TCC_2

Core issue

This issue (high CPU, CPU hog messages and watchdog timeouts while access-lists are compiled) is possibly caused by Cisco bug ID CSCsg63297.

Every time you add a network object that is used by policy NAT, the firewall recompiles the complete access-list.

This means that every network object is expanded, and even a few network objects can expand exponentially. After the expansion, optimization algorithms run to try to reduce the final number of rules that the PIX uses.

For example, with four host objects, four port objects, and four ACEs that reference both groups, you can get 4 x 4 x 4 = 64 internal rules (sometimes even more).
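The expansion described above, as an added example (constructed Python; it is not Cisco's code and does not model the real PIX compiler): it parses a small, constructed PIX-style configuration with one network object-group of four hosts, one service object-group of four ports and four ACEs that reference both, then enumerates the Cartesian product of every object-group reference in each ACE. The configuration syntax, group names and addresses are assumptions for illustration, and the script stops at the expansion step; the firewall additionally runs optimization passes that are not modelled here.

```python
"""Enumerate the rules an access-list expands to when its ACEs reference
object-groups. Added illustration, not Cisco code: a toy model of the
expansion step only (no optimization pass). Config and names are constructed."""
import itertools
import re

# Constructed PIX-style snippet: 4 hosts, 4 ports, 4 ACEs referencing both groups.
SAMPLE_CONFIG = """\
object-group network SERVERS
 network-object host 10.1.1.1
 network-object host 10.1.1.2
 network-object host 10.1.1.3
 network-object host 10.1.1.4
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
 port-object eq 8080
 port-object eq 8443
access-list OUTSIDE_IN extended permit tcp any object-group SERVERS object-group WEB_PORTS
access-list OUTSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 object-group SERVERS object-group WEB_PORTS
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 object-group SERVERS object-group WEB_PORTS
access-list OUTSIDE_IN extended permit tcp 203.0.113.0 255.255.255.0 object-group SERVERS object-group WEB_PORTS
"""


def parse_object_groups(config):
    """Map object-group name -> list of member strings (e.g. 'host 10.1.1.1', 'eq 80')."""
    groups = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"object-group (?:network|service) (\S+)", line)
        if header:
            current = header.group(1)
            groups[current] = []
        elif current is not None and line.startswith(" "):
            # ' network-object host 10.1.1.1' -> 'host 10.1.1.1'
            groups[current].append(line.strip().split(" ", 1)[1])
        else:
            current = None  # any other top-level line ends the group block
    return groups


def rules_per_ace(config, groups):
    """Concrete rules each ACE contributes: the product of the referenced group sizes."""
    counts = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        tokens = line.split()
        sizes = [len(groups[tokens[i + 1]]) for i, t in enumerate(tokens) if t == "object-group"]
        n = 1
        for s in sizes:
            n *= s
        counts.append(n)
    return counts


def expand_aces(config, groups):
    """Materialise every concrete rule by substituting each object-group reference."""
    expanded = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        tokens = line.split()
        positions = [i for i, t in enumerate(tokens) if t == "object-group"]
        member_lists = [groups[tokens[i + 1]] for i in positions]
        for combo in itertools.product(*member_lists):
            out = list(tokens)
            # substitute right-to-left so earlier indexes remain valid
            for pos, member in sorted(zip(positions, combo), reverse=True):
                out[pos:pos + 2] = [member]
            expanded.append(" ".join(out))
    return expanded


def expansion_summary(config):
    """Return (number of ACEs, total expanded rules)."""
    groups = parse_object_groups(config)
    rules = expand_aces(config, groups)
    aces = sum(1 for l in config.splitlines() if l.startswith("access-list "))
    return aces, len(rules)


if __name__ == "__main__":
    g = parse_object_groups(SAMPLE_CONFIG)
    print("per-ACE rule counts:", rules_per_ace(SAMPLE_CONFIG, g))
    aces, total = expansion_summary(SAMPLE_CONFIG)
    print(f"{aces} ACEs expand to {total} internal rules")
    for r in expand_aces(SAMPLE_CONFIG, g)[:3]:
        print(" ", r)
```

Each ACE here references two groups of four members, so it contributes 4 x 4 = 16 rules and the four ACEs together give 64. Adding a third group reference of size n to an ACE multiplies its count by n again, which is the exponential growth the text refers to: the per-ACE count is the product of the sizes of every group it names, before any optimization.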


Note: If failover is configured on the firewall with a very short poll time, the CPU load during compilation can possibly cause a false switchover.

Resolution

As a workaround:

  1. Download and upgrade the software to version 7.2(2).

  2. If the policy NAT has a large number of ACEs, make slight changes to the NAT policies.

Note: The upgrade does not fix the high CPU itself; CPU usage is still high while access-lists are compiled. The fix only avoids the CPU hog messages and the watchdog timeout.
