ACL log, unreach is causing High CPU

ejlbarcelon
Level 1

Can anyone help? ACL log, unreach is causing high CPU, but the recommendation to remove the "log" keyword is not present.

Packets Received by Packet Queue

Queue                  Total           5 sec avg 1 min avg 5 min avg 1 hour avg
---------------------- --------------- --------- --------- --------- ----------
Esmp                        1417155488        42        32        26         18
L2/L3Control                1814159219        83        79        59         49
Host Learning                 17900585         0         0         0          0
L3 Fwd High                          1         0         0         0          0
L3 Fwd Low                     1150653         0         0         0          0
L2 Fwd High                          3         0         0         0          0
L2 Fwd Low                   359694293        34        24        19         14
L3 Rx High                      426897         0         0         0          0
L3 Rx Low                     10390005         3         0         0          0
ACL log, unreach           17250566513      5387      4819      3408       2149
ACL sw processing                    1         0         0         0          0

SW version is 12.2(53)

Catalyst 4500
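As an added example (not from the post or from Cisco), a small Python parser for the "Packets Received by Packet Queue" table quoted above: it reads the per-queue counters, flags the punt queues whose 5-second rate exceeds a threshold, and reports whether a queue's load is still rising against its one-hour average, which is the check you want before and after applying "no ip unreachables". The sample table, the threshold and the function names are constructed for this example.

```python
import re

# Constructed sample input: the "Packets Received by Packet Queue" table quoted
# in the question, trimmed to the rows that matter for the example.
SAMPLE = """\
Queue                  Total           5 sec avg 1 min avg 5 min avg 1 hour avg
---------------------- --------------- --------- --------- --------- ----------
Esmp                        1417155488        42        32        26         18
L2/L3Control                1814159219        83        79        59         49
Host Learning                 17900585         0         0         0          0
L2 Fwd Low                   359694293        34        24        19         14
ACL log, unreach           17250566513      5387      4819      3408       2149
ACL sw processing                    1         0         0         0          0
"""

# One data row: queue name (may contain spaces and commas) followed by five integers.
ROW = re.compile(r"^(?P<queue>\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
COLUMNS = ("total", "5sec", "1min", "5min", "1hour")

def parse_queues(text):
    """Return {queue name: {column: count}} for every data row in the table."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:          # header, separator and blank lines do not match
            continue
        rows[m.group("queue").strip()] = dict(zip(COLUMNS, map(int, m.groups()[1:])))
    return rows

def punt_hogs(rows, pps_threshold=1000, window="5sec"):
    """Queues whose punt rate in the given window is at or above the threshold,
    as (queue, pps, share of all punted packets) sorted by pps, highest first."""
    total = sum(r[window] for r in rows.values()) or 1
    hits = [(q, r[window], r[window] / total) for q, r in rows.items()
            if r[window] >= pps_threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)

def is_rising(rows, queue):
    """True when the 5-second rate exceeds the one-hour average, i.e. the
    punt load on this queue is still growing rather than a stale spike."""
    r = rows[queue]
    return r["5sec"] > r["1hour"]

if __name__ == "__main__":
    parsed = parse_queues(SAMPLE)
    for queue, pps, share in punt_hogs(parsed):
        trend = "rising" if is_rising(parsed, queue) else "flat/falling"
        print(f"{queue}: {pps} pps, {share:.0%} of punted traffic, {trend}")
```

Run it against the output captured before and after each change from the reply below; the queue that stops appearing in the flagged list is the one the change addressed.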


nkarpysh
Cisco Employee

Hi,

ACL log, unreach means packets that hit an ACE with the log keyword, or packets that were dropped due to a deny in an output ACL or the lack of a route to the destination. These packets require the generation of ICMP unreachable messages.

From all this, I would say that the logging function is causing many packets to hit the CPU and thus cause the high CPU.

To solve this, the actions would be to try the following commands one by one, and monitor the CPU to see which one affects it the most:

=> Issue the "no ip unreachables" command under the interface of the ACL. Please note that for "no icmp unreachable" to take effect for an output RACL, the user needs to make sure that all L3 interfaces on the switch (physical + SVI) have "no icmp unreachable" configured; otherwise the RACL copyToCpu bit will still be enabled, causing matching traffic to be punted to the CPU.

=> Use the "no ip icmp redirect" command.

Also FYI, from the Catalyst 4500 guide:

>> The Catalyst 4500 supports logging of packet details that hit any specific ACL entry, but excessive logging can cause high CPU utilization. Avoid the use of log keywords, except during the traffic discovery stage. During the traffic discovery stage, you identify the traffic that flows through your network for which you have not explicitly configured ACEs. Do not use the log keyword in order to gather statistics. <<

Hope this helps,

Nik


I have greatly decreased the CPU usage with the no ip unreachables command.

But what are the side effects of this?

Hi,

Features dependent on unreachables will be affected. E.g. Path MTU discovery will be impacted when you configure no unreachables. Also Cisco traceroute could be affected, as it is based on sending UDP packets and looking for the Port Unreachable message to indicate that the test packet has reached the destination (it should not have an effect if those are disabled on a router in the path).

On the positive side, disabling unreachables hardens security, as the device provides less information.

Kind Regards,
Ivan


I think I do not have any links affected by path MTU, but I do not know if the unreachable is configured on the router in the path?

Do you think this is configured on my default route router?

Hi,

I did more digging into what the packet exchange is, and even with "no ip unreachables" on the routers in the path, the return packets to the source are ICMP "time exceeded" messages. The unreachables come into play when there is an ACL blocking traceroute. With "no ip unreach" configured, the router in the path silently drops the traceroute packets without notifying the source.

See these links for detailed information:

1. Using the traceroute Command on Operating Systems:

http://www.cisco.com/en/US/tech/tk364/technologies_tech_note09186a00801ae32a.shtml

2. Good example in similar previous discussion on what is the effect with ACL applied:

https://supportforums.cisco.com/thread/7390

Kind Regards,

Ivan


I did not set any ACL to block the traceroute.

As I understood, with no ip unreachables it is difficult to do any traceroute troubleshooting?
