
Cisco ASA

Hello,

We have some problems with 2 Cisco ASA 5540s. One of these 2 ASAs is active and the other is standby.

We are doing some tests: we try to shut down the active ASA and the standby takes over, but there are around 650 IPsec VPN clients that connect at the same time to the standby because the active is down, so the standby ASA gets 100% CPU usage during this, and only around 150 IPsec clients get connected; the rest cannot connect, and the CPU hangs at 100% because the rest keep trying to connect....


Any idea what we can do in this case?

Thank You
Best regards
JFrederick29 commented:
Are you doing stateful failover?
FalconQ (Author) commented:
Yes, that's right.
FalconQ (Author) commented:
The mem usage is OK, but the CPU is hanging at 99-100% all the time while IPsec clients try to connect.
JFrederick29 commented:
Well, that is the thing: if you are doing stateful failover, there should be no reconnect, as their tunnels should be synced to the standby box. Can you post a "show failover" from the 5540?
Michael Worsham (Infrastructure / Solutions Architect) commented:
Which ASA version do you have running?

The PIX/ASA firewall has a high CPU load while the access-lists associated with NAT statements are modified
https://supportwiki.cisco.com/ViewWiki/index.php/The_PIX/ASA_firewall_has_a_high_CPU_load_while_the_access-lists_associated_with_NAT_statements_are_modified
FalconQ (Author) commented:
JFrederick29, I am waiting for sh failover.

mwecomputers, there is no NAT at all; these ASAs are used only for IPsec connections....
FalconQ (Author) commented:
Sorry, I just found out that the ASA is not using failover but is load balanced via a CSM module in a Catalyst 6500 Series....
Can this be an issue then? The CSM module?
FalconQ (Author) commented:
I also see this message from sh tech:

Message #1369 : MAX PKI sessions active
JFrederick29 commented:
The ASA has built-in load balancing/clustering. You might want to look at that instead of load balancing via CSM. With CSM, all the tunnel traffic which is now invalid would be forwarded to the second box, and if everybody immediately attempts to connect again, I could see it killing the box. VPN load balancing or stateful active/standby would minimize the impact in a failure situation.
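As an added illustration of the built-in VPN load balancing mentioned above (example configuration, not from this thread or from the poster's devices), here is a minimal ASA VPN load-balancing cluster definition of the kind applied on each participating unit. The interface names, the cluster key, the priority and the addresses (RFC 5737 documentation range) are assumptions.

```cisco
! Added example, not configuration from this thread.
! The same vpn load-balancing block goes on every member; only the
! per-unit interface address and priority differ between units.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
!
vpn load-balancing
 ! higher priority = preferred cluster master (assumed value)
 priority 10
 ! interfaces facing the clients and the inside network
 interface lbpublic outside
 interface lbprivate inside
 ! shared secret protecting cluster messages between members (assumed value)
 cluster key EXAMPLE-CLUSTER-KEY
 cluster encryption
 ! virtual address the clients are pointed at; the master answers on it
 cluster ip address 203.0.113.10
 cluster port 9023
 participate
```

The master redirects each new client from the virtual address to the least-loaded member, and `show vpn load-balancing` reports the cluster role and per-member session counts. Unlike stateful active/standby failover, this spreads new connections rather than preserving existing tunnels, so sessions on a member that fails still have to reconnect, only now across the remaining members instead of all at once onto one box.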
FalconQ (Author) commented:
We found the problem: it was an optical fiber flap on the network. It was dusty...
The reason that the ASA ran at 99% CPU usage was "hits": it had 30 000 hits from around 450 IPsec clients, which means that each IPsec client has more than 100 hits per connection...

Thank you all for helping!

Best regards
FalconQ (Author) commented:
And I assume that the large amount of "hits" could be caused by the flap on the network, an unstable connection.