Why does the Cisco Lina process on the Firepower Threat Defense consumes 100% (or more) CPU?

Actually, this is normal because the lina process is constantly polling the Network Interface Cards (NICs) for input traffic. In short, the lina process utilization can be safely ignored.

Key Takeaway:

Firepower Threat Defense is a unified operating system consisting of 2 engines (ASA and Snort).
The FTD CLI shows that ‘lina’ process (ASA engine) consumes a lot of CPU cycles.

Here is an example from an FTD running on ASA5506-X appliance:
> system support utilization
top – 01:26:40 up 12 days, 16:00, 1 user, load average: 22.08, 22.10, 22.10
Tasks: 161 total, 1 running, 159 sleeping, 0 stopped, 1 zombie
Cpu(s): 22.6%us, 4.1%sy, 0.0%ni, 73.2%id, 0.1%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 3927684k total, 2793860k used, 120904k free, 181548k buffers
Swap: 3996668k total, 257632k used, 3739036k free, 831372k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
23000 root 0 -20 1138m 513m 91m S 99 13.4 18205:20 lina <–
2952 admin 20 0 15240 1156 848 R 2 0.0 0:00.02 top
22941 root 20 0 266m 2316 2108 S 2 0.1 47:16.70 ndmain.bin
1 root 20 0 4232 652 620 S 0 0.0 0:12.40 init

In the above output you should only take into consideration the us (user) + sy (system) CPU utilization along with the id (idle) value.

 

Contributed by Mikis Zafeiroudis, Ignacio Penalva, Haitham Jaradat and David Torres Rivas, Cisco TAC Engineers