> Sounds like "many virus port scans inside". > > Check "show ip nat tra" for typical virus signs. Nope, it really is all legit traffic. Main concern is that out of 80% cpu util, about 5% is ip input, 35% is fast switching, and all the rest is the nat ager.. Just doesn't seem like aging those ~225 conns/s of 15k should be so expensive.