CPU usage at 99% on a PIX 535

Posted on 2004-11-10
Last Modified: 2013-11-16
Ok smart people, here is a challenge for you.


I have a PIX 535 w/failover, 6 interfaces (inside, outside, syslog, state full, and 2 not used)  My configuration is 35 pages printed.  We are an enterprise entity running off a single firewall.  I am logging informational to a kiwi syslog over udp to filter the monster that the pix creates for a log.  The PIX has a gig of ram.  I am using turbo access lists.


The cpu usage goes to 99% and stays there for 15-20 minutes if I make any changes to a object group.  This slows traffic but not to a halt.  If I make more than 5 changes in 20 minutes it will slow significantly and traffic will timeout through the PIX.  We have the w32.korgo.V virus here and when it was on 6 different machines it would bring the PIX to a halt.  It tries to make connections to other IP's on port 445 and we have 445 blocked on the firewall.  Even though those 6 machines were infected and getting denied by the PIX every time they attempted to connect outside it, this would cause the pix to slow down enough to time out all traffic and most attempts to connect to the PIX itself.  We blocked 445 on the router before the pix and the cpu immediately dropped to 6% usage and stays below 10.  

It is not just the virus but a number of things that will cause the pix to slow lately and I do not see any errors or unexplained syslog messages.  Cisco has sent us a new 535 w/failover and the same thing happened on the new boxes.  This same config has worked perfectly for 5 months with nothing like this happening.  I keep getting "escalated" to a different engineer in Cisco, but I am convinced that the smartest Cisco people do not work for Cisco.  Does anyone have any ideas without me sending the config?


Question by:sunnyd24
    LVL 79

    Expert Comment

    Have you also blocked outbound ICMP on the router before the PIX? This helped us out tremendously with the late Welchia/MSBLast infestation..
    LVL 79

    Accepted Solution

    Using the turbo acls, I can see a CPU spike when changes to object groups because the acl has to be recompiled, but it should only take seconds, not 15-20 minutes.. I think that could be what is compounding the problem if you try to make multiple changes in a short period of time.

    Author Comment

    ICMP is blocked at the internal router yes.  I have never had a problem with the PIX performance in the past.  I am not making any more changes now than before, but for some reason the performance is shot.
    LVL 5

    Expert Comment


    Could'nt you try to selectively disable Turbo-ACL to see what the effect is on your CPU resources?
    Did you upgrade your PIX OS lately?

    Author Comment

    Finally! I found a solution.  For anyone else who may run into this problem:

    Having problems with high CPU on the PIX when an access-list compiles using object-groups?
       Very large ACLs ( >200k) may not compile, or have very poor performace
       Solution:  Upgrade to 6.3(3.107) or higher, and disable turbo-acl and add the new CLI  
          access-list <acl_name> object-group-search
    Try this by disabling turbo acl and adding the access-list <acl_name> object-group-search command.  
    1. no access-lsit compiled
    2. access-list <inside_out > object-group-search,access-list <outside_access_in > object-group-search, and one for each acl

    My config is 935k.

    Tell all your friends and neighbors.
    LVL 79

    Expert Comment

    Thanks for sharing that with us!

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
    I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
    Hi everyone! This is Experts Exchange customer support.  This quick video will show you how to change your primary email address.  If you have any questions, then please Write a Comment below!
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now