Cisco ASA

Hello,

We have some problems with 2 Cisco ASA 5540. One of these 2 ASA is Active and another is Standby.

We are doing some tests, we try to shutdown the active ASA and Standby takes over, but there is around 650 ipsec vpn clients that connects at the same time on to Standby because Active is down, so the standby ASA gets 100% on CPU usage during this  and only around 150 ipsec clients gets connected the rest is not possible.... to connect and cpu hangs on 100% because the rest is trying to connect....


Any idea what we can do in this case ??

Thank You
Best regards
FalconQ asked:
Michael Worsham (Infrastructure / Solutions Architect) commented:
Which ASA version do you have running?

The PIX/ASA firewall has a high CPU load while the access-lists associated with NAT statements are modified
https://supportwiki.cisco.com/ViewWiki/index.php/The_PIX/ASA_firewall_has_a_high_CPU_load_while_the_access-lists_associated_with_NAT_statements_are_modified
0
 
JFrederick29 commented:
Are you doing stateful failover?
0
 
FalconQ (Author) commented:
Yes, that's right.
0
 
FalconQ (Author) commented:
The memory usage is OK, but only the CPU is hanging at 99-100%, all the time, while the IPsec clients try to connect.
0
 
JFrederick29 commented:
Well, that is the thing, if you are doing stateful failover, there should be no reconnect as their tunnels should be synced to the standby box.  Can you post a "show failover" from the 5540?
0
 
FalconQ (Author) commented:
JFrederick29, I am waiting for the sh failover output.

mwecomputers, there is no NAT at all; these ASAs are used only for IPsec connections....
0
 
FalconQ (Author) commented:
Sorry, I just found out that the ASA is not using failover but is being load balanced via a CSM module in a CAT 6500 series....
Can this be an issue then? The CSM module?
0
 
FalconQ (Author) commented:
I also see this message in the sh tech output:

Message #1369 : MAX PKI sessions active
0
 
JFrederick29 commented:
The ASA has built in load balancing/clustering.  You might want to look at that instead of load balancing via CSM. With CSM, all the tunnel traffic which is now invalid would be forwarded to the second box and if everybody immediately attempts to connect again, I could see it killing the box.  VPN load balancing or stateful active/standby would minimize the impact in a failure situation.
0
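For comparison, the two designs JFrederick29 contrasts with CSM-based balancing, written out as ASA configuration fragments. This is an added example, not configuration from the thread; interface names, addresses and the key placeholders are assumptions to be replaced.

```cisco
! --- Option A: stateful active/standby failover ---
! The failover link carries state replication, so IPsec SAs already exist on
! the standby unit and clients do not all renegotiate when the active unit dies.
! Identical on both units except for the unit role.
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <SHARED-KEY-PLACEHOLDER>
!
! --- Option B: ASA VPN load balancing ---
! Clients connect to the cluster virtual IP and are redirected to the
! least-loaded member, so one unit failing only re-spreads that unit's
! share of the clients instead of dumping every tunnel on a single box.
! Each unit runs its own copy; the cluster elects a master.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 198.51.100.10
 cluster key <CLUSTER-KEY-PLACEHOLDER>
 cluster encryption
 cluster port 9023
 priority 5
 participate
```

Option A keeps the "no reconnect" property only if the state link is configured; a plain LAN-based failover without it behaves like the CSM setup described above.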
 
FalconQ (Author) commented:
We found the problem: it was an optical fiber flap on the network. It was dusty...
The reason the ASA ran at 99% CPU usage was "hits": it had 30 000 hits from around 450 IPsec clients, which means that each IPsec client had more than 100 hits per connection...

Thank You all for helping !!!

Best regards
0
 
FalconQ (Author) commented:
And I assume that the large number of "hits" could be caused by the flap on the network, an unstable connection.
0