ASA - High CPU load because of NTP and DNS

Eric Snijders, Level 1

Let's start by a simple topology:

<inside LAN> --> ASA1 --> ASA2
                             \
                              >>>>> Outside

We're having CPU load issues which seem to be caused by DNS and NTP. We have a few devices behind the firewall trying to NTP and DNS to something on the "outside" of this ASA which isn't reachable, but for some reason the traffic keeps "bouncing" between the 2 ASAs (even though the route on ASA1 isn't even to ASA2, so I guess it's all broadcast traffic).

Even when we edit the hosts in the LAN to stop using the specific NTP or DNS server, the traffic keeps going between the 2 ASAs. The only solution we have so far is to edit the hosts on the LAN and temporarily disable one of the ports between ASA1 and ASA2.

Example output of "show traffic" on ASA2 (where the traffic shouldn't even arrive):

management:
received (in 613283.940 secs):
196181832997 packets 12697338634695 bytes
319005 pkts/sec 20703002 bytes/sec
transmitted (in 613283.940 secs):
196181905835 packets 12697516949637 bytes
319005 pkts/sec 20704000 bytes/sec
1 minute input rate 88902 pkts/sec, 5603250 bytes/sec
1 minute output rate 88905 pkts/sec, 5605051 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 91747 pkts/sec, 5816776 bytes/sec
5 minute output rate 91750 pkts/sec, 5818590 bytes/sec
5 minute drop rate, 0 pkts/sec


Why aren't those packets hitting the TTL, and why does the traffic keep bouncing even when we disable the hosts or even shut down the (sub)interface of the hosts?
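The "show traffic" counters above are the only evidence the post has for the loop, and the telling pattern in them is a management interface whose 1-minute input and output rates are nearly identical (88902 vs 88905 pkts/sec) at a rate far above anything a handful of NTP/DNS clients would produce. The following script is an added example, not code from the thread or from Cisco: it parses the "show traffic" output format shown in the post and flags interfaces with that symmetric high-rate signature, which is what you would want to alarm on before CPU climbs. The "management:" block is copied from the post; the "outside:" block, the 10,000 pkts/sec floor and the 1% symmetry tolerance are constructed assumptions chosen only to illustrate the check.

```python
import re
from dataclasses import dataclass

# Sample "show traffic" output. The "management:" block is copied from the
# thread; the "outside:" block is constructed here as a non-looping contrast
# case and is not from the original post.
SAMPLE = """\
management:
received (in 613283.940 secs):
196181832997 packets 12697338634695 bytes
319005 pkts/sec 20703002 bytes/sec
transmitted (in 613283.940 secs):
196181905835 packets 12697516949637 bytes
319005 pkts/sec 20704000 bytes/sec
1 minute input rate 88902 pkts/sec, 5603250 bytes/sec
1 minute output rate 88905 pkts/sec, 5605051 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 91747 pkts/sec, 5816776 bytes/sec
5 minute output rate 91750 pkts/sec, 5818590 bytes/sec
5 minute drop rate, 0 pkts/sec
outside:
received (in 613283.940 secs):
920000000 packets 73600000000 bytes
1500 pkts/sec 120000 bytes/sec
transmitted (in 613283.940 secs):
61000000 packets 4880000000 bytes
99 pkts/sec 7960 bytes/sec
1 minute input rate 15000 pkts/sec, 1200000 bytes/sec
1 minute output rate 2100 pkts/sec, 168000 bytes/sec
1 minute drop rate, 12 pkts/sec
5 minute input rate 14800 pkts/sec, 1184000 bytes/sec
5 minute output rate 2050 pkts/sec, 164000 bytes/sec
5 minute drop rate, 10 pkts/sec
"""


@dataclass
class IfaceStats:
    """Per-interface counters pulled from one 'show traffic' block."""
    name: str
    secs: float = 0.0          # uptime window the cumulative counters cover
    rx_packets: int = 0
    tx_packets: int = 0
    rate_1m_in: int = 0        # pkts/sec
    rate_1m_out: int = 0
    rate_5m_in: int = 0
    rate_5m_out: int = 0


_IFACE = re.compile(r"([A-Za-z0-9_./-]+):")
_WINDOW = re.compile(r"(received|transmitted) \(in ([\d.]+) secs\):")
_TOTALS = re.compile(r"(\d+) packets (\d+) bytes")
_RATE = re.compile(r"(\d+) minute (input|output) rate (\d+) pkts/sec, (\d+) bytes/sec")


def parse_show_traffic(text):
    """Return {interface name: IfaceStats} for every block in the output."""
    ifaces = {}
    cur = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _IFACE.fullmatch(line)
        if m:                                  # "management:" starts a new block
            cur = IfaceStats(m.group(1))
            ifaces[cur.name] = cur
            section = None
            continue
        if cur is None:
            continue
        m = _WINDOW.fullmatch(line)
        if m:                                  # "received (in N secs):"
            section = m.group(1)
            cur.secs = float(m.group(2))
            continue
        m = _TOTALS.fullmatch(line)
        if m and section:                      # cumulative packet/byte totals
            if section == "received":
                cur.rx_packets = int(m.group(1))
            else:
                cur.tx_packets = int(m.group(1))
            continue
        m = _RATE.fullmatch(line)
        if m:                                  # 1/5 minute input/output rates
            direction = "in" if m.group(2) == "input" else "out"
            setattr(cur, f"rate_{m.group(1)}m_{direction}", int(m.group(3)))
    return ifaces


def average_rx_pps(stats):
    """Long-term average receive rate from the cumulative counters."""
    return stats.rx_packets / stats.secs if stats.secs else 0.0


def looping_interfaces(ifaces, min_pps=10_000, symmetry=0.01):
    """Flag interfaces whose 1-minute in/out rates are high and nearly equal.

    A bounce between two devices shows up as every packet received being
    sent straight back out, so input and output pkts/sec track each other.
    Thresholds are assumptions for this example, not ASA defaults.
    """
    hits = []
    for s in ifaces.values():
        if s.rate_1m_in < min_pps:
            continue
        if abs(s.rate_1m_in - s.rate_1m_out) <= symmetry * s.rate_1m_in:
            hits.append(s.name)
    return hits


if __name__ == "__main__":
    stats = parse_show_traffic(SAMPLE)
    for name, s in stats.items():
        print(f"{name}: 1m in={s.rate_1m_in} out={s.rate_1m_out} pkts/sec, "
              f"lifetime avg rx={average_rx_pps(s):.0f} pkts/sec")
    print("looping signature on:", looping_interfaces(stats))
```

Run against the post's output the script flags only "management"; the constructed "outside" block is busy but asymmetric, which is what a normal ingress-heavy edge looks like. The lifetime average (about 320k pkts/sec over the 613,283-second window) versus the 1-minute rate (89k) also shows the condition has been present, on and off, for the whole uptime, not just since the hosts were changed.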

2 Replies

Hi,

One thing we can be sure of: if you disabled the host interface and you keep seeing traffic, this traffic is not from the machine.

Share the show running-config from both firewalls please, and a more detailed topology with physical connections.

andre.ortega, Spotlight

It does not make sense.
Broadcast doesn't go from one L3 interface to another.
Why could these hosts be generating so much traffic to NTP and DNS?
How do you know that traffic is to NTP and DNS? Can't you just block the traffic on the ASA?
