high CPU on AIP-SSM-20

Nov 1st, 2009

Dear Experts!

We have several AIP-SSM-20s on the ASA, and one of the AIP-SSM-20s has been showing high CPU status since an hour ago, and it is still going on.

Another AIP-SSM-20 has a 2~20% CPU load.

Is this a normal status? Do you have the same

I have one more question: where can I find the IPS Manager Express configuration manual on the Cisco site?

I have not found a manual anywhere on the Cisco site for the IPS configuration.

I really appreciate any help.



CPU Statistics
Usage over last 5 seconds = 97
Usage over last minute = 93
Usage over last 5 minutes = 72

Memory Statistics
Memory usage (bytes) = 1026400256
Memory free (bytes) = 1067204608


Leeyoungsoo Mon, 11/02/2009 - 00:55

Thanks for your reply!

Yes, you're right, there are a lot of packets going through the IPS.

Is it possible to find on the IME which IP address is generating the packets?

Thanks again!


andrey.dugin Mon, 11/02/2009 - 01:30

Analyze the events for the time of high CPU utilization and see if there were alarms for some flood, for example a DNS flood, SYN flood, etc.

Leeyoungsoo Mon, 11/02/2009 - 20:57

Dear Andrey!

Thanks for your reply.

I have found a lot of attacks of TCP SYN HOST

Is it related to the high CPU on the IPS?

Thanks for any help.

andrey.dugin Tue, 11/03/2009 - 02:12

Maybe.

If this attack was absent at the time of normal CPU load, I think that this event may cause it.

You may check it.

bnidacoc Tue, 11/03/2009 - 11:28

It is difficult to say, as I'm not seeing the exact signature.

If it is 3030/0, it is my understanding (from experience and TAC) that it is quite common for a busy host (user)/SMTP server/proxy server to fire this alarm.

It is my understanding that 3030/0 is based on the source port of the initial SYN. So an internal host initiates a TCP connection to an Internet host; its source TCP port is (for example) 1049. The IPS tracks that. The user powers off their PC at the end of the day. The next day, the user powers up the host and TCP source ports begin all over at 1024 (XP; I don't know about Vista/7). The user connects to TCP hosts on the Internet, and one of those TCP SYNs is sourced from TCP 1049. 3030/0 fires. My understanding from TAC is that the IPS module remembers this TCP communication as long as the IPS itself hasn't been rebooted. So, one may see a whole lot of 3030/0 alarms.

An SMTP server can make this fire a lot.

Potential resolution options may be: disabling 3030/0, or writing an EAF (and trying to be specific on the source host(s)).

Leeyoungsoo Tue, 11/03/2009 - 16:51

Thanks for your reply.

Yes, you're right, that Sig. ID is

In your opinion, Sig. ID 3030/0 does not cause high CPU on the IPS module?

andrey.dugin Wed, 11/04/2009 - 04:50

Sig 3030/0 fires when 15 destination hosts have been seen from 1 source host.

I don't know about your network, but usually this signature doesn't cause high CPU load.

Maybe if you have 1000 hosts generating sweeps it may cause high CPU load.

In any case, you may turn off this signature and then see if it causes high CPU utilization.
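
As an added illustration (not code from this thread, Cisco, or the IPS itself), the following Python models the host-sweep logic andrey.dugin describes for 3030/0 (one source seen talking to 15 distinct destination hosts) and the mitigation bnidacoc suggests, an EAF scoped to specific source hosts, here approximated by an exclusion list. It shows why a legitimately busy mail relay trips the same threshold as a scanning host, and why a source-specific filter suppresses the former without hiding the latter. Everything here is an assumption for illustration: the threshold of 15 comes from this thread, the sample traffic is constructed from RFC 5737 documentation ranges, the class and function names are invented, and the real signature's source-port tracking described by bnidacoc is not modeled.

```python
from collections import defaultdict

# Threshold taken from andrey.dugin's description of 3030/0 in this thread:
# the signature fires once 15 distinct destination hosts have been seen from one source.
SWEEP_THRESHOLD = 15


class HostSweepDetector:
    """Toy model of a TCP SYN host-sweep signature (not Cisco's implementation)."""

    def __init__(self, threshold=SWEEP_THRESHOLD, excluded_sources=()):
        self.threshold = threshold
        # Hypothetical stand-in for an event action filter scoped to specific source hosts.
        self.excluded_sources = set(excluded_sources)
        # State is never aged out here, mirroring the observation in the thread that the
        # sensor remembers sources until it is rebooted (an assumption about this model only).
        self.dest_hosts = defaultdict(set)
        self.fired = set()

    def observe_syn(self, src_ip, dst_ip):
        """Record one SYN; return True the first time src_ip crosses the threshold."""
        self.dest_hosts[src_ip].add(dst_ip)
        if src_ip in self.fired or src_ip in self.excluded_sources:
            return False
        if len(self.dest_hosts[src_ip]) >= self.threshold:
            self.fired.add(src_ip)
            return True
        return False


def build_sample_syns():
    """Constructed sample traffic (src_ip, dst_ip) using RFC 5737 documentation ranges."""
    syns = []
    # A mail relay that legitimately opens connections to 20 distinct MX hosts.
    syns += [("10.0.0.25", f"203.0.113.{i}") for i in range(1, 21)]
    # An ordinary workstation that only talks to 5 distinct hosts.
    syns += [("10.0.0.50", f"198.51.100.{i}") for i in range(1, 6)]
    # A host sweeping 30 distinct addresses.
    syns += [("10.0.0.99", f"192.0.2.{i}") for i in range(1, 31)]
    return syns


def run_detector(syns, threshold=SWEEP_THRESHOLD, excluded_sources=()):
    """Feed SYNs through the detector and return the sources that fired, in order."""
    det = HostSweepDetector(threshold, excluded_sources)
    return [src for src, dst in syns if det.observe_syn(src, dst)]


def count_destinations(syns):
    """Distinct destination hosts per source: shows which sources are 'busy' before filtering."""
    det = HostSweepDetector(threshold=10**9)  # high threshold so nothing fires
    for src, dst in syns:
        det.observe_syn(src, dst)
    return {src: len(dests) for src, dests in det.dest_hosts.items()}


if __name__ == "__main__":
    sample = build_sample_syns()
    print("destinations per source:", count_destinations(sample))
    print("fired without filter:", run_detector(sample))
    print("fired with mail relay filtered:", run_detector(sample, excluded_sources=["10.0.0.25"]))
```

Run stand-alone, the unfiltered pass reports both the mail relay (10.0.0.25) and the sweeping host (10.0.0.99); excluding the relay leaves only the sweeping host. Raising the threshold instead (for example to 25) also drops the relay, but would hide any sweep that stays under the new limit, which is why a source-specific filter is the narrower change.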

bnidacoc Wed, 11/04/2009 - 06:02

Sorry, my attempt was primarily to point out that there is a sig that may fire very often from legitimate authorized hosts. You were discussing a sig firing a lot.

As a test, you could disable 3030/0 temporarily to see if it changes your CPU usage. However, my suspicion is that it may not have much effect. Someone else here may disagree.

A whole lot of signatures have been created and enabled by default over the past year. And maybe you are on a version of the IPS OS SW which enables the Atomic Engine (I think that is the engine) sigs; maybe there is more CPU cycle consumption with that.

Maybe a TAC case is suitable for your issue.

Leeyoungsoo Thu, 11/05/2009 - 00:55

First of all, thanks for your reply.

Following your opinion, I did disable sig no. 3030, but it did not affect the high CPU situation.

I found a strange status on the gigabit interface.

A lot of traffic goes through there.

I am attaching the gigabit 0/1 interface status.

Do you think that is related to the high CPU

Thanks for any help!

andrey.dugin Thu, 11/05/2009 - 04:31

Is Gi0/1 subinterfaced to process the traffic and return the clear traffic to the ASA, or do you use it in promiscuous mode?

Leeyoungsoo Thu, 11/05/2009 - 17:53

Thanks for your advice.

I did try to clear the interface counters, but I have not found the commands on the AIP-SSM.

Can you tell me how I can clear the interface counters?

Thanks for any help.

andrey.dugin Fri, 11/06/2009 - 00:18

# show interfaces clear

It will clear all interface counters, not a specific one.

