Troubleshooting High CPU Utilization in Cisco Firewall

CPU Utilization

If you notice that the CPU utilization is high, follow these steps in order to troubleshoot:

Verify that the connection count in show xlate count is low.

Verify that the memory block is normal.

Verify whether the number of ACLs is higher than normal.

Issue the show memory detail command, and verify that the memory used by the PIX is at a normal level.

Verify that the counts in show processes cpu-hog and show processes memory are normal.

Any host inside or outside the security appliance can generate malicious or mass traffic, such as broadcast/multicast traffic, that causes high CPU utilization. In order to resolve this issue, configure an access list to deny the traffic between the hosts (end to end) and check the usage again.

Check the duplex and speed settings on the PIX interfaces. A mismatch with the settings on the remote interfaces can increase the CPU utilization.

This example shows the higher number in input error and overruns due to the speed mismatch. Use the show interface command in order to verify the errors:

pix#show int e1
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0050.54ff.d053
IP address, subnet mask
MTU 1500 bytes, BW 100000 Kbit full duplex
154755357 packets input, 3132291269 bytes, 0 no buffer
Received 5352738 broadcasts, 0 runts, 0 giants
7182 input errors, 0 CRC, 0 frame, 7182 overrun, 0 ignored, 0 abort
2595913856 packets output, 3842928626 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred

In order to resolve this issue, set the speed to auto on the corresponding interface.
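The check above can be scripted when many interfaces need to be reviewed. The following is an added example, not part of the original Cisco article: it parses a show interface block (a constructed sample modelled on the output shown above) into its error counters and flags the input errors and overruns the page associates with a speed mismatch; it also flags CRC, frame and late-collision counters, which are the usual signs of a duplex mismatch, so it generalizes slightly beyond the page's one case.

```python
import re

# Constructed sample, modelled on the "show int e1" output shown on this page.
SAMPLE = """\
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0050.54ff.d053
MTU 1500 bytes, BW 100000 Kbit full duplex
154755357 packets input, 3132291269 bytes, 0 no buffer
Received 5352738 broadcasts, 0 runts, 0 giants
7182 input errors, 0 CRC, 0 frame, 7182 overrun, 0 ignored, 0 abort
2595913856 packets output, 3842928626 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
"""

# Counter names as they appear in the PIX/ASA show interface output.
COUNTERS = ("input errors", "CRC", "frame", "overrun", "ignored", "abort",
            "output errors", "collisions", "late collisions", "deferred")


def parse_show_interface(text):
    """Return {counter_name: int} plus the 'duplex' setting from one show interface block."""
    stats = {}
    for name in COUNTERS:
        # Each counter is printed as "<number> <name>" followed by a comma or end of line.
        m = re.search(r"(\d+) " + re.escape(name) + r"\b", text)
        if m:
            stats[name] = int(m.group(1))
    m = re.search(r"\b(full|half) duplex\b", text)
    stats["duplex"] = m.group(1) if m else "unknown"
    return stats


def assess(stats, threshold=0):
    """Return a list of findings; any counter above threshold is reported."""
    findings = []
    if stats.get("overrun", 0) > threshold:
        findings.append("overruns: compare speed/duplex with the remote interface")
    if stats.get("input errors", 0) > threshold:
        findings.append("input errors: compare speed/duplex with the remote interface")
    if stats.get("CRC", 0) > threshold or stats.get("frame", 0) > threshold:
        findings.append("CRC/frame errors: possible duplex mismatch or cabling fault")
    if stats.get("late collisions", 0) > threshold:
        findings.append("late collisions: duplex mismatch likely")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_show_interface(SAMPLE)):
        print(finding)
```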

Note: Cisco recommends that you enable the ip verify reverse-path interface command on all interfaces, because it drops packets that do not have a valid source address, which results in less CPU usage.

Another reason for high CPU usage can be too many multicast routes. Issue the show mroute command in order to check whether the PIX/ASA receives too many multicast routes.

Use the show local-host command in order to see if the network experiences a denial-of-service attack, which can indicate a virus attack in the network.