We are busy evaluating an ASA5520 + AIP-SSM-20, and are noticing that if we push 30mbit through the firewall, the CPU goes up to about 70%. I'm talking about a single FTP transfer. The inspection load, however, stays below 10%.
We are not using any custom signatures at this stage, and have a reasonably standard configuration. Cisco quotes 375MBps for the device, but at this rate I cannot see it pushing 50 - what can we possibly look for that could be causing the high CPU?
First of all, you should understand that the CPU is no longer a good way of measuring sensor utilization. This is because development has programmed the sensor to grab resources from the Linux system.
The better way to measure the sensor load is to look at the Inspection load. This will give you a better feel for how loaded your sensor is.
Next is the widespread misunderstanding of how to measure the sensor's throughput. It is not a good test to run only one flow through the sensor for a bandwidth test. The SSM is designed to aggregate the throughput. It will change the behaviour of your single downloads. A better test would be to have more than 20 users downloading at once and see what the aggregation
The E3 changes included a fix to a problem with high latency during low traffic loads. The fix was to have sensorApp check the packet buffers on the driver more often, so the packet could be pulled off the driver queue quicker for analysis instead of waiting for the driver to fill the queue before passing it to sensorApp. This increased checking caused a corresponding increase in CPU usage.
This may or may not be what you are seeing in your CPU usage statistics since E3.
If you are not seeing any packet drops on the interfaces, then there is a good chance that you are just seeing the increased checking of packet buffers.
So 100% CPU would not result in blocking the traffic, as long as the processing load percentage, memory, show stat vs0, and show interface do not show any huge packet drops.