5660 CPU bottleneck on port scan - disable FFE/stateful firewall/etc?
For almost 10 years, we used an Adtran Netvanta 3148 with a 100mbps fiber line. On one side it advertised BGP, on the other side it presented a L3 WAN gateway for our Cisco firewalls.
Recently we upgraded to 1 gbps fiber, and had to replace the 3148 with a 5660 to get the full gigabit throughput. Worked fine, except every time there is a port scan (e.g., one single Nessus instance doing a port scan against a couple IPs), CPU usage on the 5660 hits 100% and BGP drops and we lose connectivity for 5ish minutes. Even if total traffic is, say, 20mbps, just one system running a port scan is sufficient to cause the whole router to lock up - and these scans have happened or years with no similar problem until 'upgrading' tp the 5660.
I've been wracking my brain to figure out why the 5660 is so much more susceptible to CPU bottlenecking than the 3148, and had a thought: maybe it supports some newer security controls, or has them enabled by default, while the old one did not have them or did not have them enabled?
So my question is: Can the 5660 be reverted to packet filtering mode rather than stateful firewalling, have most/all SPI type functionality disabled, etc? We're not using any of it and just want a box that quickly forwards packets, no extra security or QoS needed (that's all within our own network), so having added CPU overhead from that functionality is really undesirable.
The other potential culprit I was thinking of is maybe it's related to FFE. Aside from the IBGP within Lumen on the one end, it doesn't really have any other routes. There's our Cisco firewall and a handful of other devices on a L2 switch on the other side of it, all addressed on the same WAN subnet as the L3 interface of the NetVanta they use as a default gateway, outbound traffic is all either NAT or encapsulated within IPSEC - the NetVanta has no routes for anything on our side. So I wouldn't think FFE would present much of an advantage in the first place. Basically in this case it is keeping track of the routing state of tens of thousands of single UDP packets headed to whatever port # is being scanned, which isn't much help. Not sure if FFE was available or enabled by default on the ~decade old 3148.