Cisco Bug: CSCur87061 - Potential ICMP error storm in cluster CCL link

Last Modified

Aug 07, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

100.8(40.92) 9.1(4)

Description (partial)

ICMP error packets may loop between cluster members on the cluster control link (CCL) when the owner of the flow embedded in the ICMP error has removed the connection (due to a timeout, etc.) but the director of the flow still has the connection. This happens when the update message from the owner to the director for deleting the connection is dropped on the CCL.

All of the symptoms below are observed in this case:

1. High CPU on ASA cluster members.

2. Extremely large difference between Regular flow rate and Director flow rate.
ciscoasa/master# sh cluster info conn-distribution
Unit    Total Conns (/sec)    Reg Conns (/sec)    Dir Conns (/sec)    Fwd Conns (/sec)
asa1    27301                 26513               536                 252
asa2    31597                 30932               424                 241

3. Extremely high rate of increase in the CCL_OWNER_ELECTED counter under "show asp cluster counter".

4. Extremely high rate of increase in the cluster-redirect counter under "show asp drop".

5. Packet capture on the cluster control link shows the same ICMP error packet looping at a very high rate.

The ASA is in a clustering setup.
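
The following triage sketch is an added example, not Cisco code: it parses the conn-distribution output shown above and combines symptom 2 with the counter growth rates from symptoms 3 and 4. The function names and both threshold values are assumptions, and the two counter rates are expected to come from readings you take yourself with "show asp cluster counter" and "show asp drop".

```python
import re

# Constructed input: the "show cluster info conn-distribution" output from this
# bug report, including its uneven spacing and blank line.
SAMPLE = """\
ciscoasa/master# sh cluster info conn-distribution
Unit            Total Conns (/sec)    Reg Conns (/sec)   Dir Conns (/sec)    Fwd Conns (/sec)
asa1             27301               26513               536                 252

asa2           31597               30932               424                 241
"""

# A data row is a unit name followed by exactly four integer rates.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_conn_distribution(text):
    """Return {unit: {"total", "reg", "dir", "fwd"}} of per-second rates."""
    units = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            keys = ("total", "reg", "dir", "fwd")
            units[m.group(1)] = dict(zip(keys, map(int, m.groups()[1:])))
    return units


def reg_dir_ratio(stats):
    """Regular-to-director flow rate ratio (symptom 2)."""
    return float("inf") if stats["dir"] == 0 else stats["reg"] / stats["dir"]


def counter_rate(prev, curr, seconds):
    """Per-second growth of a counter between two polls (symptoms 3 and 4).
    A smaller second reading is treated as a counter reset."""
    if seconds <= 0:
        raise ValueError("polls must be taken at increasing times")
    return (curr - prev if curr >= prev else curr) / seconds


def matches_bug_pattern(stats, owner_elected_rate, redirect_rate,
                        ratio_limit=20.0, rate_limit=1000.0):
    """True only when every measured symptom is over its limit, since the
    report says all symptoms appear together. Limits are assumed values."""
    return (reg_dir_ratio(stats) > ratio_limit
            and owner_elected_rate > rate_limit
            and redirect_rate > rate_limit)
```

CPU load and the CCL packet capture (symptoms 1 and 5) are not covered by this check and still need to be confirmed on the devices.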