Cisco Support Community
New Member

FWSM 3.2(7)

We noticed high CPU utilization after we migrated some services to this firewall. I am wondering if we are hitting a bug? We are also wondering if we need to turn off some inspect commands. Here are the ones that we have turned on:

inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp

Last question: how do I check which processes are eating a lot of CPU on the FWSM?

13 REPLIES
Cisco Employee

Re: FWSM 3.2(7)

Pls. upload two "sh proc" outputs about 3 min. apart.

I can get a diff. and let you know which process is taking a lot of the cpu cycles.
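The diff the reply describes can be scripted instead of eyeballed. The following is an added example, not code from the thread or from Cisco: it parses two "show processes" snapshots, subtracts the cumulative Runtime column per process, and ranks the processes by CPU time consumed between the two captures. The snapshots below are constructed for illustration (the column layout mimics the FWSM/ASA table; the values are not from the poster's device), and the assumption that Runtime is the fifth column is stated in the comments.

```python
"""Rank CPU consumers by diffing two FWSM/ASA-style 'show processes' snapshots."""
import re
from typing import Dict, List, Tuple

# Constructed sample snapshots (not real device output). The layout mimics the
# 'show processes' table: flags, PC, SP, STATE, Runtime (ms), SBASE, Stack, Process.
# Process names may contain spaces ("Dispatch Unit"), so the name is everything
# after the Stack column.
SNAPSHOT_T0 = """\
    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001e3329 00763e7c 0053e5c8          0 00762ef4 3784/4096 arp_timer
Mwe 00205b63 00a2f564 0053e5c8    1500000 00a2e61c 5632/8192 snmp
Lwe 0011c3a0 00a4b1d0 0053e5c8     300000 00a4a1f8 6200/8192 Dispatch Unit
Lsi 00212fa3 00a5c0c0 0053e5c8     120000 00a5b1c4 3900/4096 Logger
Mwe 00198a7b 00a6d234 0053e5c8      80000 00a6c2f8 3500/4096 snp_timer_thread
Lwe 001a44c1 00a7e3a8 0053e5c8      10000 00a7d400 3100/4096 syslog_entry
"""

# Same device about three minutes later (constructed).
SNAPSHOT_T1 = """\
    PC       SP       STATE       Runtime    SBASE     Stack Process
Hsi 001e3329 00763e7c 0053e5c8          0 00762ef4 3784/4096 arp_timer
Mwe 00205b63 00a2f564 0053e5c8    2595097 00a2e61c 5632/8192 snmp
Lwe 0011c3a0 00a4b1d0 0053e5c8     390950 00a4a1f8 6200/8192 Dispatch Unit
Lsi 00212fa3 00a5c0c0 0053e5c8     179202 00a5b1c4 3900/4096 Logger
Mwe 00198a7b 00a6d234 0053e5c8     133529 00a6c2f8 3500/4096 snp_timer_thread
Lwe 001a44c1 00a7e3a8 0053e5c8      16027 00a7d400 3100/4096 syslog_entry
"""

# flags, three hex words, Runtime (decimal), SBASE (hex), used/total stack, name.
LINE_RE = re.compile(
    r"^\s*\S+\s+[0-9a-fA-F]+\s+[0-9a-fA-F]+\s+[0-9a-fA-F]+\s+(\d+)\s+"
    r"[0-9a-fA-F]+\s+\d+/\d+\s+(.+?)\s*$"
)


def parse_show_processes(text: str) -> Dict[str, int]:
    """Map process name -> cumulative Runtime for one snapshot.

    Header, blank and unparseable lines are skipped (the header's 'SP' and
    'STATE' are not hex, so the regex rejects it).
    """
    runtimes: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            runtimes[m.group(2)] = int(m.group(1))
    return runtimes


def rank_cpu_consumers(before: str, after: str, top_n: int = 5) -> List[Tuple[str, int]]:
    """Return the top_n processes by Runtime growth between two snapshots.

    A process missing from the first snapshot is treated as starting at zero,
    so its whole runtime counts as growth. Processes with no growth are dropped.
    """
    t0 = parse_show_processes(before)
    t1 = parse_show_processes(after)
    deltas = [(name, rt - t0.get(name, 0)) for name, rt in t1.items()]
    deltas = [(name, d) for name, d in deltas if d > 0]
    deltas.sort(key=lambda item: item[1], reverse=True)
    return deltas[:top_n]


def runtime_share(before: str, after: str) -> Dict[str, float]:
    """Fraction of total Runtime growth attributable to each process."""
    growth = dict(rank_cpu_consumers(before, after, top_n=10**6))
    total = sum(growth.values())
    return {name: d / total for name, d in growth.items()} if total else {}


if __name__ == "__main__":
    for name, delta in rank_cpu_consumers(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"{name:20s} {delta:>10d} ms  {runtime_share(SNAPSHOT_T0, SNAPSHOT_T1)[name]:6.1%}")
```

Collect both snapshots with the same filter and the same interval you would use on the box; the share column is what tells you whether one process (here the constructed "snmp" line) dominates the growth or whether the load is spread across packet processing.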

New Member

Re: FWSM 3.2(7)

Please see the attached file. Can you please advise how you interpret the output of this command?

Cisco Employee

Re: FWSM 3.2(7)

Check this link for known high CPU issues in the 3.2.7 release.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/release/notes/fwsmrn32.html

Cisco Employee

Re: FWSM 3.2(7)

Here are the top 5:

snmp 1095097
Dispatch Unit 90950
Logger 59202
snp_timer_thread 53529
syslog_entry 6027

Dispatch Unit is just purely packet processing. Try to turn off SNMP and see if it goes down.

New Member

Re: FWSM 3.2(7)

I won't be able to turn off SNMP as this box is in production and it will generate a lot of alarms. Can you advise if this is a bug?

Cisco Employee

Re: FWSM 3.2(7)

Not that I can see. What are you sending to the SNMP host? Syslog? If so, when you see a traffic spike this will go up as well.

Issue sh local | i host|count/limit

Collect the output to a text file and parse through it to see if any one or more hosts have established many TCP or UDP connections. This could indicate an infected host.

When did you notice the CPU spike?

What is the normal CPU that you are used to seeing?

What changes were made prior to the CPU spike?

Issue "sh np blocks" and see if the counters are incrementing.
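Parsing the filtered "show local-host" output by hand gets tedious on a busy firewall. The following is an added example (not from the thread or from Cisco) that reads the text captured from sh local | i host|count/limit, totals the TCP and UDP flow counts per host, and lists the hosts whose connection count exceeds a threshold, which is the "one host with many connections" pattern the reply asks you to look for. The sample output is constructed; the threshold and the exact line wording ("local host: <ip>," and "TCP/UDP flow count/limit = n/limit") are assumptions based on the command's usual layout.

```python
"""Find hosts with unusually many connections in 'show local-host' output."""
import re
from typing import Dict, List, Tuple

# Constructed sample of the output after '| i host|count/limit'. Note that the
# filter also lets through "TCP embryonic count to host" lines, because they
# contain "host"; the parser must ignore those rather than misread them.
SAMPLE_LOCAL_HOST = """\
local host: <10.10.20.15>,
    TCP flow count/limit = 4/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 2/unlimited
local host: <10.10.20.77>,
    TCP flow count/limit = 812/unlimited
    TCP embryonic count to host = 35
    UDP flow count/limit = 1540/unlimited
local host: <10.10.30.9>,
    TCP flow count/limit = 12/500
    TCP embryonic count to host = 0
    UDP flow count/limit = 0/unlimited
"""

HOST_RE = re.compile(r"local host:\s*<([^>]+)>")
COUNT_RE = re.compile(r"(TCP|UDP) flow count/limit\s*=\s*(\d+)/(\d+|unlimited)")


def parse_local_hosts(text: str) -> Dict[str, Dict[str, int]]:
    """Map host address -> {'tcp': n, 'udp': n} from the filtered output.

    Count lines are attributed to the most recent 'local host:' line seen.
    Lines that match neither pattern (e.g. embryonic counts) are skipped.
    """
    hosts: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            current = m.group(1)
            hosts[current] = {"tcp": 0, "udp": 0}
            continue
        m = COUNT_RE.search(line)
        if m and current is not None:
            hosts[current][m.group(1).lower()] = int(m.group(2))
    return hosts


def top_talkers(text: str, threshold: int, top_n: int = 10) -> List[Tuple[str, int, int]]:
    """Hosts whose TCP+UDP flow total is at least `threshold`, busiest first.

    Returns (host, tcp_flows, udp_flows) tuples. The threshold is a site-specific
    assumption: pick it from what 'normal' looks like on your own firewall.
    """
    hosts = parse_local_hosts(text)
    ranked = sorted(
        hosts.items(), key=lambda kv: kv[1]["tcp"] + kv[1]["udp"], reverse=True
    )
    flagged = [
        (ip, counts["tcp"], counts["udp"])
        for ip, counts in ranked
        if counts["tcp"] + counts["udp"] >= threshold
    ]
    return flagged[:top_n]


if __name__ == "__main__":
    # Flag any host holding 100 or more flows (constructed threshold).
    for ip, tcp, udp in top_talkers(SAMPLE_LOCAL_HOST, threshold=100):
        print(f"{ip:16s} tcp={tcp:<6d} udp={udp:<6d} total={tcp + udp}")
```

Save the device output to a file and feed its contents to top_talkers; a single host carrying an outsized share of flows is worth correlating with sh conn and with the host's own logs before deciding whether it is a misbehaving application or an infected machine.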

New Member

Re: FWSM 3.2(7)

sh local | i host|count/limit --> this command didn't show any suspicious infected host. show np blocks is not showing counters being incremented.

We noticed the CPU spike just after migrating servers from an old DMZ to a new DMZ. Normal CPU is 3 - 5%; no changes were made prior to that.

I just noticed that show traffic summary is showing a lot of bytes in and out. Do you think inspect dns might have something to do with this?

Cisco Employee

Re: FWSM 3.2(7)

sh service-policy

should show you if dns inspection is dropping packets.

You can certainly remove dns, netbios and smtp inspections.

Clear traffic and then issue sh traffic and see which interface is seeing the most traffic.

New Member

Re: FWSM 3.2(7)

show service-policy doesn't show dropped packets:

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 12637231, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 63, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Question:

If I remove inspect dns, will it have any impact on production traffic?

Cisco Employee

Re: FWSM 3.2(7)

No there will NOT be any impact on dns traffic. No worries.

Seems like a lot of dns packets.

Are all your mail servers configured for proper DNS ip addresses that are active (alive and well)?

Pls. verify.

New Member

Re: FWSM 3.2(7)

Thanks a lot for your help!

I will try that and will let you know!

New Member

Re: FWSM 3.2(7)

The inspect dns is not the one that is causing high CPU. I removed SNMP and CPU dropped from 25% to 8%. I am wondering if this is a bug? I also noticed that after removing SNMP the firewall stopped processing traffic and we noticed a dip in traffic; see the attached files.

Cisco Employee (Accepted Solution)

Re: FWSM 3.2(7)

I had asked earlier if you were doing the following:

snmp-server enable traps syslog

Pls. remove just the above line.

CSCsl12334 - Pls. refer this defect here:

http://tools.cisco.com/Support/BugToolKit/
