We have an HA pair of ASA 2130s (Firepower hardware running ASA code) that have been getting pegged out lately. Downstream from the ASA are 500 server VMs and 500 VDI VMs, some in a Hyper-V cluster and some in a UCS environment. Nothing traffic-wise has changed; the interfaces headed to the firewall pair (10G, with a leg each in a Nexus 93180-YC vPC pair) are loaded but not saturated (3-4 Gbps peak), but the CPU on the firewall will run up to 99-100% and stay there for a minute or two. Since all north-south and east-west traffic traverses this firewall, when the CPU spikes we see latency and packet loss across the environment.
I need some advice on isolating the problem; has anyone out there had similar experiences? My gut says we're blasting it with tiny packets and hitting the PPS ceiling for inspection, but it could be something totally different.
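Added example, not from the poster: one quick way to test the "tiny packets" hypothesis is to diff the packet and byte counters from two `show interface` snapshots taken a few seconds apart and compute pps and average frame size per interface and direction. A high-pps, low-throughput direction with a small average frame is the signature the post is guessing at. The script is hypothetical Python run off-box (not an ASA feature); the two snapshots below are constructed in the shape of ASA `show interface` counter lines, the 10-second interval is assumed, and the 128-byte / 100 kpps thresholds are illustrative, not ASA platform limits.

```python
"""Diff two Cisco ASA 'show interface' snapshots and flag small-packet load.

Hypothetical helper written for this thread, not from the original post.
It parses the "N packets input, M bytes" / "N packets output, M bytes"
lines that ASA 'show interface' prints under each interface header,
diffs two snapshots taken INTERVAL seconds apart, and reports pps,
Mbps and average frame size per interface and direction.
"""
import re
from dataclasses import dataclass

# Interface header, e.g. Interface TenGigabitEthernet1/1 "inside", is up, ...
IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)"')
# Counter lines, e.g. "32584 packets input, 2658762 bytes, 0 no buffer"
COUNTER_RE = re.compile(r"^\s*(\d+) packets (input|output), (\d+) bytes")

# Constructed sample snapshots (not captured from a real ASA), INTERVAL s apart.
INTERVAL = 10.0
SNAPSHOT_T0 = """\
Interface TenGigabitEthernet1/1 "inside", is up, line protocol is up
\t1000000 packets input, 500000000 bytes, 0 no buffer
\tReceived 0 broadcasts, 0 runts, 0 giants
\t800000 packets output, 400000000 bytes, 0 underruns
Interface TenGigabitEthernet1/2 "dmz", is up, line protocol is up
\t2000000 packets input, 2400000000 bytes, 0 no buffer
\t500000 packets output, 600000000 bytes, 0 underruns
"""
SNAPSHOT_T1 = """\
Interface TenGigabitEthernet1/1 "inside", is up, line protocol is up
\t4000000 packets input, 680000000 bytes, 0 no buffer
\tReceived 0 broadcasts, 0 runts, 0 giants
\t3800000 packets output, 550000000 bytes, 0 underruns
Interface TenGigabitEthernet1/2 "dmz", is up, line protocol is up
\t3000000 packets input, 3600000000 bytes, 0 no buffer
\t600000 packets output, 720000000 bytes, 0 underruns
"""


def parse_show_interface(text):
    """Return {nameif: {"input": (packets, bytes), "output": (packets, bytes)}}."""
    counters, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)  # prefer nameif, fall back to hw name
            counters[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            pkts, direction, byts = int(m.group(1)), m.group(2), int(m.group(3))
            counters[current][direction] = (pkts, byts)
    return counters


@dataclass
class Rate:
    pps: float
    mbps: float
    avg_bytes: float


def rates(before, after, interval):
    """Per-interface, per-direction rates from two snapshots `interval` seconds apart."""
    out = {}
    for name, dirs in after.items():
        if name not in before:
            continue
        out[name] = {}
        for direction, (p1, b1) in dirs.items():
            if direction not in before[name]:
                continue
            p0, b0 = before[name][direction]
            dp, db = p1 - p0, b1 - b0
            if dp < 0 or db < 0:  # counters cleared or wrapped between snapshots: skip
                continue
            out[name][direction] = Rate(
                pps=dp / interval,
                mbps=db * 8 / interval / 1e6,
                avg_bytes=(db / dp) if dp else 0.0,
            )
    return out


def suspicious(rate, small_frame=128, pps_floor=100_000):
    """True for a high-pps, small-frame direction (assumed thresholds, not ASA limits)."""
    return rate.pps >= pps_floor and rate.avg_bytes <= small_frame


def analyze(t0=SNAPSHOT_T0, t1=SNAPSHOT_T1, interval=INTERVAL):
    """Return {nameif: {direction: (Rate, flagged)}} for the two snapshots."""
    r = rates(parse_show_interface(t0), parse_show_interface(t1), interval)
    return {n: {d: (rt, suspicious(rt)) for d, rt in dirs.items()} for n, dirs in r.items()}


if __name__ == "__main__":
    for name, dirs in analyze().items():
        for direction, (rt, flag) in dirs.items():
            mark = "  <-- small-packet load" if flag else ""
            print(f"{name:8s} {direction:6s} {rt.pps:10.0f} pps {rt.mbps:8.1f} Mbps "
                  f"avg {rt.avg_bytes:6.0f} B{mark}")
```

Paste two real `show interface` outputs in place of the constructed snapshots (the interval is whatever you waited between them) and compare the pps column against the platform's rated pps rather than its Gbps figure; `show traffic` on the ASA also reports packets/sec directly and is a quick cross-check. If the frames turn out to be full-size, the next place to look is what the CPU is actually doing during a spike, e.g. `show process cpu-usage sorted non-zero` and the connection and drop counters.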