11-04-2011 03:03 PM - edited 03-04-2019 02:10 PM
I have a Cisco 887VA router that has a working VDSL configuration. It syncs with an attainable rate of 48932 kbits/s and 13432 kbits/s. Speed tests max out around 38Mbits and I can get download speeds of 4.5MB/s but the CPU utilisation hits the roof. I'm trying to work through the process to determine exactly what is causing the high CPU utilisation. I'm guessing it's related to a combination of NAT and/or the zone based firewall but would like to know exactly how I can find out what is causing this so I can look at my options to improve the performance. I would have thought the hardware could be able to cope with full VDSL speed even with NAT enabled. Unless my configuration is wrong somewhere.
I have run a "show process cpu sort" and get the following results:
=============================
sh proc cpu sort
CPU utilization for five seconds: 96%/87%; one minute: 79%; five minutes: 32%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
283 405388 4774710 84 6.79% 0.55% 0.21% 0 Per-Second Jobs
92 71743328 23856936 3007 0.79% 1.38% 1.49% 0 COLLECT STAT COU
5 6339528 739749 8569 0.71% 0.17% 0.12% 0 Check heaps
98 1087752 611431395 1 0.15% 0.41% 0.26% 0 Ethernet Msec Ti
2 88512 954882 92 0.07% 0.23% 0.07% 0 Load Meter
116 6286520 7952493 790 0.07% 0.15% 0.12% 0 IP Input
251 19372 764109 25 0.07% 0.00% 0.00% 0 PPPoE Background
295 118140 148952256 0 0.07% 0.05% 0.05% 0 PPP Events
9 16 905 17 0.00% 0.00% 0.00% 0 WATCH_AFS
=============================
Now I understand that the reason why no process is showing with high CPU utilisation is because the usage is due to interrupt CPU utilisation. I have followed the guide for troubleshooting high CPU utilisation due to interrupts and got as far as looking at the "show cef not-cef-switched" after confirming that "ip cef" was enabled and active on the interfaces.
=============================
sh cef not-cef-switched
% Command accepted but obsolete, see 'show (ip|ipv6) cef switching statistics [feature]'
IPv4 CEF Packets passed on to next switching layer
Slot No_adj No_encap Unsupp'ted Redirect Receive Options Access Frag
RP 0 0 5211 0 293 0 0 0
=============================
sh ip cef switching statistics feature
IPv4 CEF input features:
Feature Drop Consume Punt Punt2Host Gave route
Dialer i/f overr 0 373876 1693 0 0
NAT Outside 0 0 0 1583 0
Total 0 373876 1693 1583 0
IPv4 CEF output features:
Feature Drop Consume Punt Punt2Host New i/f
Post-routing NAT 0 0 0 1760 0
Firewall (firewa 2 0 0 14 0
Total 2 0 0 1774 0
IPv4 CEF post-encap features:
Feature Drop Consume Punt Punt2Host New i/f
Total 0 0 0 0 0
IPv4 CEF for us features:
Feature Drop Consume Punt Punt2Host New i/f
CCE Firewall 115 0 0 0 0
Total 115 0 0 0 0
IPv4 CEF punt features:
Feature Drop Consume Punt Punt2Host New i/f
Total 0 0 0 0 0
IPv4 CEF local features:
Feature Drop Consume Punt Punt2Host Gave route
Total 0 0 0 0 0
=============================================
Now from this information I don't know whether this is a problem or how big of a problem. I have looked at some stats from a "show ip nat stat" command but there aren't that many translations happening when the CPU is so high and the CEF translated packets look much higher than the CEF punted packets.
=============================================
sh ip nat stat
Total active translations: 85 (0 static, 85 dynamic; 85 extended)
Peak translations: 91, occurred 00:12:08 ago
Outside interfaces:
Dialer1, Virtual-Access3
Inside interfaces:
Vlan5
Hits: 1483141 Misses: 0
CEF Translated packets: 1477467, CEF Punted packets: 5212
Expired translations: 576
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Dialer1 refcount 85
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
=============================================
Are there some other commands that I can run to get a better picture of the problem? I don't really want to have to resort to researching whether I can run the router in some bridge mode so NAT can be performed on my firewall that is 1 step behind the router. I only have 1 public IP address.
Can someone please provide some help or direction in how I can get to the bottom of this? Configuration is attached.
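Added example (not part of the original thread): a small Python parser for the outputs quoted in the post above. It splits the `96%/87%` header into interrupt-level and process-level CPU (the second figure is the interrupt-level share) and computes the fraction of NAT packets punted out of CEF; the function names are illustrative.

```python
import re

# Sample lines copied from the output quoted in the post above (process list truncated).
SAMPLE = """\
CPU utilization for five seconds: 96%/87%; one minute: 79%; five minutes: 32%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
283 405388 4774710 84 6.79% 0.55% 0.21% 0 Per-Second Jobs
92 71743328 23856936 3007 0.79% 1.38% 1.49% 0 COLLECT STAT COU
5 6339528 739749 8569 0.71% 0.17% 0.12% 0 Check heaps
CEF Translated packets: 1477467, CEF Punted packets: 5212
"""

CPU_RE = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%")
PROC_RE = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+[\d.]+%\s+[\d.]+%\s+\d+\s+(.+?)\s*$",
    re.M,
)
NAT_RE = re.compile(r"CEF Translated packets: (\d+), CEF Punted packets: (\d+)")

def cpu_split(text):
    """Split the 'total%/interrupt%' pair into interrupt and process level."""
    m = CPU_RE.search(text)
    if not m:
        raise ValueError("no 'CPU utilization' header found")
    total, interrupt = int(m.group(1)), int(m.group(2))
    return {"total": total, "interrupt": interrupt, "process": total - interrupt}

def top_processes(text, n=3):
    """Return (name, 5-second %) for the n busiest scheduled processes."""
    rows = [(name, float(pct)) for _pid, pct, name in PROC_RE.findall(text)]
    return sorted(rows, key=lambda r: r[1], reverse=True)[:n]

def nat_punt_ratio(text):
    """Fraction of NAT-handled packets that left the CEF fast path."""
    m = NAT_RE.search(text)
    if not m:
        return None
    translated, punted = int(m.group(1)), int(m.group(2))
    seen = translated + punted
    return punted / seen if seen else 0.0

def diagnose(text):
    """Name the dominant CPU consumer and return the supporting figures."""
    cpu = cpu_split(text)
    cause = "interrupt" if cpu["interrupt"] > cpu["process"] else "process"
    return cause, cpu, top_processes(text), nat_punt_ratio(text)
```

On the sample, `diagnose(SAMPLE)` reports interrupt-level load as the dominant consumer with a NAT punt ratio of roughly 0.35%, which matches the poster's observation that no single process accounts for the load.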
11-07-2011 02:26 PM
You have NAT plus ZBFW configured on the router and then another firewall behind the router? Why the need for two firewalls?
High CPU due to interrupts is almost always a combination of traffic and features configured. Remove the firewall config and either the CPU will go down or the performance will improve.
11-11-2011 12:46 PM
Thanks for replying George. I had the ZBFW enabled mainly for learning purposes, I don't need it on. I thought I might be able to run some commands in order to see which features are having the most impact on the router. I wanted to go through the process of finding out the problem using show commands before turning them off to see the impact. Turning off the ZBFW does drop it down to 70 - 75% CPU utilisation.
10-17-2014 07:41 PM
I'm using the same router with ADSL2+ Annex A. I don't have the same CPU problem but my router causes a lot of latency even while idle. My router has only a basic configuration as I only just got it connected and functioning. Since swapping to this router I've noticed my connection latency has increased by an average of 5ms which is significant when the latency was 12ms previously. There was no change in line speed, only latency.
Is this router just under-powered?
============================================================================
Cisco_887#sh ip nat stat
Total active translations: 243 (2 static, 241 dynamic; 243 extended)
Peak translations: 1334, occurred 01:59:15 ago
Outside interfaces:
Dialer1, Virtual-Access2
Inside interfaces:
Vlan1
Hits: 13635094 Misses: 0
CEF Translated packets: 13530513, CEF Punted packets: 104584
Expired translations: 87257
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Dialer1 refcount 240
Appl doors: 0
Normal doors: 0
Queued Packets: 0
Cisco_887#
============================================================================
Cisco_887#sh proc cpu sort
CPU utilization for five seconds: 5%/0%; one minute: 6%; five minutes: 6%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
70 11391512 1707939 6669 3.43% 3.31% 3.31% 0 COLLECT STAT COU
1 52 175 297 0.00% 0.00% 0.00% 0 Chunk Manager
2 208 68272 3 0.00% 0.00% 0.00% 0 Load Meter
3 4 2 2000 0.00% 0.00% 0.00% 0 VTEMPLATE Backgr
4 303508 40606 7474 0.00% 0.08% 0.06% 0 Check heaps
5 8 76 105 0.00% 0.00% 0.00% 0 Pool Manager
6 0 2 0 0.00% 0.00% 0.00% 0 Timers
7 68 2 34000 0.00% 0.00% 0.00% 0 License Client N
8 20 2 10000 0.00% 0.00% 0.00% 0 Image License br
9 183604 5687 32284 0.00% 0.06% 0.03% 0 Licensing Auto U
10 0 1 0 0.00% 0.00% 0.00% 0 Crash writer
11 19808 104223 190 0.00% 0.06% 0.01% 0 ARP Input
12 96 355850 0 0.00% 0.00% 0.00% 0 ARP Background
13 0 2 0 0.00% 0.00% 0.00% 0 ATM Idle Timer
14 0 2 0 0.00% 0.00% 0.00% 0 AAA high-capacit
15 0 1 0 0.00% 0.00% 0.00% 0 AAA_SERVER_DEADT
16 0 1 0 0.00% 0.00% 0.00% 0 Policy Manager
17 116 11365 10 0.00% 0.00% 0.00% 0 DDR Timers
18 0 2 0 0.00% 0.00% 0.00% 0 Entity MIB API
19 4 79 50 0.00% 0.00% 0.00% 0 EEM ED Syslog
20 260 69310 3 0.00% 0.00% 0.00% 0 HC Counter Timer
--More--
============================================================================
Cisco_887#sh cef not-cef-switched
% Command accepted but obsolete, see 'show (ip|ipv6) cef switching statistics [feature]'
IPv4 CEF Packets passed on to next switching layer
Slot No_adj No_encap Unsupp'ted Redirect Receive Options Access Frag
RP 0 0 251946 10 100011 0 0 0
Cisco_887#
==========================================================================