[c-nsp] High CPU Usage on CISCO ASA 5510

Md. Jahangir Hossain jrjahangir at yahoo.com
Sun Feb 26 13:18:34 EST 2012


Thanks, Peter, for your information.

----- Original Message -----
From: Peter Rathlev <peter at rathlev.dk>
To: Md. Jahangir Hossain <jrjahangir at yahoo.com>
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Sent: Sunday, February 26, 2012 6:53 PM
Subject: Re: [c-nsp] High CPU Usage on CISCO ASA 5510

On Sun, 2012-02-26 at 02:50 -0800, Md. Jahangir Hossain wrote:
> My total traffic below 50Mbps on Box but total connection per second
> usage nearly 10000+ . I think this is the problem. What is the
> solution for this.

Lower the number of connections per second. ;-) The 5510 is rated for
9000 connections/second, so you're pushing it to the limit.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html#wp9001774

But 10k new connections per second sounds like something you shouldn't
really try to push through a firewall. Is the number within what you
would expect or is it abnormal?

...
> policy-map type inspect dns preset_dns_map
>  parameters
>   message-length maximum client auto
>   message-length maximum 512
> policy-map global_policy
>  class inspection_default
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect ip-options
>   inspect netbios
>   inspect rsh
>   inspect rtsp
>   inspect skinny
>   inspect esmtp
>   inspect sqlnet
>   inspect sunrpc
>   inspect tftp
>   inspect sip
>   inspect xdmcp
>   inspect icmp error
>   inspect dns

That's a very long list of inspections. Could you maybe do without some
of these? By the way: The DNS map is preventing DNS functioning
correctly. You really should allow a message-length of 4096 bytes.

It's probably one specific type of traffic, though I'm not aware of any
way to find out which from a policy-map.

-- 
Peter

