https://community.cisco.com/t5/network-security/c2821-cpu-overload/m-p/1102138#M914394 <HTML><HEAD></HEAD><BODY><P>Try checking the CPU load during low volume and high volume times. </P><P></P><P>show proc cpu | e 0.00% 0.00% 0.00%</P><P></P><P>I don't think you'll get a definitive answer but it should help point in the right direction. </P><P></P><P>Also check this-</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/ios/12_0t/12_0t4/feature/guide/fw800.html#wp20431" target="_blank">http://www.cisco.com/en/US/docs/ios/12_0t/12_0t4/feature/guide/fw800.html#wp20431</A></P><P></P><P>CBAC was designed for SMBs, not really Enterprises. I understand that routers work better (and I usually suggest them to my customers), but you might have to figure out new routing techniques and put in a ASA firewall.</P><P></P><P>Hope that helps.</P></BODY></HTML> Mon, 18 Aug 2008 16:16:07 GMT Collin Clark 2008-08-18T16:16:07Z https://community.cisco.com/t5/network-security/c2821-cpu-overload/m-p/1102137#M914393 <P>I use a 2821 IOSFW for internet access</P><P>It holds 14 DMZ (one Vlan / server on each)</P><P>and about 2000 internal internet daily users.</P><P>My internet access is 10Mbps symetric.</P><P>When trafic grows, CPU grows correspondingly to IP trafic, up to 50%.</P><P></P><P>I suppose that CPU load is due to IP nat, ACLs and CBAC between inside and outside.</P><P>Some external Citrix users sometimes loose their connexion.</P><P></P><P>Cisco's Commercial argue that I should migrate to ASA 5510, but I need some features like PBR which is unavailable.</P><P>I am looking for a serious diagnostic method.</P> Mon, 11 Mar 2019 13:32:22 GMT https://community.cisco.com/t5/network-security/c2821-cpu-overload/m-p/1102137#M914393 falain 2019-03-11T13:32:22Z https://community.cisco.com/t5/network-security/c2821-cpu-overload/m-p/1102138#M914394 <HTML><HEAD></HEAD><BODY><P>Try checking the CPU load during low volume and high volume times. </P><P></P><P>show proc cpu | e 0.00% 0.00% 0.00%</P><P></P><P>I don't think you'll get a definitive answer but it should help point in the right direction. </P><P></P><P>Also check this-</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/ios/12_0t/12_0t4/feature/guide/fw800.html#wp20431" target="_blank">http://www.cisco.com/en/US/docs/ios/12_0t/12_0t4/feature/guide/fw800.html#wp20431</A></P><P></P><P>CBAC was designed for SMBs, not really Enterprises. I understand that routers work better (and I usually suggest them to my customers), but you might have to figure out new routing techniques and put in a ASA firewall.</P><P></P><P>Hope that helps.</P></BODY></HTML> Mon, 18 Aug 2008 16:16:07 GMT https://community.cisco.com/t5/network-security/c2821-cpu-overload/m-p/1102138#M914394 Collin Clark 2008-08-18T16:16:07Z https://community.cisco.com/t5/network-security/c2821-cpu-overload/m-p/1102139#M914395 <HTML><HEAD></HEAD><BODY><P>Downgrade the router from an Advanced Sec license to lower and get an ASA <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>You are pushing the router to its limits it seems. Have you looked at the optimization for CBAC?</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftfirewl.html" target="_blank">http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftfirewl.html</A></P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Mon, 18 Aug 2008 18:22:19 GMT https://community.cisco.com/t5/network-security/c2821-cpu-overload/m-p/1102139#M914395 Farrukh Haroon 2008-08-18T18:22:19Z https://community.cisco.com/t5/network-security/c2821-cpu-overload/m-p/1102140#M914397 <HTML><HEAD></HEAD><BODY><P>I find quite a lot of %FW log msgs</P><P>%FW-6-DROP_TCP_PKT: Dropping tcp pkt xxx =&gt; yyy due to Invalid Seq# -- ip ident 37313 tcpflags 0x8010 seq.no 2048715884 ack 3899465202</P><P></P><P>Is it an overload symptom ?</P><P></P><P>Joined some stat counts in attachment</P><P></P><P></P><P> </P><P></P></BODY></HTML> Tue, 19 Aug 2008 14:19:19 GMT https://community.cisco.com/t5/network-security/c2821-cpu-overload/m-p/1102140#M914397 falain 2008-08-19T14:19:19Z https://community.cisco.com/t5/network-security/c2821-cpu-overload/m-p/1102141#M914399 <HTML><HEAD></HEAD><BODY><P>Thanks for reply, but for now due to budget restrictions, I must face the problem without investments.</P><P>CPU is mainly due to outbound http traffic.</P><P>1) I moved Http PBR from 2821 to inside C3750E vlan switch.</P><P>I hope I will gain 10-20% of CPU.</P><P></P><P>2) Http outbound trafic goes to a squid proxy machine.</P><P>If I connect Squid's second Eth Int to another Internet IosFW router (using a free public IP address), may be I can reduce CPU overload of 2821.</P><P>I guess Http inspect CBAC is the most CPU consumer.</P><P>do you know if there is a better IOSFW release which runs CBAC in hardware as ASAs Asic does ?</P><P>For now, I run IosFW 12.4.16 standard train.</P><P></P><P>Best regards</P><P></P></BODY></HTML> Tue, 26 Aug 2008 14:29:30 GMT https://community.cisco.com/t5/network-security/c2821-cpu-overload/m-p/1102141#M914399 falain 2008-08-26T14:29:30Z