This issue is possibly caused by Cisco bug ID CSCsg63297.
Every time you add a network object associated with policy NAT, the complete access-list is recompiled by the CPU.
This means that all network objects are expanded, and a few network objects can expand exponentially. After that, optimization algorithms run in order to try to reduce the final number of rules used by the PIX.
For example, if you have four host objects, four port objects and four ACEs, you can get 4 × 4 × 4 = 64 internal rules (sometimes even more).
Note: If failover is configured on the firewall with a very short poll time, this can cause a false switchover.
For a workaround:
1. Download and upgrade the software version to 7.2(2).
2. Make slight changes to the NAT policies if they have a large number of ACEs.
Note: The upgrade does not fix the high CPU issue. The CPU is still high during compilation of access-lists. The fix is to avoid the cpu-hog messages and watchdog timeouts.
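To see why a handful of object groups turns into a large number of internal rules, here is an added Python model of the expansion step (the Cartesian product of source, destination and service members, with nested groups flattened). It is an illustration written for this page, not Cisco's compiler, and it counts rules before any optimization pass; the group names, hosts and ports are constructed.

```python
"""Model of how a firewall expands object groups in an access-list into
internal (atomic) rules. Added illustration: the group names, hosts and
ports below are constructed, not taken from any real configuration."""
from itertools import product
from typing import Dict, List, Tuple

# Constructed object groups. A member that names another group is a
# nested group (like an ASA/PIX "group-object") and is expanded recursively.
NETWORK_GROUPS: Dict[str, List[str]] = {
    "INSIDE_HOSTS": ["10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"],
    "BRANCH_HOSTS": ["10.2.2.1", "10.2.2.2", "10.2.2.3", "10.2.2.4"],
    "ALL_HOSTS": ["INSIDE_HOSTS", "BRANCH_HOSTS"],  # nested group, 8 leaves
}
SERVICE_GROUPS: Dict[str, List[str]] = {
    "WEB_PORTS": ["tcp/80", "tcp/443", "tcp/8080", "tcp/8443"],
}

Rule = Tuple[str, str, str]  # (source, destination, service)


def resolve(name: str, groups: Dict[str, List[str]]) -> List[str]:
    """Return the leaf members of a group, flattening nested groups.
    A name that is not a group (e.g. 'any' or a literal host) is itself a leaf."""
    if name not in groups:
        return [name]
    leaves: List[str] = []
    for member in groups[name]:
        leaves.extend(resolve(member, groups))
    return leaves


def expand_ace(ace: Dict[str, str]) -> List[Rule]:
    """Expand one ACE into the atomic rules the firewall must hold for it:
    the Cartesian product of the resolved source, destination and service sets."""
    sources = resolve(ace["src"], NETWORK_GROUPS)
    dests = resolve(ace["dst"], NETWORK_GROUPS)
    services = resolve(ace["svc"], SERVICE_GROUPS)
    return list(product(sources, dests, services))


def count_expanded(acl: List[Dict[str, str]]) -> int:
    """Total number of internal rules the whole access-list expands to."""
    return sum(len(expand_ace(ace)) for ace in acl)


# Constructed access-list matching the page's arithmetic: four ACEs, each
# referencing a four-host group and a four-port group, destination 'any'.
FOUR_BY_FOUR_ACL = [
    {"src": "INSIDE_HOSTS", "dst": "any", "svc": "WEB_PORTS"} for _ in range(4)
]

# Same four ACEs with the nested 8-host group as source: 8 * 4 * 4 = 128.
NESTED_ACL = [
    {"src": "ALL_HOSTS", "dst": "any", "svc": "WEB_PORTS"} for _ in range(4)
]

# Same four ACEs with a group on both source and destination:
# each ACE alone is 4 * 4 * 4 = 64 rules, so the list is 256.
BOTH_GROUPS_ACL = [
    {"src": "INSIDE_HOSTS", "dst": "BRANCH_HOSTS", "svc": "WEB_PORTS"}
    for _ in range(4)
]

if __name__ == "__main__":
    print("4 hosts x 4 ports x 4 ACEs ->", count_expanded(FOUR_BY_FOUR_ACL))
    print("8 nested hosts x 4 ports x 4 ACEs ->", count_expanded(NESTED_ACL))
    print("4 src x 4 dst x 4 ports x 4 ACEs ->", count_expanded(BOTH_GROUPS_ACL))
```

Each additional group referenced by an ACE multiplies the count rather than adding to it, which is why a modest change to a policy NAT access-list can produce a long compilation and the CPU symptoms described above.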
If you are just starting with Threat Response for the first time, use our quick start guides for Umbrella, Email Security, or Firepower. You can also check out our module configuration videos on YouTube and the in-product configuration details.
If you own AMP for Endpoints, you can manage users within the AMP dashboard. If you have other Cisco products, you can manage users at https://castle.amp.cisco.com/my/users.
Learn more about Threat Response here, or check out other FAQs here.
Threat Response is free with selected Cisco Security products. To get access, simply go to the login page for your region - NA, EU, or APJC* - and either log in or click to create an account. You can also watch this 1-minute video on creating...