ASA AIP-SSM-10 high CPU utilization

Unanswered Question
Dec 2nd, 2009

Hi Forum.

We have an ASA 5520 with AIP-SSM-10. The box is used only as IPS. The firewall itself is configured with a "permit any any" for IP/TCP/UDP/ICMP traffic in transparent mode.  All traffic is directed to SSM-10.

The ssm-10 operates constantly at 80-100% CPU utilization and applications are suffering. Traffic rate is about 30Mbps. 90% of traffic is https. Even when no traffic is directed to ssm-10, it operates at 20% CPU utilization.

We have no idea what is causing this. What might be causing this situation?

Below is the relevant ASA config.

Paulo Roque

ASA Version 8.0(4)
!
firewall transparent
hostname COT-IPS-I-fw
names
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
shutdown
no nameif
security-level 0
management-only
!
boot system disk0:/asa804-k8.bin
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
!
tcp-map TTL-WORKAROUND
  no ttl-evasion-protection

ssh timeout 10
console timeout 0
no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 600 average-rate 80 burst-rate 50
threat-detection rate scanning-threat rate-interval 3600 average-rate 32 burst-rate 64
no threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map IPS
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
policy-map spc_global_policy
class IPS
  set connection random-sequence-number disable
  set connection advanced-options TTL-WORKAROUND
  ips inline fail-open
 
!
service-policy spc_global_policy global
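To read a policy section like the one above mechanically, here is an added example (not code from the post or from Cisco) that parses the class-map / policy-map / service-policy lines in the text format the ASA prints and reports which applied classes hand traffic to the AIP-SSM and what those classes match. SAMPLE_CONFIG is a trimmed copy of the policy section posted above; the function names and the report format are my own.

```python
"""Added example (not part of the forum post): list every class in an ASA
running-config that steers traffic to the IPS module, with its match
criteria, considering only policy-maps that are actually applied.
Indentation is not relied on, because pasted configs often lose it.
"""

# Trimmed copy of the class-map/policy-map section posted in the question.
SAMPLE_CONFIG = """\
class-map IPS
match any
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
policy-map spc_global_policy
class IPS
  set connection random-sequence-number disable
  set connection advanced-options TTL-WORKAROUND
  ips inline fail-open
!
service-policy spc_global_policy global
"""


def parse_asa_policy(config_text):
    """Return (class_maps, policy_maps, applied).

    class_maps:  name -> list of match criteria (keyword 'match' stripped)
    policy_maps: name -> {class name -> list of action lines}
    applied:     list of (policy-map name, scope) from service-policy lines
    """
    class_maps, policy_maps, applied = {}, {}, []
    cur_cm = cur_pm = cur_cls = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur_cm = cur_pm = cur_cls = None  # '!' closes a top-level block
            continue
        words = line.split()
        if words[0] == "class-map":
            cur_pm = cur_cls = None
            # 'class-map type inspect ...' is not an L3/L4 traffic class
            cur_cm = None if words[1] == "type" else words[1]
            if cur_cm:
                class_maps[cur_cm] = []
        elif words[0] == "policy-map":
            cur_cm = cur_cls = None
            cur_pm = None if words[1] == "type" else words[1]
            if cur_pm:
                policy_maps[cur_pm] = {}
        elif words[0] == "service-policy":
            applied.append((words[1], " ".join(words[2:])))
        elif words[0] == "match" and cur_cm:
            class_maps[cur_cm].append(" ".join(words[1:]))
        elif words[0] == "class" and cur_pm:
            cur_cls = words[1]
            policy_maps[cur_pm][cur_cls] = []
        elif cur_pm and cur_cls:
            policy_maps[cur_pm][cur_cls].append(line)
    return class_maps, policy_maps, applied


def ips_redirections(config_text):
    """Every applied class whose actions include an 'ips ...' line."""
    class_maps, policy_maps, applied = parse_asa_policy(config_text)
    findings = []
    for pm_name, scope in applied:
        for cls_name, actions in policy_maps.get(pm_name, {}).items():
            ips_lines = [a for a in actions if a.split()[0] == "ips"]
            if not ips_lines:
                continue
            if cls_name == "class-default":
                matches = ["(implicit: all traffic not matched above)"]
            else:
                matches = class_maps.get(cls_name, [])
            findings.append({"policy_map": pm_name, "scope": scope,
                             "class": cls_name, "matches": matches,
                             "ips": ips_lines[0]})
    return findings


def steers_all_traffic(finding):
    """True when the class sends every packet, not a subset, to the sensor."""
    return finding["class"] == "class-default" or "any" in finding["matches"]


def report(config_text):
    """One summary line per IPS-steering class; returned so it can be checked."""
    lines = []
    for f in ips_redirections(config_text):
        what = "everything" if steers_all_traffic(f) else "only " + "; ".join(f["matches"])
        lines.append(f"{f['policy_map']} ({f['scope']}): class {f['class']} "
                     f"-> {f['ips']} [{what}]")
    return lines or ["no applied policy steers traffic to the IPS module"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

On the posted section the report is a single line, `spc_global_policy (global): class IPS -> ips inline fail-open [everything]`: the `match any` class sends every packet crossing the transparent firewall, including the HTTPS that makes up most of the 30Mbps, inline to the sensor. That is exactly the load the reply below says should be judged from the sensor's inspection load rather than from CPU. The parser also shows that `global_policy` (the `inspect` list) is not applied by any `service-policy` line in this config.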

rudenko.alexander Thu, 12/03/2009 - 04:25

Hello.

I answered this question a few months ago.

First you should understand that CPU is no longer a good way of measuring sensor utilization. This is because development has programmed the sensor to grab resources from the Linux system.

The better way to measure the sensor load is to look at the inspection load. This will give you a better feel for how your sensor is loaded.

From the GUI, you would click on "Sensor health" details to the bottom right of the gauge and look at inspection load.

Kind Regards,
