High CPU on ASA5520

Jun 14th, 2007

We migrated our old Borderware firewall to a Cisco ASA 5520 and noticed the CPU on it is always over 30% and sometimes over 60%/70%. I was wondering if there is anything I can do to improve performance and resolve this issue.

The interfaces look okay and we have about a 15 MB internet pipe, so it's not a heavy-usage configuration. It also has 51 3DES site-to-site VPN tunnels. I am thinking about enabling the CSC module and starting to scan http/email, but I am not sure if I should go forward with that until I resolve the CPU issue.

Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)

Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"

catoactive up 5 days 14 hours
failover cluster up 7 days 3 hours

Hardware: ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0 : address is 0019.0665.6964, irq 9
1: Ext: GigabitEthernet0/1 : address is 0019.0665.6965, irq 9
2: Ext: GigabitEthernet0/2 : address is 0019.0665.6966, irq 9
3: Ext: GigabitEthernet0/3 : address is 0019.0665.6967, irq 9
4: Ext: Management0/0 : address is 0019.0665.6968, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2

This platform has an ASA 5520 VPN Plus license.

Serial Number:
Running Activation Key: 0xb9012b61 Configuration register is 0x1
Configuration last modified by sysadmin at 17:18:14.257 PDT Wed Jun 13 2007

1cmerchant Fri, 06/15/2007 - 12:43

Do you have large ACLs applied to the interfaces? If so it might be worth checking which lines are getting the most hits and re-writing the ACLs so the most 'active' items are listed first, etc.

Just a thought,

Carl
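One way to do the check Carl describes, as an added example that is not part of this thread or of any Cisco tool: it parses the per-line `(hitcnt=N)` counters that the ASA prints in `show access-list` output, ranks the ACEs by hits, and flags lines that are hotter than everything above them, together with any earlier deny lines they would have to move past (those need an overlap check, since moving a permit above a deny that matches some of the same traffic changes the policy). The ACL name, addresses and counters in the sample are constructed; the parser assumes extended ACL lines in the format shown.

```python
import re

# Constructed sample of ASA "show access-list" output (assumption: extended ACL
# lines in this format); the counters are made up to illustrate the point.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list outside_in; 4 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 extended deny ip 10.0.0.0 255.0.0.0 any (hitcnt=12) 0x1111aaaa
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq www (hitcnt=48213) 0x2222bbbb
access-list outside_in line 3 extended permit tcp any host 192.0.2.10 eq https (hitcnt=30511) 0x3333cccc
access-list outside_in line 4 extended deny ip any any log (hitcnt=5) 0x4444dddd
"""

# One ACE per line: ACL name, line number, the rule text, and its hit counter.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)"
)

def parse_hitcounts(text):
    """Return [(acl, line, rule, hits), ...] for every ACE line in the output."""
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if m:
            entries.append((m["acl"], int(m["line"]), m["rule"], int(m["hits"])))
    return entries

def rank_by_hits(entries):
    """Most-hit ACEs first: the lines the firewall matches most often."""
    return sorted(entries, key=lambda e: e[3], reverse=True)

def reorder_candidates(entries):
    """ACEs with more hits than every ACE above them in the same ACL.

    Each result carries the earlier 'deny' line numbers it would move past;
    check those for overlapping matches before actually reordering.
    """
    candidates = []
    seen = {}  # acl -> [(line, rule, hits)] in ACL order
    for acl, line, rule, hits in sorted(entries, key=lambda e: (e[0], e[1])):
        above = seen.setdefault(acl, [])
        if above and hits > max(h for _, _, h in above):
            denies = [l for l, r, _ in above if r.split()[1] == "deny"]
            candidates.append((acl, line, hits, denies))
        above.append((line, rule, hits))
    return candidates

if __name__ == "__main__":
    aces = parse_hitcounts(SAMPLE_SHOW_ACCESS_LIST)
    for acl, line, rule, hits in rank_by_hits(aces):
        print(f"{hits:>8}  {acl} line {line}: {rule}")
    for acl, line, hits, denies in reorder_candidates(aces):
        print(f"line {line} ({hits} hits) could move up; check overlap with deny lines {denies}")
```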

ciscoforumuser Tue, 06/19/2007 - 09:00

The Cisco TAC is saying that it's normal for the ASA CPU to run around 30%. Since last night the CPU usage is about 1-5% and nothing has changed since yesterday, so it does not make sense. This has to be a bug or something.

JBDanford2002 Tue, 06/19/2007 - 09:52

Are you having a high connection rate? (sh conn count) You said 51 site-to-site tunnels. If you do a "sh cry isa sa", what state are the crypto tunnels in? QM_IDLE? MM key exchange? Post your connection count when this happens again and an example of some of the connections (block out IPs of course).

ciscoforumuser Tue, 06/19/2007 - 10:08

Here is sh conn count with CPU about 30%:

sh conn count
1469 in use, 2974 most used

Type : L2L Role : initiator

Here are the sh cry results; most of them are in MM_ACTIVE state. Most of our tunnels are rarely used (less than a few pages of printout).

sh cry isa sa
Active SA: 48
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 48

1 IKE Peer: x.x.x.x Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

I will keep checking conn counts when the CPU peaks again. Thanks for your help.
