The firewall will start to experience problems as CPU utilization approaches 85%. Symptoms include:
• High CPU utilization
• Poor system or throughput performance
• OSPF adjacencies or BGP peering is failing
• Device management is slower than normal
• Ping to the management interface times out
• Firewall is not passing traffic
• Packet drops
• The ‘in overrun’ counter (get counter stat) could increment.
# sh cpu usage
CPU utilization for 5 seconds = 19%; 1 minute: 15%; 5 minutes: 13%
The show cpu usage command is used to determine the traffic load placed on the PIX CPU. During peak traffic times, network surges, or attacks, the CPU usage can spike.
# sh xlate count
6890 in use, 13009 most used
The show xlate count command displays the current and maximum number of translations through the PIX. A translation is a mapping of an internal address to an external address and can be a one-to-one mapping, such as Network Address Translation (NAT), or a many-to-one mapping, such as Port Address Translation (PAT). This command is a subset of the show xlate command, which outputs each translation through the PIX. Command output shows translations “in use,” which refers to the number of active translations in the PIX when the command is issued; “most used” refers to the maximum translations that have ever been seen on the PIX since it was powered on.
# sh processes cpu-usage
PC Thread 5Sec 1Min 5Min Process
00cf6d84 0166a258 0.0% 0.0% 0.0% emweb/cifs
0010720c 0166a048 0.0% 0.0% 0.0% block_diag
0022a147 01669c28 9.8% 9.2% 8.6% Dispatch Unit
The show processes command on the PIX displays all the active processes that run on the PIX at the time the command is executed. This information is useful in order to determine which processes receive too much CPU time and which processes do not receive any CPU time.
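As an added example (not from the original page or from Cisco), the following script parses the two outputs above, show cpu usage and show processes cpu-usage, applies the 85% figure from the top of the page, distinguishes a momentary spike from a sustained load, and lists the processes consuming the most CPU. The sample outputs are constructed: the healthy values are the page's own, the busy values and the "Logger" row are invented.

```python
import re

# Threshold from the page: problems begin as CPU utilization approaches 85%.
CPU_WARN_PCT = 85

CPU_USAGE_RE = re.compile(
    r"CPU utilization for 5 seconds = (\d+)%; 1 minute: (\d+)%; 5 minutes: (\d+)%")
# One data row of 'show processes cpu-usage' (PC Thread 5Sec 1Min 5Min Process).
PROC_RE = re.compile(
    r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(.+?)\s*$")

# Constructed sample output: healthy values are the page's own, busy values are invented.
HEALTHY_CPU = "CPU utilization for 5 seconds = 19%; 1 minute: 15%; 5 minutes: 13%"
HEALTHY_PROCS = """PC Thread 5Sec 1Min 5Min Process
00cf6d84 0166a258 0.0% 0.0% 0.0% emweb/cifs
0022a147 01669c28 9.8% 9.2% 8.6% Dispatch Unit"""
BUSY_CPU = "CPU utilization for 5 seconds = 91%; 1 minute: 88%; 5 minutes: 86%"
BUSY_PROCS = """PC Thread 5Sec 1Min 5Min Process
00cf6d84 0166a258 0.0% 0.0% 0.0% emweb/cifs
0022a147 01669c28 80.2% 78.9% 77.5% Dispatch Unit
001a0b2c 0166b100 6.1% 5.0% 4.8% Logger"""

def parse_cpu_usage(text):
    """Return (5-second, 1-minute, 5-minute) percentages from 'show cpu usage'."""
    m = CPU_USAGE_RE.search(text)
    if not m:
        raise ValueError("unrecognised 'show cpu usage' output")
    return tuple(int(x) for x in m.groups())

def parse_processes(text):
    """Return (process, 5sec, 1min, 5min) rows from 'show processes cpu-usage'."""
    rows = []
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:  # the header line and blank lines do not match
            rows.append((m.group(6), float(m.group(3)), float(m.group(4)), float(m.group(5))))
    return rows

def assess(cpu_text, proc_text, threshold=CPU_WARN_PCT, top=3):
    """Distinguish a sustained high load from a momentary spike and name the top consumers."""
    five_sec, _one_min, five_min = parse_cpu_usage(cpu_text)
    by_5min = sorted(parse_processes(proc_text), key=lambda r: r[3], reverse=True)
    return {
        "five_min": five_min,
        "sustained_high": five_min >= threshold,          # load has stayed high for 5 minutes
        "spike_only": five_sec >= threshold > five_min,   # brief surge, not yet sustained
        "top": [name for name, *_ in by_5min[:top]],
    }
```

A sustained 5-minute average at or above the threshold, with Dispatch Unit at the top of the list, points at traffic load rather than a management-plane process.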
# sh traffic
received (in 100786.464 secs):
98694 packets 4539918 bytes
0 pkts/sec 2 bytes/sec
transmitted (in 100786.464 secs):
5 packets 140 bytes
0 pkts/sec 0 bytes/sec
The show traffic command shows how much traffic passes through the PIX over a given period of time. The results are based on the time interval since the command was last issued. For accurate results, issue the clear traffic command first and then wait 1-10 minutes before you issue the show traffic command. You could also issue the show traffic command and wait 1-10 minutes before you issue it again, but only the output from the second instance is valid.
You can use the show traffic command in order to determine how much traffic passes through your PIX. If you have multiple interfaces, the command can help you determine which interfaces send and receive the most data. For PIX appliances with two interfaces, the sum of the inbound and outbound traffic on the outside interface should equal the sum of the inbound and outbound traffic on the inside interface.