Showing results for 
Search instead for 
Did you mean: 

When an entry is added or removed in the object-group high CPU load is displayed on PIX Firewall with software version 7.2.1(24)


Core issue

This issue possibly occurs due to the presence of Cisco bug ID CSCsg63297.

Every time you add an network object associated with policy nat, the complete access-list is compiled by the CPU.

This means that all network objects are expanded and few network objects can possibly expand exponentially. After that, optimization algorithms run in order to try to reduce the final number of rules for use by the PIX.

For example, if you have four host objects, four port objects and four ACEs, you can get 4.4.4 = 64 internal rules (sometimes even more).

Note: If failover is configured on the firewall with a very short poll time, this possibly causes false switchover.


For a workaround,

  1. Download and upgrade the software version to 7.2(2).

  2. Make slight changes to the NAT policies if it has large number of ACEs.

Note: The upgrade does not fix the high CPU issue. The cpu is still high during compilation of access-lists. The fix is to avoid the cpu-hog-messages and watchdog timeout.