ASA CPU peaks

Apr 21st, 2009

Two questions really.

Q1. What is a safe peak for a cluster (Active/Standby) pair of ASA 5520s?

During different times of the day, I can see major peaks that push the ASA cluster into the high 80s and low 90s in % utilization.

Q2. To combat these peaks, I've tried lowering the logging, turning off Inspections and even clustering rules so the list of ACLs is shorter for the ASA to run through for each lookup. None of these have made a measurable impact on CPU peaks. Any ideas what else I can do to save CPU time?


huangedmc Thu, 04/23/2009 - 03:38

Not sure what the official recommendation is from Cisco, but I don't want my ASA CPU to go over 50% on average.

Our ASA5550s average 5% of CPU usage.

It should be ok to go above that from time to time though.

How long did each 80 - 90% peak last?

If it's just a few minutes I think you should be ok.

If it's constant you'll probably need to upgrade to a 5550 or 5580.

If 5580 doesn't even cut it in your evaluation, then you may need to go w/ Juniper or Palo Alto Networks...Cisco's great for their feature sets, but unfortunately you can't push as much traffic through their devices...either firewall or switches.

Anyone from Cisco reading this post...why do you guys under-engineer your products all the time?

This should go to the Security forum and not Application by the way.

maratkinson Thu, 04/23/2009 - 05:12

Thanks! I immediately reposted it in the Security section and tried to delete this one in Application.

As for the peaks, they last for 3-5 minutes each day at specific times that are predictable. If the application responsible for these peaks is not redesigned soon, we predict those 450Meg/s peaks will be pushed upwards to 6.1Gig/s. So the 5580-40 would do the job with its 10Gig ceiling, but at quite a $$ cost!

