You can issue the following commands in order to troubleshoot a high CPU problem and Dispatch Unit Error in a Cisco ASA firewall:
show cpu usage // "NORMAL" CPU SHOULD BE UNDER 50%
show proc cpu-usage sorted non-zero // LOOK FOR DISPATCH UNIT
show perfmon
show xlate count
show service-policy
show interface // LOOK FOR OVERRUNS
show traffic
High CPU with a busy Dispatch Unit process is due to bandwidth oversubscription or excessive load traversing the ASA. You can check the ASA Firewall performance matrix on this link. I had this problem on an ASA 5510. I've issued the crypto engine large-mod-accel global config command. The long-term solution would be to upgrade to a correctly "sized" hardware platform that will support its current and future bandwidth capacity.
ASA# show cpu usage
CPU utilization for 5 seconds = 85%; 1 minute: 89%; 5 minutes: 91%
ASA# configure terminal
ASA(config)# crypto engine ?
configure mode commands/options:
large-mod-accel Perform Large modulus operations in hardware
ASA(config)# crypto engine large-mod-accel
You'll observe the high CPU and Dispatch Unit usage drop dramatically after a few minutes. The first-gen ASA was replaced with a next-gen firewall to handle the high bandwidth throughput.
ASA(config)# show cpu usage
CPU utilization for 5 seconds = 61%; 1 minute: 63%; 5 minutes: 65%
ASA(config)# show proc cpu-usage sorted non-zero
PC Thread 5Sec 1Min 5Min Process
081abd84 a79aff7c 58.9% 60.2% 62.5% Dispatch Unit
08c2cc96 a79a984c 1.8% 1.8% 1.8% Logger
08bf3ffc a79aa03c 0.1% 0.0% 0.0% ssh
08ae9f08 a799efa0 0.1% 0.0% 0.0% tacplus_snd
0854100e a79a0770 0.1% 0.1% 0.1% ARP Thread
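To track these numbers over time instead of reading them by eye, the two outputs above can be parsed from a saved CLI capture. This is an added example, not part of the original post; it assumes the output layout shown on this page (column layout can differ between ASA releases), and the function names are hypothetical.

```python
import re

# Constructed sample: the "after" outputs shown in the post, saved as plain text.
SAMPLE = """\
ASA(config)# show cpu usage
CPU utilization for 5 seconds = 61%; 1 minute: 63%; 5 minutes: 65%
ASA(config)# show proc cpu-usage sorted non-zero
PC Thread 5Sec 1Min 5Min Process
081abd84 a79aff7c 58.9% 60.2% 62.5% Dispatch Unit
08c2cc96 a79a984c 1.8% 1.8% 1.8% Logger
08bf3ffc a79aa03c 0.1% 0.0% 0.0% ssh
08ae9f08 a799efa0 0.1% 0.0% 0.0% tacplus_snd
0854100e a79a0770 0.1% 0.1% 0.1% ARP Thread
"""

CPU_RE = re.compile(
    r"CPU utilization for 5 seconds = (\d+)%; 1 minute: (\d+)%; 5 minutes: (\d+)%")
# PC, Thread, three percentages, then a process name that may contain spaces.
PROC_RE = re.compile(
    r"^(?:0x)?[0-9a-fA-F]+[ \t]+(?:0x)?[0-9a-fA-F]+[ \t]+"
    r"([\d.]+)%[ \t]+([\d.]+)%[ \t]+([\d.]+)%[ \t]+(.+?)[ \t]*$", re.M)

def parse_cpu(text):
    """Return the 5 s / 1 min / 5 min totals from 'show cpu usage', or None."""
    m = CPU_RE.search(text)
    return dict(zip(("5sec", "1min", "5min"), map(int, m.groups()))) if m else None

def parse_procs(text):
    """Return per-process rows from 'show proc cpu-usage sorted non-zero'."""
    return [{"process": name, "5sec": float(a), "1min": float(b), "5min": float(c)}
            for a, b, c, name in PROC_RE.findall(text)]

def assess(text, cpu_limit=50):
    """Flag CPU at or above the post's 50% rule of thumb; report Dispatch Unit's share."""
    cpu, procs = parse_cpu(text), parse_procs(text)
    top = max(procs, key=lambda r: r["5min"], default=None)
    dispatch = next((r for r in procs if r["process"] == "Dispatch Unit"), None)
    share = None
    if cpu and dispatch and cpu["5min"]:
        # Fraction of the total 5-minute CPU consumed by packet dispatch.
        share = round(dispatch["5min"] / cpu["5min"], 2)
    return {"cpu_high": bool(cpu) and cpu["5min"] >= cpu_limit,
            "top_process": top["process"] if top else None,
            "dispatch_share": share}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A Dispatch Unit share close to 1.0 means the CPU is being spent on traffic passing through the box rather than on logging or management processes, which matches the oversubscription diagnosis above.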