New Member

Cisco ASA high CPU - 90%-100%

Hi All,

Recently observed constant high CPU on an ASA firewall running version 8.2.5 - 80% utilization. The process consuming the most CPU is the tmatch compile thread, at around 60%. Do you recommend a downgrade to 8.2.3, or is it an open bug in the current version 8.2.5, BugID CSCtw75734?

regards

SecIT

 

5 REPLIES
Cisco Employee

Hello;

The bug you pointed out seems to be due to a software reload. How many ACLs do you have configured on the ASA? It seems like you have reached a maximum, and when the replication starts (if running in an HA pair) it can cause high CPU; this is normal.

 

Mike.

Mike
New Member

Thanks for the update.

We have 2000 ACLs, of which 200 are inactive ACLs and 50 are expired time-based ACLs. I tried disabling HTTP replication during high CPU, which did not reduce the utilization.

Cisco Employee

Hello;

We have not seen that many tickets with Tmatch stuck; it can probably be a one-time problem or something we are overlooking.

Do you have object groups configured? What if you do "show access-lists | inc elements"; how many do you see?

Mike.

Mike
New Member

We do have multiple object groups. By getting the number of access-list elements, you mean to say that if the number of access-list elements is huge, the CPU and memory utilization is higher. Actually, I faced a similar issue a few months ago on a PIX firewall, where the CPU/memory went high due to too many ACL elements. Hence I reduced it by deleting the object groups and reducing the number of access elements. I thought that on the ASA it is different and there is no restriction on the number of objects and the number of ACL entries.

Cisco Employee

Nope, you know, the ASA has a fixed amount of RAM, so there is always a limit.

The real number of ACLs is the one that you see in the output that I gave you. Moreover, it is probably due to the same issue you had before.

Reducing the number of ACLs should fix the problem.

 

Mike.

Mike
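The element count discussed in the replies above can be tracked before and after an ACL cleanup. This is an added example, not part of the thread and not Cisco code: a Python script that totals the per-ACL element counts from saved output of the command Mike quotes and shows the change between two snapshots. The header line format, the sample values and the function names are assumptions made for illustration.

```python
import re

# Assumed header format of "show access-list" on an ASA; the trailing
# "name hash" field is optional because not every release prints it.
HEADER = re.compile(r"^access-list\s+(\S+);\s+(\d+)\s+elements\b")

# Constructed sample output (not from a real device), saved before cleanup.
BEFORE = """\
ASA# show access-list | include elements
access-list outside_in; 41250 elements; name hash: 0x1a2b3c4d
access-list inside_out; 8120 elements; name hash: 0x5e6f7a8b
access-list dmz_in; 630 elements
"""

# Constructed sample after removing unused object groups and one ACL.
AFTER = """\
access-list outside_in; 9800 elements; name hash: 0x1a2b3c4d
access-list inside_out; 8120 elements; name hash: 0x5e6f7a8b
"""

def element_counts(output):
    """Map ACL name -> expanded element count; other lines are ignored."""
    counts = {}
    for line in output.splitlines():
        m = HEADER.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts

def report(output, top=3):
    """Total element count plus the largest ACLs with their share of it."""
    counts = element_counts(output)
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:top]
    share = lambda c: round(100 * c / total, 1) if total else 0.0
    return total, [(name, c, share(c)) for name, c in ranked]

def delta(before, after):
    """Per-ACL change in element count between two snapshots."""
    b, a = element_counts(before), element_counts(after)
    return {n: a.get(n, 0) - b.get(n, 0) for n in sorted(set(a) | set(b))}

if __name__ == "__main__":
    total, biggest = report(BEFORE)
    print("total elements before:", total)
    for name, count, pct in biggest:
        print(f"  {name}: {count} ({pct}%)")
    print("change after cleanup:", delta(BEFORE, AFTER))
```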