We have an ASA 5520 with AIP-SSM-10. The box is used only as IPS. The firewall itself is configured with a "permit any any" for IP/TCP/UDP/ICMP traffic in transparent mode. All traffic is directed to SSM-10.
The SSM-10 operates constantly at 80-100% CPU utilization and applications are suffering. Traffic rate is about 30Mbps. 90% of traffic is https. Even when no traffic is directed to the SSM-10, it operates at 20% CPU utilization.
We have no idea what is causing this. What might be causing this situation?
Below is the relevant ASA config.
ASA Version 8.0(4)
!
firewall transparent
hostname COT-IPS-I-fw
names
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 shutdown
 no nameif
 security-level 0
 management-only
!
boot system disk0:/asa804-k8.bin
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
!
tcp-map TTL-WORKAROUND
 no ttl-evasion-protection
ssh timeout 10
console timeout 0
no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 600 average-rate 80 burst-rate 50
threat-detection rate scanning-threat rate-interval 3600 average-rate 32 burst-rate 64
no threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map IPS
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map spc_global_policy
 class IPS
  set connection random-sequence-number disable
  set connection advanced-options TTL-WORKAROUND
  ips inline fail-open