
871 high CPU utilization

catalin.stan
Level 1

Hi,

I have an 871 and when I'm downloading a bigger file (over 100 MB) or uploading via FTP the CPU goes to 99%.

I have tested this with basic configuration (only nat and dhcp service configured). I have installed the latest IOS version that is supported on the router (c870-advipservicesk9-mz.124-24.T8.bin) but I still have the same problem.

Can someone please let me know if this is normal behavior for the 871? Will a flash/RAM upgrade help?

Thank you


I believe that is because all L3 interfaces (your SVIs 1 & 192) are all typically handled that way. Any packets on an SVI showing under 'Processor' will be related to packets shown under 'sh ip cef switching stats' .

I can't explain the issue with FTP. Does transfer initiate or timeout?

The FTP transfer is successful but in this time nothing else works. This also happens when I try to download a large file via http.

For example if I download 1 GB file, nobody else can use the network.

That sounds like a problem potentially caused by NAT. Perhaps NAT'ing to a pool with a single 'outside' address instead of using PAT and sharing that 'outside' address amongst all the internal users.

Any chance you can post your router config?

Router#sh run

Building configuration...

Current configuration : 1434 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot system flash:c870-advsecurityk9-mz.124-24.T8.bin

boot system flash:c870-advipservicesk9-mz.124-24.T8.bin

boot-end-marker

!

logging message-counter syslog

!

no aaa new-model

!

!

dot11 syslog

ip source-route

!

!

no ip dhcp use vrf connected

!

ip dhcp pool LAN192

   network 192.168.12.0 255.255.255.0

   default-router 192.168.12.1

   dns-server 8.8.8.8

!

!

ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

!

archive

log config

  hidekeys

!

!

ip ssh version 1

!

!

!

interface FastEthernet0

!

interface FastEthernet1

switchport access vlan 192

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

no ip address

shutdown

duplex auto

speed auto

!

interface Vlan1

ip address dhcp

ip nat outside

ip virtual-reassembly

ip tcp adjust-mss 1360

!

interface Vlan192

ip address 192.168.12.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 FastEthernet0

no ip http server

no ip http secure-server

!

!

ip nat inside source list NAT_ACL interface Vlan1 overload

!

ip access-list extended NAT_ACL

permit ip 192.168.12.0 0.0.0.255 any

!

!

!

!

!

!

control-plane

!

!

line con 0

no modem enable

line aux 0

line vty 0 4

login

!

scheduler max-task-time 5000

end

Ok, your NAT command is legit.

This may be an issue with the NAT table filling up, but highly unlikely as it is huge! Perhaps it is the connection timeouts...?

Initiate a large download and also attempt to access other webpages and run the following commands:

clear nat counters

clear ip nat translations

sh ip nat translations

sh ip nat stats

This seems to be OK:

Router#sh ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

tcp 192.168.175.77:54154 192.168.12.2:54154 173.194.39.160:443 173.194.39.160:443

tcp 192.168.175.77:54169 192.168.12.2:54169 173.194.39.175:443 173.194.39.175:443

tcp 192.168.175.77:58310 192.168.12.2:58310 157.55.236.79:443 157.55.236.79:443

Router#sh ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

tcp 192.168.175.77:54154 192.168.12.2:54154 173.194.39.160:443 173.194.39.160:443

tcp 192.168.175.77:54169 192.168.12.2:54169 173.194.39.175:443 173.194.39.175:443

tcp 192.168.175.77:54180 192.168.12.2:54180 93.115.243.142:80 93.115.243.142:80

tcp 192.168.175.77:58310 192.168.12.2:58310 157.55.236.79:443 157.55.236.79:443

udp 192.168.175.77:59642 192.168.12.2:59642 8.8.8.8:53       8.8.8.8:53

Router#sh ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

udp 192.168.175.77:52575 192.168.12.2:52575 8.8.8.8:53       8.8.8.8:53

udp 192.168.175.77:53183 192.168.12.2:53183 8.8.8.8:53       8.8.8.8:53

tcp 192.168.175.77:54154 192.168.12.2:54154 173.194.39.160:443 173.194.39.160:443

tcp 192.168.175.77:54158 192.168.12.2:54158 173.194.39.183:443 173.194.39.183:443

tcp 192.168.175.77:54160 192.168.12.2:54160 173.194.112.138:443 173.194.112.138:443

tcp 192.168.175.77:54161 192.168.12.2:54161 173.194.39.175:443 173.194.39.175:443

tcp 192.168.175.77:54164 192.168.12.2:54164 173.194.39.167:443 173.194.39.167:443

tcp 192.168.175.77:54167 192.168.12.2:54167 173.194.39.163:443 173.194.39.163:443

tcp 192.168.175.77:54169 192.168.12.2:54169 173.194.39.175:443 173.194.39.175:443

tcp 192.168.175.77:54180 192.168.12.2:54180 93.115.243.142:80 93.115.243.142:80

tcp 192.168.175.77:54181 192.168.12.2:54181 157.55.152.112:80 157.55.152.112:80

tcp 192.168.175.77:54182 192.168.12.2:54182 157.55.152.112:80 157.55.152.112:80

tcp 192.168.175.77:54183 192.168.12.2:54183 131.253.61.80:443 131.253.61.80:443

tcp 192.168.175.77:54184 192.168.12.2:54184 199.7.54.72:80   199.7.54.72:80

tcp 192.168.175.77:54185 192.168.12.2:54185 199.7.54.72:80   199.7.54.72:80

Pro Inside global      Inside local       Outside local      Outside global

tcp 192.168.175.77:54186 192.168.12.2:54186 23.37.248.70:443 23.37.248.70:443

tcp 192.168.175.77:54188 192.168.12.2:54188 131.253.61.80:443 131.253.61.80:443

tcp 192.168.175.77:54189 192.168.12.2:54189 131.253.61.80:443 131.253.61.80:443

tcp 192.168.175.77:54190 192.168.12.2:54190 95.100.217.28:443 95.100.217.28:443

tcp 192.168.175.77:54191 192.168.12.2:54191 95.100.217.28:443 95.100.217.28:443

tcp 192.168.175.77:54192 192.168.12.2:54192 95.100.217.28:443 95.100.217.28:443

udp 192.168.175.77:54445 192.168.12.2:54445 8.8.8.8:53       8.8.8.8:53

udp 192.168.175.77:54697 192.168.12.2:54697 8.8.8.8:53       8.8.8.8:53

udp 192.168.175.77:54798 192.168.12.2:54798 8.8.8.8:53       8.8.8.8:53

udp 192.168.175.77:55941 192.168.12.2:55941 8.8.8.8:53       8.8.8.8:53

udp 192.168.175.77:56085 192.168.12.2:56085 148.198.145.2:161 148.198.145.2:161

tcp 192.168.175.77:58310 192.168.12.2:58310 157.55.236.79:443 157.55.236.79:443

udp 192.168.175.77:58369 192.168.12.2:58369 8.8.8.8:53       8.8.8.8:53

udp 192.168.175.77:59642 192.168.12.2:59642 8.8.8.8:53       8.8.8.8:53

udp 192.168.175.77:59723 192.168.12.2:59723 8.8.8.8:53       8.8.8.8:53

udp 192.168.175.77:60652 192.168.12.2:60652 8.8.8.8:53       8.8.8.8:53

udp 192.168.175.77:62945 192.168.12.2:62945 8.8.8.8:53       8.8.8.8:53

udp 192.168.175.77:63514 192.168.12.2:63514 8.8.8.8:53       8.8.8.8:53

udp 192.168.175.77:64679 192.168.12.2:64679 8.8.8.8:53       8.8.8.8:53

Router#sh ip nat statistics

Total active translations: 48 (0 static, 48 dynamic; 48 extended)

Peak translations: 5255, occurred 00:40:46 ago

Outside interfaces:

  Vlan1

Inside interfaces:

  Vlan192

Hits: 1562425  Misses: 0

CEF Translated packets: 1558765, CEF Punted packets: 3661

Expired translations: 18884

Dynamic mappings:

-- Inside Source

[Id: 1] access-list NAT_ACL interface Vlan1 refcount 48

Appl doors: 0

Normal doors: 0

Queued Packets: 0
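An added example, not part of the original thread: a small Python parser for the `sh ip nat statistics` output posted above, which computes the share of NAT'd packets punted out of the CEF path and the ratio of peak to active translations, so snapshots taken before and during a large download can be compared. The function names are this example's own, and the sample text is copied from the output above.

```python
import re

# Counters copied from the "sh ip nat statistics" output posted in this thread.
SAMPLE = """\
Total active translations: 48 (0 static, 48 dynamic; 48 extended)
Peak translations: 5255, occurred 00:40:46 ago
Hits: 1562425  Misses: 0
CEF Translated packets: 1558765, CEF Punted packets: 3661
Expired translations: 18884
"""

# One regex per counter; names on the left are this example's own labels.
FIELDS = {
    "active": r"Total active translations:\s*(\d+)",
    "peak": r"Peak translations:\s*(\d+)",
    "hits": r"Hits:\s*(\d+)",
    "misses": r"Misses:\s*(\d+)",
    "cef_translated": r"CEF Translated packets:\s*(\d+)",
    "cef_punted": r"CEF Punted packets:\s*(\d+)",
    "expired": r"Expired translations:\s*(\d+)",
}

def parse_nat_stats(text):
    """Return the counters as ints; raise ValueError if one is missing."""
    stats = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"counter not found: {name}")
        stats[name] = int(match.group(1))
    return stats

def summarize(stats):
    """Derive ratios that are easier to compare between two snapshots."""
    total = stats["cef_translated"] + stats["cef_punted"]
    active = stats["active"]
    return {
        # Percentage of NAT'd packets that left the CEF path.
        "punted_pct": round(100.0 * stats["cef_punted"] / total, 3) if total else 0.0,
        # How far the table has been above its current size.
        "peak_to_active": round(stats["peak"] / active, 1) if active else None,
    }

if __name__ == "__main__":
    counters = parse_nat_stats(SAMPLE)
    print(counters)
    print(summarize(counters))
```
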

Something about your NAT translations doesn't look right. What's the output from:

sh ip int br

Router#sh ip inter brief

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0              unassigned      YES unset  up                    up

FastEthernet1              unassigned      YES unset  up                    up

FastEthernet2              unassigned      YES unset  up                    down

FastEthernet3              unassigned      YES unset  up                    down

FastEthernet4              unassigned      YES NVRAM  administratively down down

NVI0                       unassigned      YES unset  administratively down down

Vlan1                      192.168.175.77  YES DHCP   up                    up

Vlan192                    192.168.12.1    YES NVRAM  up                    up

That checks out too.

Do you know what your download speed hits when all other internet access goes? If it is anywhere near 12.5Mbps then you have hit the limit of the router.

At that point I'm not sure how it will prioritise requests. Looks like FIFO so it maintains your download but drops everything else.

My download speed is around 300 kbps.

If I download a smaller file (90 MB) everything works fine. The problem appears only with large files.

So if you choose a +100Mb as soon as you start the download the internet is inaccessible to other users? Or is it once you manage to download 100mb+ that the internet becomes unavailable to other users?

If it is the latter then it sounds like a buffer or maybe NAT table issue.

Although I'm surprised no other 871 users have raised this issue!

The problem appears immediately after I start the download. If I try to download a big file directly from the browser the processor goes up even before I press the "Save File" button.

I have 2 routers (same model) and the issue is the same on both.

OK my final suggestion

Why have you got the following defined in vlan1:

ip tcp adjust-mss 1360

...if you can't account for its inclusion in the config, then maybe try removing it:

!

int vlan1

no ip tcp adjust-mss 1360

!

...see if that makes a difference.

Seb Rupik wrote:

OK my final suggestion

Why have you got the following defined in vlan1:

ip tcp adjust-mss 1360

...if you can't account for its inclusion in the config, then maybe try removing it:

!

int vlan1

no ip tcp adjust-mss 1360

!

...see if that makes a difference.

That does not change anything. Adjust-mss is for PPPoE connections, not performance.

I even tried to upgrade the RAM. I have just installed a 64 M on the router. I now have 192M. Still the same problem.
