High CPU, load inspection load

Unanswered Question
Jul 1st, 2009

Hi everyone

We are busy evaluating an ASA5520 + AIP-SSM-20, and are noticing that if we push 30mbit through the firewall, the CPU goes up to about 70%. I'm talking about a single FTP transfer. The inspection load, however, stays below 10%.

We are not using any custom signatures at this stage, and have a reasonably standard configuration. Cisco quote 375MBps for the device, but at this rate, I cannot see it pushing 50 - what can we possibly look for that could be causing the high CPU?

Thanks

rudenko.alexander Wed, 07/01/2009 - 04:12

Hello.

First of all, you should understand that the CPU is not a good way of measuring the sensor utilization any longer. This is because development has programmed the sensor to grab resources from the Linux system.

The better way to measure the sensor load is to look at Inspection load. This will give you a better feel for how your sensor is loaded.

Next is the widespread misunderstanding of how to measure the sensor's throughput. It's not a good test to run only one flow through the sensor for a bandwidth test. The SSM is designed to aggregate the throughput. It will change the behaviour of your single downloads. A better test would be to have more than 20 users downloading at once and see what the aggregate download speed is.

Regards,

osiristrading Wed, 07/01/2009 - 09:48

Thanks for the reply. We are concerned as to whether or not high CPU (i.e. hitting 100%) is going to slow down traffic or drop packets.

abinjola Thu, 07/02/2009 - 00:14

The E3 changes included a fix to a problem with high latency during low traffic loads. The fix was to have sensorApp check the packet buffers on the driver more often. So the packet could be pulled off the driver queue quicker for analysis instead of waiting for the driver to fill the queue before passing it to sensorApp. This increased checking caused a corresponding increase in cpu usage.

This may or may not be what you are seeing in your cpu usage statistics since E3.

If you are not seeing any packet drops on the interfaces, then there is a good chance that you are just seeing the increased checking of packet buffers.

So 100% CPU would not result in blocking the traffic until processing load percentage, memory, show stat vs0, show interface does not show any huge packet drops

hth

rudenko.alexander Thu, 07/02/2009 - 04:43

Also, when you are making your test, you have to look at how many signatures are enabled, because all enabled signatures can have an effect on the fall in bandwidth and high CPU.

And lastly, you should expect about 70% of our advertised throughput in terms of aggregate download in a real life environment.

routercpu Thu, 07/30/2009 - 08:09

How do you look at the inspection load? Is there a specific CLI command on the sensor?

Thanks

rudenko.alexander Thu, 07/30/2009 - 09:45

From the GUI, you would click on “sensor health” details to the bottom right of the gauge and look at inspection load.

Regards,
