Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
835
Views
0
Helpful
2
Replies

ASA 5540 Version 7.2(2) CPU spike

mattbclarke
Level 1
Level 1

‎01-25-2007 09:30 AM - edited ‎03-11-2019 02:24 AM

Hi,

First a bit of history

A few months ago we upgraded our PIX 515 from version 6.3(5) to version 7.2.1. we then suffered the consequences with a very heavily utilised CPU and packet loss.. the thing was idling around 50% cpu..

Anyway we have just recently replaced out PIX failover pair with a pair of ASA 5540 running version 7.2(2). Initially the replacement went fine and things seem to work ok. However we now seem to have the same problem we had before???!!! I would say total firewall throughput across all 12 physical and logical interfaces is less than 100Mbps , xlates and connections are low and all interfaces are good..

The ASA's initially seemed to be good and idle along most of the time at around 5% cpu however we have started so noticed a few issues with some of our VOIP (this goes inside a dmvpn tunnel that passes through the PIX)... so I enabled prioriry queues on the ASA

Looking into the VOIP problems it seems that the ASA CPU seems to spike at around 99% for maybe a second (long enough for voip) and then drops..... not sure why this is happening... the ASA 5540 are supposed to be able to handle 650Mbps...???

Could this be some sort of bug? If I show CPU hog on the ASA we get the following?

Process: Dispatch Unit, NUMHOG: 1406, MAXHOG: 9084, LASTHOG: 1010

LASTHOG At: 17:12:59 UTC Jan 25 2007

PC: 89cd5d

Traceback: 2f16b3 2f0f4d 2f4b81 2ed253 74bbd7 7411ce c3a905

c3ae4f c3b334 740fab 74bf38 74e086 62b970 21906a

I know that this unit is more than capable of handling this.. our old 515E was... can anyone shed any light on this?

Thanks

Matt

Labels:
0 Helpful
2 Replies 2

amritpatek
Level 6
Level 6

‎02-01-2007 07:15 AM

It looks like a bug, I suggest you rio change the encryption type. If you are AES -128, changed to 3DES encryption for the VPN traffic.

0 Helpful

mattbclarke
Level 1
Level 1
In response to amritpatek

‎02-01-2007 07:28 AM

Hi,

I got to the bottom of this, it seemed to be related to esmtp fixup. I turned this off and cpu hog went away... Looking in the logs fixup was not liking some of our mail...

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card