[c-nsp] High CPU Usage on CISCO ASA 5510
Md. Jahangir Hossain
jrjahangir at yahoo.com
Sun Feb 26 13:18:34 EST 2012
Thanks, Peter, for your information.
----- Original Message -----
From: Peter Rathlev <peter at rathlev.dk>
To: Md. Jahangir Hossain <jrjahangir at yahoo.com>
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Sent: Sunday, February 26, 2012 6:53 PM
Subject: Re: [c-nsp] High CPU Usage on CISCO ASA 5510
On Sun, 2012-02-26 at 02:50 -0800, Md. Jahangir Hossain wrote:
> My total traffic is below 50Mbps on the box, but total connections per second
> usage is nearly 10000+. I think this is the problem. What is the
> solution for this?
Lower the number of connections per second. ;-) The 5510 is rated for
9000 connections/second, so you're pushing it to the limit.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html#wp9001774
But 10k new connections per second sounds like something you shouldn't
really try to push through a firewall. Is the number within what you
would expect or is it abnormal?
...
> policy-map type inspect dns preset_dns_map
>  parameters
>   message-length maximum client auto
>   message-length maximum 512
> policy-map global_policy
>  class inspection_default
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect ip-options
>   inspect netbios
>   inspect rsh
>   inspect rtsp
>   inspect skinny
>   inspect esmtp
>   inspect sqlnet
>   inspect sunrpc
>   inspect tftp
>   inspect sip
>   inspect xdmcp
>   inspect icmp error
>   inspect dns
That's a very long list of inspections. Could you maybe do without some
of these? By the way: The DNS map is preventing DNS functioning
correctly. You really should allow a message-length of 4096 bytes.
It's probably one specific type of traffic, though I'm not aware of any
way to find out which from a policy-map.
--
Peter
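As an added example (not part of the thread, and not Cisco's code): a small Python script that lints the DNS policy-map quoted above for a "message-length maximum" below the 4096 bytes Peter recommends, and builds and parses a real EDNS0 query to show why a 512-byte cap breaks modern DNS. The policy text is a constructed copy of the quoted config; the regex, the 4096 threshold (taken from Peter's advice), the function names and the drop rule "message larger than the limit is dropped" are assumptions made for the example, not a statement of ASA internals.

```python
import re
import struct

# Constructed copy of the DNS policy-map quoted in the thread (not a live config).
POSTED_DNS_POLICY = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
"""

EDNS0_RECOMMENDED = 4096  # size Peter recommends allowing (assumed threshold)
DNS_CLASSIC_MAX = 512     # pre-EDNS0 UDP limit from RFC 1035
OPT_TYPE = 41             # OPT pseudo-RR type from RFC 6891


def asa_dns_message_length_maximum(config_text):
    """Return the global 'message-length maximum N' of an ASA DNS inspect policy-map, or None.
    The 'client auto' line carries no number and is deliberately not matched."""
    m = re.search(r"^\s*message-length maximum (\d+)\s*$", config_text, re.M)
    return int(m.group(1)) if m else None


def lint_dns_policy(config_text, minimum=EDNS0_RECOMMENDED):
    """Return findings (strings); an empty list means the limit is at least `minimum`."""
    limit = asa_dns_message_length_maximum(config_text)
    findings = []
    if limit is not None and limit < minimum:
        findings.append(
            f"message-length maximum {limit} is below {minimum}; "
            f"EDNS0 responses larger than {limit} bytes will be dropped"
        )
    return findings


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, udp_payload_size=None, txid=0x1234):
    """Build an A/IN query; with udp_payload_size set, append an OPT RR advertising it (RFC 6891)."""
    arcount = 0 if udp_payload_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, 1 question
    question = encode_name(name) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    msg = header + question
    if udp_payload_size is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return msg


def advertised_udp_size(msg):
    """Walk a DNS message and return the OPT RR's advertised UDP size, or 512 when no OPT is present."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])

    def skip_name(p):
        while True:
            length = msg[p]
            if length == 0:
                return p + 1
            if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
                return p + 2
            p += 1 + length

    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4        # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = skip_name(pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == OPT_TYPE:
            return rclass               # for OPT the CLASS field carries the UDP payload size
        pos += rdlen
    return DNS_CLASSIC_MAX


def dropped_by_inspection(message_len, message_length_maximum):
    """Assumed drop rule for the example: a DNS message longer than the configured limit is dropped."""
    return message_len > message_length_maximum


if __name__ == "__main__":
    for finding in lint_dns_policy(POSTED_DNS_POLICY):
        print("finding:", finding)
    query = build_query("example.com", udp_payload_size=EDNS0_RECOMMENDED)
    size = advertised_udp_size(query)
    limit = asa_dns_message_length_maximum(POSTED_DNS_POLICY)
    print(f"resolver advertises {size} bytes; a {size}-byte response is dropped at limit {limit}: "
          f"{dropped_by_inspection(size, limit)}")
```

Run it against the quoted policy-map and the lint flags the 512-byte limit; change the line to `message-length maximum 4096` and the finding disappears, while a full-size EDNS0 response is no longer dropped by the assumed rule.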