12-05-2018 01:39 AM
Hello,
We were planing internet access router migration from some old device to new Cisco ASR1002.
During first attempt of migration we faced an issue with HIGH CPU utilization after first eBGP peering connection established.
Bgp peering loaded full internet routing table (716403) prefix in 3, 3 and a half minutes.
Afterwords CPU shows high "IP RIB Update" for 4-5 minutes and than it calmed down.
Basically it takes 7-8 minutes for one BGP peering to be established and router to be stable and responsive.
Later on we realized that "IP RIB Update" means CEF populating which goes mush slower than BGP routes populating.
Router#show ip cef summary
IPv4 CEF is enabled for distributed and running
VRF Default
716493 prefixes (716493/0 fwd/non-fwd)
Table id 0x0
Database epoch: 2 (716493 entries at this epoch)
We don't expect it to be same speed but this slowness and CPU utilization which makes router almost not responsive is not expected.
For testing purpose we tried simple config in global routing table and VRF, result is the same.
I ll paste version and config, if you can have a look and suggest solution which maybe we have overseen.
Thank you in advance.
Regards,
======================================================================
isco IOS XE Software, Version 03.16.07b.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.5(3)S7b, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Fri 02-Mar-18 08:38 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
Router uptime is 1 day, 21 hours, 34 minutes
Uptime for this control processor is 1 day, 21 hours, 38 minutes
System returned to ROM by reload
System image file is "bootflash:/asr1000rp1-adventerprisek9.03.16.07b.S.155-3.S7b-ext"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco ASR1002 (2RU) processor (revision 2RU) with 1638738K/6147K bytes of memory.
Processor board ID FOX1413G90A
4 Gigabit Ethernet interfaces
1 Ten Gigabit Ethernet interface
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7757823K bytes of eUSB flash at bootflash:.
Configuration register is 0x2102
=============================================================
Building configuration...
Current configuration : 8078 bytes
!
! Last configuration change at 12:56:27 UTC Mon Dec 3 2018
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
vrf definition INTERNET
description INTERNET
rd xxxxx:2
route-target export xxxxx:2
route-target import xxxxx:2
route-target import xxxxx:10014
route-target import xxxxx:10092
route-target import xxxxx:10137
route-target import xxxxx:10145
route-target import xxxxx:10156
!
address-family ipv4
import map VRF-INTERNET-IMPORT-MAP
exit-address-family
!
address-family ipv6
exit-address-family
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
no ipv6 unreachables
interface TenGigabitEthernet0/2/0
ip address 149.x.x.x 255.255.255.252
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.179.3.9 255.255.255.0
negotiation auto
!
router ospf 1
!
router bgp xxxxx
bgp router-id x.x.x.x
no bgp enforce-first-as
bgp log-neighbor-changes
bgp maxas-limit 100
timers bgp 10 30
neighbor x.x.x.x remote-as xxx
neighbor x.x.x.x description xxxxxxx
neighbor x.x.x.x ebgp-multihop 255
neighbor x.x.x.x password 7 09421B020F2416445C0F2F000C1D3D05673343571A
neighbor x.x.x.x update-source TenGigabitEthernet0/2/0
!
address-family ipv4
neighbor x.x.x.x activate
neighbor x.x.x.x prefix-list DENY-ALL out
neighbor x.x.x.x filter-list 2 out
exit-address-family
!
ip forward-protocol nd
!
ip extcommunity-list standard INTERNET permit rt xxxxx:2
ip extcommunity-list standard INTERNET-VRF permit rt xxxxx:2
ip bgp-community new-format
ip community-list standard TEAM-CYMRU-BOGONS permit 65332:888
ip community-list standard SPAMHAUS-DROP permit 65190:1000
ip community-list standard SPAMHAUS-EDROP permit 65190:2000
ip community-list standard SPAMHAUS-BCL permit 65190:3000
ip community-list standard XXXX-BLACKHOLED-PREFIXES permit 666:666
ip community-list expanded KPN-INTERNET permit xxxxx:21
ip community-list expanded IX-INTERNET permit xxxxx:22
ip community-list expanded ADC-INTERNET permit xxxxx:23
ip community-list expanded BDC-INTERNET permit xxxxx:24
ip as-path access-list 1 permit ^$
ip as-path access-list 2 deny ^$
ip as-path access-list 10 permit ^$
ip as-path access-list 10 permit _203630$
ip as-path access-list 12 permit _5432_
ip as-path access-list 38 permit _3856$
ip as-path access-list 42 permit _42$
ip as-path access-list 84 permit 2484$
ip ftp source-interface Loopback100
no ip http server
no ip http secure-server
ip tftp source-interface Loopback100
no ip route static inter-vrf
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.179.3.1
!
!
ip prefix-list BGP-ADVERTISE-FROM-INET-TO-RR-CLIENTS description FILTER PREFIXES TO BE ADVERTISED FROM THE INTERNET TO RR CLIENTS
ip prefix-list BGP-ADVERTISE-FROM-INET-TO-RR-CLIENTS seq 5 permit 0.0.0.0/0
!
ip prefix-list DEFAULT-ROUTE-ONLY description ONLY ALLOW DEFAULT ROUTE
ip prefix-list DEFAULT-ROUTE-ONLY seq 5 permit 0.0.0.0/0
!
ip prefix-list DENY-ALL description BLOCK ALL PREFIXES
ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 le 32
!
ip prefix-list TEAM-CYMRU-BOGON-FILTER-IN description RESTRICT CERTAIN PREFIXES INBOUND FROM CYMRU PEERINGS
ip prefix-list TEAM-CYMRU-BOGON-FILTER-IN seq 5 deny 0.0.0.0/0
ip prefix-list TEAM-CYMRU-BOGON-FILTER-IN seq 15 permit 0.0.0.0/0 le 32
!
ip prefix-list VRF-INTERNET-IMPORT-PREFIXES description ALLOW INTERNET PREFIXES FROM CUSTOMER VRFs
!
control-plane
!
!
!
!
!
!
!
!
!
!
end
================================================================
12-05-2018 05:58 AM
12-07-2018 06:34 AM
Dear Joseph,
PMTUD didn't brought any difference.
12-07-2018 01:43 PM
12-21-2018 06:09 AM
12-07-2018 08:28 AM
Hello,
on a side note, you seem to have an empty OSPF process running ('router ospf 1'), can you remove that ?
12-21-2018 06:14 AM
Yes i can, but that doesn't make any difference still.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: