06-17-2015 10:54 AM - edited 02-21-2020 05:30 AM
I have an ASA 5545-X with SourceFire and the module is reaching over 90% of CPU usage (not all the time, only during working hours). However, I can see that only 1 CPU (there are 6) is reaching that limit. I have two questions: Does the SourceFire module only use 1 CPU for all of its processes? Is there a way to balance the processing load among all available CPUs?
The module has Intrusion, URL & Application and File policies enabled. The ASA is only performing Firewall policy and serves a few remote access VPNs.
In addition, I was using the "security over connectivity" profile in the intrusion policy; nevertheless, after I put the device into production I changed the profile to "connectivity over security" to lower the CPU load, but I can see that the behaviour is the same.
The management is performed by a FireSIGHT Management Center running in a physical appliance.
I thank you in advance for your time.
06-26-2015 05:07 PM
Hmm, interesting question. I believe for the CX modules the ASA got 1 of the 4 cores and the CX IPS got the other 3 cores. Not sure if the same applies for FirePOWER. That type of info can probably only be provided by Cisco so perhaps you can open a TAC case and let us all know :P
Thank you for rating helpful posts!
05-24-2016 07:19 AM
I was having a similar issue called an "elephant flow" during one particular scheduled backup. Only one CPU, CPU5, was spiking to 90+% during the backup period.
More info here:
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200420-Processing-of-Single-Stream-Large-Sessio.html