5 was spiking to 90+% during the backup period.

More info here:

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200420-Processing-of-Single-Stream-Large-Sessio.html

CPU usage: ASA with SourceFire