jrjahangir at yahoo
Feb 26, 2012, 10:18 AM
Post #5 of 5
Thanks Peter for your information.
----- Original Message -----
From: Peter Rathlev <peter [at] rathlev>
To: Md. Jahangir Hossain <jrjahangir [at] yahoo>
Cc: "cisco-nsp [at] puck" <cisco-nsp [at] puck>
Sent: Sunday, February 26, 2012 6:53 PM
Subject: Re: [c-nsp] High CPU Usage on CISCO ASA 5510
On Sun, 2012-02-26 at 02:50 -0800, Md. Jahangir Hossain wrote:
> My total traffic below 50Mbps on Box but total connection per second
> usage nearly 10000+. I think this is the problem. What is the
> solution for this?
Lower the number of connections per second. ;-) The 5510 is rated for
9000 connections/second, so you're pushing it to the limit.
But 10k new connections per second sounds like something you shouldn't
really try to push through a firewall. Is the number within what you
would expect or is it abnormal?
> policy-map type inspect dns preset_dns_map
>  message-length maximum client auto
>  message-length maximum 512
> policy-map global_policy
>  class inspection_default
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect ip-options
>   inspect netbios
>   inspect rsh
>   inspect rtsp
>   inspect skinny
>   inspect esmtp
>   inspect sqlnet
>   inspect sunrpc
>   inspect tftp
>   inspect sip
>   inspect xdmcp
>   inspect icmp error
>   inspect dns
That's a very long list of inspections. Could you maybe do without some
of these? By the way: The DNS map is preventing DNS functioning
correctly. You really should allow a message-length of 4096 bytes.
It's probably one specific type of traffic, though I'm not aware of any
way to find out which from a policy-map.
cisco-nsp mailing list cisco-nsp [at] puck
archive at http://puck.nether.net/pipermail/cisco-nsp/
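As an added example (not from the thread, and not Cisco code), the Python audit below parses an ASA policy-map fragment like the one quoted above, flags any DNS inspection map whose message-length maximum is below the 4096 bytes Peter recommends, lists the inspections enabled in global_policy so the list can be reviewed, and rewrites the limit. The sample config is constructed from the thread's lines; the `parameters` sub-mode line and the explicit `preset_dns_map` binding on `inspect dns` are assumptions about the full ASA syntax.

```python
import re
RECOMMENDED_DNS_LENGTH = 4096  # the message-length suggested in the reply

# Constructed sample built from the config quoted in the thread; the "parameters"
# line and the preset_dns_map binding on "inspect dns" are assumed ASA syntax.
WEAK_CONFIG = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect sip
  inspect icmp error
  inspect dns preset_dns_map
"""

def parse_policy_maps(config):
    """Map each policy-map name to its indented body lines (whitespace stripped)."""
    maps, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # top-level statement: start or end a map
            m = re.match(r"policy-map (?:type inspect \w+ )?(\S+)", line)
            current = maps.setdefault(m.group(1), []) if m else None
        elif current is not None:
            current.append(line.strip())
    return maps

def audit(config):
    """Report DNS maps with a short message-length and the inspections enabled."""
    maps = parse_policy_maps(config)
    short_dns = []
    for name, body in maps.items():
        for entry in body:
            m = re.match(r"message-length maximum (\d+)$", entry)
            if m and int(m.group(1)) < RECOMMENDED_DNS_LENGTH:
                short_dns.append((name, int(m.group(1))))
    inspections = [e.split()[1] for e in maps.get("global_policy", [])
                   if e.startswith("inspect ")]
    return {"short_dns_maps": short_dns, "inspections": inspections}

def fix_dns_length(config):
    """Raise every numeric message-length maximum to the recommended value."""
    return re.sub(r"(message-length maximum )\d+$",
                  lambda m: m.group(1) + str(RECOMMENDED_DNS_LENGTH),
                  config, flags=re.M)
```

Running `audit(WEAK_CONFIG)` reports `preset_dns_map` at 512 bytes; after `fix_dns_length` the same audit returns no short DNS maps while the `client auto` line is left untouched.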