Cisco ASA：一天一兩次網路速度很差，否則很好

一段時間以來，我一直試圖弄清楚這一點，而且，看來我做不到。我們在數據中心的 ASA5505（軟體版本 8.3）後面有兩台伺服器。他們執行各種各樣的服務，包括我們的網站、內部 XMPP 伺服器、遊戲伺服器（Minecraft 和 Team Fortress 2，大部分都使用 UDP）、郵件……

每天大約在太平洋標準時間中午左右，網路速度在大約一個小時內變得非常糟糕，而防火牆的系統負載從通常的 30% 上升到 80% 以上。根據show processes cpu-hog，“Quack 程序”（什麼鴨子？！），尤其是“調度單元”，嗯，有點佔用 CPU。

當網路變壞時，似乎有一種模式。大約 2 秒鐘它是全速的，然後它減速到幾乎停止了 2 秒。在此期間，我啟用了對 ssh 的日誌記錄，但沒有出現任何有趣的事情。只是幾個被阻止的 ICMP 請求，有點奇怪，Deny IP due to Land Attack from [one of our IPs] to [the exact same IP]但這可能是真正的攻擊？

無論如何，兩台伺服器之間以及防火牆本身的速度都很差，這讓我覺得它負擔過重，儘管兩台伺服器之間的 ping 總是很好。我不確定網路是如何設置的，所以防火牆和伺服器之間可能只是一個小開關。

另一個奇怪的事情，但是，再次，這可能是正常的（找不到任何關於它的東西），在show threat-detection statistics我們的伺服器/虛擬機的內部 IP 中首先出現，有些實際上有大於 0 的fw-drop.

下次出現此問題時我應該嘗試什麼？關於可能導致這種情況的任何想法？我應該禁用limit-policy-map（見下文）嗎？

編輯：從防火牆 ping 伺服器也會顯示這些症狀。

以下是更多系統資訊：

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
           alert-interval 300
access-list outside_in; 33 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit tcp any object-group www_servers object-group www_srv 0x9c6770f3 
 access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq ftp (hitcnt=2443) 0x73b87a74 
 access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq ssh (hitcnt=27915) 0x73a19ab3 
 access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq www (hitcnt=21568957) 0x045edf43 
 access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq https (hitcnt=19746) 0xe54a2315 
 access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 3389 (hitcnt=3919) 0x58629d3c 
 access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 30 (hitcnt=134) 0xcd3db679 
 access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 5922 (hitcnt=43) 0x17c6f16b 
 access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 6122 (hitcnt=1) 0x3ea3c2e6 
 access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 2200 (hitcnt=2) 0x8356fbc6 
 access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 5722 (hitcnt=1) 0xaefada3e 
 access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq domain (hitcnt=17) 0x45c7e0b1 
access-list outside_in line 2 extended permit udp any object-group www_servers object-group www_srv_udp 0x9426d24f 
 access-list outside_in line 2 extended permit udp any(65536) object-group www_servers(1) eq 3389 (hitcnt=1) 0x15cdc545 
 access-list outside_in line 2 extended permit udp any(65536) object-group www_servers(1) eq domain (hitcnt=4468079) 0x1b6d6b19 
access-list outside_in line 3 extended permit icmp host [...] any (hitcnt=0) 0x155d597f 
access-list outside_in line 4 extended permit icmp host [...] any (hitcnt=289) 0x0fcc844a 
access-list outside_in line 5 extended permit icmp any object-group www_servers echo-reply 0x46f79e30 
 access-list outside_in line 5 extended permit icmp any(65536) object-group www_servers(1) echo-reply (hitcnt=97) 0x53984766 
access-list outside_in line 6 extended permit tcp host [...] eq 25565 host 10.5.209.12 eq 25565 (hitcnt=0) 0x60c828e6 
access-list outside_in line 7 extended permit tcp any object-group mc eq 25565 0xcb0d2f17 
 access-list outside_in line 7 extended permit tcp any(65536) object-group mc(6) eq 25565 (hitcnt=478488) 0x3ce89b9a 
access-list outside_in line 8 extended permit tcp any object-group irc object-group ircd 0x65619a8f 
 access-list outside_in line 8 extended permit tcp any(65536) object-group irc(8) eq 6667 (hitcnt=6336) 0xda23eb42 
 access-list outside_in line 8 extended permit tcp any(65536) object-group irc(8) eq 6969 (hitcnt=8445981) 0xb39f9de5 
access-list outside_in line 9 extended permit tcp any object-group rob object-group xmppd 0x24db3318 
 access-list outside_in line 9 extended permit tcp any(65536) object-group rob(9) eq 5222 (hitcnt=2836) 0x3b220aef 
 access-list outside_in line 9 extended permit tcp any(65536) object-group rob(9) eq 5269 (hitcnt=316) 0x8c4a1677 
access-list outside_in line 10 extended permit udp any object-group rob object-group xmppd 0x56997935 
 access-list outside_in line 10 extended permit udp any(65536) object-group rob(9) eq 5222 (hitcnt=0) 0x1378a09e 
 access-list outside_in line 10 extended permit udp any(65536) object-group rob(9) eq 5269 (hitcnt=0) 0x484e999c 
access-list outside_in line 11 extended permit udp any object-group tf2_servers object-group tf2_udp_ports 0x4ed88dd7 
 access-list outside_in line 11 extended permit udp any(65536) object-group tf2_servers(12) range 26901 27009 (hitcnt=20) 0x984f0cfd 
 access-list outside_in line 11 extended permit udp any(65536) object-group tf2_servers(12) range 27015 27024 (hitcnt=1842395) 0x5117dbf3 
access-list outside_in line 12 extended permit tcp any object-group tf2_servers object-group tf2_tcp_ports 0xd792e8d1 
 access-list outside_in line 12 extended permit tcp any(65536) object-group tf2_servers(12) eq 8080 (hitcnt=16028) 0x1f9dcdd6 
access-list outside_in line 13 extended permit object-group tcp_udp any object-group rob object-group mumble_ports 0x62e8f226 
 access-list outside_in line 13 extended permit tcp any(65536) object-group rob(9) eq 64738 (hitcnt=4) 0x663e2204 
 access-list outside_in line 13 extended permit udp any(65536) object-group rob(9) eq 64738 (hitcnt=14) 0x3751c05a 
access-list outside_in line 14 extended permit udp any object-group kfy_servers object-group kfy_ports 0x928ebaab 
 access-list outside_in line 14 extended permit udp any(65536) object-group kfy_servers(16) eq 9009 (hitcnt=52) 0x3c77464e 
access-list outside_in line 15 extended permit udp any host 10.5.209.10 object-group bittorrent 0x20a28a30 
 access-list outside_in line 15 extended permit udp any host 10.5.209.10(168153354) eq 10299 (hitcnt=44693845) 0x140f0e51 
access-list outside_in line 16 extended permit tcp any host 10.5.209.10 object-group bittorrent 0xfe939491 
 access-list outside_in line 16 extended permit tcp any host 10.5.209.10(168153354) eq 10299 (hitcnt=3763575) 0x1ef0e366 
access-list outside_in line 17 extended permit icmp any object-group rob 0x6f990c22 
 access-list outside_in line 17 extended permit icmp any(65536) object-group rob(9) (hitcnt=1418) 0x8401a397 
access-list limiter; 3 elements; name hash: 0x189b5c6d
access-list limiter line 1 extended deny ip host [...] any (hitcnt=0) 0x72cb4f57 
access-list limiter line 2 extended deny ip host 10.0.0.0 any (hitcnt=0) 0x3d376866 
access-list limiter line 3 extended permit ip any any (hitcnt=89047566) 0x1bc67ee2 


policy-map limit-policy-map
class limit-map
 set connection per-client-max 500 per-client-embryonic-max 30 
 set connection timeout embryonic 0:00:10 half-closed 0:05:00 dcd 
policy-map global_policy
class inspection_default
 inspect dns 
 inspect ftp 


class-map limit-map
match access-list limiter
class-map inspection_default
match default-inspection-traffic
class-map limit

您是否意識到 ASA5505 的吞吐量在 10 兆位？它們專為小型辦公室/家庭辦公室和分支機構而設計。他們從來沒有被設計來處理流量的演出。

無論如何，ASA5505 有許多可能導致 CPU 負載增加的因素。大多數 em 都是基於過濾器的。如果您有復雜的過濾器和策略。您在這些過濾器中執行的操作越複雜，每個數據包所消耗的處理時間就越多。

我將首先查看上游的流量圖，並找出伺服器在您指定的時間增加的流量水平。你真的在尋找模式。如果您的伺服器沒有圖表，您應該得到一些，您的提供商應該能夠為您提供某種形式的流量數據。這應該可以讓您了解問題的來源。

如果它在伺服器端，那麼你的一切都在你的控制之下，應該在那裡尋找罪魁禍首。也許是一個錯誤的程序，或者是狡猾的 cron 工作？也許某些出於某種原因正在產生大量流量的程序？

如果它是供應商方面的問題，那麼您將不得不與他們協商，看看 Rees 是否可以做任何事情。

引用自：https://serverfault.com/questions/522682