
Cisco ASA 5520 CPU Usage is ranging 87%- 93%

Unanswered Question
May 9th, 2012

Hi,


I know this topic was already discussed before, and I already tried their solution but nothing happened. Bear with me if I'll post this again.

Our company’s Cisco ASA 5520 CPU usage drastically increased up to 93% after installing the antivirus our company purchased.

Upon entering the show commands, which I will post the result later, it shows that the “Dispatch Unit” is very high.

I tried to clear the conn of each IP address that has very high bytes, but nothing happened.

I’ll post all the results, and please help me solve this issue. I’m not really familiar with Firewall or security.


INTFW(config)# show proc cpu-usage sorted non-zero

PC         Thread       5Sec     1Min     5Min   Process

081aa324   6bdaf870    81.3%    81.5%    81.4%   Dispatch Unit

08bd08d6   6bda9210     5.7%     5.7%     5.7%   Logger


INTFW(config)# show proc cpu-hog

Process:      vpnfol_sync/Bulk Sync - Import , PROC_PC_TOTAL: 23, MAXHOG: 5, LASTHOG: 5

LASTHOG At:   11:27:17 PHST Aug 8 2011

PC:           8da1592 (suspend)

Process:      vpnfol_sync/Bulk Sync - Import , NUMHOG: 23, MAXHOG: 5, LASTHOG: 5

LASTHOG At:   11:27:17 PHST Aug 8 2011

PC:           8da1592 (suspend)

Traceback:    8da1c7e  8d9ff8f  8062413

Process:      ssh_init, PROC_PC_TOTAL: 4, MAXHOG: 4, LASTHOG: 3

LASTHOG At:   07:41:20 PHST Aug 18 2011

PC:           806dcd5 (suspend)

Process:      ssh_init, NUMHOG: 4, MAXHOG: 4, LASTHOG: 3

LASTHOG At:   07:41:20 PHST Aug 18 2011

PC:           806dcd5 (suspend)

Traceback:    8b9d3e6  8bab837  8ba024a  8062413

Process:      ssh_init, PROC_PC_TOTAL: 90801, MAXHOG: 5, LASTHOG: 2

LASTHOG At:   04:47:28 PHST Apr 5 2012

PC:           8b9ac8c (suspend)

Process:      ssh_init, NUMHOG: 90801, MAXHOG: 5, LASTHOG: 2

LASTHOG At:   04:47:28 PHST Apr 5 2012

PC:           8b9ac8c (suspend)

Traceback:    8b9ac8c  8ba77ed  8ba573e  8ba58e8  8ba6971  8ba02b4  8062413

Process:      telnet/ci, PROC_PC_TOTAL: 1, MAXHOG: 3, LASTHOG: 3

LASTHOG At:   08:43:18 PHST Apr 16 2012

PC:           8870ba5 (suspend)

Process:      telnet/ci, NUMHOG: 1, MAXHOG: 3, LASTHOG: 3

LASTHOG At:   08:43:18 PHST Apr 16 2012

PC:           8870ba5 (suspend)

Traceback:    8870ba5  9298bf1  92789fe  9279191  80ca7e7  80cacbb  80c14b5

               80c1c5f  80c2da6  80c3850  8062413

Process:      Unicorn Proxy Thread, PROC_PC_TOTAL: 5, MAXHOG: 3, LASTHOG: 2

LASTHOG At:   20:23:09 PHST Apr 27 2012

PC:           8c0e8e5 (suspend)

Process:      Unicorn Proxy Thread, NUMHOG: 5, MAXHOG: 3, LASTHOG: 2

LASTHOG At:   20:23:09 PHST Apr 27 2012

PC:           8c0e8e5 (suspend)

Traceback:    8c0e8e5  8c23428  8c24561  8cff99d  8cfdb0c  8cf9f81  8cf9ef5

               8cfa9b0  8cec6c9  8cebf7b  8cec22c  8ce5e2f  8d00cfb  8d01d67

Process:      Unicorn Proxy Thread, PROC_PC_TOTAL: 12, MAXHOG: 5, LASTHOG: 4

LASTHOG At:   20:23:09 PHST Apr 27 2012

PC:           8c2bb4d (suspend)

Process:      Unicorn Proxy Thread, NUMHOG: 12, MAXHOG: 5, LASTHOG: 4

LASTHOG At:   20:23:09 PHST Apr 27 2012

PC:           8c2bb4d (suspend)

Traceback:    8c2bb4d  8c0ef7a  8c11576  8c11625  8c12748  8c140f8  8c0f074

               8c23bae  8f2f1f1  8062413

Process:      vpnfol_sync/Bulk Sync - Import , PROC_PC_TOTAL: 488, MAXHOG: 100, LASTHOG: 2

LASTHOG At:   02:44:29 PHST May 6 2012

PC:           80635a5 (suspend)

Process:      ssh_init, NUMHOG: 461, MAXHOG: 3, LASTHOG: 2

LASTHOG At:   02:44:29 PHST May 6 2012

PC:           80635a5 (suspend)

Traceback:    80635a5  8133d0b  9224474  923d3c8  9239045  9238e95  9226f50

               92263d8  92158bf  920530c  922564a  92254c1  9214606  92050bc

Process:      telnet/ci, PROC_PC_TOTAL: 1, MAXHOG: 5, LASTHOG: 5

LASTHOG At:   17:46:33 PHST May 9 2012

PC:           8beab4b (suspend)

Process:      telnet/ci, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5

LASTHOG At:   17:46:33 PHST May 9 2012

PC:           8beab4b (suspend)

Traceback:    8beb37e  8bf5961  8870405  92861be  80cf185  80c2c3f  80c3850

               8062413

Process:      snmp, PROC_PC_TOTAL: 65, MAXHOG: 3, LASTHOG: 3

LASTHOG At:   07:51:40 PHST May 10 2012

PC:           8b37300 (suspend)

Process:      snmp, NUMHOG: 65, MAXHOG: 3, LASTHOG: 3

LASTHOG At:   07:51:40 PHST May 10 2012

PC:           8b37300 (suspend)

Traceback:    8b37300  8b35d27  8b32e39  8b358c8  8b10b5e  8b0f7bc  8062413

Process:      ssh_init, PROC_PC_TOTAL: 43490, MAXHOG: 4, LASTHOG: 2

LASTHOG At:   08:03:59 PHST May 10 2012

PC:           83cf301 (suspend)

Process:      ssh_init, NUMHOG: 43490, MAXHOG: 4, LASTHOG: 2

LASTHOG At:   08:03:59 PHST May 10 2012

PC:           83cf301 (suspend)

Traceback:    83cfb25  83c9883  812ea45  89e51b2  89b8dda  8ba0e44  8ba0278

               8062413

Process:      Dispatch Unit, PROC_PC_TOTAL: 50959, MAXHOG: 46, LASTHOG: 2

LASTHOG At:   08:16:30 PHST May 10 2012

PC:           81aa324 (suspend)

Process:      Dispatch Unit, NUMHOG: 50959, MAXHOG: 46, LASTHOG: 2

LASTHOG At:   08:16:30 PHST May 10 2012

PC:           81aa324 (suspend)

Traceback:    81aa324  8062413

Process:      Dispatch Unit, PROC_PC_TOTAL: 4912632, MAXHOG: 1010, LASTHOG: 3

LASTHOG At:   08:16:40 PHST May 10 2012

PC:           81aa50f (suspend)

Process:      Dispatch Unit, NUMHOG: 4502524, MAXHOG: 1010, LASTHOG: 3

LASTHOG At:   08:16:40 PHST May 10 2012

PC:           81aa50f (suspend)

Traceback:    81aa50f  8062413

Process:      snmp, PROC_PC_TOTAL: 85863, MAXHOG: 4, LASTHOG: 3

LASTHOG At:   08:16:40 PHST May 10 2012

PC:           8c09598 (suspend)

Process:      snmp, NUMHOG: 85863, MAXHOG: 4, LASTHOG: 3

LASTHOG At:   08:16:40 PHST May 10 2012

PC:           8c09598 (suspend)

Traceback:    8b300cd  8b1086d  8b0f7bc  8062413

Process:      snmp, PROC_PC_TOTAL: 43522, MAXHOG: 4, LASTHOG: 3

LASTHOG At:   08:16:40 PHST May 10 2012

PC:           8b3709e (suspend)

Process:      snmp, NUMHOG: 43522, MAXHOG: 4, LASTHOG: 3

LASTHOG At:   08:16:40 PHST May 10 2012

PC:           8b3709e (suspend)

Traceback:    8b3709e  8b35dcb  8b32e39  8b358c8  8b10b5e  8b0f7bc  8062413

Process:      Dispatch Unit, NUMHOG: 14404267, MAXHOG: 1012, LASTHOG: 3

LASTHOG At:   08:17:07 PHST May 10 2012

PC:           81aa5f9 (suspend)

Traceback:    81aa5f9  8062413

Process:      Dispatch Unit, PROC_PC_TOTAL: 20260397, MAXHOG: 1012, LASTHOG: 3

LASTHOG At:   08:17:08 PHST May 10 2012

PC:           81aa5f9 (suspend)

CPU hog threshold (msec):  2.844

Last cleared: None


INTFW(config)# show int | in error

        1762 input errors, 0 CRC, 0 frame, 1762 overrun, 0 ignored, 0 abort

        0 output errors, 0 collisions, 0 interface resets

        38632851 input errors, 0 CRC, 0 frame, 38632851 overrun, 0 ignored, 0 abort

        0 output errors, 0 collisions, 0 interface resets

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 output errors, 0 collisions, 7 interface resets

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 output errors, 0 collisions, 0 interface resets

        1 input errors, 0 CRC, 0 frame, 1 overrun, 0 ignored, 0 abort

        0 output errors, 0 collisions, 0 interface resets


INTFW(config)# show int

Interface GigabitEthernet0/0 "outside", is up, line protocol is up

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

        MAC address d0d0.fd3f.0ff4, MTU 1500

        IP address x.x.x.6, subnet mask 255.255.255.248

        30015960429 packets input, 26267024403964 bytes, 0 no buffer

        Received 9057 broadcasts, 0 runts, 0 giants

        1762 input errors, 0 CRC, 0 frame, 1762 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        199746407478 packets output, 25119852006560 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops, 0 tx hangs

        input queue (blocks free curr/low): hardware (255/230)

        output queue (blocks free curr/low): hardware (255/24)

  Traffic Statistics for "outside":

        30002303388 packets input, 25691387461881 bytes

        199746407478 packets output, 21463867385699 bytes

        629259354 packets dropped

      1 minute input rate 1754 pkts/sec,  1668152 bytes/sec

      1 minute output rate 11769 pkts/sec,  944305 bytes/sec

      1 minute drop rate, 20 pkts/sec

      5 minute input rate 1646 pkts/sec,  1415643 bytes/sec

      5 minute output rate 11907 pkts/sec,  1263071 bytes/sec

      5 minute drop rate, 19 pkts/sec

Interface GigabitEthernet0/1 "inside", is up, line protocol is up

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

        MAC address d0d0.fd3f.0ff5, MTU 1500

        IP address x.x.x.9, subnet mask 255.255.255.248

        197887766666 packets input, 24998369433168 bytes, 0 no buffer

        Received 278288 broadcasts, 0 runts, 0 giants

        38632921 input errors, 0 CRC, 0 frame, 38632921 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        29089991932 packets output, 26007238507372 bytes, 79 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops, 0 tx hangs

        input queue (blocks free curr/low): hardware (255/230)

        output queue (blocks free curr/low): hardware (255/0)

  Traffic Statistics for "inside":

        197875091433 packets input, 21381545513997 bytes

        29089992011 packets output, 25452507365233 bytes

        47959890 packets dropped

      1 minute input rate 11609 pkts/sec,  926890 bytes/sec

      1 minute output rate 1731 pkts/sec,  1703914 bytes/sec

      1 minute drop rate, 3 pkts/sec

      5 minute input rate 11612 pkts/sec,  988624 bytes/sec

      5 minute output rate 1615 pkts/


INTFW(config)# show conn

----partial result of show conn. Some of the results have higher bytes but I think this will be enough.

158026 in use, 165954 most used

TCP outside x.x.x.138:1522 inside x.x.x.106:3609, idle 0:00:24, bytes 1231922, flags UIO

TCP outside x.x.x.138:1522 inside x.x.x.106:4583, idle 0:00:05, bytes 108207477, flags UIO

INTFW(config)# show traffic

folink:

        received (in 1922566.370 secs):

                62152861 packets        4669911582 bytes

                1 pkts/sec      2000 bytes/sec

        transmitted (in 1922566.370 secs):

                1215835634 packets      1396053558570 bytes

                0 pkts/sec      726002 bytes/sec

      1 minute input rate 1 pkts/sec,  117 bytes/sec

      1 minute output rate 55 pkts/sec,  65230 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 1 pkts/sec,  117 bytes/sec

      5 minute output rate 51 pkts/sec,  59983 bytes/sec

      5 minute drop rate, 0 pkts/sec

outside:

        received (in 1922872.370 secs):

                30003574779 packets     25692551618468 bytes

                15000 pkts/sec  13361000 bytes/sec

        transmitted (in 1922872.370 secs):

                199756000629 packets    21464645138678 bytes

                103001 pkts/sec 11162000 bytes/sec

      1 minute input rate 1496 pkts/sec,  1370318 bytes/sec

      1 minute output rate 11724 pkts/sec,  1001443 bytes/sec

      1 minute drop rate, 23 pkts/sec

      5 minute input rate 1518 pkts/sec,  1369006 bytes/sec

      5 minute output rate 11644 pkts/sec,  992991 bytes/sec

      5 minute drop rate, 25 pkts/sec

inside:

        received (in 1922876.630 secs):

                197884596127 packets    21382322027279 bytes

                102001 pkts/sec 11119000 bytes/sec

        transmitted (in 1922876.630 secs):

                29091209527 packets     25453660568576 bytes

                15001 pkts/sec  13237000 bytes/sec

      1 minute input rate 11607 pkts/sec,  996877 bytes/sec

      1 minute output rate 1476 pkts/sec,  1352799 bytes/sec

      1 minute drop rate, 14 pkts/sec

      5 minute input rate 11487 pkts/sec,  986769 bytes/sec

      5 minute output rate 1453 pkts/sec,  1345452 bytes/sec

      5 minute drop rate, 5 pkts/sec



Thanks,

Mark

Overall Rating: 5 (2 ratings)
Maykol Rojas Wed, 05/09/2012 - 21:32
User Badges:
  • Cisco Employee,
  • Featured Participant,

    Best Post, December 2015

Hi Mark,


I guess I was the one who got to the bottom of the other case. Let me help you out with this one. I may need some other outputs like the following:


show service-policy

sh local-host (this one is very large), what I am trying to find out with this one is the Embryonic amount of connections that the device is receiving.


For the 2 connections you are highlighting, they seem to be normal as they belong to SQL connections.


Mike

mparas_04 Wed, 05/09/2012 - 22:19

Hi Mike,

Thanks for the reply. I even sent you a private message regarding this one.

Here is the information needed. Not sure about the embryonic amount, let me know if what I sent is incorrect.


INTFW# show service-policy

Global policy:

   Service-policy: global_policy

     Class-map: inspection_default

       Inspect: dns preset_dns_map, packet 523484182, drop 1859534, reset-drop 0

       Inspect: ftp, packet 126584724, drop 5747, reset-drop 260

       Inspect: h323 h225 _default_h323_map, packet 33293, drop 0, reset-drop 0

                tcp-proxy: bytes in buffer 0, bytes dropped 73593

       Inspect: h323 ras _default_h323_map, packet 3924, drop 3072, reset-drop 0

       Inspect: rsh, packet 26083, drop 0, reset-drop 0

       Inspect: rtsp, packet 33584177, drop 0, reset-drop 0

                tcp-proxy: bytes in buffer 0, bytes dropped 376972

       Inspect: esmtp _default_esmtp_map, packet 199361835, drop 80131, reset-drop 0

       Inspect: skinny , packet 3373, drop 0, reset-drop 0

                tcp-proxy: bytes in buffer 0, bytes dropped 88997

       Inspect: sunrpc, packet 8558, drop 1, reset-drop 10

                tcp-proxy: bytes in buffer 0, bytes dropped 28

       Inspect: xdmcp, packet 554, drop 41, reset-drop 0

       Inspect: sip , packet 651549, drop 5, reset-drop 0

                tcp-proxy: bytes in buffer 0, bytes dropped 3169

       Inspect: netbios, packet 83649497, drop 0, reset-drop 0

       Inspect: tftp, packet 369, drop 0, reset-drop 0

     Class-map: global-class

       IPS: card status Unresponsive, mode inline fail-open, sensor vs0

         packet input 197451550328, packet output 197459152624, drop 3901726, reset-drop 395164


INTFW# show local-host

Interface inside: 670 active, 882 maximum active, 0 denied


local host: ,


    TCP flow count/limit = 9/unlimited


    TCP embryonic count to host = 0


    TCP intercept watermark = unlimited


    UDP flow count/limit = 2/unlimited




  Conn:


    TCP outside x.x.x.37:80 inside x.x.x.13:56634, idle 0:00:19, bytes 1539, flags UIO


    TCP outside 220.73.140.37:80 inside x.x.x.13:56633, idle 0:00:19, bytes 3162, flags UIO


    TCP outside 220.73.140.37:80 inside x.x.x.13:56632, idle 0:00:19, bytes 3089, flags UIO


    TCP outside 220.73.140.37:80 inside x.x.x.13:56631, idle 0:00:19, bytes 6446, flags UIO


    TCP outside 10.20.2.61:80 inside x.x.x.13:56630, idle 0:03:31, bytes 5856, flags UFRIO


    UDP outside 180.68.204.199:5005 inside x.x.x.13:61775, idle 0:00:01, bytes 24640, flags -


    TCP outside 180.68.204.199:554 inside x.x.x.13:56437, idle 0:00:00, bytes 34392, flags UIO


    TCP outside 220.73.163.212:554 inside x.x.x.13:56423, idle 0:00:54, bytes 2372747, flags UIO


    TCP outside 10.20.1.31:12571 inside x.x.x.13:51540, idle 0:00:00, bytes 247756, flags UIO


    TCP outside 10.20.2.41:80 inside x.x.x.13:49846, idle 0:00:49, bytes 321266, flags UIO


    UDP outside 180.68.204.199:5004 inside x.x.x.13:61776, idle 0:00:00, bytes 128849882, flags -


local host: <12.230.220.182>,


    TCP flow count/limit = 10/unlimited


    TCP embryonic count to host = 0


    TCP intercept watermark = unlimited


    UDP flow count/limit = 0/unlimited



Thanks,

Mark

Maykol Rojas Wed, 05/09/2012 - 22:38

Hi Mark,


Yeah, I saw it; I answered that one as well. Let's do the following and track this down. Would you please do a clear service-policy and then do show service-policy one more time? (After clearing it, wait for 2 or 3 minutes and grab the show service-policy again.)


Mike

mparas_04 Wed, 05/09/2012 - 23:12

Hi Mike,

Thanks, here is the result after clearing the service-policy.


INTFW(config)# show service-policy



Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: dns preset_dns_map, packet 4755, drop 29, reset-drop 0

      Inspect: ftp, packet 4594, drop 0, reset-drop 0

      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0

      Inspect: rsh, packet 0, drop 0, reset-drop 0

      Inspect: rtsp, packet 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: esmtp _default_esmtp_map, packet 928, drop 0, reset-drop 0

      Inspect: skinny , packet 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: sunrpc, packet 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

      Inspect: sip , packet 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: netbios, packet 551, drop 0, reset-drop 0

      Inspect: tftp, packet 0, drop 0, reset-drop 0

    Class-map: global-class

      IPS: card status Unresponsive, mode inline fail-open, sensor vs0

        packet input 0, packet output 0, drop 0, reset-drop 0


Thanks,

Mark

Maykol Rojas Thu, 05/10/2012 - 08:42

Hi Mark,


Did you wait for a couple of minutes? It doesn't seem to be an inspection issue. Can you do clear traffic/Interface, wait for a couple of minutes and then do another show traffic/interface? (Make sure that the CPU is above 85 when you do the tests.)


Mike.

Maykol Rojas Thu, 05/10/2012 - 08:44

Also,


Please do the following:


Capture inside interface inside


Once you complete the capture, do a "show cap inside" and see if a single host is showing there. The amount of errors on the inside interface is something to be worried about.


Interface GigabitEthernet0/1 "inside", is up, line protocol is up

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

        MAC address d0d0.fd3f.0ff5, MTU 1500

        IP address x.x.x.9, subnet mask 255.255.255.248

        197887766666 packets input, 24998369433168 bytes, 0 no buffer

        Received 278288 broadcasts, 0 runts, 0 giants

        38632921 input errors, 0 CRC, 0 frame, 38632921 overrun, 0 ignored, 0 abo


Mike
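One way to run the "single host" check on saved `show capture` text, as an added example that is not part of the original thread: it tallies packets per source and flags sources that send bare SYNs to several distinct destinations. The line layout is assumed to match the capture lines posted in this thread; the addresses in the sample, the function names and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of ASA "show capture" text output.
# Line 4 is deliberately malformed (no ">") to show how damaged lines are handled.
SAMPLE_CAPTURE = """\
   1: 08:37:39.019209 10.1.1.61.110 > 10.1.2.20.49957: . 472732794:472734074(1280) ack 1268278275 win 46
   2: 08:37:39.019240 10.1.1.66.1521 > 10.1.2.11.39866: P 729052152:729052783(631) ack 1465609040 win 32768
   3: 08:37:39.019270 10.1.2.20.49957 > 10.1.1.61.110: . ack 472839034 win 65340
   4: 08:37:39.019286 10.1.2.183.4268 10.1.3.62.445: S 3250706787:3250706787(0) win 65535
   5: 08:37:39.019316 10.1.2.183.4269 > 10.1.3.23.445: S 4159126031:4159126031(0) win 65535
   6: 08:37:39.019340 10.1.2.183.4270 > 10.1.3.24.445: S 4159126999:4159126999(0) win 65535
   7: 08:37:39.019361 10.1.2.183.4271 > 10.1.3.25.445: S 4159127555:4159127555(0) win 65535
   8: 08:37:39.019400 10.1.2.11.39867 > 10.1.1.66.1521: S 1111111111:1111111111(0) win 65535
   9: 08:37:39.019450 10.1.1.66.1521 > 10.1.2.11.39867: S 2222222222:2222222222(0) ack 1111111112 win 32768
  10: 08:37:39.019500 10.1.2.13.61776 > 10.1.4.199.5004:  udp 1316
"""

# "<n>: <time> <src> > <dst>: <rest of line>"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\d\d:\d\d:\d\d\.\d+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)
# TCP flag field as printed in the capture: any mix of S F P R W E or "."
TCP_FLAGS_RE = re.compile(r"[SFPRWE.]+")


def split_endpoint(endpoint):
    """Split 'a.b.c.d.port' into (host, port); portless endpoints (ICMP) keep port None."""
    if endpoint.count(".") == 4:
        host, port = endpoint.rsplit(".", 1)
        return host, port
    return endpoint, None


def summarize(capture_text):
    """Return (per-source stats, number of lines that could not be parsed)."""
    stats = defaultdict(lambda: {"packets": 0, "syn_only": 0, "targets": set()})
    skipped = 0
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # header lines or lines damaged in copy/paste
            continue
        src_host, _ = split_endpoint(m.group("src"))
        dst_host, dst_port = split_endpoint(m.group("dst"))
        fields = m.group("rest").split()
        flags = fields[0] if fields else ""
        entry = stats[src_host]
        entry["packets"] += 1
        # A connection attempt is a SYN with no ACK; SYN-ACK replies are excluded.
        is_tcp = TCP_FLAGS_RE.fullmatch(flags) is not None
        if is_tcp and "S" in flags and "ack" not in fields[1:]:
            entry["syn_only"] += 1
            entry["targets"].add((dst_host, dst_port))
    return dict(stats), skipped


def scan_suspects(capture_text, min_syn=3, min_targets=3):
    """Sources with >= min_syn bare SYNs spread over >= min_targets distinct hosts.

    The thresholds are illustrative assumptions; tune them to the capture size.
    """
    stats, _ = summarize(capture_text)
    suspects = []
    for src, s in stats.items():
        hosts = {host for host, _ in s["targets"]}
        if s["syn_only"] >= min_syn and len(hosts) >= min_targets:
            ports = sorted({port for _, port in s["targets"] if port})
            suspects.append((src, s["syn_only"], len(hosts), ports))
    return sorted(suspects, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    per_source, unparsed = summarize(SAMPLE_CAPTURE)
    for src, s in sorted(per_source.items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{src:15} packets={s['packets']} syn_only={s['syn_only']}")
    print("unparsed lines:", unparsed)
    print("suspects:", scan_suspects(SAMPLE_CAPTURE))
```

A source that appears in the suspects list is a candidate for `show local-host` on that address; an ordinary client such as the one opening a single connection to port 1521 in the sample stays below the thresholds.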

mparas_04 Thu, 05/10/2012 - 17:57

Hi Mike,


Yes, I waited for more than 5 mins. Here is the information needed; I waited for 10 mins after I cleared the traffic & interface. I also included the proc cpu-usage to make sure the CPU is above 85%. The result is quite large but I'll post the whole information anyway.


INTFW(config)#  show proc cpu-usage sorted non-zero


PC         Thread       5Sec     1Min     5Min   Process

081aa324   6bdaf870    80.7%    80.7%    80.5%   Dispatch Unit

08bd08d6   6bda9210     5.7%     5.7%     5.7%   Logger

0929b50a   6bdaa9b0     0.1%     0.0%     0.0%   Checkheaps


INTFW(config)# show traffic

folink:

        received (in 747.770 secs):

                 1186 packets    88420 bytes

                 1 pkts/sec      118 bytes/sec

         transmitted (in 747.770 secs):

                 42724 packets   50250540 bytes

                 57 pkts/sec     67200 bytes/sec

       1 minute input rate 1 pkts/sec,  118 bytes/sec

       1 minute output rate 49 pkts/sec,  58022 bytes/sec

       1 minute drop rate, 0 pkts/sec

       5 minute input rate 1 pkts/sec,  117 bytes/sec

       5 minute output rate 58 pkts/sec,  69427 bytes/sec

       5 minute drop rate, 0 pkts/sec

outside:

         received (in 747.770 secs):

                1145778 packets 991636628 bytes

                 1532 pkts/sec   1326125 bytes/sec

         transmitted (in 747.770 secs):

                 8754737 packets 938872744 bytes

                11707 pkts/sec  1255563 bytes/sec

       1 minute input rate 1563 pkts/sec,  1266067 bytes/sec

       1 minute output rate 11699 pkts/sec,  1432560 bytes/sec

       1 minute drop rate, 27 pkts/sec

       5 minute input rate 1481 pkts/sec,  1292937 bytes/sec

       5 minute output rate 11642 pkts/sec,  1201762 bytes/sec

       5 minute drop rate, 27 pkts/sec

inside:

         received (in 749.920 secs):

                 8694743 packets 937999985 bytes

                11594 pkts/sec  1250800 bytes/sec

         transmitted (in 749.920 secs):

                 1115172 packets 982631039 bytes

                 1487 pkts/sec   1310314 bytes/sec

       1 minute input rate 11621 pkts/sec,  1429216 bytes/sec

       1 minute output rate 1526 pkts/sec,  1256246 bytes/sec

       1 minute drop rate, 2 pkts/sec

       5 minute input rate 11543 pkts/sec,  1197691 bytes/sec

       5 minute output rate 1448 pkts/sec,  1282070 bytes/sec

       5 minute drop rate, 2 pkts/sec

dmz:

         received (in 749.920 secs):

                 1016 packets    61624 bytes

                 1 pkts/sec      82 bytes/sec

         transmitted (in 749.920 secs):

                 1092 packets    66512 bytes

                 1 pkts/sec      88 bytes/sec

       1 minute input rate 5 pkts/sec,  358 bytes/sec

       1 minute output rate 5 pkts/sec,  365 bytes/sec

       1 minute drop rate, 0 pkts/sec

       5 minute input rate 0 pkts/sec,  37 bytes/sec

       5 minute output rate 1 pkts/sec,  43 bytes/sec

       5 minute drop rate, 0 pkts/sec

   ----------------------------------------

Aggregated Traffic on Physical Interface

----------------------------------------

GigabitEthernet0/0:

         received (in 750.670 secs):

                 1148372 packets 1015189440 bytes

                 1529 pkts/sec   1352377 bytes/sec

         transmitted (in 750.670 secs):

                 8787467 packets 1103440157 bytes

                 11706 pkts/sec  1469940 bytes/sec

       1 minute input rate 1563 pkts/sec,  1295849 bytes/sec

       1 minute output rate 11699 pkts/sec,  1646462 bytes/sec

       1 minute drop rate, 0 pkts/sec

       5 minute input rate 1482 pkts/sec,  1320981 bytes/sec

       5 minute output rate 11642 pkts/sec,  1414888 bytes/sec

       5 minute drop rate, 0 pkts/sec

GigabitEthernet0/1:

         received (in 750.670 secs):

                 8703391 packets 1097968273 bytes

                 11594 pkts/sec  1462651 bytes/sec

         transmitted (in 750.670 secs):

                 1115916 packets 1004257690 bytes

                 1486 pkts/sec   1337815 bytes/sec

       1 minute input rate 11621 pkts/sec,  1641334 bytes/sec

       1 minute output rate 1526 pkts/sec,  1285324 bytes/sec

       1 minute drop rate, 0 pkts/sec

       5 minute input rate 11543 pkts/sec,  1408490 bytes/sec

       5 minute output rate 1448 pkts/sec,  1309465 bytes/sec

       5 minute drop rate, 0 pkts/sec

GigabitEthernet0/2:

        received (in 751.330 secs):

                1016 packets    83158 bytes

                1 pkts/sec      110 bytes/sec

        transmitted (in 751.330 secs):

                1093 packets    89526 bytes

                1 pkts/sec      119 bytes/sec

      1 minute input rate 5 pkts/sec,  460 bytes/sec

      1 minute output rate 5 pkts/sec,  469 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  62 bytes/sec

      5 minute output rate 1 pkts/sec,  71 bytes/sec

      5 minute drop rate, 0 pkts/sec

GigabitEthernet0/3:

        received (in 751.330 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 751.330 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

Internal-Control0/0:

        received (in 752.000 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 752.000 secs):

                2350 packets    163298 bytes

                3 pkts/sec      217 bytes/sec

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 3 pkts/sec,  217 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 3 pkts/sec,  217 bytes/sec

      5 minute drop rate, 0 pkts/sec

Internal-Data0/0:

        received (in 752.000 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 752.000 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

Management0/0:

        received (in 752.540 secs):

                1193 packets    105648 bytes

                1 pkts/sec      140 bytes/sec

        transmitted (in 752.540 secs):

                42939 packets   51105472 bytes

               57 pkts/sec     67910 bytes/sec

      1 minute input rate 1 pkts/sec,  140 bytes/sec

      1 minute output rate 49 pkts/sec,  58717 bytes/sec

     1 minute drop rate, 0 pkts/sec

      5 minute input rate 1 pkts/sec,  139 bytes/sec

      5 minute output rate 58 pkts/sec,  70253 bytes/sec

      5 minute drop rate, 0 pkts/sec


INTFW(config)# show interface

Interface GigabitEthernet0/0 "outside", is up, line protocol is up

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

        MAC address d0d0.fd3f.0ff4, MTU 1500

        IP address x.x.x.6, subnet mask 255.255.255.248

        1243867 packets input, 1097864112 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        9513399 packets output, 1198008338 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops, 0 tx hangs

        input queue (blocks free curr/low): hardware (255/230)

        output queue (blocks free curr/low): hardware (255/0)

  Traffic Statistics for "outside":

        1243866 packets input, 1074333879 bytes

        9513399 packets output, 1023795694 bytes

        24234 packets dropped

      1 minute input rate 1305 pkts/sec,  1069070 bytes/sec

      1 minute output rate 11463 pkts/sec,  1252114 bytes/sec

      1 minute drop rate, 22 pkts/sec

      5 minute input rate 1481 pkts/sec,  1292937 bytes/sec

      5 minute output rate 11642 pkts/sec,  1201762 bytes/sec

      5 minute drop rate, 27 pkts/sec

Interface GigabitEthernet0/1 "inside", is up, line protocol is up

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

        MAC address d0d0.fd3f.0ff5, MTU 1500

        IP address x.x.x.9, subnet mask 255.255.255.248

        9423492 packets input, 1192203893 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        1209991 packets output, 1086417436 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops, 0 tx hangs

        input queue (blocks free curr/low): hardware (255/230)

        output queue (blocks free curr/low): hardware (255/0)

  Traffic Statistics for "inside":

        9423446 packets input, 1020077321 bytes

        1209991 packets output, 1063530712 bytes

        2313 packets dropped

      1 minute input rate 11409 pkts/sec,  1250005 bytes/sec

      1 minute output rate 1280 pkts/sec,  1058571 bytes/sec

      1 minute drop rate, 2 pkts/sec

      5 minute input rate 11543 pkts/sec,  1197691 bytes/sec

      5 minute output rate 1448 pkts/sec,  1282070 bytes/sec

      5 minute drop rate, 2 pkts/sec

Interface GigabitEthernet0/2 "dmz", is up, line protocol is up

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

        MAC address d0d0.fd3f.0ff6, MTU 1500

        IP address x.x.x.17, subnet mask 255.255.255.248

        1239 packets input, 99144 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        1323 packets output, 106072 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops, 0 tx hangs

        input queue (blocks free curr/low): hardware (255/230)

        output queue (blocks free curr/low): hardware (255/136)

  Traffic Statistics for "dmz":

        1239 packets input, 71724 bytes

        1323 packets output, 77092 bytes

        0 packets dropped

      1 minute input rate 1 pkts/sec,  117 bytes/sec

      1 minute output rate 2 pkts/sec,  125 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  37 bytes/sec

      5 minute output rate 1 pkts/sec,  43 bytes/sec

      5 minute drop rate, 0 pkts/sec

Interface GigabitEthernet0/3 "", is administratively down, line protocol is down

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

        Auto-Duplex, Auto-Speed

        Available but not configured via nameif

        MAC address d0d0.fd3f.0ff7, MTU not set

        IP address unassigned

        0 packets input, 0 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        0 packets output, 0 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops, 0 tx hangs

        input queue (blocks free curr/low): hardware (255/255)

        output queue (blocks free curr/low): hardware (255/255)

Interface Management0/0 "folink", is up, line protocol is up

  Hardware is i82557, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Description: LAN/STATE Failover Interface

        MAC address d0d0.fd3f.0ff3, MTU 1500

        IP address x.x.x.1, subnet mask 255.255.255.0

        1292 packets input, 114396 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        46293 packets output, 55107556 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 0 deferred

        0 lost carrier, 0 no carrier

        input queue (curr/max packets): hardware (0/1) software (0/2)

        output queue (curr/max packets): hardware (0/14) software (0/1)

  Traffic Statistics for "folink":

        1292 packets input, 96308 bytes

        46293 packets output, 54459454 bytes

       0 packets dropped

       1 minute input rate 1 pkts/sec,  117 bytes/sec

      1 minute output rate 46 pkts/sec,  54715 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 1 pkts/sec,  117 bytes/sec

      5 minute output rate 58 pkts/sec,  69427 bytes/sec

      5 minute drop rate, 0 pkts/sec


About the show cap inside, the result is huge, but here is a partial result:


INTFW(config)# capture inside interface inside


INTFW(config)# show capture inside


1861 packets captured



   1: 08:37:39.019209 x.x.x.61.110 > x.x.x.20.49957: . 472732794:472734074(1280) ack 1268278275 win 46

    2: 08:37:39.019240 x.x.x.66.1521 > x.x.x.11.39866: P 729052152:729052783(631) ack 1465609040 win 32768

    3: 08:37:39.019255 x.x.x.61.110 > x.x.x.20.49957: . 472734074:472735354(1280) ack 1268278275 win 46

    4: 08:37:39.019270 x.x.x.20.49957 > x.x.x.61.110: . ack 472839034 win 65340

    5: 08:37:39.019286 x.x.x.183.4268 x.x.x.62.445: S 3250706787:3250706787(0) win 65535

   6: 08:37:39.019316 x.x.x.183.4269 > x.x.x.23.445: S 4159126031:4159126031(0) win 65535

   7: 08:37:39.019331 x.x.x .171.3941 x.x.x.51.445: S 1553740699:1553740699(0) win 65535

   8: 08:37:39.019469 x.x.x.49.2424 > x.x.x.100.445: S 2283719153:2283719153(0) win 65535

   9: 08:37:39.019606 x.x.x.177.4408 > x.x.x.71.445: S 3376639730:3376639730(0) win 65535

  10: 08:37:39.019637 x.x.x.177.4407 x.x.x.52.445: S 3066399355:3066399355(0) win 65535

  11: 08:37:39.019652 x.x.x.84.4075 > x.x.x.118.445: S 1447481176:1447481176(0) win 65535

  12: 08:37:39.019667 x.x.x.84.4078 > x.x.x.19.445: S 3779456741:3779456741(0) win 65535

  13: 08:37:39.019682 x.x.x.84.4081 x.x.x.91.445: S 4014525488:4014525488(0) win 65535

  14: 08:37:39.019698 x.x.x.84.4082 x.x.x.117.445: S 320204595:320204595(0) win 65535

  15: 08:37:39.019698 x.x.x.84.4083 > x.x.x.49.445: S 1669588661:1669588661(0) win 65535

  16: 08:37:39.019713 x.x.x.84.4084 x.x.x.117.445: S 3680195247:3680195247(0) win 65535

  17: 08:37:39.019728 x.x.x.84.4085 x.x.x.105.445: S 4046587513:4046587513(0) win 65535

  18: 08:37:39.019743 x.x.x.84.4088 > x.x.x.83.445: S 501999771:501999771(0) win 65535

  19: 08:37:39.019743 x.x.x.84.4089 > x.x.x.115.445: S 247404973:247404973(0) win 65535

  20: 08:37:39.019759 x.x.x.84.4090 > x.x.x.445: S 2900777504:2900777504(0) win 65535

  21: 08:37:39.019774 x.x.x.84.4091 > x.x.x.72.445: S 2976605973:2976605973(0) win 65535

  22: 08:37:39.019789 x.x.x.4706 > x.x.x.47.445: S 3673016963:3673016963(0) win 65535

  23: 08:37:39.019911 x.x.x.62.4695 x.x.x.23.445: S 1247732881:1247732881(0) win 65535

  24: 08:37:39.020033 x.x.x.239.4213 > x.x.x.33.445: S 4000077130:4000077130(0) win 65535

  25: 08:37:39.020155 x.x.x.70.2107 x.x.x.118.445: S 3435131153:3435131153(0) win 65535

  26: 08:37:39.020277 x.x.x.93.1832 x.x.x.32.445: S 609793484:609793484(0) win 65535

  27: 08:37:39.020399 x.x.x.126.2470 x.x.x.94.445: S 3058158037:3058158037(0) win 65535

  28: 08:37:39.020522 x.x.x.70.2108 x.x.x.63.445: S 3611138674:3611138674(0) win 65535

  29: 08:37:39.020796 x.x.x 61.110 > x.x.x.20.49957: . 472735354:472736634(1280) ack 1268278275 win 46

  30: 08:37:39.020811 x.x.x.66.1521 > x.x.x.11.39866: P 729052783:729054163(1380) ack 1465609040 win 32768


Hope this could help


Thanks,

Mark

mparas_04 Thu, 05/10/2012 - 18:12

Hi Mike,


After I sent you the information above, the CPU usage suddenly increased from 86% to 95%. It really worries me.


Thanks,
Mark

mparas_04 Thu, 05/10/2012 - 18:19

Here's the result of show interface/traffic while the usage is 95%.






folink:

        received (in 4239.570 secs):

                6717 packets    500710 bytes

                1 pkts/sec      118 bytes/sec

        transmitted (in 4239.570 secs):

                228659 packets  268674466 bytes

                53 pkts/sec     63373 bytes/sec

      1 minute input rate 1 pkts/sec,  116 bytes/sec

      1 minute output rate 59 pkts/sec,  69824 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 1 pkts/sec,  118 bytes/sec

      5 minute output rate 56 pkts/sec,  66114 bytes/sec

      5 minute drop rate, 0 pkts/sec

outside:

        received (in 4239.570 secs):

                6037913 packets 5176235403 bytes

                1424 pkts/sec   1220934 bytes/sec

        transmitted (in 4239.570 secs):

                49016207 packets        4991253698 bytes

                11561 pkts/sec  1177301 bytes/sec

      1 minute input rate 1337 pkts/sec,  1233748 bytes/sec

      1 minute output rate 11413 pkts/sec,  871624 bytes/sec

      1 minute drop rate, 31 pkts/sec

      5 minute input rate 1255 pkts/sec,  1077565 bytes/sec

      5 minute output rate 11387 pkts/sec,  912641 bytes/sec

      5 minute drop rate, 32 pkts/sec

inside:

        received (in 4240.570 secs):

                48582307 packets        4975073589 bytes

                11456 pkts/sec  1173208 bytes/sec

        transmitted (in 4240.570 secs):

                5876344 packets 5122454084 bytes

                1385 pkts/sec   1207963 bytes/sec

      1 minute input rate 11324 pkts/sec,  868583 bytes/sec

      1 minute output rate 1309 pkts/sec,  1221962 bytes/sec

      1 minute drop rate, 2 pkts/sec

      5 minute input rate 11302 pkts/sec,  910108 bytes/sec

      5 minute output rate 1219 pkts/sec,  1065426 bytes/sec

      5 minute drop rate, 3 pkts/sec

dmz:

        received (in 4240.580 secs):

                8713 packets    488304 bytes

                2 pkts/sec      115 bytes/sec

        transmitted (in 4240.580 secs):

                9145 packets    515852 bytes

                2 pkts/sec      121 bytes/sec

      1 minute input rate 3 pkts/sec,  246 bytes/sec

      1 minute output rate 3 pkts/sec,  254 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 1 pkts/sec,  98 bytes/sec

      5 minute output rate 2 pkts/sec,  104 bytes/sec

      5 minute drop rate, 0 pkts/sec



----------------------------------------

Aggregated Traffic on Physical Interface

----------------------------------------

GigabitEthernet0/0:

        received (in 4240.750 secs):

                6038921 packets 5291388067 bytes

                1424 pkts/sec   1247748 bytes/sec

        transmitted (in 4240.750 secs):

                49029378 packets        5890308249 bytes

                11561 pkts/sec  1388977 bytes/sec

      1 minute input rate 1337 pkts/sec,  1259044 bytes/sec

      1 minute output rate 11413 pkts/sec,  1080710 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 1255 pkts/sec,  1101447 bytes/sec

      5 minute output rate 11387 pkts/sec,  1120950 bytes/sec

      5 minute drop rate, 0 pkts/sec

GigabitEthernet0/1:

        received (in 4240.970 secs):

                48586963 packets        5863132435 bytes

                11456 pkts/sec  1382497 bytes/sec

        transmitted (in 4240.970 secs):

                5876726 packets 5234080445 bytes

                1385 pkts/sec   1234170 bytes/sec

      1 minute input rate 11324 pkts/sec,  1075531 bytes/sec

      1 minute output rate 1309 pkts/sec,  1246617 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 11302 pkts/sec,  1116430 bytes/sec

      5 minute output rate 1219 pkts/sec,  1088789 bytes/sec

      5 minute drop rate, 0 pkts/sec

GigabitEthernet0/2:

        received (in 4241.020 secs):

                8713 packets    685074 bytes

                2 pkts/sec      161 bytes/sec

        transmitted (in 4241.020 secs):

                9145 packets    720740 bytes

                2 pkts/sec      169 bytes/sec

      1 minute input rate 3 pkts/sec,  325 bytes/sec

      1 minute output rate 3 pkts/sec,  335 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 1 pkts/sec,  147 bytes/sec

      5 minute output rate 2 pkts/sec,  155 bytes/sec

      5 minute drop rate, 0 pkts/sec

GigabitEthernet0/3:

        received (in 4241.030 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 4241.030 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

Internal-Control0/0:

        received (in 4241.250 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 4241.250 secs):

                13332 packets   921244 bytes

                3 pkts/sec      217 bytes/sec

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 3 pkts/sec,  217 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 3 pkts/sec,  217 bytes/sec

      5 minute drop rate, 0 pkts/sec

Internal-Data0/0:

        received (in 4241.260 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 4241.260 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

Management0/0:

        received (in 4241.470 secs):

                6721 packets    595108 bytes

                1 pkts/sec      140 bytes/sec

        transmitted (in 4241.470 secs):

                228768 packets  271999784 bytes

                53 pkts/sec     64128 bytes/sec

      1 minute input rate 1 pkts/sec,  138 bytes/sec

      1 minute output rate 59 pkts/sec,  70654 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 1 pkts/sec,  140 bytes/sec

      5 minute output rate 56 pkts/sec,  66900 bytes/sec

      5 minute drop rate, 0 pkts/sec

INTFW#INTFW#   show interface

Interface GigabitEthernet0/0 "outside", is up, line protocol is up

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

        MAC address d0d0.fd3f.0ff4, MTU 1500

        IP address x.x.x.6, subnet mask 255.255.255.248

        6074570 packets input, 5320402892 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        49384576 packets output, 5928936804 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops, 0 tx hangs

        input queue (blocks free curr/low): hardware (255/230)

        output queue (blocks free curr/low): hardware (255/0)

  Traffic Statistics for "outside":

        6074552 packets input, 5205271033 bytes

        49384576 packets output, 5024472630 bytes

        130590 packets dropped

      1 minute input rate 1208 pkts/sec,  1023727 bytes/sec

      1 minute output rate 11329 pkts/sec,  915489 bytes/sec

      1 minute drop rate, 33 pkts/sec

      5 minute input rate 1255 pkts/sec,  1077565 bytes/sec

      5 minute output rate 11387 pkts/sec,  912641 bytes/sec

      5 minute drop rate, 32 pkts/sec

Interface GigabitEthernet0/1 "inside", is up, line protocol is up

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

        MAC address d0d0.fd3f.0ff5, MTU 1500

        IP address x.x.x.9, subnet mask 255.255.255.248

        48938018 packets input, 5901411677 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        44274 input errors, 0 CRC, 0 frame, 44274 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        5911183 packets output, 5262643902 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops, 0 tx hangs

        input queue (blocks free curr/low): hardware (255/230)

        output queue (blocks free curr/low): hardware (255/0)

  Traffic Statistics for "inside":

        48937873 packets input, 5007323456 bytes

        5911183 packets output, 5150641516 bytes

        14369 packets dropped

      1 minute input rate 11262 pkts/sec,  912922 bytes/sec

      1 minute output rate 1174 pkts/sec,  1015701 bytes/sec

      1 minute drop rate, 2 pkts/sec

      5 minute input rate 11302 pkts/sec,  910108 bytes/sec

      5 minute output rate 1219 pkts/sec,  1065426 bytes/sec

      5 minute drop rate, 3 pkts/sec

Interface GigabitEthernet0/2 "dmz", is up, line protocol is up

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

        MAC address d0d0.fd3f.0ff6, MTU 1500

        IP address x.x.x.17, subnet mask 255.255.255.248

        8825 packets input, 697162 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        9261 packets output, 733192 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops, 0 tx hangs

        input queue (blocks free curr/low): hardware (255/230)

        output queue (blocks free curr/low): hardware (255/136)

  Traffic Statistics for "dmz":

        8825 packets input, 498376 bytes

        9261 packets output, 526216 bytes

        0 packets dropped

      1 minute input rate 1 pkts/sec,  83 bytes/sec

      1 minute output rate 2 pkts/sec,  89 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 1 pkts/sec,  98 bytes/sec

      5 minute output rate 2 pkts/sec,  104 bytes/sec

      5 minute drop rate, 0 pkts/sec

Interface GigabitEthernet0/3 "", is administratively down, line protocol is down

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

        Auto-Duplex, Auto-Speed

        Available but not configured via nameif

        MAC address d0d0.fd3f.0ff7, MTU not set

        IP address unassigned

        0 packets input, 0 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        0 packets output, 0 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops, 0 tx hangs

        input queue (blocks free curr/low): hardware (255/255)

        output queue (blocks free curr/low): hardware (255/255)

Interface Management0/0 "folink", is up, line protocol is up

  Hardware is i82557, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Description: LAN/STATE Failover Interface

        MAC address d0d0.fd3f.0ff3, MTU 1500

        IP address x.x.x.1, subnet mask 255.255.255.0

        6772 packets input, 599628 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        230338 packets output, 273856080 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 0 deferred

        0 lost carrier, 0 no carrier

        input queue (curr/max packets): hardware (0/1) software (0/2)

        output queue (curr/max packets): hardware (0/21) software (0/1)

  Traffic Statistics for "folink":

        6772 packets input, 504820 bytes

        230338 packets output, 270631348 bytes

        0 packets dropped

      1 minute input rate 1 pkts/sec,  119 bytes/sec

      1 minute output rate 57 pkts/sec,  67208 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 1 pkts/sec,  118 bytes/sec

      5 minute output rate 56 pkts/sec,  66114 bytes/sec

      5 minute drop rate, 0 pkts/sec


thanks

Maykol Rojas Thu, 05/10/2012 - 18:44
User Badges:
  • Cisco Employee,
  • Featured Participant,

    Best Post, December 2015

Mark,


There is just too much NetBIOS traffic getting to the ASA. Are the domain controllers on the other side of the network, other than the inside? Can you enable the logs on the ASA?



Mike

mparas_04 Thu, 05/10/2012 - 18:52

Hi Mike,


I'm sorry I didn't get your question about the domain controller. The command is logging enable, right? Just want to make sure.


Thanks,

Mark

Maykol Rojas Thu, 05/10/2012 - 19:56

Logging on, but I think it is already enabled. Now, regarding the domain controllers: are they on the same subnet as the clients? Cuz I see a lot of 445 traffic, which is basically NetBIOS over TCP (most commonly known as file shares in any Windows environment). Do you have any of these file shares on another interface different from where the clients are?



Mike

mparas_04 Thu, 05/10/2012 - 20:28

Hi Mike,


Our clients have different subnets, depending on location and department, like x.x.220.0, x.x.221.0, x.x.222.0, x.x.223.0, 224 & 225. And yes, we do share files. Our FTP and our servers reside on the x.x.210.0 network, and the ASA is on the x.x.233.0 network. I'm not really sure if this is what you are asking, but I hope this could help.

The CPU usage remains 94% for more than an hour now.


Thanks,

Mark

Maykol Rojas Thu, 05/10/2012 - 20:36

Were you able to get the logs?



Mike

mparas_04 Thu, 05/10/2012 - 20:56

What is the command?

When I entered show logging, this result shows:

INTFW(config)# show logging

Syslog logging: enabled

    Facility: 16

    Timestamp logging: disabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: disabled

    Trap logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level informational, 2153425037 messages logged


I think this is not the one you are asking.

Maykol Rojas Thu, 05/10/2012 - 20:58

I see you have ASDM; you can go to Monitoring ---> Logging and grab the logs from there, or do logging buffered 6 and then show log.


Mike

mparas_04 Thu, 05/10/2012 - 21:07

Oh yes we are, and I don't even know how to use it yet.

Here is the result; I just did it on the CLI instead.


INTFW(config)# show log

Syslog logging: enabled

    Facility: 16

    Timestamp logging: disabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: level informational, 189920 messages logged

    Trap logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level informational, 2163529896 messages logged

12.84/3306)

<134>:%ASA-session-6-302013: Built outboection 3204397854 for outside:156.99.135.115/445 (156.99.135.115/445) to inside:x.x.211.122/4070 (x.x.211.122/4070)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204397855 for outside:48.29.51.119/445 (48.29.51.119/445) to inside:x.x.212.168/4095 (x.x.212.168/4095)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204397856 for outside:153.29.17.47/445 (153.29.17.47/445) to inside:x.x.215.62/4600 (x.x.215.62/4600)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204397857 for outside:93.96.181.119/445 (93.96.181.119/445) to inside:x.x.216.128/4724 (x.x.216.128/4724)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204397858 for outside:142.117.190.105/445 (142.117.190.105/445) to inside:x.x.211.153/4731 (12.230.211.15session-6-302014: Teardown TCP connection 3204241463 for outside:148.18.251.18/42014: Teardown TCP connection 3204241489 for outside:152.34.30.80/445 to inside:x.x.212.234/3528 duration 0:00:30 bytes 0 SYN Timeout

<134>:%ASA-session-6-302014: Teardown TCP connection 3204241490 fort

<134>:%ASA-session-6-302014: Teardown TCP connection 3204242978 for outside:133.97.126.73/445 to inside:x.x.211.137/3009 duration 0:00:30 bytes 0 SYN Timeout

<134>:%ASA-session-6-302014: Tear12.93/3984)

nection 3204242979 for outside:184.32.145.19/445 to inside:x.x.212 for outside:172.99.172.115/445 (172.99.172.115/445) to inside:x.x.218.192/3260 (x.x.218.192/3260)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204399383 for outside:94.122.223.124/445 (94.122.223.124/445) to inside:x.x.216.127/4647 (x.x.216.127/4647)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204399384 for outside:76.58.162.61/445 (76.58.162.61/445) to inside:x.x.212.93/3985 (x.x.212.93/3985)


<134>:%ASA-see:12.230.212.241/1908 duration 0:00:30 bytes 0 SYN Timeout

<134>:%ASA-session-6-62 for outside:63.68.184.29/445 (63.68.184.29/445) to inside:x.x.215.87/1840 outbound UDP connection 3204405586 for outside:168.126.63.1/53 (168.126.63.1/53) to inside:x.x.217.211/4038 (x.x.217.211/4038)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204405611 for outside:136.102.38.80/445 (136.1012.230.211.180/1197)

<134>:%ASA-session-6-302013: Built outbound TCP connection 2848 duration 0:00:30 bytes 0 SYN Timeout

<134>:%ASA-session-6-302014: Teardown 0:30 bytes 0 SYN Timeout

<134>:%ASA-session-6-302014: Teardown TCP connection 32 0 SYN Timeout

<134>:%ASA-session-6-302014: Teardown TCP connection 3204249238 fside:x.x.211.180/1199 (x.x.211.180/1199)

<134>:%ASA-session-6-302013: Builimeout

<134>:%ASA-session-6-302014: Teardown TCP connection 3204249288 for outsi:%ASA-session-6-302014: Teardown TCP connection 3204249314 for outside:42.29.214sion-6-302014: Teardown TCP connection 3204249340 for outside:181.20.123.79/445  to inside:x.x.211.160/1261 (x.x.211.160/1261)

<134>:%ASA-session-6-302013nection 3204405719 for outside:159.113.13.89/445 (159.113.13.89/445) to inside:10.211.20/4022)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204402014: Teardown TCP connection 3204249371 for outside:80.49.124.112/445 to inside TCP connection 3204249397 for outside:45.93.39.15/445 to inside:x.x.215.48/3n 3204249423/445) to inside:x.x.216.91/2482 (x.x.216.91/2482)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204408253 for outside:152.54.105.115/445 (152.54.105.115/445) to inside:x.x.211.150/3239 (x.x.211.150/3239)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204408254 for outside:64.95.156.117/445 (64.95.156.117/445) to inside:x.x.218.225/4888 (x.x.218.225/4888)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204408255 for outside:59.51.64.61/445 (59.51.64.61/445) to inside:x.x.211.150/3240 (x.x.211.150/3240)

INTFW(config)# ion-6-302013: Built outbound TCP connection 3204408256 for outside:105.52.141.20/445 (1


Thanks,

Mark

Maykol Rojas Thu, 05/10/2012 - 21:15

Mark,


Do you know the following addresses?


152.54.105.115

64.95.156.117

59.51.64.61


What I am seeing so far is just a lot of TCP connections that are not that normal, and most of them end up on SYN timeout. Can you tell me if outbound TCP traffic (445) for file sharing (not FTP, FTP goes over 21) is normal? We can set some policies on the firewall to limit the amount of outbound embryonic connections.


Let me know.


Mike
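
The pattern described in the post above (many outbound TCP/445 connections that end in SYN Timeout) can be tallied per inside host from the buffered syslog to find the machines doing the scanning. This is an added example, not part of the original thread: the function names, the threshold and the sample log lines are assumptions, constructed in the 302013/302014 layout the thread shows.

```python
import re
from collections import defaultdict

# Constructed sample in the 302013/302014 layout shown in the thread.
# Addresses are documentation/private ranges, not values from the original logs.
SAMPLE_LOG = """\
<134>:%ASA-session-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/445 (198.51.100.7/445) to inside:10.0.211.150/3239 (10.0.211.150/3239)
<134>:%ASA-session-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.8/445 (198.51.100.8/445) to inside:10.0.211.150/3240 (10.0.211.150/3240)
<134>:%ASA-session-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.21/445 (203.0.113.21/445) to inside:10.0.211.150/3241 (10.0.211.150/3241)
<134>:%ASA-session-6-302014: Teardown TCP connection 901 for outside:203.0.113.40/445 to inside:10.0.211.150/3100 duration 0:00:30 bytes 0 SYN Timeout
<134>:%ASA-session-6-302014: Teardown TCP connection 902 for outside:203.0.113.41/445 to inside:10.0.211.150/3101 duration 0:00:30 bytes 0 SYN Timeout
<134>:%ASA-session-6-302013: Built outbound TCP connection 1004 for outside:192.0.2.10/445 (192.0.2.10/445) to inside:10.0.212.93/3985 (10.0.212.93/3985)
<134>:%ASA-session-6-302014: Teardown TCP connection 950 for outside:192.0.2.10/445 to inside:10.0.212.93/3980 duration 0:01:12 bytes 5120 TCP FINs
<134>:%ASA-session-6-302015: Built outbound UDP connection 1005 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:10.0.217.211/4038 (10.0.217.211/4038)
<134>:%ASA-session-6-302014: Teardown TCP connection 906 for outsi
<134>:%ASA-session-6-302013: Built outbound TCP connection 1006 for outside:192.0.2.80/80 (192.0.2.80/80) to inside:10.0.211.150/3300 (10.0.211.150/3300)
"""

# Host tokens are matched loosely so redacted addresses (x.x.211.150) still parse.
BUILT = re.compile(
    r"%ASA-\S*302013: Built outbound TCP connection (?P<id>\d+) for "
    r"(?P<oif>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) \([^)\n]*\) to "
    r"(?P<iif>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+)"
)
TEARDOWN = re.compile(
    r"%ASA-\S*302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<oif>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) to "
    r"(?P<iif>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"duration \S+ bytes (?P<bytes>\d+)(?P<syn> SYN Timeout)?"
)


def summarize(log_text, port=445, egress_if="outside"):
    """Per inside host: connections built to `port` through `egress_if`,
    zero-byte SYN Timeout teardowns, and the distinct destinations seen.

    Built and Teardown messages are counted independently because a wrapped
    log buffer rarely holds both records for the same connection id.
    Truncated or interleaved lines simply fail to match and are skipped.
    """
    stats = defaultdict(lambda: {"built": 0, "syn_timeout": 0, "dests": set()})
    for m in BUILT.finditer(log_text):
        if m["oif"] == egress_if and int(m["dport"]) == port:
            entry = stats[m["src"]]
            entry["built"] += 1
            entry["dests"].add(m["dst"])
    for m in TEARDOWN.finditer(log_text):
        never_answered = m["syn"] is not None and m["bytes"] == "0"
        if m["oif"] == egress_if and int(m["dport"]) == port and never_answered:
            entry = stats[m["src"]]
            entry["syn_timeout"] += 1
            entry["dests"].add(m["dst"])
    return stats


def suspects(stats, min_dests=3):
    """Hosts that reached out to at least `min_dests` distinct addresses,
    returned as (host, distinct_dests, built, syn_timeout), busiest first."""
    rows = [
        (host, len(s["dests"]), s["built"], s["syn_timeout"])
        for host, s in stats.items()
        if len(s["dests"]) >= min_dests
    ]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for host, dests, built, timeouts in suspects(summarize(SAMPLE_LOG)):
        print(f"{host}: {dests} distinct TCP/445 targets, "
              f"{built} built, {timeouts} SYN timeouts")
```
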

mparas_04 Thu, 05/10/2012 - 22:05

I don't know those addresses; they're from outside. The first 2 IPs are from the US & the last one came from China, I think. Can you help me set up policies?


Thanks,

Mark

Maykol Rojas Thu, 05/10/2012 - 22:17

Uhm, Sure why not.


First, if no 445 traffic should be going out, block that traffic outbound. Second, we can go ahead and set the policy for half-open sessions on that specific port.


Here,


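! match TCP/445 from any source to any destination
access-list MPF permit tcp any any eq 445

class-map MPF

 match access-list MPF


! limit half-open (embryonic) connections per client for that class
policy-map global_policy

 class MPF

  set connection per-client-embryonic-max 10


If no TCP 445 traffic should be going outbound, do the following


access-list inside deny tcp any any eq 445

access-list inside permit ip any any


! binds ACL "inside" inbound on the inside interface (one ACL per interface and direction)
access-group inside in interface inside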


Mike




mparas_04 Thu, 05/10/2012 - 23:15

I sent the access-list of our ASA in your private messages before I execute this. Is it safe to do this? Will it not affect production?

mparas_04 Fri, 05/11/2012 - 04:31

It can't be done. I entered the commands, and after that the CPU usage dropped so fast. I didn't realize that all the distribution and access switches lost their connections. I removed the commands; now our internet connection fluctuates and the CPU usage of this ASA is now 99%. I don't know what to do with this.

ROBERTO TACCON Fri, 05/11/2012 - 04:53

Check which IP does more traffic:


#sh local-host | i host|count|maximum


and after check the IP detailed for example:


#sh local-host 10.10.10.10 all detail connection

ROBERTO TACCON Fri, 05/11/2012 - 05:07

Do you have an IPS module?


Class-map: global-class

       IPS: card status Unresponsive, mode inline fail-open, sensor vs0

         packet input 197451550328, packet output 197459152624, drop 3901726, reset-drop 395164



#sh module

Maykol Rojas Fri, 05/11/2012 - 21:18

So, we know that it is in fact the traffic hitting the inside interface. Now, I saw something really alarming on one of the access lists that is there, and I think that is when the internet connection issue came in. Did you use the commands I gave you, or did you use ASDM?


A policy needs to be set while you troubleshoot the inside network to mitigate the impact on the ASA.


Let me know when you have time.


Mike

mparas_04 Tue, 05/15/2012 - 17:21

Hey Mike,


Sorry for the late reply. We were so busy because of that CPU usage issue. Well, we found out that it was actually a virus that was making our CPU usage very high. After scanning some PCs on our machine in production, CPU usage suddenly dropped to less than 20%. It was weird, but I'll let you know the details after we figure out how to totally eliminate the worm, actually. Thanks for your help & good luck on your CCIE exam.



Mark

mparas_04 Tue, 05/15/2012 - 17:32

Roberto,


Thanks for the post & sorry I wasn't able to reply. It seems we are on the right track now, but if ever there's an issue again, I'll let you know as well.


Thanks again,

Mark
