I tried changing the access

hemantpatel · ‎07-24-2017

Hi All,

I have 7206 router with NPE-G2. One interface is connected to ISP and another interface is connected to Cisco-2960. All other devices are connected to 2960.

Virtually there is no configuration present on the router other than default route to ISP and one ACL having few hundred lines.

ACL looks like this:

object-group network objInternalHosts
   host 1.1.1.2
   host 1.1.1.3
   host 1.1.1.4

object-group network objCompany1
host 2.2.2.1
host 2.2.2.2
host 2.2.2.3
host 2.2.2.4
host 2.2.2.5

object-group network objCompany2
host 3.3.3.1
host 3.3.3.2
host 3.3.3.3
host 3.3.3.4

access-list 101 permit tcp object-group objCompany1 object-group objInternalHosts eq 5060
access-list 101 permit tcp object-group objCompany2 object-group objInternalHosts eq 5060
access-list 101 permit tcp object-group objCompany3 object-group objInternalHosts eq 5060
access-list 101 permit tcp object-group objCompany4 object-group objInternalHosts eq 5060
.........................................................................
access-list 101 permit tcp object-group objCompany100 object-group objInternalHosts eq 5060

NPE-G2-LA1#show int gi0/2
GigabitEthernet0/2 is up, line protocol is up
Hardware is MV64460 Internal MAC, address is 0006.2a6e.781a (bia 0006.2a6e.781a)
Description: X-Conn to C2960
Internet address is 1.1.1.1/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 24/255, rxload 26/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1Gbps, media type is RJ45
output flow-control is XON, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 00:02:00
Last input 00:00:03, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 104538000 bits/sec, 62432 packets/sec
30 second output rate 97329000 bits/sec, 58279 packets/sec
     987361275 packets input, 1226103346 bytes, 354 no buffer
     Received 1169677 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     3240 input errors, 0 CRC, 0 frame, 0 overrun, 3240 ignored
     0 watchdog, 9299351 multicast, 0 pause input
     1364662643 packets output, 2553242613 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     532402 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     2 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

NPE-G2-LA1#show int gi0/3
GigabitEthernet0/3 is up, line protocol is up
Hardware is MV64460 Internal MAC, address is 0006.2a6e.7819 (bia 0006.2a6e.7819)
Description: X-CONN to ISP
Internet address is 1.2.3.4/30
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 26/255, rxload 24/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1Gbps, link type is force-up, media type is LX
output flow-control is XON, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:02, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/238547 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 95849000 bits/sec, 57367 packets/sec
30 second output rate 103089000 bits/sec, 61590 packets/sec
     393159960 packets input, 3450538793 bytes, 167 no buffer
     Received 13292 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     333518 input errors, 0 CRC, 0 frame, 0 overrun, 333518 ignored
     0 watchdog, 0 multicast, 0 pause input
     1714994595 packets output, 2006773777 bytes, 0 underruns
     0 output errors, 0 collisions, 5 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     6 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

NPE-G2-LA1#show proc cpu sorted 1min
CPU utilization for five seconds: 76%/76%; one minute: 77%; five minutes: 78%
PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
138     6358604   102048250         62 0.07% 0.07% 0.04%   0 ADJ resolve proc
240    21306792    15977786       1333 0.07% 0.04% 0.05%   0 Per-Second Jobs
86       12940   499098621          0 0.07% 0.04% 0.02%   0 IPAM Manager
   6     9084900     2255559       4027 0.00% 0.03% 0.02%   0 Check heaps
   2      358480     3195268        112 0.00% 0.03% 0.02%   0 Load Meter
26     1428148   288185899          4 0.00% 0.01% 0.00%   0 EnvMon
90     7172480   131666035         54 0.07% 0.01% 0.02%   0 IP Input
239     1500564      539280       2782 0.00% 0.00% 0.00%   0 Per-minute Jobs
31       12296    16662771          0 0.07% 0.00% 0.00%   0 ARP Background
30      711020     9950596         71 0.00% 0.00% 0.00%   0 ARP Input

Georg Pauwen · ‎07-24-2017

Hello,

which IOS version are you running ?

In a previous post on that issue it was suggested to make sure that you have 'ip cef' enabled (obviously) and to make sure that no 'ip route-cache' commands are configured on any of the interfaces. Also, automatic buffer tuning could help:

buffers tune automatic

Joseph W. Doherty · ‎07-25-2017

Besides what Georg suggested, you might try using the Turbo ACL feature, if supported on your IOS, enabling flow cache on your interfaces and/or determine if there's any way you could group consecutive groups of host IPs into an address block.

hemantpatel · ‎07-25-2017

Georg & Joseph,

Appreciate your help.

I tried changing the access list to turbo/compiled access list, it does lower the CPU usage but some how hacking attempts were able to pass through. I saw connections coming in from various IP's which were not supposed to come in. I have already changed the consecutive IP's to address block where ever possible.

I do see 'ip cef' in the global configuration but not see on the individual interfaces. 'ip route-cache' is not used anywhere in the configuration.

interface GigabitEthernet0/2
description X-Conn to C2960
ip address xxx.xxx.xxx.xxx 255.255.255.0
no ip redirects
no ip unreachables
load-interval 30
duplex auto
speed auto
media-type rj45
negotiation auto
arp timeout 120
!
interface GigabitEthernet0/3
description X-CONN to XO
ip address yyy.yyy.yyy.yyy 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
load-interval 30
duplex full
speed 1000
media-type sfp
no negotiation auto
!

Joseph W. Doherty · ‎07-25-2017

I tried changing the access list to turbo/compiled access list, it does lower the CPU usage but some how hacking attempts were able to pass through. I saw connections coming in from various IP's which were not supposed to come in.

Interesting! The lower CPU was expected, different results were not. Sounds like a bug you could work with Cisco (if there's still any support on this platform). Or, depending on how much CPU reduction you noted (i.e. if you think worth pursuing, maybe loading a later IOS version, if available, would resolve that issue).

'ip route-cache' is not used anywhere in the configuration.

That's fine. The interface command you would want would be "ip route-cache flow". NB: I'm hoping in your case, it will bring down CPU, but it can also drive it even higher.

Cisco-7206-NPE-G2 High CPU Usage