Cisco Support Community

New Member

ASA5520 high cpu after upgrade

Hi,

We have a problem with high CPU utilization on our ASA 5520.

It started after upgrading from 7.2(2) to 8.2(1).

The CPU utilization went up 30%.

The firewall's job is to protect a web site, no VPN.

Is there any known problem with 8.2(1)?

Best regards

Magnus

9 REPLIES
Cisco Employee

Re: ASA5520 high cpu after upgrade

Magnus (nice name),

     To troubleshoot this issue, you will need to get the output of 'show proc' from the CLI *twice* separated by about 60 seconds. Once you get this output we can determine what is going on. You can also get the output of 'show processes cpu-usage' if your version supports it.

- Magnus
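
The two-snapshot comparison described in the reply above, as an added example that is not part of the original thread: it subtracts each process's Runtime counter between two 'show proc' outputs and ranks processes by CPU time used in the interval. The snapshot text is constructed, and the row layout (flags, PC, SP, STATE, Runtime in ms, SBASE, Stack, Process) is an assumption, since the thread does not show the output.

```python
import re

# Assumed 'show processes' row layout (not shown in the thread):
# flags, PC, SP, STATE, Runtime (ms), SBASE, Stack used/size, process name.
ROW = re.compile(
    r"^\s*(?:\S+\s+)?[0-9a-f]{8}\s+[0-9a-f]{8}\s+[0-9a-f]{8}\s+"
    r"(?P<runtime>\d+)\s+[0-9a-f]{8}\s+\d+/\d+\s+(?P<name>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed snapshots, taken 60 seconds apart (not real device output).
SNAP_1 = """\
    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 00102aa0 0a63f288 0089b068     117460 0a63e2d4 3600/4096 arp_timer
Lsi 00102aa0 0a6423b4 0089b068         10 0a64140c 3824/4096 FragDBGC
Mrd 00ab1c60 0a7c52f4 0089b0b8   41203370 0a7a538c 25196/32768 Dispatch Unit
Mwe 00c9bb04 0a6e1d74 0089b068       5210 0a6dfe6c 7340/8192 Logger
"""
SNAP_2 = """\
    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 00102aa0 0a63f288 0089b068     117480 0a63e2d4 3600/4096 arp_timer
Lsi 00102aa0 0a6423b4 0089b068         10 0a64140c 3824/4096 FragDBGC
Mrd 00ab1c60 0a7c52f4 0089b0b8   41247470 0a7a538c 25196/32768 Dispatch Unit
Mwe 00c9bb04 0a6e1d74 0089b068       5330 0a6dfe6c 7340/8192 Logger
"""

def parse_runtimes(text):
    """Map process name -> Runtime in ms; rows sharing a name are summed."""
    totals = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and any non-row lines are skipped
            totals[m["name"]] = totals.get(m["name"], 0) + int(m["runtime"])
    return totals

def runtime_deltas(first, second, interval_s):
    """Rank processes by CPU ms used between snapshots, with % of the interval."""
    before, after = parse_runtimes(first), parse_runtimes(second)
    rows = []
    for name, end in after.items():
        delta = end - before.get(name, 0)
        if delta > 0:  # idle processes and reset counters (e.g. a reload) drop out
            rows.append((name, delta, round(100.0 * delta / (interval_s * 1000), 1)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for name, ms, pct in runtime_deltas(SNAP_1, SNAP_2, 60):
        print(f"{name:<20} {ms:>8} ms  {pct:>5}%")
```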

New Member

Re: ASA5520 high cpu after upgrade

Hi,

Thanks for the reply.

I have attached two files.

One with "sh processes", "sh cpu use" and one with version.

It is two ASA 5520 with failover Active/Standby.

The high score on CPU is 73%

Best Regards

Magnus

Cisco Employee

Re: ASA5520 high cpu after upgrade

Magnus,

     It looks like Dispatch Unit is the high hitter process. This process is directly tied to traffic processing and traffic inspection. What does the output of 'show service-policy' give you? Any inspection seeing a ton of traffic?

- Magnus

New Member

Re: ASA5520 high cpu after upgrade

Hi,

sh service-policy

Global policy:
   Service-policy: global-policy
     Class-map: global-class
       Inspect: ftp, packet 1579, drop 0, reset-drop 0

Best Regards

Magnus

New Member

Re: ASA5520 high cpu after upgrade

Hi Magnus,

Do you have any information regarding my last contribution?

I hope for information so I can decide what to do.

Best Regards

Magnus

Cisco Employee

Re: ASA5520 high cpu after upgrade

Hello Magnus,

CPU went up to 30% from what? What is the normal CPU?

Release note link for 8.2.x: http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html

You can check the open and closed caveats and see if any high CPU defects match your traffic pattern.

If you have SmartNet, I suggest you open a TAC case so we can collect "sh proc" output 3 min apart and see what the CPU was busy doing in the 3 min.

-KS

New Member

Re: ASA5520 high cpu after upgrade

Hi,

It should be 50% instead of 70%.

I informed you wrongly about 30%; 20% is right.

Regards

Magnus

Cisco Employee

Re: ASA5520 high cpu after upgrade

Magnus,

Our Magnus says dispatch unit is using the most CPU cycles. This means pure packet processing. Seems like one or more interfaces are seeing a lot of traffic.

You can collect

cap capin int inside

cap cain int outside

and look at the captures and see what packets are being seen by the firewall.

As I mentioned before, the best thing at this point is to open a TAC case so we can gather some data live on the firewall and decide what causes the high CPU after the upgrade.

-KS

New Member

Re: ASA5520 high cpu after upgrade

Hi,

I have done some research and found out that there was no change made before and directly after the upgrade from 7.2.2 to 8.2.1.

The bandwidth is the same on the interface; just the CPU went higher.

So I set up a lab environment to test; you can see it in the attachment.

I used Iperf with default settings to generate data through the ASA. I had a PC connected to the console and did a “sh cpu usage”.

The ASA config, see attachment.

The result of the test I did is:

Version      CPU     Bandwidth
asa7.2.2     27%     624Mb
asa8.2.1     65%     607Mb
asa8.2.3     56%     618Mb
asa8.3.2     50%     617Mb

What is the difference between the software?

Why is the CPU utilization so different between the software?

What level of ASA is showing the right numbers?

Best Regards

Magnus
