High CPU Usage in Firepower

Friday June 22, 2018

The Symptoms

I use Firepower Management Center quite a bit. Recently, I started getting health monitoring alerts. It looked something like this:

Health Monitor Alert from 10.10.10.10
Severity: Critical
Module: CPU Usage

Description: Using CPU05 95.34%

These alerts were spamming me every 5 minutes for a few hours.

One of our ASAs running Firepower Services was having a bad time.

The Findings

I couldn’t find the answer to this on my own, so I logged a call with the TAC. The engineer explained that this is quite common in Firepower. He called it an elephant process.

It came down to how SNORT (the IPS engine) works. SNORT is a single-threaded application, so by default it doesn't take advantage of multi-core processors. To work around this, the ASA runs a separate instance of SNORT for each core.

The problem occurs when there is a large file transfer. In our case, a large file was being transferred over FTP. That single flow gets assigned to one SNORT process, which means it is pinned to a single CPU core. One flow is enough to drive that core as hard as it can go, and that is what raises these alerts.

If the file is large enough, the CPU usage is high long enough to trigger these warnings.

The Solution

These alerts can be ignored: this is Firepower's normal behaviour. You do need to confirm that this is actually the scenario you are in, though. I recommend checking whether only one core is affected and, if possible, whether a large file transfer is in progress at the same time.
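As an added example (not from the original post or from Cisco), here is a small check that applies the "only one core is impacted" test to a batch of health-monitor alert text: it counts sustained high-CPU alerts per core and tells a single-core hotspot (the elephant-flow pattern) apart from several cores running hot. The alert lines below are constructed to match the shape of the alert quoted above; the thresholds are assumptions.

```python
import re
from collections import Counter

# Matches the "Module: CPU Usage ... Using CPUnn xx.xx%" part of an alert line.
ALERT_RE = re.compile(r"Module:\s*CPU Usage.*?Using (CPU\d+)\s+([\d.]+)%")

# Constructed sample: repeated alerts from one core, plus one stray alert
# from another core (the pattern this post describes).
ELEPHANT_ALERTS = """\
08:00 Health Monitor Alert from 10.10.10.10 Severity: Critical Module: CPU Usage Description: Using CPU05 95.34%
08:05 Health Monitor Alert from 10.10.10.10 Severity: Critical Module: CPU Usage Description: Using CPU05 97.10%
08:10 Health Monitor Alert from 10.10.10.10 Severity: Warning Module: CPU Usage Description: Using CPU02 91.00%
08:10 Health Monitor Alert from 10.10.10.10 Severity: Critical Module: CPU Usage Description: Using CPU05 96.52%
08:15 Health Monitor Alert from 10.10.10.10 Severity: Critical Module: CPU Usage Description: Using CPU05 94.88%
"""

# Constructed sample: several cores alerting repeatedly, which is NOT the
# elephant-flow pattern and points at a genuine capacity problem.
SATURATED_ALERTS = """\
09:00 Health Monitor Alert from 10.10.10.10 Severity: Critical Module: CPU Usage Description: Using CPU01 93.00%
09:00 Health Monitor Alert from 10.10.10.10 Severity: Critical Module: CPU Usage Description: Using CPU02 94.50%
09:05 Health Monitor Alert from 10.10.10.10 Severity: Critical Module: CPU Usage Description: Using CPU01 95.10%
09:05 Health Monitor Alert from 10.10.10.10 Severity: Critical Module: CPU Usage Description: Using CPU02 96.20%
09:10 Health Monitor Alert from 10.10.10.10 Severity: Critical Module: CPU Usage Description: Using CPU01 92.70%
09:10 Health Monitor Alert from 10.10.10.10 Severity: Critical Module: CPU Usage Description: Using CPU02 93.90%
"""


def cores_over_threshold(alert_text, threshold=90.0):
    """Count, per core, how many alerts report utilisation >= threshold (%)."""
    hits = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m and float(m.group(2)) >= threshold:
            hits[m.group(1)] += 1
    return hits


def classify(hits, min_alerts=3):
    """Decide whether the sustained load sits on one core or on several.

    min_alerts is an assumed cut-off: a core must alert at least this many
    times (at 5-minute intervals) to count as a sustained hotspot.
    """
    busy = sorted(core for core, n in hits.items() if n >= min_alerts)
    if not busy:
        return "no sustained hotspot"
    if len(busy) == 1:
        return f"single-core hotspot on {busy[0]}: consistent with one SNORT instance handling an elephant flow"
    return f"multiple cores hot ({', '.join(busy)}): not the elephant-flow pattern, check overall capacity"


if __name__ == "__main__":
    for name, text in (("elephant", ELEPHANT_ALERTS), ("saturated", SATURATED_ALERTS)):
        print(name, "->", classify(cores_over_threshold(text)))
```

A single-core verdict is only the first half of the check; the post's second step, confirming a large transfer is actually in flight, still has to be done against connection data.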