FWSM 3.2(7)

Answered Question
Jun 8th, 2009

We noticed high CPU utilization after we migrated some services to this firewall. I am wondering if we are hitting a bug. We are also wondering if we need to turn off some inspect commands; here are the ones that we have turned on:

inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp



Last question: how do I check which processes are eating a lot of CPU on the FWSM?



Correct Answer by Kureli Sankar about 7 years 11 months ago

I had asked earlier if you were doing the following:


snmp-server enable traps syslog


Pls. remove just the above line.


CSCsl12334 - Pls. refer to this defect here:

http://tools.cisco.com/Support/BugToolKit/



Kureli Sankar Mon, 06/08/2009 - 11:42
Cisco Employee

Pls. upload two "sh proc" outputs about 3 min. apart.


I can get a diff and let you know which process is taking a lot of the CPU cycles.

Kureli Sankar Mon, 06/08/2009 - 12:04
Cisco Employee

Here are the top 5:


snmp 1095097
Dispatch Unit 90950
Logger 59202
snp_timer_thread 53529
syslog_entry 6027



Dispatch unit is just purely packet processing. Try to turn off snmp and see if it goes down.
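The method used above (two `show processes` snapshots a few minutes apart, then a diff of the per-process Runtime column) can be scripted so the ranking is repeatable. The script below is an added example, not code from this thread or from Cisco. The column layout it parses (Mode, PC, SP, STATE, Runtime, SBASE, Stack, Process) is assumed from the ASA/FWSM `show processes` format, and the two snapshots are constructed, not real device output; their deltas are chosen to reproduce the top-5 figures quoted in the post.

```python
import re
from typing import Dict, List, Tuple

# One process row of FWSM/ASA "show processes" output. Column layout assumed:
#   Mode  PC  SP  STATE  Runtime  SBASE  Stack  Process
# Runtime is cumulative CPU time, so the useful number is the delta between
# two snapshots, not the absolute value. Process names may contain spaces
# ("Dispatch Unit"), so the name is whatever follows the Stack column.
PROC_ROW = re.compile(
    r"^\S+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+"
    r"(?P<runtime>\d+)\s+0x[0-9a-fA-F]+\s+\d+/\d+\s+(?P<name>.+?)\s*$"
)

# Constructed snapshots (not real device output), taken ~3 minutes apart.
SNAP_A = """\
    PC       SP       STATE       Runtime    SBASE     Stack Process
Mrd 0x00129fa5 0x02bb7e4c 0x00b6bfc0    84209330 0x02bb7000 3512/4096 Dispatch Unit
Lwe 0x0043b9a1 0x02e1c7f4 0x00b6ba70     9831226 0x02e1b910 3360/4096 Logger
Lsi 0x0050a2d3 0x02f0a6a4 0x00b6ba70     2104471 0x02f09810 3204/4096 snp_timer_thread
Mwe 0x0061cc12 0x0301e0b4 0x00b6ba70    51230441 0x0301d910 2888/4096 snmp
Lwe 0x0012dfd5 0x02b9a7a4 0x00b6ba70      744125 0x02b99910 3744/4096 syslog_entry
Lwe 0x0012e0a1 0x02b9c7a4 0x00b6ba70         118 0x02b9b910 3744/4096 block_diag
"""

SNAP_B = """\
    PC       SP       STATE       Runtime    SBASE     Stack Process
Mrd 0x00129fa5 0x02bb7e4c 0x00b6bfc0    84300280 0x02bb7000 3512/4096 Dispatch Unit
Lwe 0x0043b9a1 0x02e1c7f4 0x00b6ba70     9890428 0x02e1b910 3360/4096 Logger
Lsi 0x0050a2d3 0x02f0a6a4 0x00b6ba70     2158000 0x02f09810 3204/4096 snp_timer_thread
Mwe 0x0061cc12 0x0301e0b4 0x00b6ba70    52325538 0x0301d910 2888/4096 snmp
Lwe 0x0012dfd5 0x02b9a7a4 0x00b6ba70      750152 0x02b99910 3744/4096 syslog_entry
Lwe 0x0012e0a1 0x02b9c7a4 0x00b6ba70         121 0x02b9b910 3744/4096 block_diag
"""


def parse_show_proc(text: str) -> Dict[str, int]:
    """Map process name -> cumulative Runtime from one 'show processes' dump."""
    runtimes: Dict[str, int] = {}
    for line in text.splitlines():
        m = PROC_ROW.match(line)
        if m:
            # Sum rows that share a name (several threads of one process).
            runtimes[m["name"]] = runtimes.get(m["name"], 0) + int(m["runtime"])
    return runtimes


def top_consumers(before: str, after: str, n: int = 5) -> List[Tuple[str, int]]:
    """Runtime consumed per process between two snapshots, largest first.

    A process present only in the later snapshot counts from zero; a process
    whose counter went backwards (reload between snapshots) is skipped.
    """
    a, b = parse_show_proc(before), parse_show_proc(after)
    deltas = {name: b[name] - a.get(name, 0) for name in b}
    ranked = sorted(
        ((name, d) for name, d in deltas.items() if d >= 0),
        key=lambda kv: kv[1],
        reverse=True,
    )
    return ranked[:n]


def share_of_total(before: str, after: str, name: str) -> float:
    """Fraction (0..1) of all runtime growth between the snapshots taken by one process."""
    deltas = dict(top_consumers(before, after, n=10**6))
    total = sum(deltas.values())
    return deltas.get(name, 0) / total if total else 0.0


if __name__ == "__main__":
    for name, delta in top_consumers(SNAP_A, SNAP_B):
        print(f"{name:20s} {delta:10d}")
    print(f"snmp share of growth: {share_of_total(SNAP_A, SNAP_B, 'snmp'):.0%}")
```

Take the two snapshots while the CPU is actually high (check `show cpu usage` first); a diff taken during a quiet period ranks whatever happens to be idle-polling, not the culprit. With the constructed numbers, snmp accounts for roughly 84% of the runtime growth, which is the same conclusion the post draws from its top-5 list.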



hbenaouich Mon, 06/08/2009 - 12:06

I won't be able to turn off snmp as this box is in production and it will generate a lot of alarms. Can you advise if this is a bug?

Kureli Sankar Mon, 06/08/2009 - 12:51
Cisco Employee

Not that I can see. What are you sending to the snmp host? syslog? If so when you see a traffic spike this will go up as well.


issue sh local | i host|count/limit


Collect the output to a text file and parse through it to see if any one or more hosts have established many TCP or UDP connections. This could indicate an infected host.


When did you notice the cpu spike?

What is the normal cpu that you are used to seeing?

What changes were made prior to the cpu spike?


issue "sh np blocks" and see if the counters are incrementing.
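The "collect the output to a text file and parse through it" step above is the kind of thing worth keeping as a script, since the interesting host is rarely the first one in the list. The following Python is an added example, not code from this thread or from Cisco. The line shapes it parses (`local host: <ip>,`, `TCP/UDP flow count/limit = n/limit`, `TCP embryonic count to/from host = n`) are assumed from the ASA/FWSM `show local-host` format after the `| include host|count/limit` filter used in the thread; the sample output and the thresholds (500 flows, 80% of a per-host limit, 100 half-open connections) are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line shapes assumed from ASA/FWSM "show local-host" output. The
# "| include host|count/limit" filter keeps the "local host:" line, both
# "embryonic count ... host" lines and both "flow count/limit" lines.
HOST_RE = re.compile(r"^local host:\s*<(?P<ip>[^>]+)>")
FLOW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP) flow count/limit\s*=\s*(?P<count>\d+)/(?P<limit>\d+|unlimited)"
)
EMB_RE = re.compile(r"^\s*TCP embryonic count (?P<dir>to|from) host\s*=\s*(?P<count>\d+)")

# Constructed sample (not the poster's real output).
SAMPLE = """\
local host: <10.20.30.40>,
    TCP flow count/limit = 12/unlimited
    TCP embryonic count to host = 0
    TCP embryonic count from host = 0
    UDP flow count/limit = 3/unlimited
local host: <10.20.30.77>,
    TCP flow count/limit = 1842/2000
    TCP embryonic count to host = 4
    TCP embryonic count from host = 211
    UDP flow count/limit = 965/unlimited
local host: <10.20.30.91>,
    TCP flow count/limit = 30/unlimited
    TCP embryonic count to host = 0
    TCP embryonic count from host = 2
    UDP flow count/limit = 620/unlimited
local host: <10.20.30.12>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP embryonic count from host = 0
    UDP flow count/limit = 41/unlimited
"""


@dataclass
class HostConns:
    ip: str
    tcp: int = 0
    tcp_limit: Optional[int] = None   # None means "unlimited"
    udp: int = 0
    udp_limit: Optional[int] = None
    embryonic_from: int = 0           # half-open TCP connections this host initiated

    @property
    def total(self) -> int:
        return self.tcp + self.udp

    def near_limit(self, fraction: float) -> bool:
        """True if TCP or UDP flows are at or above `fraction` of a configured limit."""
        for count, limit in ((self.tcp, self.tcp_limit), (self.udp, self.udp_limit)):
            if limit is not None and count >= fraction * limit:
                return True
        return False


def parse_local_host(text: str) -> Dict[str, HostConns]:
    """Group the filtered 'show local-host' lines by host address."""
    hosts: Dict[str, HostConns] = {}
    current: Optional[HostConns] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m["ip"], HostConns(m["ip"]))
            continue
        if current is None:
            continue   # counters before any "local host:" line belong to nobody
        m = FLOW_RE.match(line)
        if m:
            limit = None if m["limit"] == "unlimited" else int(m["limit"])
            if m["proto"] == "TCP":
                current.tcp, current.tcp_limit = int(m["count"]), limit
            else:
                current.udp, current.udp_limit = int(m["count"]), limit
            continue
        m = EMB_RE.match(line)
        if m and m["dir"] == "from":
            current.embryonic_from = int(m["count"])
    return hosts


def suspicious_hosts(text: str, flow_threshold: int = 500, limit_fraction: float = 0.8,
                     embryonic_threshold: int = 100) -> List[Tuple[str, int, List[str]]]:
    """(ip, total flows, reasons) for hosts worth a closer look, busiest first."""
    flagged = []
    for h in parse_local_host(text).values():
        reasons = []
        if h.total >= flow_threshold:
            reasons.append("many-flows")      # fan-out typical of worms / scanners
        if h.near_limit(limit_fraction):
            reasons.append("near-limit")      # about to be throttled by the per-host limit
        if h.embryonic_from >= embryonic_threshold:
            reasons.append("half-open")       # many SYNs without completed handshakes
        if reasons:
            flagged.append((h.ip, h.total, reasons))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for ip, total, reasons in suspicious_hosts(SAMPLE):
        print(f"{ip:16s} {total:6d} flows  {', '.join(reasons)}")
```

A host that trips "half-open" is a stronger signal than one that merely has many flows: a busy server legitimately holds thousands of established connections, but a large count of embryonic connections initiated from the host is what a scanner or a mail worm looks like from the firewall's side.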



hbenaouich Mon, 06/08/2009 - 13:31

sh local | i host|count/limit --> this command didn't show any suspicious infected host. show np blocks is not showing counters being incremented.

We noticed the CPU spike just after migrating servers from an old DMZ to a new DMZ. Normal CPU is 3-5%; no changes were made prior to that.


I just noticed that show traffic summary is showing a lot of bytes in and out. Do you think inspect dns might have something to do with this?

Kureli Sankar Mon, 06/08/2009 - 13:36
Cisco Employee

sh service-policy


should show you if dns inspection is dropping packets.


You can certainly remove dns, netbios and smtp inspections.


Clear traffic and then issue sh traffic and see which interface is seeing the most traffic.



hbenaouich Mon, 06/08/2009 - 13:44

show service-policy doesn't show dropped packets:


Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 12637231, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 63, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0



Question:


If I remove inspect dns will it have an impact anyhow on production traffic?



Kureli Sankar Mon, 06/08/2009 - 14:25
Cisco Employee

No there will NOT be any impact on dns traffic. No worries.


Seems like a lot of dns packets.


Are all your mail servers configured for proper DNS ip addresses that are active (alive and well)?


Pls. verify.

hbenaouich Mon, 06/08/2009 - 14:27

Thanks a lot for your help!


I will try that and will let you know!

hbenaouich Tue, 06/09/2009 - 17:31

The inspect dns is not the one causing high CPU. I removed snmp and CPU dropped from 25% to 8%. I am wondering if this is a bug. I also noticed that after removing snmp the firewall stopped processing traffic and we noticed a dip in traffic; see the attached files.


