This issue is due to the presence of Cisco bug ID CSCsh13946.
With this bug, modifying an access-list that has multiple entries and is tied to a NAT statement can keep central processing unit (CPU) usage high for an extended period of time, which results in packet loss, triggers failover, and so forth.
This issue is typically seen when an access-list that references several object-groups exists in the configuration. When this access-list is edited in order to include more elements that reference additional object-groups, the number of access-list elements grows substantially. When this type of access-list is tied to a NAT statement and the ACL edits are made, the CPU can spike for a few minutes.
The workaround for this issue is to modify the access-lists applied to NAT statements so that the number of elements stays as low as possible.
Note: In order to minimize the impact, make all of these changes during maintenance windows.
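To judge how large a NAT-bound access-list becomes before it is edited, the element count can be estimated offline from a saved configuration. This script is an added example, not Cisco code: it assumes the pre-8.3 `nat (interface) id access-list NAME` syntax and that each entry expands to the product of the sizes of the object-groups it references. The sample configuration and all names in it are constructed.

```python
import math
import re

# Constructed sample configuration (pre-8.3 PIX/ASA syntax); all names are hypothetical.
SAMPLE_CONFIG = """\
object-group network BRANCHES
 description constructed branch networks
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
 network-object host 10.3.0.5
object-group network DC_NETS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
object-group network ALL_SITES
 group-object BRANCHES
 group-object DC_NETS
access-list NONAT extended permit ip object-group ALL_SITES object-group DC_NETS
access-list OUTSIDE_IN extended permit tcp any object-group DC_NETS eq 443
nat (inside) 0 access-list NONAT
"""

def parse_groups(config):
    """Map each object-group name to its member lines, split into tokens."""
    groups, current = {}, None
    for line in config.splitlines():
        header = re.match(r"object-group \S+ (\S+)", line)
        if header:
            current = header.group(1)
        elif current and re.match(r" \S+-object ", line):
            groups.setdefault(current, []).append(line.split())
        elif not line.startswith(" "):
            current = None
    return groups

def group_size(name, groups):
    """Count leaf entries, following nested group-object references."""
    return sum(group_size(e[1], groups) if e[0] == "group-object" else 1
               for e in groups.get(name, []))

def nat_acl_elements(config):
    """Return {acl_name: expanded element count} for ACLs referenced by nat statements."""
    groups = parse_groups(config)
    totals = dict.fromkeys(re.findall(r"^nat \(\S+\) \d+ access-list (\S+)", config, re.M), 0)
    for name, rest in re.findall(r"^access-list (\S+) (.*)$", config, re.M):
        if name in totals and not rest.startswith("remark"):
            refs = re.findall(r"object-group (\S+)", rest)
            totals[name] += math.prod(group_size(r, groups) for r in refs)
    return totals
```

In the sample, one access-list line expands to 10 elements, and adding a single network to `DC_NETS` raises that to 18 because the group is counted on both sides of the entry.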
This issue is resolved in these PIX/ASA versions:
In order to completely resolve this issue, downgrade or upgrade to any of the suggested PIX/ASA software versions from Cisco Downloads.