High CPU 原因
- 流量过大
- 存在抓包未关闭/抓包内容过多
- 路由环路
- SSH hog
- BUG
- 子接口
- 多模墙
- syslog、SNMP过多
信息收集
Gather Basic outputshow techshow versionCheck CPU Detailsshow perfmonshow cpu hogshow cpu coreshow cpu detailedshow processshow process profileshow process cpu-hogshow process cpu-usageshow process cpu-usage sorted non-zeroCheck Featuresshow captureshow loggingshow run snmp-servershow run loggingshow capturesshow run threat-detectionCheck Packet Dropsshow asp event dp-cpshow asp event dp-cp | in inspectVerify Logging (Possible Loop)show loggingshow run route
路由环路 log
Mar 23 2017 19:04:27: %ASA-4-419002: Duplicate TCP SYN from inside:10.97.154.13/52404 to inside:10.97.154.168/3211 with different initial sequence numberMar 23 2017 19:04:27: %ASA-4-419002: Duplicate TCP SYN from inside:10.97.154.13/52404 to inside:10.97.154.168/3211 with different initial sequence numberMar 23 2017 19:04:27: %ASA-4-419002: Duplicate TCP SYN from inside:10.97.154.13/52404 to inside:10.97.154.168/3211 with different initial sequence numberMar 23 2017 19:04:31: %ASA-4-419002: Duplicate TCP SYN from inside:10.97.154.13/52404 to inside:10.97.154.168/3211 with different initial sequence numberMar 23 2017 19:04:31: %ASA-4-419002: Duplicate TCP SYN from inside:10.97.154.13/52404 to inside:10.97.154.168/3211 with different initial sequence numberMar 23 2017 19:04:31: %ASA-4-419002: Duplicate TCP SYN from inside:10.97.154.13/52404 to inside:10.97.154.168/3211 with different initial sequence numberMar 23 2017 19:04:31: %ASA-4-419002: Duplicate TCP SYN from inside:10.97.154.13/52404 to inside:10.97.154.168/3211 with different initial sequence numberMar 23 2017 19:04:31: %ASA-4-419002: Duplicate TCP SYN from inside:10.97.154.13/52404 to inside:10.97.154.168/3211 with different initial sequence numberMar 23 2017 19:04:31: %ASA-4-419002: Duplicate TCP SYN from inside:10.97.154.13/52404 to inside:10.97.154.168/3211 with different initial sequence numberMar 23 2017 19:04:31: %ASA-4-419002: Duplicate TCP SYN from inside:10.97.154.13/52404 to inside:10.97.154.168/3211 with different initial sequence numberMar 23 2017 19:04:31: %ASA-4-419002: Duplicate TCP SYN from inside:10.97.154.13/52404 to inside:10.97.154.168/3211 with different initial sequence numberMar 23 2017 19:04:31: %ASA-4-419002: Duplicate TCP SYN from inside:10.97.154.13/52404 to inside:10.97.154.168/3211 with different initial sequence numberMar 23 2017 19:04:31: %ASA-4-419002: Duplicate TCP SYN from inside:10.97.154.13/52404 to inside:10.97.154.168/3211 with different initial sequence number
解决思路
show process cpu-usage [sorted] [non-zero]
- 查看过去5秒、1分钟、5分钟内哪些进程正在使用的CPU占比。
- show process命令的输出不包含时间戳,因此没有简单的方法来判断输出中出现的进程是否是最新的。监视两个命令的输出,以查看NUMHOG计数器是否为该进程递增。
- 分隔60秒重复执行show processes,进行比对 diff .计算每个进程占用多少CPU。
- 大部分 process描述
cpu profile activate [ticks] 默认ticks为1000
- 使用 show cpu profile 查看输出
- 在SMP平台上需要使用命令 show cpu profile dump 查看输出
- clear cpu profile 删除配置文件
- 将捕获得文件进行9.1.2 之前解码工具,9.1.2 之后增加了很多新功能,解码工具地址。
常见问题
流量过载
要确定是否流量过载,使用show traffic、clear traffic 命令,在1-3分钟后再允许show traffic 命令。show traffic 命令输出的是上次运行clear traffic 命令之后的平均值。
使用 show service-policy 命令确定是否存在高流量负载的检查,尽可能禁用此检查,看看是否可以降低CPU利用率。
路由环路
路由环路是CPU利用路高的常见原因,尤其是低端设备。路由环路可以使ASA一次又一次重复转发同一个数据包,直到TTL降到0为止,由于ASA默认不会减低TTL,因此路由环路的存在时间会更长,只有对端设备会减少TTL值。
%ASA-4-419002: Received duplicate TCP SYN from in_interface:src_address/src_port to out_interface:dest_address/dest_port with different initial sequence number.
连接数较多
- show conn count
- show xlate count
- show perfmon
- show local-host
- 对每个主机的连接数进行排序,对于每个主机输出TCP、UDP、建立连接中的数量。
日志过多
- ASA 正在生成大量的syslog
- 调试级别配置了多个syslog
- 有多个syslog服务器通过SNMP发送日志
案例
High CPU Usage in Control Point
Control Point 处理的流量是到达ASA或者ASA发起得流量,包括SSH、ASDM、TACACS、IPSec 终端、路由协议、WebSense、系统日志和一些检查等等。
High CPU in ASA 9.3.2 to 9.3.2.2 codes in Datapath process related to threat detetection
Dispatch Unit Causes High CPU Utilization on ASA
ASA CPU Profiler: How to use ASA CPU Profiling to troubleshoot High CPU
[
](https://techzone.cisco.com/t5/kudos/messagepage/board-id/firewall%40tkb/message-id/835/tab/all-users)
若有收获,就点个赞吧
0 人点赞
