Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1298
Views
0
Helpful
3
Replies

ASA 5510 High Cpu usage caused by disptach unit

networks
Level 1
Level 1

‎07-17-2013 03:07 AM - edited ‎03-11-2019 07:13 PM

Hi,

We have a cisco ASA 5510 running on Software Version 8.0(4)28.

Recently we are seeing high cpu usage as below

ABC-ASA# show cpu usage

CPU utilization for 5 seconds = 53%; 1 minute: 43%; 5 minutes: 45%

ABC-ASA#

and I have notice its becuase of dispatch unit

ABC-ASA# show processes cpu-usage non-zero sorted

PC         Thread       5Sec     1Min     5Min   Process

0817ff94   d442f92c    44.9%    41.1%    42.1%   Dispatch Unit

08b207ad   d4429aa4     2.5%     2.4%     2.3%   Logger

091c6c28   d442af70     0.1%     0.0%     0.0%   Checkheaps

ABC-ASA#

Please advise what should be the avarage cpu and Dispatch unit utilization in the peak connections time .

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎07-17-2013 10:52 AM

Hello,

There is no average CPU usage for an ASA, that will depend of your enviroment (how much traffic is going through the ASA, How many features you have enabled on the box, how many inspection engines are doing DPI, etc ,etc ,etc)

So my recomendation would be:

-Get a baseline of what is your usual CPU usage and from there start monitoring the box, then if you see the CPU incrementing you can let us know,

-FYI Dispatch unit is related to traffic handling of the ASA so in this case the CPU is at 46% due to how it handles traffic and the logging services (most being used by the dispatch unit)

44% is not something to be scared of, unless you were on 2 % this morning and suddenly you go up to 46%

Regards

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

networks
Level 1
Level 1
In response to Julio Carvajal

‎07-18-2013 02:53 AM

Thanks Julio,

We are running DPI default and basic inspection setting as below.

I will keep monitor the CPU usgae and traffic on ASA to see if got any sudden change.

=========

dynamic-access-policy-record DfltAccessPolicy

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

class class-default

  set connection decrement-ttl

!

service-policy global_policy global

prompt hostname context

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to networks

‎07-18-2013 09:28 AM

Hello,

That's all you got to do now, keep an eye on it,

Regards

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card