ASA AIP-SSM-10 high CPU utilization

pauloroque · ‎12-02-2009

Hi Forum.

We have an ASA 5520 with AIP-SSM-10. The box is used only as IPS. The firewall itself is configured with a "permit any any" for IP/TCP/UDP/ICMP traffic in transparent mode. All traffic is directed to SSM-10.

The ssm-10 operates constantly in 80-100% of CPU utilization and applications are suffering. Traffic rate is about 30Mbps. 90% of traffic is https. Even when no trafifc is directed to ssm-10, it operates at 20% of CPU utilization.

We have no idea what is causing this. What might be causing this situation?

Bellow is the relevant ASA config.

Paulo Roque

ASA Version 8.0(4)
!
firewall transparent
hostname COT-IPS-I-fw
names
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
shutdown
no nameif
security-level 0
management-only
!
boot system disk0:/asa804-k8.bin
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
!
tcp-map TTL-WORKAROUND
no ttl-evasion-protection

ssh timeout 10
console timeout 0
no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 600 average-rate 80 burst-rate 50
threat-detection rate scanning-threat rate-interval 3600 average-rate 32 burst-rate 64
no threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map IPS
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map spc_global_policy
class IPS
set connection random-sequence-number disable
set connection advanced-options TTL-WORKAROUND
ips inline fail-open

!
service-policy spc_global_policy global

rudenko.alexander · ‎12-03-2009

Hello.

I answered this question few month ago.

First you should understand that the CPU is not good way of measuring the sensor utilization any longer. It is because development has programmed the sensor to grab resources from the Linux system.

The better way to measure the sensor load is looking to Inspection load. This will give you a better fill for how your sensor is loaded.

From the GUI, you would click on "Sensor health" details to the bottom right of the gauge and look at inspection load.

King Regards,