PIX 515 Problem

Mar 22nd, 2007

We have a PIX 515 with 7.0(2) and are having an intermittent problem. Four VPN tunnels are configured and internet traffic also passes through this PIX.


Currently the PIX is very slow. If I ping the inside interface, the ping response varies between 50 and 100 ms, and the latency to internet sites is also high.


If the traffic is zero, the ping response is normal (~1 ms) and the PIX behaves normally.


Is it related to any hardware issue or a bug with image 7.0(2)?

allcastr Thu, 03/22/2007 - 06:01

Hello,


Have you checked for any errors that you might be getting on your interfaces?


By using the "show interface" command you will be able to see this.


Thx

ckuriyar74 Thu, 03/22/2007 - 06:08

Interface Ethernet1 "inside", is up, line protocol is up

Hardware is i82559, BW 100 Mbps

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

MAC address 0003.6bf6.a3a2, MTU 1500

IP address 10.140.0.14, subnet mask 255.255.254.0

29370012 packets input, 1984214767 bytes, 0 no buffer

Received 3507 broadcasts, 0 runts, 0 giants

21466 input errors, 0 CRC, 0 frame, 21466 overrun, 0 ignored, 0 abort

29480501 packets output, 3299878690 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (120/278)

output queue (curr/max blocks): hardware (0/66) software (0/1)

Received 29357386 VLAN untagged packets, 1567411547 bytes

Transmitted 29491353 VLAN untagged packets, 2606638316 bytes

Dropped 27792162 VLAN untagged packets


I observed that the CPU has gone as high as 99%. Does it look like a virus?


If it is a virus attack, how can I resolve the issue?


Thx

Chandru

allcastr Thu, 03/22/2007 - 06:12

Hello,


I can see that you are getting the following:


21466 input errors, 0 CRC, 0 frame, 21466 overrun, 0 ignored, 0 abort


When you see this large a number of input errors, it means that you have a duplex mismatch or a faulty cable, and the packet overruns mean that the interface is handling more traffic than it can.


A good way to see if there is a virus on any of your computers would be to use the "show local-host" command and see if any of your current PCs are generating an excessive amount of connections.


I hope this helps
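
An added example (not part of the thread and not Cisco code) that separates overrun-type input errors from CRC/frame errors in the posted counters, and compares two snapshots because the counters are cumulative. The second snapshot, the 60-second interval and all function names are constructed for illustration.

```python
import re

# First snapshot: counters copied from the "show interface" output in this thread.
SNAP_1 = """\
29370012 packets input, 1984214767 bytes, 0 no buffer
21466 input errors, 0 CRC, 0 frame, 21466 overrun, 0 ignored, 0 abort
"""
# Second snapshot: constructed values, as if taken 60 seconds later.
SNAP_2 = """\
29430012 packets input, 1990214767 bytes, 0 no buffer
21766 input errors, 0 CRC, 0 frame, 21766 overrun, 0 ignored, 0 abort
"""

LABELS = ("packets input", "no buffer", "input errors", "CRC", "frame", "overrun")

def parse_counters(text):
    """Extract the cumulative input-side counters from 'show interface' text."""
    found = {}
    for label in LABELS:
        m = re.search(r"(\d+) " + re.escape(label) + r"\b", text)
        if m is None:
            raise ValueError("counter not found: " + label)
        found[label] = int(m.group(1))
    return found

def classify(c):
    """Say which kind of input error dominates a counter set (snapshot or delta)."""
    if c["input errors"] == 0:
        return "clean"
    if c["CRC"] or c["frame"]:
        return "physical"      # damaged frames: cable, port or duplex
    if c["overrun"] or c["no buffer"]:
        return "overload"      # frames arrived faster than they were serviced
    return "other"

def delta(before, after):
    """Counters are cumulative, so only the difference shows current behaviour."""
    d = {k: after[k] - before[k] for k in LABELS}
    if any(v < 0 for v in d.values()):
        raise ValueError("counters went backwards (cleared or wrapped)")
    return d

def overruns_per_million(c):
    return 0.0 if c["packets input"] == 0 else 1e6 * c["overrun"] / c["packets input"]

if __name__ == "__main__":
    first, second = parse_counters(SNAP_1), parse_counters(SNAP_2)
    recent = delta(first, second)
    print(classify(first), round(overruns_per_million(first)))
    print(classify(recent), round(overruns_per_million(recent)))
```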

allcastr Thu, 03/22/2007 - 06:19

You can also take a look at the show process command output and see which process on the firewall is being used the most.


On the inside interface you have configured the duplex setting as well as the speed setting to AUTO. Try to hard code the duplex mode and setting to full duplex and see if you would get any different results.


You can clear the counters on the interfaces by using the "clear interface" command.

ckuriyar74 Thu, 03/22/2007 - 06:31

I tried changing the cable but I still see the errors.


I have a backup firewall, and if I move the internet traffic to it the CPU % remains constant at 20% and I don't see any problem with the backup firewall.


After I move the traffic, the PIX which is giving the problem behaves normally and the CPU remains constant at 2%.


Can you help me with what could be causing the problem of high CPU?

allcastr Thu, 03/22/2007 - 06:33

Could you post a show tech from the firewall?

allcastr Thu, 03/22/2007 - 07:28

The two processes taking the most CPU usage are:


Mrd 001dbdc6 01212460 00db9fe0 7665080 0120e508 11428/16384 Dispatch Unit


Mrd 009da86f 012b5cc0 00db9fe0 3968310 012b3d48 6632/8192 Logger


Logger, as the name implies, is used for logging. Try disabling logging completely on the firewall to see if the CPU usage would go down.

The Dispatch Unit process is used for application inspection.

Can you try disabling the inspection for HTTP and see what results you would get?

ckuriyar74 Thu, 03/22/2007 - 07:49

Hi Allan,


I tried disabling the logging option and the CPU has come down to 49%. I will try removing inspect HTTP and will observe the utilization.


Thanks for your tips.

allcastr Thu, 03/22/2007 - 07:54

Great!


Keep me posted on how that goes.


Thanks!

ckuriyar74 Thu, 03/22/2007 - 23:51

If I remove the inspection http option the CPU util remains constant around 48%.


Earlier the average CPU util was 20% and it suddenly increased to 99% after Saturday morning, i.e. 17th March.


Could the US DST settings have caused this issue, as I have not updated them in my PIX?

ckuriyar74 Fri, 03/23/2007 - 03:13

Hi Allan,


Glenn asked me to upgrade the IOS to 7.0(6), but the CPU load remains the same.


If I enable the logging again, the load reaches 99%. This config has been there since the PIX was configured, but the load suddenly rose from 17th March.


I checked and no PCs in the network are affected by a virus.


I am surprised how it can suddenly go to 99% CPU.

allcastr Fri, 03/23/2007 - 05:29

When you have logging enabled at level 7, it takes a lot of resources from the PIX. It is always advised to use this logging level just for troubleshooting purposes and not for day-to-day monitoring.
