Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Cisco: NSP

High CPU Usage on CISCO ASA 5510

  

 
Cisco nsp RSS feed   Index | Next | Previous | View Threaded


jrjahangir at yahoo

Feb 26, 2012, 1:31 AM

Post #1 of 5 (2287 views)
Permalink
High CPU Usage on CISCO ASA 5510
Dear Honorable member:


i am getting high CPU  usage on CISCO ASA 5510 nealy 90 to 95%


Here ASA information:



ASA Version 8.2(2)

ciscoasa# sh processes cpu-usage
PC         Thread       5Sec     1Min     5Min   Process
08054f7c   d59afc90     0.0%     0.0%     0.0%   block_diag
081ab92f   d59af8a0    98.8%    87.7%    90.8%   Dispatch Unit
083af4d5   d59af4b0     0.0%     0.0%     0.0%   CF OIR
08a43050   d59af2b8     0.0%     0.0%     0.0%   lina_int
08068a26   d59aecd0     0.0%     0.0%     0.0%   Reload Control Thread
08070c86   d59aead8     0.0%     0.0%     0.0%   aaa
08c53b1d   d59ae8e0     0.0%     0.0%     0.0%   UserFromCert Thread


if you have any suggestion for solved this issue please inform me.





thanks
jahangir
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


peter at rathlev

Feb 26, 2012, 2:14 AM

Post #2 of 5 (2085 views)
Permalink
Re: High CPU Usage on CISCO ASA 5510 [In reply to]
On Sun, 2012-02-26 at 01:31 -0800, Md. Jahangir Hossain wrote:
> i am getting high CPU usage on CISCO ASA 5510 nealy 90 to 95%
>
> Here ASA information:
...
> 081ab92f d59af8a0 98.8% 87.7% 90.8% Dispatch Unit

The "Dispatch Unit" does forwarding. You're probably overloading the
box. What traffic (type & rates) is running through the device? What
kind of threat-detection and/or inspection have you enabled?

--
Peter


_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


jrjahangir at yahoo

Feb 26, 2012, 2:50 AM

Post #3 of 5 (2089 views)
Permalink
Re: High CPU Usage on CISCO ASA 5510 [In reply to]
Thanks for your reply peter .


My total traffic bellow 50Mbps on Box but total connection  per second usage nearly 10000+ . I think this is the problem. What is the solution for this.


Here the information bellow:



#############

threat-detection basic-threat

#############

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect icmp error
  inspect dns





thanks
jahangir






----- Original Message -----
From: Peter Rathlev <peter [at] rathlev>
To: Md. Jahangir Hossain <jrjahangir [at] yahoo>
Cc: "cisco-nsp [at] puck" <cisco-nsp [at] puck>
Sent: Sunday, February 26, 2012 4:14 PM
Subject: Re: [c-nsp] High CPU Usage on CISCO ASA 5510

On Sun, 2012-02-26 at 01:31 -0800, Md. Jahangir Hossain wrote:
> i am getting high CPU  usage on CISCO ASA 5510 nealy 90 to 95%
>
> Here ASA information:
...
> 081ab92f  d59af8a0    98.8%    87.7%    90.8%  Dispatch Unit

The "Dispatch Unit" does forwarding. You're probably overloading the
box. What traffic (type & rates) is running through the device? What
kind of threat-detection and/or inspection have you enabled?

--
Peter
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


peter at rathlev

Feb 26, 2012, 4:53 AM

Post #4 of 5 (2068 views)
Permalink
Re: High CPU Usage on CISCO ASA 5510 [In reply to]
On Sun, 2012-02-26 at 02:50 -0800, Md. Jahangir Hossain wrote:
> My total traffic bellow 50Mbps on Box but total connection per second
> usage nearly 10000+ . I think this is the problem. What is the
> solution for this.

Lower the number of connections per second. ;-) The 5510 is rated for
9000 connections/second, so you're pushing it to the limit.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html#wp9001774

But 10k new connections per second sounds like something you shouldn't
really try to push through a firewall. Is the number within what you
would expect or is it abnormal?

...
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum client auto
> message-length maximum 512
> policy-map global_policy
> class inspection_default
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect ip-options
> inspect netbios
> inspect rsh
> inspect rtsp
> inspect skinny
> inspect esmtp
> inspect sqlnet
> inspect sunrpc
> inspect tftp
> inspect sip
> inspect xdmcp
> inspect icmp error
> inspect dns

That's a very long list of inspections. Could you maybe do without some
of these? By the way: The DNS map is preventing DNS functioning
correctly. You really should allow a message-length of 4096 bytes.

It's probably one specific type of traffic, though I'm not aware of any
way to find out which from a policy-map.

--
Peter


_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


jrjahangir at yahoo

Feb 26, 2012, 10:18 AM

Post #5 of 5 (2109 views)
Permalink
Re: High CPU Usage on CISCO ASA 5510 [In reply to]
thanks peter for your information.






----- Original Message -----
From: Peter Rathlev <peter [at] rathlev>
To: Md. Jahangir Hossain <jrjahangir [at] yahoo>
Cc: "cisco-nsp [at] puck" <cisco-nsp [at] puck>
Sent: Sunday, February 26, 2012 6:53 PM
Subject: Re: [c-nsp] High CPU Usage on CISCO ASA 5510

On Sun, 2012-02-26 at 02:50 -0800, Md. Jahangir Hossain wrote:
> My total traffic bellow 50Mbps on Box but total connection  per second
> usage nearly 10000+ . I think this is the problem. What is the
> solution for this.

Lower the number of connections per second. ;-) The 5510 is rated for
9000 connections/second, so you're pushing it to the limit.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html#wp9001774

But 10k new connections per second sounds like something you shouldn't
really try to push through a firewall. Is the number within what you
would expect or is it abnormal?

...
> policy-map type inspect dns preset_dns_map
>  parameters
>  message-length maximum client auto
>  message-length maximum 512
> policy-map global_policy
>  class inspection_default
>  inspect ftp
>  inspect h323 h225
>  inspect h323 ras
>  inspect ip-options
>  inspect netbios
>  inspect rsh
>  inspect rtsp
>  inspect skinny 
>  inspect esmtp
>  inspect sqlnet
>  inspect sunrpc
>  inspect tftp
>  inspect sip 
>  inspect xdmcp
>  inspect icmp error
>  inspect dns

That's a very long list of inspections. Could you maybe do without some
of these? By the way: The DNS map is preventing DNS functioning
correctly. You really should allow a message-length of 4096 bytes.

It's probably one specific type of traffic, though I'm not aware of any
way to find out which from a policy-map.

--
Peter
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Cisco nsp RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.