Guest

Preview Tool

Cisco Bug: CSCur40249 - ASA may become unresponsive due to memory debugging commands and SFR module or threat detection

Last Modified

Oct 27, 2020

Products (1)

  • Cisco Adaptive Security Appliance (ASA) Software

Known Affected Releases

100.10(6.10) 100.12(0.77)

Description (partial)

Symptom:
An ASA Firewall may exhibit elevated CPU utilization under very low traffic rates. 

'show process cpu-usage non-zero' shows most of the CPU usage is in the datapath as shown here:
uut19-5512# show processes cpu-usage  non-zero 
PC         Thread       5Sec     1Min     5Min   Process
0x00000000019649eb   0x00007fffee11d560     0.0%     0.2%     0.3%   ssh
   -          -        95.4%    34.9%    38.5%   DATAPATH-0-1451

Also, 'cpu hog granular-detection 1000 1' and 'show process cpu-hog'  contain output similar to this:

Process:      DATAPATH-0-1451, PROC_PC_TOTAL: 52, MAXHOG: 9284, LASTHOG: 2584
LASTHOG At:   23:41:21 UTC Apr 6 2015
PC:           0x0000000000000000 (suspend)

Process:      DATAPATH-0-1451, NUMHOG: 51, MAXHOG: 9284, LASTHOG: 2584
LASTHOG At:   23:41:21 UTC Apr 6 2015
PC:           0x0000000000000000 (suspend)
Call stack:   0x00000000004381fa  0x000000000071cc3d  0x000000000171170d
              0x000000000171aaac  0x000000371c808201

      Interrupt based hog entry #1
      Hog #1, traceback #1, at:   23:40:28 UTC Apr 6 2015, hog 9 ms
      PC:           0x000000371c47a9b4
      Call stack: 
      Hog #1, traceback #2, at:   23:40:28 UTC Apr 6 2015, hog 19 ms
      PC:           0x000000371c47a9b0
      Call stack: 

Note there is no Call stack in the "Interrupt based hog entry", and the PC is in the 0x0000003700000000 range.

Conditions:
Threat-detection is enabled or memory delay-free-poisoner are enabled.

This issue affects 9.3.2.x code versions only.  9.3.3 contains the fix for this issue.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.