We have our firewall hitting 98% on some occasions, and it has a pretty huge connection count of 15561. This was usual, and utilization used to stay at 50 to 60%, but suddenly it spikes up to 98% for a day and comes back to 50 the next morning.
I tried all I can, but we are not able to figure out what was happening.
But here is what the log shows:
Deny ICMP reverse path check from x.x.x.x to x.x.x.x on interface outside
We have reverse path specified on outside, and this message is the only one we have in the log, and this is supposed to be informational. Can someone help me out with this?
Thank you so much in advance.
You should not be doing reverse path checking on the outside interface. Reverse path checking is typically done on interior interfaces to ensure traffic received at the FW interface was sourced from the network the FW interface is configured for. This stops interior hosts from spoofing addresses. Almost all traffic hitting the outside interface will be sourced from a different network than the outside interface IP range. So this is not needed and will be resource intensive.
Would this be the reason for high CPU?
CPU stays good for a few days and suddenly spikes up to 98 for a day. Everything seems fine.
Do you think verify path on inside would reduce our CPU utilization without any impact?
I apologize, enabling reverse path forwarding is a viable config for the outside interface. It ensures that packets sourced from the outside are not spoofed packets. Perhaps there is a large amount of spoofed traffic hitting the outside interface of your ASA.
What is the source IP of the traffic in the log message? Is it an address that is used on the inside of the ASA?
Sorry for the confusion, not sure what I was thinking about.
The only thing I can think of is that your routing table on the ASA is routing packets received on the outside out a different interface (i.e. not the outside interface?)
It could be the following:
1) Someone is directing spoofed traffic to the outside interface; verify via commands
2) Routing on the ASA is asymmetrical causing issues
Here is a link on uRPF
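The question above is whether the source addresses in the "Deny ICMP reverse path check ... on interface outside" messages belong to prefixes that live on the inside of the ASA (spoofing) or are simply arriving via an asymmetric path. The script below is an added example and not code from anyone in this thread: it parses syslog lines shaped like the quoted message (ASA message 106021), tallies denies per source, and classifies each source against an assumed inside prefix list. The log lines and the inside prefix are constructed for illustration; substitute the real routing table.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in the shape of the message quoted in the thread.
# Addresses are RFC 1918 and documentation ranges, not real hosts.
SAMPLE_LOG = """\
%ASA-1-106021: Deny ICMP reverse path check from 10.1.2.3 to 203.0.113.10 on interface outside
%ASA-1-106021: Deny ICMP reverse path check from 10.1.2.3 to 203.0.113.11 on interface outside
%ASA-1-106021: Deny TCP reverse path check from 198.51.100.7 to 203.0.113.10 on interface outside
%ASA-1-106021: Deny ICMP reverse path check from 192.0.2.44 to 203.0.113.10 on interface outside
%ASA-1-106021: Deny UDP reverse path check from 10.1.2.3 to 203.0.113.12 on interface outside
%ASA-1-106021: Deny ICMP reverse path check from 192.168.50.9 to 203.0.113.10 on interface outside
"""

# Assumed inside prefixes of the hypothetical ASA (replace with the real ones).
INSIDE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]

# Address space that should never arrive from the Internet side regardless of routing.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

RPF_DENY = re.compile(
    r"Deny (?P<proto>\S+) reverse path check from (?P<src>[0-9a-fA-F.:]+) "
    r"to (?P<dst>[0-9a-fA-F.:]+) on interface (?P<ifc>\S+)"
)


def parse_rpf_denies(text):
    """Yield (proto, src, dst, ifc) for every reverse-path deny line in the text."""
    for line in text.splitlines():
        m = RPF_DENY.search(line)
        if m:
            yield m.group("proto"), m.group("src"), m.group("dst"), m.group("ifc")


def classify_source(src, inside_prefixes=INSIDE_PREFIXES):
    """Classify an outside-interface source address.

    'inside-spoofed'  : claims a prefix that lives behind the ASA (the case asked about)
    'non-routable'    : private/reserved space that should not appear on the outside
    'external'        : a public address, so the deny is more likely an asymmetric route
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in inside_prefixes):
        return "inside-spoofed"
    if any(addr in net for net in NON_ROUTABLE):
        return "non-routable"
    return "external"


def summarize(text, inside_prefixes=INSIDE_PREFIXES):
    """Return (denies per source, denies per classification) for the given log text."""
    per_source = Counter()
    per_class = Counter()
    for _proto, src, _dst, _ifc in parse_rpf_denies(text):
        per_source[src] += 1
        per_class[classify_source(src, inside_prefixes)] += 1
    return per_source, per_class


if __name__ == "__main__":
    sources, classes = summarize(SAMPLE_LOG)
    print("top sources:", sources.most_common(3))
    print("by class:", dict(classes))
```

A large count in the inside-spoofed bucket means uRPF on outside is doing exactly what the reply above describes; a dominant external bucket points at asymmetric routing on the ASA instead.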
Invalid TCP Length (invalid-tcp-hdr-length) 40
Invalid UDP Length (invalid-udp-length) 2418
No valid adjacency (no-adjacency) 1595
Reverse-path verify failed (rpf-violated) 3488
Flow is denied by configured rule (acl-drop) 200124160
Flow denied due to resource limitation (unable-to-create-flow) 6
First TCP packet not SYN (tcp-not-syn) 15433941
Bad TCP flags (bad-tcp-flags) 13406
Bad option length in TCP (tcp-bad-option-len) 1386
TCP data exceeded MSS (tcp-mss-exceeded) 2744046
TCP data send after FIN (tcp-data-past-fin) 29
TCP failed 3 way handshake (tcp-3whs-failed) 1089609
TCP RST/FIN out of order (tcp-rstfin-ooo) 762692
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 35774
TCP SYNACK on established conn (tcp-synack-ooo) 5
TCP packet SEQ past window (tcp-seq-past-win) 265
TCP invalid ACK (tcp-invalid-ack) 6200
TCP replicated flow pak drop (tcp-fo-drop) 3236
TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 24
TCP Out-of-Order packet buffer full (tcp-buffer-full) 192174
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 189557
TCP RST/SYN in window (tcp-rst-syn-in-win) 967336
TCP DUP and has been ACKed (tcp-acked) 4614408
TCP packet failed PAWS test (tcp-paws-fail) 18666
IPSEC tunnel is down (ipsec-tun-down) 429
Early security checks failed (security-failed) 17
Slowpath security checks failed (sp-security-failed) 11519
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 48483
DNS Guard id not matched (dns-guard-id-not-matched) 194207284
Interface is down (interface-down) 252
Invalid app length (invalid-app-length) 4584
Last clearing: Never
NAT failed (nat-failed) 265228
Need to start IKE negotiation (need-ike) 63888
Inspection failure (inspect-fail) 98752656
interface outside: 3488 unicast rpf drops
interface inside: 0 unicast rpf drops
interface IDMZ: 0 unicast rpf drops
interface PUB-DMZ: 0 unicast rpf drops
interface inside2-failover: 0 unicast rpf drops
interface VDMZ-SprintVPN: 0 unicast rpf drops
interface VDMZ-SprintDNS: 0 unicast rpf drops
interface VDMZ-CSG: 0 unicast rpf drops
interface intf5: 0 unicast rpf drops
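The counters pasted above are cumulative since boot ("Last clearing: Never"), so their absolute values say little about what is happening during a spike; what matters is which counters move over an interval. The following is an added example, not code from the thread or from Cisco: it parses lines in the format of the "show asp drop" output above, ranks the drop reasons, and diffs two snapshots. The first snapshot reuses a few of the posted lines; the second snapshot is constructed to stand in for a reading taken later during a spike.

```python
import re

# Subset of the "show asp drop" lines posted in the thread (cumulative counters).
SNAPSHOT_T0 = """\
Reverse-path verify failed (rpf-violated) 3488
Flow is denied by configured rule (acl-drop) 200124160
First TCP packet not SYN (tcp-not-syn) 15433941
DNS Guard id not matched (dns-guard-id-not-matched) 194207284
Last clearing: Never
NAT failed (nat-failed) 265228
Inspection failure (inspect-fail) 98752656
"""

# Constructed second snapshot, as if taken one interval later during a CPU spike.
SNAPSHOT_T1 = """\
Reverse-path verify failed (rpf-violated) 3490
Flow is denied by configured rule (acl-drop) 200124900
First TCP packet not SYN (tcp-not-syn) 15434000
DNS Guard id not matched (dns-guard-id-not-matched) 195207284
Last clearing: Never
NAT failed (nat-failed) 265230
Inspection failure (inspect-fail) 98752700
"""

# "<description> (<reason-name>) <count>"; lines such as "Last clearing: Never" are skipped.
LINE = re.compile(r"^(?P<desc>.+?) \((?P<name>[a-z0-9-]+)\) (?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Map reason name (e.g. 'rpf-violated') to its cumulative drop count."""
    counters = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def top_reasons(counters, n=3):
    """Largest n counters, highest first."""
    return sorted(counters.items(), key=lambda kv: kv[1], reverse=True)[:n]


def delta(before, after):
    """Per-reason increase between two snapshots; new reasons count from zero."""
    return {name: after[name] - before.get(name, 0) for name in after}


def share(counters, name):
    """Fraction of all parsed drops attributed to one reason."""
    total = sum(counters.values())
    return counters.get(name, 0) / total if total else 0.0


if __name__ == "__main__":
    t0 = parse_asp_drop(SNAPSHOT_T0)
    t1 = parse_asp_drop(SNAPSHOT_T1)
    print("cumulative top:", top_reasons(t0))
    print("rpf-violated share:", share(t0, "rpf-violated"))
    print("moved most during interval:", top_reasons(delta(t0, t1)))
```

Run against the full output, the 3488 reverse-path drops are a negligible fraction of the total, so the uRPF message in syslog is not what is consuming the CPU; the interval diff is the figure to compare against the CPU graph.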
If there are more than 100 object groups and ACLs configured, then try the following command on your PIX