This issue possibly occurs due to the presence of Cisco bug ID CSCsg63297.
Every time you add a network object associated with policy NAT, the complete access-list is compiled by the CPU.
This means that all network objects are expanded, and even a few network objects can expand exponentially. After that, optimization algorithms run in order to try to reduce the final number of rules used by the PIX.
For example, if you have four host objects, four port objects and four ACEs, you can get 4 x 4 x 4 = 64 internal rules (sometimes even more).
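The multiplication above can be checked directly by flattening the object-groups an ACE references. The script below is an added illustration, not Cisco's code or the firewall's actual compiler: it generates a constructed policy-NAT style configuration (one host group, one port group, N ACEs that reference both), parses a deliberately simplified subset of the object-group and access-list syntax, and counts the concrete rules each ACE stands for. The names HOSTS, PORTS and PNAT and the addresses are constructed; the count it reports is the raw product, so it is the lower bound the text describes, before any "sometimes even more" and before the optimizer runs.

```python
"""Estimate how many internal rules a PIX/ASA access-list expands into
once every object-group it references is flattened.

Added illustration, not Cisco's code: the config generator and the
simplified grammar (object-group network/service, access-list extended
... object-group NAME ...) are assumptions covering only the forms
constructed here.
"""
import re
from itertools import product

OBJ_GROUP_RE = re.compile(r"object-group (?:network|service) (\S+)")
MEMBER_RE = re.compile(r"\s+(?:network-object|port-object) (.+)")
ACE_RE = re.compile(r"access-list (\S+) extended (?:permit|deny) (\S+) (.*)")


def make_config(n_hosts: int, n_ports: int, n_aces: int) -> str:
    """Build a constructed config: one host group, one port group and
    n_aces ACEs that each reference both groups (names are assumptions)."""
    lines = ["object-group network HOSTS"]
    lines += [f" network-object host 10.1.1.{i + 1}" for i in range(n_hosts)]
    lines.append("object-group service PORTS tcp")
    lines += [f" port-object eq {8000 + i}" for i in range(n_ports)]
    lines += [
        f"access-list PNAT extended permit tcp object-group HOSTS "
        f"host 192.0.2.{i + 1} object-group PORTS"
        for i in range(n_aces)
    ]
    return "\n".join(lines)


def parse_object_groups(config: str) -> dict:
    """Map each object-group name to the list of its member strings."""
    groups, current = {}, None
    for line in config.splitlines():
        m = OBJ_GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            groups[current].append(m.group(1).strip())
    return groups


def expand_ace(ace_line: str, groups: dict) -> list:
    """Return every concrete (proto, field, field, ...) tuple one ACE stands for."""
    m = ACE_RE.match(ace_line)
    if not m:
        return []
    proto, tokens = m.group(2), m.group(3).split()
    fields, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "object-group":          # expands to every member of the group
            fields.append(groups[tokens[i + 1]])
            i += 2
        elif tok in ("host", "eq"):        # two-token single value
            fields.append([f"{tok} {tokens[i + 1]}"])
            i += 2
        else:                              # any, a bare address, etc.
            fields.append([tok])
            i += 1
    # Cartesian product of the fields is the flattened rule set for this ACE.
    return [(proto, *combo) for combo in product(*fields)]


def internal_rule_count(config: str) -> int:
    """Total number of flattened rules across all ACEs in the config."""
    groups = parse_object_groups(config)
    return sum(len(expand_ace(line, groups))
               for line in config.splitlines() if line.startswith("access-list"))


if __name__ == "__main__":
    for hosts, ports, aces in [(4, 4, 4), (8, 8, 8), (16, 16, 16)]:
        cfg = make_config(hosts, ports, aces)
        print(f"{hosts} hosts x {ports} ports x {aces} ACEs -> "
              f"{internal_rule_count(cfg)} internal rules")
```

Running it shows 64 rules for the 4 x 4 x 4 case from the text, 512 for 8 x 8 x 8 and 4096 for 16 x 16 x 16: doubling every group doubles the work three times over, which is why a modest-looking policy NAT change can keep the CPU busy for a long time.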
Note: If failover is configured on the firewall with a very short poll time, this can cause a false switchover.
For a workaround:
Download and upgrade the software version to 7.2(2).
Make slight changes to the NAT policies if they have a large number of ACEs.
Note: The upgrade does not fix the high CPU issue. The CPU is still high during compilation of access-lists. The fix is to avoid the CPU-hog messages and watchdog timeout.