I've been trying to get to the bottom of this, but, well, it seems I can't. We have an ASA 5505 (software version 8.3) in a data center in front of our servers. They run a variety of services, including our website, an internal XMPP server, game servers (Minecraft and Team Fortress 2, mostly UDP), mail…

Every day at around the same time PST, the firewall's system load goes from its usual 30% to over 80% and networking becomes terrible. According to `show processes cpu-hog`, the "Quack process" (what duck?!), and especially "Dispatch Unit", seem to be hogging the CPU somewhat.

The broken networking seems to follow a pattern: about 2 seconds at full speed, then it slows to a stop for 2. During this I enabled logging, and nothing interesting showed up. Just some blocked ICMP requests, and, a bit oddly, `Deny IP due to Land Attack from [one of our IPs] to [the exact same IP]`, but could that be an actual attack?

Anyway, from both servers to the firewall itself the speed is terrible, while pings between the two servers are always fine, which makes me think the firewall is overloaded. I'm not sure how the network is set up, so there may be only a small switch between the firewall and the servers.

Another odd thing, though it may be normal (I couldn't find anything about it): in `show threat-detection statistics` the internal IPs of our servers/VMs appear first, some actually with `fw-drop` numbers greater than 0.

What should I do the next time this happens? Any ideas what could be causing it? Should I disable the limiting policy-map (see below)?

Edit: pinging the servers from the firewall also shows these symptoms.

Here's some more system info:
```
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 33 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit tcp any object-group www_servers object-group www_srv 0x9c6770f3
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq ftp (hitcnt=2443) 0x73b87a74
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq ssh (hitcnt=27915) 0x73a19ab3
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq www (hitcnt=21568957) 0x045edf43
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq https (hitcnt=19746) 0xe54a2315
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 3389 (hitcnt=3919) 0x58629d3c
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 30 (hitcnt=134) 0xcd3db679
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 5922 (hitcnt=43) 0x17c6f16b
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 6122 (hitcnt=1) 0x3ea3c2e6
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 2200 (hitcnt=2) 0x8356fbc6
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 5722 (hitcnt=1) 0xaefada3e
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq domain (hitcnt=17) 0x45c7e0b1
access-list outside_in line 2 extended permit udp any object-group www_servers object-group www_srv_udp 0x9426d24f
  access-list outside_in line 2 extended permit udp any(65536) object-group www_servers(1) eq 3389 (hitcnt=1) 0x15cdc545
  access-list outside_in line 2 extended permit udp any(65536) object-group www_servers(1) eq domain (hitcnt=4468079) 0x1b6d6b19
access-list outside_in line 3 extended permit icmp host [...] any (hitcnt=0) 0x155d597f
access-list outside_in line 4 extended permit icmp host [...] any (hitcnt=289) 0x0fcc844a
access-list outside_in line 5 extended permit icmp any object-group www_servers echo-reply 0x46f79e30
  access-list outside_in line 5 extended permit icmp any(65536) object-group www_servers(1) echo-reply (hitcnt=97) 0x53984766
access-list outside_in line 6 extended permit tcp host [...] eq 25565 host 10.5.209.12 eq 25565 (hitcnt=0) 0x60c828e6
access-list outside_in line 7 extended permit tcp any object-group mc eq 25565 0xcb0d2f17
  access-list outside_in line 7 extended permit tcp any(65536) object-group mc(6) eq 25565 (hitcnt=478488) 0x3ce89b9a
access-list outside_in line 8 extended permit tcp any object-group irc object-group ircd 0x65619a8f
  access-list outside_in line 8 extended permit tcp any(65536) object-group irc(8) eq 6667 (hitcnt=6336) 0xda23eb42
  access-list outside_in line 8 extended permit tcp any(65536) object-group irc(8) eq 6969 (hitcnt=8445981) 0xb39f9de5
access-list outside_in line 9 extended permit tcp any object-group rob object-group xmppd 0x24db3318
  access-list outside_in line 9 extended permit tcp any(65536) object-group rob(9) eq 5222 (hitcnt=2836) 0x3b220aef
  access-list outside_in line 9 extended permit tcp any(65536) object-group rob(9) eq 5269 (hitcnt=316) 0x8c4a1677
access-list outside_in line 10 extended permit udp any object-group rob object-group xmppd 0x56997935
  access-list outside_in line 10 extended permit udp any(65536) object-group rob(9) eq 5222 (hitcnt=0) 0x1378a09e
  access-list outside_in line 10 extended permit udp any(65536) object-group rob(9) eq 5269 (hitcnt=0) 0x484e999c
access-list outside_in line 11 extended permit udp any object-group tf2_servers object-group tf2_udp_ports 0x4ed88dd7
  access-list outside_in line 11 extended permit udp any(65536) object-group tf2_servers(12) range 26901 27009 (hitcnt=20) 0x984f0cfd
  access-list outside_in line 11 extended permit udp any(65536) object-group tf2_servers(12) range 27015 27024 (hitcnt=1842395) 0x5117dbf3
access-list outside_in line 12 extended permit tcp any object-group tf2_servers object-group tf2_tcp_ports 0xd792e8d1
  access-list outside_in line 12 extended permit tcp any(65536) object-group tf2_servers(12) eq 8080 (hitcnt=16028) 0x1f9dcdd6
access-list outside_in line 13 extended permit object-group tcp_udp any object-group rob object-group mumble_ports 0x62e8f226
  access-list outside_in line 13 extended permit tcp any(65536) object-group rob(9) eq 64738 (hitcnt=4) 0x663e2204
  access-list outside_in line 13 extended permit udp any(65536) object-group rob(9) eq 64738 (hitcnt=14) 0x3751c05a
access-list outside_in line 14 extended permit udp any object-group kfy_servers object-group kfy_ports 0x928ebaab
  access-list outside_in line 14 extended permit udp any(65536) object-group kfy_servers(16) eq 9009 (hitcnt=52) 0x3c77464e
access-list outside_in line 15 extended permit udp any host 10.5.209.10 object-group bittorrent 0x20a28a30
  access-list outside_in line 15 extended permit udp any host 10.5.209.10(168153354) eq 10299 (hitcnt=44693845) 0x140f0e51
access-list outside_in line 16 extended permit tcp any host 10.5.209.10 object-group bittorrent 0xfe939491
  access-list outside_in line 16 extended permit tcp any host 10.5.209.10(168153354) eq 10299 (hitcnt=3763575) 0x1ef0e366
access-list outside_in line 17 extended permit icmp any object-group rob 0x6f990c22
  access-list outside_in line 17 extended permit icmp any(65536) object-group rob(9) (hitcnt=1418) 0x8401a397
access-list limiter; 3 elements; name hash: 0x189b5c6d
access-list limiter line 1 extended deny ip host [...] any (hitcnt=0) 0x72cb4f57
access-list limiter line 2 extended deny ip host 10.0.0.0 any (hitcnt=0) 0x3d376866
access-list limiter line 3 extended permit ip any any (hitcnt=89047566) 0x1bc67ee2

policy-map limit-policy-map
 class limit-map
  set connection per-client-max 500 per-client-embryonic-max 30
  set connection timeout embryonic 0:00:10 half-closed 0:05:00 dcd
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp

class-map limit-map
 match access-list limiter
class-map inspection_default
 match default-inspection-traffic
class-map limit
```
You do realize the ASA 5505's throughput is in the 10 megabit range? They're designed for small office/home office and branch-office use. They were never designed to handle gigabit traffic.

Anyway, there are many factors on an ASA 5505 that can drive CPU load up. Most of them are filter-based: if you have complex filters and policies, the more complex the things you do in those filters, the more processing time each packet consumes.

I would start by looking at traffic graphs upstream, then per server, looking for increases in traffic at the time you specified. You're really looking for patterns. If you don't have graphing for your servers, you should get some, and your provider should be able to give you traffic data in some form. That should give you some indication of which direction the problem is coming from.

If it's on the server side, then you have everything under your control and should look for the culprit there. Maybe a runaway process, or a dodgy cron job? Maybe some process is generating a lot of traffic for some reason?

If it's a problem on the provider's side, then you'll have to consult them and see if there's anything they can do.
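One cheap way to do the "look for the pattern" step from the firewall itself, as an added example that is not part of the question or the answer above: take `show access-list` output once before the slowdown and once during it, parse the per-ACE hit counters, and rank ACEs by how many hits they gained over the interval. The `hitcnt` values are cumulative and the trailing `0x...` hash identifies an ACE stably across snapshots, so the deltas point at the rule (and therefore the service and server) that the surge is landing on. The two snapshots below are constructed in the format of the question's output, with made-up counts (hypothetical data, not the poster's real counters).

```python
import re
from typing import Dict, List, Tuple

# One expanded ACE line from ASA "show access-list" output. Object-group
# summary lines carry no hitcnt and are deliberately not matched.
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<rule>extended\s+.*?)\s+\(hitcnt=(?P<hits>\d+)\)\s+"
    r"(?P<hash>0x[0-9a-f]+)\s*$"
)

# Constructed sample snapshots (hypothetical counts in the page's format).
SNAP_T0 = """\
access-list outside_in; 33 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit tcp any object-group www_servers object-group www_srv 0x9c6770f3
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq www (hitcnt=1000) 0x045edf43
access-list outside_in line 15 extended permit udp any host 10.5.209.10 object-group bittorrent 0x20a28a30
  access-list outside_in line 15 extended permit udp any host 10.5.209.10(168153354) eq 10299 (hitcnt=5000) 0x140f0e51
access-list outside_in line 17 extended permit icmp any object-group rob 0x6f990c22
  access-list outside_in line 17 extended permit icmp any(65536) object-group rob(9) (hitcnt=10) 0x8401a397
"""

SNAP_T1 = """\
access-list outside_in; 33 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit tcp any object-group www_servers object-group www_srv 0x9c6770f3
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq www (hitcnt=1600) 0x045edf43
access-list outside_in line 15 extended permit udp any host 10.5.209.10 object-group bittorrent 0x20a28a30
  access-list outside_in line 15 extended permit udp any host 10.5.209.10(168153354) eq 10299 (hitcnt=125000) 0x140f0e51
access-list outside_in line 17 extended permit icmp any object-group rob 0x6f990c22
  access-list outside_in line 17 extended permit icmp any(65536) object-group rob(9) (hitcnt=10) 0x8401a397
"""


def parse_hitcounts(output: str) -> Dict[str, Tuple[str, int]]:
    """Map ACE hash id -> (human-readable rule, cumulative hit count)."""
    counts: Dict[str, Tuple[str, int]] = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        label = f"{m['acl']} line {m['line']} {m['rule']}"
        counts[m["hash"]] = (label, int(m["hits"]))
    return counts


def hit_deltas(before: str, after: str, interval_s: float) -> List[Tuple[str, int, float]]:
    """Rank ACEs by hits gained between two snapshots taken interval_s apart.

    Returns (rule, delta, hits_per_second), largest delta first. An ACE that
    only exists in the second snapshot counts from zero. If a counter went
    backwards, 'clear access-list counters' ran between the snapshots, so the
    second value is itself the delta for the interval.
    """
    b = parse_hitcounts(before)
    a = parse_hitcounts(after)
    rows: List[Tuple[str, int, float]] = []
    for ace, (rule, hits_after) in a.items():
        hits_before = b.get(ace, (rule, 0))[1]
        delta = hits_after - hits_before if hits_after >= hits_before else hits_after
        rows.append((rule, delta, delta / interval_s))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


if __name__ == "__main__":
    # Pretend the two snapshots were taken 60 seconds apart.
    for rule, delta, pps in hit_deltas(SNAP_T0, SNAP_T1, 60.0):
        print(f"{delta:>9d} hits  {pps:>8.1f}/s  {rule}")
```

Run `show access-list outside_in` on the ASA twice, a known number of seconds apart, while the slowdown is happening, and feed the two captures to `hit_deltas`. On the sample data the UDP bittorrent ACE for host 10.5.209.10 dominates (120000 hits in 60 s, 2000/s) while the others barely move; a rule gaining that much on a 5505 is what to correlate against the server's own connection tables and the provider's graphs. The same approach works on the `limiter` ACL to see how much of the load is passing through the limiting policy-map the question asks about.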