Cisco ASA: network speed is very poor once or twice a day, fine the rest of the time

I've been trying to figure this out but can't seem to solve it. We have two servers behind an ASA5505 (software version 8.3) in a data center. They run various services, including our website, an internal XMPP server, game servers (Minecraft and Team Fortress 2, both mostly UDP), mail...

Every day around noon Pacific time the network gets very bad for about an hour, and the firewall's system load rises from the usual 30% to over 80%. According to show processes cpu-hog, the "Quack process" (what the heck?!) and especially "Dispatch Unit" are using a bit of CPU.

The network failure seems to follow a pattern: about 2 seconds at full speed, then it slows down and almost stops for 2 seconds. During this I enabled ssh logging, but nothing interesting happened. Only a few blocked ICMP requests and, somewhat oddly, Deny IP due to Land Attack from [one of our IPs] to [the exact same IP], but that might be a real attack?

In any case, it's slow between the two servers, and the firewall itself is slow, which makes me think it's overloaded, although ping between the two servers is always fine. I'm not sure how the network is set up, though, so there may just be a small switch between the firewall and the servers.

Another odd thing, but again this might be normal (couldn't find any info on it): in show threat-detection statistics the internal IPs of our servers/VMs are listed first, and some actually have fw-drop numbers greater than 0.

What should I try next time this happens? Any ideas what could cause it? Should I disable the limit-policy-map (see below)?

Edit: pinging the servers from the firewall shows the same symptoms.

Here is some more system info:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 33 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit tcp any object-group www_servers object-group www_srv 0x9c6770f3 
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq ftp (hitcnt=2443) 0x73b87a74 
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq ssh (hitcnt=27915) 0x73a19ab3 
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq www (hitcnt=21568957) 0x045edf43 
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq https (hitcnt=19746) 0xe54a2315 
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 3389 (hitcnt=3919) 0x58629d3c 
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 30 (hitcnt=134) 0xcd3db679 
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 5922 (hitcnt=43) 0x17c6f16b 
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 6122 (hitcnt=1) 0x3ea3c2e6 
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 2200 (hitcnt=2) 0x8356fbc6 
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq 5722 (hitcnt=1) 0xaefada3e 
  access-list outside_in line 1 extended permit tcp any(65536) object-group www_servers(1) eq domain (hitcnt=17) 0x45c7e0b1 
access-list outside_in line 2 extended permit udp any object-group www_servers object-group www_srv_udp 0x9426d24f 
  access-list outside_in line 2 extended permit udp any(65536) object-group www_servers(1) eq 3389 (hitcnt=1) 0x15cdc545 
  access-list outside_in line 2 extended permit udp any(65536) object-group www_servers(1) eq domain (hitcnt=4468079) 0x1b6d6b19 
access-list outside_in line 3 extended permit icmp host [...] any (hitcnt=0) 0x155d597f 
access-list outside_in line 4 extended permit icmp host [...] any (hitcnt=289) 0x0fcc844a 
access-list outside_in line 5 extended permit icmp any object-group www_servers echo-reply 0x46f79e30 
  access-list outside_in line 5 extended permit icmp any(65536) object-group www_servers(1) echo-reply (hitcnt=97) 0x53984766 
access-list outside_in line 6 extended permit tcp host [...] eq 25565 host 10.5.209.12 eq 25565 (hitcnt=0) 0x60c828e6 
access-list outside_in line 7 extended permit tcp any object-group mc eq 25565 0xcb0d2f17 
  access-list outside_in line 7 extended permit tcp any(65536) object-group mc(6) eq 25565 (hitcnt=478488) 0x3ce89b9a 
access-list outside_in line 8 extended permit tcp any object-group irc object-group ircd 0x65619a8f 
  access-list outside_in line 8 extended permit tcp any(65536) object-group irc(8) eq 6667 (hitcnt=6336) 0xda23eb42 
  access-list outside_in line 8 extended permit tcp any(65536) object-group irc(8) eq 6969 (hitcnt=8445981) 0xb39f9de5 
access-list outside_in line 9 extended permit tcp any object-group rob object-group xmppd 0x24db3318 
  access-list outside_in line 9 extended permit tcp any(65536) object-group rob(9) eq 5222 (hitcnt=2836) 0x3b220aef 
  access-list outside_in line 9 extended permit tcp any(65536) object-group rob(9) eq 5269 (hitcnt=316) 0x8c4a1677 
access-list outside_in line 10 extended permit udp any object-group rob object-group xmppd 0x56997935 
  access-list outside_in line 10 extended permit udp any(65536) object-group rob(9) eq 5222 (hitcnt=0) 0x1378a09e 
  access-list outside_in line 10 extended permit udp any(65536) object-group rob(9) eq 5269 (hitcnt=0) 0x484e999c 
access-list outside_in line 11 extended permit udp any object-group tf2_servers object-group tf2_udp_ports 0x4ed88dd7 
  access-list outside_in line 11 extended permit udp any(65536) object-group tf2_servers(12) range 26901 27009 (hitcnt=20) 0x984f0cfd 
  access-list outside_in line 11 extended permit udp any(65536) object-group tf2_servers(12) range 27015 27024 (hitcnt=1842395) 0x5117dbf3 
access-list outside_in line 12 extended permit tcp any object-group tf2_servers object-group tf2_tcp_ports 0xd792e8d1 
  access-list outside_in line 12 extended permit tcp any(65536) object-group tf2_servers(12) eq 8080 (hitcnt=16028) 0x1f9dcdd6 
access-list outside_in line 13 extended permit object-group tcp_udp any object-group rob object-group mumble_ports 0x62e8f226 
  access-list outside_in line 13 extended permit tcp any(65536) object-group rob(9) eq 64738 (hitcnt=4) 0x663e2204 
  access-list outside_in line 13 extended permit udp any(65536) object-group rob(9) eq 64738 (hitcnt=14) 0x3751c05a 
access-list outside_in line 14 extended permit udp any object-group kfy_servers object-group kfy_ports 0x928ebaab 
  access-list outside_in line 14 extended permit udp any(65536) object-group kfy_servers(16) eq 9009 (hitcnt=52) 0x3c77464e 
access-list outside_in line 15 extended permit udp any host 10.5.209.10 object-group bittorrent 0x20a28a30 
  access-list outside_in line 15 extended permit udp any host 10.5.209.10(168153354) eq 10299 (hitcnt=44693845) 0x140f0e51 
access-list outside_in line 16 extended permit tcp any host 10.5.209.10 object-group bittorrent 0xfe939491 
  access-list outside_in line 16 extended permit tcp any host 10.5.209.10(168153354) eq 10299 (hitcnt=3763575) 0x1ef0e366 
access-list outside_in line 17 extended permit icmp any object-group rob 0x6f990c22 
  access-list outside_in line 17 extended permit icmp any(65536) object-group rob(9) (hitcnt=1418) 0x8401a397 
access-list limiter; 3 elements; name hash: 0x189b5c6d
access-list limiter line 1 extended deny ip host [...] any (hitcnt=0) 0x72cb4f57 
access-list limiter line 2 extended deny ip host 10.0.0.0 any (hitcnt=0) 0x3d376866 
access-list limiter line 3 extended permit ip any any (hitcnt=89047566) 0x1bc67ee2 


policy-map limit-policy-map
 class limit-map
  set connection per-client-max 500 per-client-embryonic-max 30 
  set connection timeout embryonic 0:00:10 half-closed 0:05:00 dcd 
policy-map global_policy
 class inspection_default
  inspect dns 
  inspect ftp 


class-map limit-map
 match access-list limiter
class-map inspection_default
 match default-inspection-traffic
class-map limit

Answer 1

Are you aware that the ASA5505's throughput is only tens of megabits? They are designed for SOHO and branch offices. They were never designed to handle gigabit-class traffic.

Anyway, there are many things on an ASA5505 that can drive up CPU load. Most of them are filter-based: if you have complex filters and policies, the more complex the operations you perform in those filters, the longer each packet takes to process.

I would start by looking at traffic graphs upstream and on the servers to find out whether traffic increases at the time you mention. You are really looking for a pattern. If you don't have graphs for your servers you should get some; your provider should be able to give you some form of traffic data. That should give you an idea where the problem is coming from.

If it's on the server side, then everything is under your control and that's where to look for the culprit. Maybe a misbehaving process, or a sneaky cron job? Maybe some process is now generating a lot of traffic for some reason?

If it's on the provider side, then you'll have to consult them to see whether anything can be done.
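One way to do what the answer suggests (check whether the noon window actually coincides with a traffic increase) from the firewall's own syslog, as an added example that is not part of the original question or answer: it buckets the ASA's connection-build messages (%ASA-6-302013 for TCP, %ASA-6-302015 for UDP) by minute and by client, flags minutes far above the median minute, and lists the %ASA-2-106017 "Land Attack" events the asker saw. It assumes `logging timestamp` is enabled so each line starts with the "Mon dd yyyy HH:MM:SS" prefix. The hostname fw01, the addresses, the spike threshold and all log lines are constructed for the example; the per-client numbers are new connections per minute, not concurrent connections, so they are only an indicator relative to the `per-client-max 500` setting in the question (concurrency would also need the 302014/302016 teardown lines).

```python
"""Bucket ASA connection-build events by minute and client to test whether
the noon slowdown coincides with a traffic burst.

Added example, not code from the original post. Assumes `logging timestamp`
is enabled (default "Mon dd yyyy HH:MM:SS" prefix) and uses constructed
sample lines in the %ASA-6-302013/302015 and %ASA-2-106017 formats.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

_TS = r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
# 302013 (TCP) / 302015 (UDP): "Built inbound TCP connection N for
# outside:real/port (mapped/port) to inside:real/port (mapped/port)".
BUILT_RE = re.compile(
    _TS + r" \S+ %ASA-6-3020(?:13|15): Built (?:inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<conn>\d+) for \S+?:(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) "
    r"to \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# 106017: the "Land Attack" message from the question (source IP == destination IP).
LAND_RE = re.compile(
    _TS + r" \S+ %ASA-2-106017: Deny IP due to Land Attack from (?P<src>[\d.]+) to (?P<dst>[\d.]+)"
)
_FMT = "%b %d %Y %H:%M:%S"


def parse_line(line):
    """Return a dict for connection-build or land-attack lines, else None."""
    m = BUILT_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "built"
    else:
        m = LAND_RE.match(line)
        if not m:
            return None
        ev = m.groupdict()
        ev["kind"] = "land"
    ev["ts"] = datetime.strptime(ev["ts"], _FMT)
    return ev


def summarize(lines):
    """Count new connections per minute and per (minute, client); collect land events."""
    per_minute = Counter()
    per_client = defaultdict(Counter)
    land = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        minute = ev["ts"].strftime("%H:%M")
        if ev["kind"] == "built":
            per_minute[minute] += 1
            per_client[minute][ev["src"]] += 1
        else:
            land.append((minute, ev["src"], ev["dst"]))
    return per_minute, per_client, land


def find_spikes(per_minute, factor=3.0):
    """Minutes whose new-connection count exceeds factor x the median minute (threshold is an assumption)."""
    if not per_minute:
        return []
    med = statistics.median(per_minute.values())
    return sorted(m for m, c in per_minute.items() if c > factor * med)


def top_clients(per_client, minute, n=3):
    """Clients that opened the most new connections in a given minute."""
    return per_client[minute].most_common(n)


def build_sample():
    """Constructed log: quiet minutes, then a burst from one client at 12:02."""
    lines, conn = [], [10000]

    def built(ts, proto, src, dst, dport):
        conn[0] += 1
        msg, sport = ("302013" if proto == "TCP" else "302015"), 40000 + conn[0] % 1000
        lines.append(f"Jan 15 2012 {ts} fw01 %ASA-6-{msg}: Built inbound {proto} connection "
                     f"{conn[0]} for outside:{src}/{sport} ({src}/{sport}) "
                     f"to inside:{dst}/{dport} (198.51.100.10/{dport})")

    quiet = [("203.0.113.5", "10.5.209.10", 10299, "TCP"),
             ("203.0.113.9", "10.5.209.12", 27015, "UDP"),
             ("203.0.113.20", "10.5.209.12", 25565, "TCP")]
    for hhmm in ("11:57", "11:58", "11:59", "12:03"):
        for i, (src, dst, dport, proto) in enumerate(quiet):
            built(f"{hhmm}:{10 * i:02d}", proto, src, dst, dport)
    for i in range(50):  # one client hammering the bittorrent port
        built(f"12:02:{i:02d}", "TCP", "203.0.113.77", "10.5.209.10", 10299)
    for i in range(10):
        built(f"12:02:{30 + i:02d}", "UDP", f"203.0.113.{100 + i}", "10.5.209.12", 27015)
    lines.append("Jan 15 2012 12:02:41 fw01 %ASA-2-106017: Deny IP due to Land Attack "
                 "from 198.51.100.10 to 198.51.100.10")
    for i in range(2):
        built(f"12:04:{i:02d}", "TCP", "203.0.113.5", "10.5.209.10", 10299)
    # An unrelated message type (106015); parse_line ignores it.
    lines.append("Jan 15 2012 12:04:30 fw01 %ASA-6-106015: Deny TCP (no connection) from "
                 "203.0.113.5/1234 to 198.51.100.10/80 flags ACK on interface outside")
    return lines


SAMPLE_LINES = build_sample()

if __name__ == "__main__":
    per_minute, per_client, land = summarize(SAMPLE_LINES)
    for minute in sorted(per_minute):
        print(minute, per_minute[minute], top_clients(per_client, minute, 1))
    print("spikes:", find_spikes(per_minute))
    print("land-attack events:", land)
```

To use it on real data, send the ASA's informational-level syslog (302013/302015 are level 6) to a syslog host with `logging timestamp` on, and feed the lines for one day to `summarize`; a spike list that lines up with the noon window points at the traffic, an empty one points elsewhere (the CPU-hog processes or the upstream link). For live concurrency against `per-client-max` the ASA's own `show conn count` and `show local-host` are the direct check.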
