Posted by: manilageek | September 10, 2011

ASA Firewall High CPU Utilization Issue:

The firewall will start to experience problems once CPU utilization begins to reach 85%.
Possible symptoms:
• High CPU utilization
• Poor system or throughput performance
• OSPF adjacencies or BGP peering is failing
• Device management is slower than normal
• Ping to the management interface times out
• Firewall is not passing traffic
• Packet drops
• The 'in overrun' counter (get counter stat) could increment.

# sh cpu usage
          CPU utilization for 5 seconds = 19%; 1 minute: 15%; 5 minutes: 13%

This command is used to determine the traffic load placed on the PIX CPU. During peak traffic times, network surges, or attacks, the CPU usage can spike, so compare the 5-second value against the 1-minute and 5-minute averages to tell a momentary spike from sustained load.

# sh xlate count
          6890 in use, 13009 most used

The show xlate count command displays the current and maximum number of translations through the PIX. A translation is a mapping of an internal address to an external address and can be a one-to-one mapping, such as Network Address Translation (NAT), or a many-to-one mapping, such as Port Address Translation (PAT). This command is a subset of the show xlate command, which outputs each translation through the PIX. Command output shows translations “in use,” which refers to the number of active translations in the PIX when the command is issued; “most used” refers to the maximum translations that have ever been seen on the PIX since it was powered on.

# sh processes cpu-usage
               PC Thread 5Sec 1Min 5Min Process
               00cf6d84 0166a258 0.0% 0.0% 0.0% emweb/cifs
               0010720c 0166a048 0.0% 0.0% 0.0% block_diag
               0022a147 01669c28 9.8% 9.2% 8.6% Dispatch Unit

The show processes command on the PIX displays all the active processes that run on the PIX at the time the command is executed. This information is useful in order to determine which processes receive too much CPU time and which processes do not receive any CPU time.
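The two outputs above are the ones you would collect first when the 85% threshold is reached. The following is an added example (not code from the original post) that parses constructed samples of the show cpu usage and show processes cpu-usage output, flags sustained load against the page's 85% threshold, and ranks the processes by their 1-minute CPU share. The column layout is assumed from the excerpts on the page; the sample values are constructed, not captured from a device.

```python
import re

# Constructed sample output, modelled on the "sh cpu usage" and
# "sh processes cpu-usage" excerpts on the page (not captured from a real device).
CPU_USAGE_OUTPUT = "CPU utilization for 5 seconds = 91%; 1 minute: 87%; 5 minutes: 60%"

PROCESSES_OUTPUT = """\
PC       Thread   5Sec   1Min   5Min   Process
00cf6d84 0166a258  0.0%   0.0%   0.0%  emweb/cifs
0010720c 0166a048  0.0%   0.0%   0.0%  block_diag
0022a147 01669c28 72.3%  68.9%  41.0%  Dispatch Unit
00412ab0 0166b118 12.4%  11.8%   9.7%  Logger
"""

CPU_WARN_PERCENT = 85  # threshold cited on the page

CPU_RE = re.compile(r"5 seconds = (\d+)%; 1 minute: (\d+)%; 5 minutes: (\d+)%")
# PC and Thread are 8 hex digits; three percentage columns; process name may contain spaces.
PROC_RE = re.compile(
    r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(.+?)$"
)


def parse_cpu_usage(text):
    """Return the 5-second, 1-minute and 5-minute CPU percentages."""
    m = CPU_RE.search(text)
    if not m:
        raise ValueError("unrecognised 'show cpu usage' output")
    return {"5s": int(m.group(1)), "1m": int(m.group(2)), "5m": int(m.group(3))}


def parse_processes(text):
    """Return one dict per process row; the header line does not match and is skipped."""
    procs = []
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs.append({
                "pc": m.group(1),
                "thread": m.group(2),
                "5s": float(m.group(3)),
                "1m": float(m.group(4)),
                "5m": float(m.group(5)),
                "name": m.group(6),
            })
    return procs


def top_consumers(procs, n=3, window="1m"):
    """Processes sorted by CPU share in the chosen window, highest first."""
    return sorted(procs, key=lambda p: p[window], reverse=True)[:n]


def assess(cpu, procs, n=3):
    """Flag sustained high CPU (1-minute average at or above the threshold) and
    list the processes that account for it. A 5-second reading over the
    threshold with a lower 1-minute average is reported as a spike instead."""
    alert = cpu["1m"] >= CPU_WARN_PERCENT
    spiking = cpu["5s"] >= CPU_WARN_PERCENT and not alert
    return {
        "alert": alert,
        "spiking": spiking,
        "top": [(p["name"], p["1m"]) for p in top_consumers(procs, n)],
    }


if __name__ == "__main__":
    result = assess(parse_cpu_usage(CPU_USAGE_OUTPUT), parse_processes(PROCESSES_OUTPUT))
    print("sustained high CPU:", result["alert"], "| spike only:", result["spiking"])
    for name, pct in result["top"]:
        print(f"  {pct:5.1f}%  {name}")
```

Dispatch Unit is the data-path process, so seeing it at the top of the list points at traffic load rather than a management or logging process; ranking the processes is what tells those cases apart. Feed the functions the real command output captured from the device instead of the constructed strings.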

# sh traffic
               received (in 100786.464 secs):
               98694 packets 4539918 bytes
               0 pkts/sec 2 bytes/sec
               transmitted (in 100786.464 secs):
               5 packets 140 bytes
               0 pkts/sec 0 bytes/sec

The show traffic command shows how much traffic passes through the PIX over a given period of time. The results are based on the time interval since the counters were last cleared. For accurate results, issue the clear traffic command first and then wait 1-10 minutes before you issue the show traffic command. You could also issue the show traffic command and wait 1-10 minutes before you issue the command again, but only the output from the second instance is valid.

You can use the show traffic command in order to determine how much traffic passes through your PIX. If you have multiple interfaces, the command can help you determine which interfaces send and receive the most data. For PIX appliances with two interfaces, the sum of the inbound and outbound traffic on the outside interface should equal the sum of the inbound and outbound traffic on the inside interface.
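The per-interface comparison described above is easy to get wrong by hand once there are several interfaces, so here is an added example (not code from the original post) that parses a constructed show traffic sample, totals bytes per interface, picks the busiest one, and checks whether the inside and outside totals agree within a tolerance. The per-interface section headers ("outside:", "inside:") and the interface names are assumptions layered on the excerpt shown on the page; the numbers are constructed.

```python
import re

# Constructed sample output: the block layout follows the "sh traffic" excerpt on
# the page, with per-interface headers added as an assumption about the format.
SHOW_TRAFFIC_OUTPUT = """\
outside:
        received (in 600.000 secs):
                120000 packets 96000000 bytes
                200 pkts/sec 160000 bytes/sec
        transmitted (in 600.000 secs):
                80000 packets 32000000 bytes
                133 pkts/sec 53333 bytes/sec
inside:
        received (in 600.000 secs):
                80000 packets 32000000 bytes
                133 pkts/sec 53333 bytes/sec
        transmitted (in 600.000 secs):
                120000 packets 95000000 bytes
                200 pkts/sec 158333 bytes/sec
"""

IFACE_RE = re.compile(r"^(\S+):\s*$")                       # interface header, no indent
DIR_RE = re.compile(r"^\s*(received|transmitted) \(in ([\d.]+) secs\):\s*$")
COUNT_RE = re.compile(r"^\s*(\d+) packets (\d+) bytes\s*$")  # the pkts/sec line is ignored


def parse_show_traffic(text):
    """Return {interface: {direction: {"secs", "packets", "bytes"}}}."""
    stats = {}
    iface = direction = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface, direction = m.group(1), None
            stats[iface] = {}
            continue
        m = DIR_RE.match(line)
        if m and iface is not None:
            direction = m.group(1)
            stats[iface][direction] = {"secs": float(m.group(2))}
            continue
        m = COUNT_RE.match(line)
        if m and iface is not None and direction is not None:
            stats[iface][direction]["packets"] = int(m.group(1))
            stats[iface][direction]["bytes"] = int(m.group(2))
    return stats


def interface_bytes(stats, iface):
    """Inbound plus outbound bytes for one interface."""
    return sum(
        stats[iface][d]["bytes"] for d in ("received", "transmitted") if d in stats[iface]
    )


def busiest_interface(stats):
    """Interface that moved the most bytes (in + out) in the sample period."""
    return max(stats, key=lambda i: interface_bytes(stats, i))


def inside_outside_balanced(stats, inside="inside", outside="outside", tolerance=0.05):
    """For a two-interface firewall, in+out on the outside should match in+out on
    the inside. A gap beyond the tolerance suggests drops, or traffic leaving
    through an interface you are not looking at."""
    a, b = interface_bytes(stats, inside), interface_bytes(stats, outside)
    if max(a, b) == 0:
        return True
    return abs(a - b) / max(a, b) <= tolerance


if __name__ == "__main__":
    stats = parse_show_traffic(SHOW_TRAFFIC_OUTPUT)
    for iface in stats:
        print(f"{iface:10s} {interface_bytes(stats, iface):>12d} bytes (in + out)")
    print("busiest:", busiest_interface(stats))
    print("inside/outside balanced:", inside_outside_balanced(stats))
```

Run clear traffic, wait the 1-10 minutes the page recommends, then paste the real show traffic output in place of the constructed sample. Real output also carries aggregated and dropped-packet sections that these three patterns simply skip; extend the regular expressions if you want those counted as well.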

