high CPU on AIP-SSM-20

Leeyoungsoo
Level 1

Dear Experts!

We have several AIP-SSM-20s on the ASA, and one of the AIP-SSM-20s has seen high CPU status since one hour ago and it is still going on. Another AIP-SSM-20 has 2~20% CPU load.

Is this normal status? Do you have the same experience?

I have one more question: where can I find the IPS Manager Express configuration manual on the Cisco site? I have not found a manual anywhere on the Cisco site for the configuration of the IPS.

I really appreciate any help.

Regards.

======================================
CPU Statistics
Usage over last 5 seconds = 97
Usage over last minute = 93
Usage over last 5 minutes = 72
Memory Statistics
Memory usage (bytes) = 1026400256
Memory free (bytes) = 1067204608
========================================
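The question in the post is really whether the load is a momentary spike or sustained. As an added example (not code from the thread, the IPS, or Cisco), the Python below parses a statistics block laid out like the one pasted above, computes memory utilisation from the used/free counters, and applies a simple triage rule to the 5-second, 1-minute and 5-minute CPU counters. The thresholds, the function names and the regex are this example's assumptions.

```python
import re

# Constructed copy of the statistics block pasted in the thread above
# (the numbers are the poster's; the layout is reproduced for parsing).
STATS_TEXT = """\
CPU Statistics
Usage over last 5 seconds = 97
Usage over last minute = 93
Usage over last 5 minutes = 72
Memory Statistics
Memory usage (bytes) = 1026400256
Memory free (bytes) = 1067204608
"""

# Assumed thresholds for the triage rule below; they are this example's
# choice, not values from the thread or from Cisco documentation.
CPU_HIGH = 80       # percent: what we call "high" for the short-term counters
CPU_SUSTAINED = 70  # percent: a 5-minute average above this is not a spike

# Matches "key = integer" lines; section headers without "=" are skipped.
_LINE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>\d+)\s*$")


def parse_stats(text):
    """Turn 'key = value' lines into a dict of ints keyed by the label."""
    stats = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("value"))
    return stats


def memory_used_percent(stats):
    """Used memory as a percentage of used + free."""
    used = stats["Memory usage (bytes)"]
    free = stats["Memory free (bytes)"]
    return 100.0 * used / (used + free)


def cpu_state(stats, high=CPU_HIGH, sustained=CPU_SUSTAINED):
    """Classify the load as 'normal', 'spike' (short-term only) or 'sustained'."""
    s5 = stats["Usage over last 5 seconds"]
    m1 = stats["Usage over last minute"]
    m5 = stats["Usage over last 5 minutes"]
    if m5 >= sustained and m1 >= high:
        return "sustained"
    if s5 >= high or m1 >= high:
        return "spike"
    return "normal"


if __name__ == "__main__":
    st = parse_stats(STATS_TEXT)
    print(f"cpu: {cpu_state(st)}; memory used: {memory_used_percent(st):.1f}%")
```

With the poster's numbers the 5-minute average is already above the sustained threshold, so the rule reports "sustained" rather than a spike, which matches the "one hour ago and still going on" description.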

15 Replies

andrey.dugin
Level 1

Check the amount of packets going through the IPS. Maybe there are a lot of small packets processed by it and so the CPU is high.

The IME guide is here: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/imeguide7.html

It is a manual on how to configure the IPS too.

Thanks for your reply!

Yes, you're right, there are a lot of packets going through the IPS.

Is it possible to find in the IME which IP address generates the packets?

Thanks again!


Analyze the events for the time of high CPU utilization and see if there were alarms for some flood, for example a DNS flood, SYN flood, etc.

Dear Andrey!

Thanks for your reply.

I have found a lot of attacks of TCP SYN Host Sweep.

Is it related to the high CPU on the IPS?

Thanks for any help.

Maybe.

If this attack was absent at the time of normal CPU load, I think that this event may cause it.

You may check it.

It is difficult to say; I'm not seeing the exact signature.

If it is 3030/0, it is my understanding (from experience and TAC) that it is quite common for a busy host (user)/SMTP server/proxy server to fire this alarm.

It is my understanding that 3030/0 is based on the source port of the initial SYN. So an internal host initiates a TCP connection to an internet host, its source TCP port is (for example) 1049. The IPS tracks that. The user powers off their PC at the end of the day. Next day, user powers up the host and TCP source ports begin all over at 1024 (XP, don't know about Vista/7.) The user connects to TCP hosts in the Internet, one of those TCP SYNs is sourced by TCP 1049. 3030/0 fires. My understanding from TAC is that the IPS module remembers this TCP communication as long as the IPS itself hasn't been rebooted. So, one may see a whole lot of 3030/0 alarms.

An SMTP server can make this fire a lot.

Potential resolution options may be: disabling 3030/0 or writing an EAF (and try to be specific on the source host(s)).

Thanks for your reply.

Yes, you're right, that Sig. ID is 3030/0.

In your opinion, Sig. ID 3030/0 does not cause high CPU on the IPS module?

Sig 3030/0 fires when 15 destination hosts are seen from 1 source host.

I don't know about your network, but usually this signature doesn't cause high CPU load.

Maybe if you have 1000 hosts generating a sweep it may cause high CPU load.

In any case, you may turn off this signature and then see if it causes high CPU utilization.
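As an added illustration (not code from the thread, the IPS, or Cisco), the following Python reproduces the counting rule quoted above: raise an alarm when one source host has been seen sending SYNs to 15 or more distinct destination hosts. It also carries an exemption list standing in for the event action filter scoped to specific source hosts that was suggested earlier, so a known busy mail relay or proxy stops generating noise, and a per-source packet count for finding the hosts that push the most traffic. The SYN records, the documentation-range addresses and the helper names are all assumptions constructed for this example.

```python
from collections import defaultdict

# Threshold quoted in the thread for signature 3030/0: 15 distinct
# destination hosts seen from one source host.
SWEEP_THRESHOLD = 15


def build_sample():
    """Constructed SYN records (src_ip, src_port, dst_ip, dst_port).
    The addresses come from documentation ranges, not from the thread."""
    syns = []
    for i in range(16):   # a workstation opening connections to 16 web hosts
        syns.append(("10.1.1.50", 1024 + i, f"198.51.100.{i + 1}", 80))
    for i in range(3):    # a quiet workstation, only 3 destinations
        syns.append(("10.1.1.51", 1024 + i, f"198.51.100.{i + 1}", 443))
    for i in range(20):   # a mail relay delivering to 20 remote MX hosts
        syns.append(("10.1.1.25", 1024 + i, f"203.0.113.{i + 1}", 25))
    return syns


def distinct_destinations(syns):
    """Map each source host to the set of destination hosts it sent a SYN to."""
    dsts = defaultdict(set)
    for src, _sport, dst, _dport in syns:
        dsts[src].add(dst)
    return dsts


def sweep_sources(syns, threshold=SWEEP_THRESHOLD, exempt=frozenset()):
    """Sources that reached at least `threshold` distinct hosts, minus any
    host on the exemption list (the analogue of an event action filter
    restricted to specific source addresses)."""
    return {src: len(d)
            for src, d in distinct_destinations(syns).items()
            if len(d) >= threshold and src not in exempt}


def syn_counts(syns):
    """SYN packets per source host, highest first, to spot busy hosts."""
    counts = defaultdict(int)
    for src, *_ in syns:
        counts[src] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    sample = build_sample()
    print("sweep alarms:", sweep_sources(sample))
    print("after exempting the mail relay:",
          sweep_sources(sample, exempt={"10.1.1.25"}))
    print("busiest sources:", syn_counts(sample)[:3])
```

Run against the constructed sample, both the workstation with 16 destinations and the mail relay with 20 trip the rule; exempting the relay leaves only the workstation, which is the effect a source-scoped filter has on the real signature without disabling it outright.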

Sorry, my attempt was primarily to point out there is a sig that may fire very often from legitimate authorized hosts. You were discussing a sig firing a lot.

As a test, you could disable 3030/0 temporarily to see if it changes your CPU usage. However, my suspicion is that it may not have much effect. Someone else here may disagree.

A whole lot of signatures have been created and enabled by default over the past year. And maybe you are on a version of the IPS OS SW which enables the Atomic Engine (I think that is the engine) sigs; maybe there is more CPU cycle consumption with that.

Maybe a TAC case is suitable for your issue.

First of all, thanks for your reply.

As per your opinion, I did disable sig no. 3030, but it did not affect the high CPU situation.

I found a strange status on the gigabit interface. There is a lot of traffic through it.

I am attaching the gigabit 0/1 interface status.

Do you think that is related to the high CPU consumption?

Thanks for any help!

Is Gi0/1 subinterfaced to process the traffic and return the clear one to the ASA, or do you use it in promiscuous mode?

Thanks for your advice.

I did try to clear the interface counters, but I have not found the command on the AIP-SSM.

Can you tell me how I can clear the interface counters?

Thanks for any help.

# show interfaces clear

It will clear all interface counters, not a specific one.
