Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

high cpu on asa 5520

                   CPU running high on 5520 ASA. Please help identify the process consuming the cpu cycles:

USLAS-C5520FW-COR-03/sec/stby# show proc

    PC       SP       STATE       Runtime    SBASE     Stack Process
Lwe 0x08058a14 0x6debaff4 0x0a32c5c8          0 0x6deb90e8 7568/8192 block_diag
Mrd 0x081d8531 0x6deeb704 0x0a32cf84 1566609399 0x6decb898 119140/131072 Dispatch Unit
Msi 0x0873bf14 0x6df015fc 0x0a32c6f0      40668 0x6deff6f0 7496/8192 WebVPN KCD Process
Mwe 0x084062ed 0x6df065bc 0x0a32c6f0          0 0x6df04760 7504/8192 CF OIR
Mwe 0x08c8e09c 0x6df087e4 0x0a1d3a80          0 0x6df068f8 7880/8192 lina_int
Mwe 0x0807161d 0x6df6935c 0x0a32c6f0          0 0x6df674a0 7616/8192 Reload Control Thread
Mwe 0x080841c9 0x6df742f4 0x0a32dc6c      13210 0x6df70738 12864/16384 aaa
Mwe 0x08f1c31d 0x6e957bf4 0x0a32c6f0          2 0x6df748d0 6864/8192 UserFromCert Thread
Mwe 0x08f1c31d 0x6eb859c4 0x0a32c6f0          2 0x6df76aa8 6336/8192 aaa_shim_thread
Mwe 0x080b17fc 0x6df7f574 0x0a32ecf4          0 0x6df7b678 15760/16384 CMGR Server Process
Mwe 0x080b3e6d 0x6df816bc 0x0a32c6f0          0 0x6df7f810 7640/8192 CMGR Timer Process
Lwe 0x081d6b94 0x6df8c25c 0x0a33d640         87 0x6df8a350 5272/8192 dbgtrace
Msi 0x084a4894 0x6df94a0c 0x0a32c6f0      98847 0x6df92b00 6224/8192 557mcfix
Msi 0x084a4826 0x6df96bb4 0x0a32c6f0         27 0x6df94c98 7480/8192 557statspoll
Mwe 0x084c9b2d 0x6df9d744 0x0a32c6f0          0 0x6df998a8 15296/16384 idfw_proc
Mwe 0x084d5d0b 0x6df9f784 0x0a32c6f0          0 0x6df9d8d8 7640/8192 idfw_service
Mwe 0x084e1965 0x6dfa18dc 0x0a32c6f0          0 0x6df9fa70 7332/8192 idfw_adagent
Mwe 0x08f1c31d 0x6e37ed44 0x0a32c6f0          0 0x6dfccbb0 7088/8192 netfs_thread_init
Mwe 0x0954cbc5 0x6dfdb26c 0x0a32c6f0          0 0x6dfd93f0 7656/8192 Chunk Manager
Msi 0x08ac4cbe 0x6dfdd99c 0x0a32c6f0     244163 0x6dfdbab0 7464/8192 PIX Garbage Collector
Mwe 0x08aa75ba 0x6dfefcfc 0x0a1bf024          0 0x6dfeddf0 7912/8192 IP Address Assign
Mwe 0x08ce3caa 0x6e186cf4 0x0a239ad8          0 0x6e184de8 7912/8192 QoS Support Module
Mwe 0x08b3f76a 0x6e188ecc 0x0a1bff88          0 0x6e186fc0 7912/8192 Client Update Task
Lwe 0x095aa235 0x6e18d85c 0x0a32c6f0    4182227 0x6e1899b0 14400/16384 Checkheaps
Mwe 0x08ce886d 0x6e199fcc 0x0a32c6f0          0 0x6e192160 29544/32768 Quack process
Mwe 0x08d646ed 0x6e1a2184 0x0a32c6f0      14751 0x6e19a2f8 31952/32768 Session Manager
Mwe 0x08eb560d 0x6e1a8494 0x7307b7f8          4 0x6e1a4628 15464/16384 uauth
Mwe 0x08e44c01 0x6e1aa6cc 0x0a24ccd0          0 0x6e1a87c0 7440/8192 Uauth_Proxy
Msp 0x08e85b2e 0x6e1b0b94 0x0a32c6f0      25189 0x6e1aec88 7496/8192 SSL
Mwe 0x08eb3294 0x6e1b2d0c 0x0a252e34          0 0x6e1b0e20 7516/8192 SMTP
Mwe 0x08ead27c 0x6e1b6e54 0x0a252158  147597793 0x6e1b2fb8 9556/16384 Logger
Mwe 0x08eaa95d 0x6e1b8fcc 0x0a32c6f0          0 0x6e1b7150 7592/8192  Syslog Retry Thread
Mwe 0x08ea6d25 0x6e1bb194 0x0a32c6f0          0 0x6e1b92e8 7408/8192 Thread Logger
Mwe 0x08eb1074 0x6e1db3fc 0x0a252800          0 0x6e1d9500 7272/8192 syslogd
Mwe 0x0910bab2 0x6e1e9f14 0x0a28c8c8          0 0x6e1e8028 7136/8192 vpnlb_thread
Mwe 0x091da77c 0x6e1f2544 0x0a291c28          0 0x6e1f0688 7832/8192 pci_nt_bridge
Mwe 0x082b3625 0x6e365624 0x0a32c6f0          0 0x6e363798 7672/8192 TLS Proxy Inspector
Msi 0x08d80ffc 0x6e3f0ebc 0x0a32c6f0     223187 0x6e3eefb0 7496/8192 emweb/cifs_timer
Mwe 0x0883d4f4 0x6e443bdc 0x0a1ae5e4          0 0x6e441ce0 7520/8192 netfs_mount_handler

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

high cpu on asa 5520

Hi,

I could see too many drops due to icmp inspection. I would suggest you to try to disable icmp inspection and then check. To remove icmp inspection type the following command:

no fixup protocol icmp

- Prateek Verma

3 REPLIES
New Member

high cpu on asa 5520

Hi,

Could you provide me with the output of "show interface", "show traffic", "show version" , "show proc cpu-hog" , "show service-policy"?

- Prateek Verma

New Member

high cpu on asa 5520

C5520# show interface
Interface GigabitEthernet0/0 "out", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        MAC address 442b.034a.48cc, MTU 1500
        IP address 74.217.187.4, subnet mask 255.255.255.0
        31287758720 packets input, 8641419928719 bytes, 0 no buffer
        Received 1319231 broadcasts, 0 runts, 0 giants
        5170957 input errors, 0 CRC, 0 frame, 5170957 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        35275879623 packets output, 31142646656714 bytes, 6587026 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 7 interface resets
        0 late collisions, 0 deferred
        1 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (254/0)
  Traffic Statistics for "out":
        31288736169 packets input, 8020672049332 bytes
        35282466668 packets output, 30501437080515 bytes
        287192301 packets dropped
      1 minute input rate 5969 pkts/sec,  1784189 bytes/sec
      1 minute output rate 6718 pkts/sec,  6058920 bytes/sec
      1 minute drop rate, 37 pkts/sec
      5 minute input rate 7280 pkts/sec,  1553975 bytes/sec
      5 minute output rate 8561 pkts/sec,  8204523 bytes/sec
      5 minute drop rate, 45 pkts/sec
Interface GigabitEthernet0/1 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Available but not configured via nameif
        MAC address 442b.034a.48cd, MTU not set
        IP address unassigned
        52168999762 packets input, 35818194803396 bytes, 0 no buffer
        Received 521327008 broadcasts, 0 runts, 0 giants
        562668893 input errors, 0 CRC, 0 frame, 562668893 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        58031698414 packets output, 34273709370416 bytes, 973095 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 7 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (230/0)
Interface GigabitEthernet0/1.1082 "A", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 1082
        MAC address 442b.034a.48cd, MTU 1500
        IP address 10.117.128.1, subnet mask 255.255.224.0
  Traffic Statistics for "A":
        44646222344 packets input, 31467978707486 bytes
        50837578183 packets output, 31685253863384 bytes
        498194153 packets dropped
Interface GigabitEthernet0/1.1083 "B", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 1083
        MAC address 442b.034a.48cd, MTU 1500
        IP address 10.117.160.1, subnet mask 255.255.254.0
  Traffic Statistics for "B":
        226544663 packets input, 38844251889 bytes
        219414668 packets output, 69979181224 bytes
        3466696 packets dropped
Interface GigabitEthernet0/1.1084 "C", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 1084
        MAC address 442b.034a.48cd, MTU 1500
        IP address 10.117.162.1, subnet mask 255.255.255.0
  Traffic Statistics for "C":
        216407550 packets input, 60099525237 bytes
        223544706 packets output, 45777301994 bytes
        2466591 packets dropped
Interface GigabitEthernet0/1.1085 "D", is up, line protocol is up

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        VLAN identifier 1085
        MAC address 442b.034a.48cd, MTU 1500
        IP address 216.52.238.9, subnet mask 255.255.255.248
  Traffic Statistics for "D":
        7084222200 packets input, 3076010664031 bytes
        6752145453 packets output, 1177117774043 bytes
        135212423 packets dropped
Interface GigabitEthernet0/2 "E", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: Nexus 3/9
        MAC address 442b.034a.48ce, MTU 1500
        IP address 10.119.0.138, subnet mask 255.255.255.128
        26411462547 packets input, 25353383299997 bytes, 0 no buffer
        Received 2549800 broadcasts, 0 runts, 0 giants
        2112256 input errors, 0 CRC, 0 frame, 2112256 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        19666566915 packets output, 5683209201703 bytes, 302 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 8 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 762 output reset drops, 3 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (255/4)
  Traffic Statistics for "E":
        26411463127 packets input, 24875969446227 bytes
        19666568184 packets output, 5317879148223 bytes
        6137743 packets dropped
      1 minute input rate 4622 pkts/sec,  5536216 bytes/sec
      1 minute output rate 2206 pkts/sec,  452299 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 4019 pkts/sec,  4295129 bytes/sec
      5 minute output rate 2297 pkts/sec,  552278 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/3 "F", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: LAN/STATE Failover Interface
        MAC address 442b.034a.48cf, MTU 1500
        IP address 10.255.255.1, subnet mask 255.255.255.252
        2366944356 packets input, 2417486508852 bytes, 0 no buffer
        Received 30387 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        3019476858 packets output, 3006340631632 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 3 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (255/0)
  Traffic Statistics for "F":
        2366944271 packets input, 2335503337066 bytes
        3019476760 packets output, 2951988404854 bytes
        0 packets dropped
      1 minute input rate 9 pkts/sec,  658 bytes/sec
      1 minute output rate 382 pkts/sec,  445077 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 9 pkts/sec,  658 bytes/sec
      5 minute output rate 397 pkts/sec,  455688 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Management0/0 "", is administratively down, line protocol is down
  Hardware is i82557, BW 100 Mbps, DLY 100 usec
        Auto-Duplex, Auto-Speed
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address 442b.034a.48cb, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/0) software (0/0)
        output queue (curr/max packets): hardware (1/0) software (0/0)

C5520# show traffic
out:
        received (in 2204753.796 secs):
                31282669010 packets     8019392153273 bytes
                14001 pkts/sec  3637001 bytes/sec
        transmitted (in 2204753.796 secs):
                35275863349 packets     30495532163124 bytes
                15000 pkts/sec  13831000 bytes/sec
      1 minute input rate 5360 pkts/sec,  1147982 bytes/sec
      1 minute output rate 6429 pkts/sec,  5594816 bytes/sec
      1 minute drop rate, 83 pkts/sec
      5 minute input rate 7831 pkts/sec,  1484400 bytes/sec
      5 minute output rate 9265 pkts/sec,  9029273 bytes/sec
      5 minute drop rate, 68 pkts/sec
A:
        received (in 2204753.806 secs):
                44639000398 packets     31462101562518 bytes
                20001 pkts/sec  14270001 bytes/sec
        transmitted (in 2204753.806 secs):
                50829634367 packets     31681255019508 bytes
                23000 pkts/sec  14369000 bytes/sec
      1 minute input rate 7783 pkts/sec,  5819833 bytes/sec
      1 minute output rate 7534 pkts/sec,  4017858 bytes/sec
      1 minute drop rate, 661 pkts/sec
      5 minute input rate 10107 pkts/sec,  9048956 bytes/sec
      5 minute output rate 10671 pkts/sec,  5011613 bytes/sec
      5 minute drop rate, 49 pkts/sec
B: 
        received (in 2204754.396 secs):
                226162919 packets       38813449203 bytes
                1 pkts/sec      17000 bytes/sec
        transmitted (in 2204754.396 secs):
                219031651 packets       69952912517 bytes
                1 pkts/sec      31001 bytes/sec
      1 minute input rate 4 pkts/sec,  428 bytes/sec
      1 minute output rate 3 pkts/sec,  381 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 5 pkts/sec,  551 bytes/sec
      5 minute output rate 4 pkts/sec,  727 bytes/sec
      5 minute drop rate, 0 pkts/sec
C:  
        received (in 2204756.236 secs):
                216033963 packets       60073998917 bytes
                0 pkts/sec      27000 bytes/sec
        transmitted (in 2204756.236 secs):
                223170452 packets       45751649037 bytes
                1 pkts/sec      20001 bytes/sec
      1 minute input rate 4 pkts/sec,  408 bytes/sec
      1 minute output rate 4 pkts/sec,  470 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 4 pkts/sec,  594 bytes/sec
      5 minute output rate 5 pkts/sec,  566 bytes/sec
      5 minute drop rate, 0 pkts/sec
E:        
        received (in 2204756.666 secs):
                26407406219 packets     24872264600108 bytes
                11001 pkts/sec  11281000 bytes/sec
        transmitted (in 2204756.666 secs):
                19663433273 packets     5317158118155 bytes
                8001 pkts/sec   2411001 bytes/sec
      1 minute input rate 3608 pkts/sec,  3750046 bytes/sec
      1 minute output rate 2402 pkts/sec,  672833 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 4681 pkts/sec,  4628016 bytes/sec
      5 minute output rate 2953 pkts/sec,  758421 bytes/sec
      5 minute drop rate, 0 pkts/sec
F:       
        received (in 2204757.096 secs):
                2365240180 packets      2335380927980 bytes
                1000 pkts/sec   1059000 bytes/sec
        transmitted (in 2204757.096 secs):
                3017305594 packets      2951446943254 bytes
                1000 pkts/sec   1338000 bytes/sec
      1 minute input rate 9 pkts/sec,  658 bytes/sec
      1 minute output rate 553 pkts/sec,  524007 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 9 pkts/sec,  660 bytes/sec
      5 minute output rate 537 pkts/sec,  627009 bytes/sec
      5 minute drop rate, 0 pkts/sec
D:
        received (in 2389707.556 secs):
                7082818059 packets      3075567432440 bytes
                2000 pkts/sec   1287000 bytes/sec
        transmitted (in 2389707.556 secs):
                6750680347 packets      1176159942417 bytes
                2001 pkts/sec   492001 bytes/sec
      1 minute input rate 1415 pkts/sec,  326000 bytes/sec
      1 minute output rate 1359 pkts/sec,  874527 bytes/sec
      1 minute drop rate, 3 pkts/sec
      5 minute input rate 1779 pkts/sec,  594144 bytes/sec
      5 minute output rate 1778 pkts/sec,  1095830 bytes/sec
      5 minute drop rate, 3 pkts/sec
             
----------------------------------------
Aggregated Traffic on Physical Interface
----------------------------------------
GigabitEthernet0/0:
        received (in 2204758.086 secs):
                31281728584 packets     8640027157502 bytes
                14001 pkts/sec  3918001 bytes/sec
        transmitted (in 2204758.086 secs):
                35269319769 packets     31136665471571 bytes
                15001 pkts/sec  14122001 bytes/sec
      1 minute input rate 5310 pkts/sec,  1250036 bytes/sec
      1 minute output rate 6382 pkts/sec,  5686121 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 7831 pkts/sec,  1644398 bytes/sec
      5 minute output rate 9265 pkts/sec,  9199238 bytes/sec
      5 minute drop rate, 0 pkts/sec
GigabitEthernet0/1:
        received (in 2204758.506 secs):
                52159689788 packets     35811669068801 bytes
                23001 pkts/sec  16242000 bytes/sec
        transmitted (in 2204758.506 secs):
                58021609728 packets     34268519930265 bytes
                26000 pkts/sec  15542001 bytes/sec
      1 minute input rate 9169 pkts/sec,  6329495 bytes/sec
      1 minute output rate 8862 pkts/sec,  5086417 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 11896 pkts/sec,  9910173 bytes/sec
      5 minute output rate 12459 pkts/sec,  6389260 bytes/sec
      5 minute drop rate, 0 pkts/sec
GigabitEthernet0/2:
        received (in 2204759.826 secs):
                26407428413 packets     25349631934122 bytes
                11001 pkts/sec  11497000 bytes/sec
        transmitted (in 2204759.826 secs):
                19663444029 packets     5682433632578 bytes
                8001 pkts/sec   2577001 bytes/sec
      1 minute input rate 3607 pkts/sec,  3814966 bytes/sec
      1 minute output rate 2401 pkts/sec,  716246 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 4681 pkts/sec,  4712520 bytes/sec
      5 minute output rate 2953 pkts/sec,  812098 bytes/sec
      5 minute drop rate, 0 pkts/sec
GigabitEthernet0/3:
        received (in 2204760.266 secs):
                2365240210 packets      2417333408020 bytes
                1000 pkts/sec   1096000 bytes/sec
        transmitted (in 2204760.266 secs):
                3017306949 packets      3005761666212 bytes
                1000 pkts/sec   1363001 bytes/sec
      1 minute input rate 9 pkts/sec,  821 bytes/sec
      1 minute output rate 553 pkts/sec,  532945 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 9 pkts/sec,  826 bytes/sec
      5 minute output rate 537 pkts/sec,  636679 bytes/sec
      5 minute drop rate, 0 pkts/sec
Management0/0:
        received (in 2204760.696 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 2204760.696 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec


C5520# show ver

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"

C5520 up 1 year 110 days
failover cluster up 1 year 130 days

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

0: Ext: GigabitEthernet0/0  : address is 442b.034a.48cc, irq 9
1: Ext: GigabitEthernet0/1  : address is 442b.034a.48cd, irq 9
2: Ext: GigabitEthernet0/2  : address is 442b.034a.48ce, irq 9
3: Ext: GigabitEthernet0/3  : address is 442b.034a.48cf, irq 9
4: Ext: Management0/0       : address is 442b.034a.48cb, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5
             
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
             
This platform has an ASA 5520 VPN Plus license.
             
             
Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 4              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 4              perpetual
Total UC Proxy Sessions           : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
             
This platform has an ASA 5520 VPN Plus license.
             

C5520# show proc cpu-hog

Process:      NIC status poll, PROC_PC_TOTAL: 15, MAXHOG: 17, LASTHOG: 17
LASTHOG At:   22:13:18 PDT Aug 27 2013
PC:           0x08af2955 (suspend)

Process:      NIC status poll, NUMHOG: 15, MAXHOG: 17, LASTHOG: 17
LASTHOG At:   22:13:18 PDT Aug 27 2013
PC:           0x08af2955 (suspend)
Call stack:   0x08af2955  0x0806882c

Process:      fover_ip, PROC_PC_TOTAL: 9, MAXHOG: 4, LASTHOG: 4
LASTHOG At:   20:13:51 PDT Nov 17 2013
PC:           0x0842c6f4 (suspend)

Process:      snmp, NUMHOG: 5, MAXHOG: 5, LASTHOG: 5
LASTHOG At:   16:47:00 PDT Nov 21 2013
PC:           0x08ef7d09 (suspend)
Call stack:   0x08dd1bef  0x08db1d15  0x08db0654  0x0806882c

Process:      snmp, PROC_PC_TOTAL: 36, MAXHOG: 5, LASTHOG: 5
LASTHOG At:   16:47:00 PDT Nov 21 2013
PC:           0x08ef7d09 (suspend)

Process:      ssh, NUMHOG: 9, MAXHOG: 17, LASTHOG: 17
LASTHOG At:   00:22:03 PDT Nov 22 2013
PC:           0x08a6b7e5 (suspend)
Call stack:   0x08a6b7e5  0x080e680a  0x080e7209  0x080dc702  0x080dd60c  0x0806882c
             
Process:      SNMP Notify Thread, NUMHOG: 4, MAXHOG: 3, LASTHOG: 3
LASTHOG At:   15:02:24 PDT Nov 26 2013
PC:           0x0806a702 (suspend)
Call stack:   0x0806a702  0x08db507d  0x0806882c
             
Process:      arp_timer, PROC_PC_TOTAL: 11, MAXHOG: 11, LASTHOG: 3
LASTHOG At:   03:58:41 PDT Dec 11 2013
PC:           0x0869fe3b (suspend)
             
Process:      arp_timer, NUMHOG: 11, MAXHOG: 11, LASTHOG: 3
LASTHOG At:   03:58:41 PDT Dec 11 2013
PC:           0x0869fe3b (suspend)
Call stack:   0x0869fe3b  0x0806882c
             
Process:      ssh, PROC_PC_TOTAL: 13, MAXHOG: 17, LASTHOG: 5
LASTHOG At:   14:22:57 PDT Dec 18 2013
PC:           0x08a6b7e5 (suspend)
             
Process:      ssh, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
LASTHOG At:   14:22:57 PDT Dec 18 2013
PC:           0x08a6b7e5 (suspend)
Call stack:   0x08a6b7e5  0x095a78d8  0x08a0472d  0x08cc7b73  0x08ccef2e  0x08ccf09e  0x08ccf3f1
              0x08a73645  0x08a6c00b  0x08b7ce53  0x08b7cefd  0x08a6c5e7  0x08a74869  0x08a75d0a
             
Process:      ssh, PROC_PC_TOTAL: 35, MAXHOG: 28, LASTHOG: 5
LASTHOG At:   01:17:14 PDT Dec 20 2013
PC:           0x0806a702 (suspend)
             
Process:      ssh, NUMHOG: 7, MAXHOG: 5, LASTHOG: 5
LASTHOG At:   01:17:14 PDT Dec 20 2013
PC:           0x0806a702 (suspend)
Call stack:   0x0806a702  0x08a73407  0x08a6c00b  0x08b7ce53  0x08b7cefd  0x08a6c5e7  0x08a74869
              0x08a75d0a  0x080da27f  0x080dc89f  0x080dd60c  0x0806882c
             
Process:      ssh, PROC_PC_TOTAL: 44, MAXHOG: 18, LASTHOG: 3
LASTHOG At:   22:00:15 PDT Jan 21 2014
PC:           0x08e6c2f5 (suspend)
             
Process:      ssh, NUMHOG: 43, MAXHOG: 18, LASTHOG: 3
LASTHOG At:   22:00:15 PDT Jan 21 2014
PC:           0x08e6c2f5 (suspend)
Call stack:   0x08e6c2f5  0x08e7b146  0x08e6fc34  0x08e6fe28  0x08e6ff1d  0x08a6b71f  0x095a78d8
              0x08a6c5f3  0x08a74869  0x08a75d0a  0x080da27f  0x080dc89f  0x080dd60c  0x0806882c
             
Process:      ssh_init, PROC_PC_TOTAL: 733, MAXHOG: 3, LASTHOG: 2
LASTHOG At:   08:50:14 PDT Jan 22 2014
PC:           0x0842db27 (suspend)
             
Process:      ssh_init, NUMHOG: 733, MAXHOG: 3, LASTHOG: 2
LASTHOG At:   08:50:14 PDT Jan 22 2014
PC:           0x0842db27 (suspend)
Call stack:   0x0842e360  0x08429281  0x08153d45  0x08c44a72  0x08c10d8d  0x08e717d7  0x08e70921
              0x0806882c
             
Process:      ARP Thread, NUMHOG: 173429, MAXHOG: 34, LASTHOG: 2
LASTHOG At:   12:16:19 PDT Jan 22 2014
PC:           0x0869edd5 (suspend)
Call stack:   0x0869edd5  0x0806882c
             
Process:      ARP Thread, PROC_PC_TOTAL: 1341939, MAXHOG: 47, LASTHOG: 6
LASTHOG At:   12:16:19 PDT Jan 22 2014
PC:           0x0869edd5 (suspend)
             
Process:      ARP Thread, PROC_PC_TOTAL: 23373, MAXHOG: 19, LASTHOG: 4
LASTHOG At:   12:16:19 PDT Jan 22 2014
PC:           0x0869ed5e (suspend)
             
Process:      arp_timer, PROC_PC_TOTAL: 331, MAXHOG: 12, LASTHOG: 3
LASTHOG At:   12:17:02 PDT Jan 22 2014
PC:           0x0869fda8 (suspend)
             
Process:      ARP Thread, NUMHOG: 23713, MAXHOG: 19, LASTHOG: 3
LASTHOG At:   12:17:02 PDT Jan 22 2014
PC:           0x0869ed5e (suspend)
Call stack:   0x0806882c
             
Process:      snmp, PROC_PC_TOTAL: 64734, MAXHOG: 6, LASTHOG: 5
LASTHOG At:   12:19:19 PDT Jan 22 2014
PC:           0x08dd928e (suspend)
             
Process:      snmp, NUMHOG: 64721, MAXHOG: 6, LASTHOG: 5
LASTHOG At:   12:19:19 PDT Jan 22 2014
PC:           0x08dd928e (suspend)
Call stack:   0x08dd928e  0x08dd838b  0x08dd522e  0x08dd7e36  0x08db1eeb  0x08db0654  0x0806882c
             
             
Process:      Dispatch Unit, PROC_PC_TOTAL: 34129, MAXHOG: 11, LASTHOG: 2
LASTHOG At:   12:20:40 PDT Jan 22 2014
PC:           0x081d8531 (suspend)
             
Process:      Dispatch Unit, NUMHOG: 34119, MAXHOG: 11, LASTHOG: 2
LASTHOG At:   12:20:40 PDT Jan 22 2014
PC:           0x081d8531 (suspend)
Call stack:   0x081d8531  0x0806882c
             
Process:      Dispatch Unit, PROC_PC_TOTAL: 3779629, MAXHOG: 10, LASTHOG: 3
LASTHOG At:   12:20:58 PDT Jan 22 2014
PC:           0x081d86d2 (suspend)
             
Process:      Dispatch Unit, NUMHOG: 2169408, MAXHOG: 10, LASTHOG: 3
LASTHOG At:   12:20:58 PDT Jan 22 2014
PC:           0x081d86d2 (suspend)
Call stack:   0x081d86d2  0x0806882c
             
Process:      Dispatch Unit, PROC_PC_TOTAL: 13044212, MAXHOG: 20, LASTHOG: 3
LASTHOG At:   12:20:58 PDT Jan 22 2014
PC:           0x081d87aa (suspend)
             
Process:      Dispatch Unit, NUMHOG: 7692052, MAXHOG: 20, LASTHOG: 3
LASTHOG At:   12:20:58 PDT Jan 22 2014
PC:           0x081d87aa (suspend)
Call stack:   0x081d87aa  0x080688


C5520# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 9355136, drop 0, reset-drop 0
      Inspect: netbios, packet 4952901, drop 0, reset-drop 0
      Inspect: tftp, packet 106270, drop 46, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
      Inspect: http, packet 1858524585, drop 28, reset-drop 0
      Inspect: icmp, packet 104686187, drop 275186, reset-drop 0
    Class-map: tcp_bypass
      Set connection policy:         drop 0
      Set connection timeout policy:
        idle 0:05:00
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
      Set connection advanced-options: tcp-state-bypass
    Class-map: smtp-class
      Set connection policy:         drop 0
      Set connection timeout policy:
        idle 0:05:00
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
    Class-map: class-default

      Default Queueing      Set connection policy:         drop 2073057
      Set connection decrement-ttl
             
Interface A:
  Service-policy: pure_policy
    Class-map: puretimeout
      Set connection policy:         drop 0
      Set connection timeout policy:
        idle 0:00:00
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
             
Interface E:
  Service-policy: pure_policy
    Class-map: puretimeout
      Set connection policy:         drop 0
      Set connection timeout policy:
        idle 0:00:00
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
             
Interface D:
  Service-policy: tcp_bypass_policy
    Class-map: tcp_bypass
      Set connection policy:         drop 0
      Set connection timeout policy:
        idle 0:05:00
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
      Set connection advanced-options: tcp-state-bypass

New Member

high cpu on asa 5520

Hi,

I could see too many drops due to icmp inspection. I would suggest you to try to disable icmp inspection and then check. To remove icmp inspection type the following command:

no fixup protocol icmp

- Prateek Verma

669
Views
0
Helpful
3
Replies