
Cisco 2811 high cpu load

Pascal Faucher
Level 1

Hi,

I'm facing a CPU load issue on a Cisco 2811.

You can see the configuration; there is nothing extra exhausting for the CPU.

Each time the traffic starts to increase, the CPU load increases to 80 or 90%, reaching 100%.

Each time a user starts a download on, for example, fa0/1.50, the CPU increases up to 90%.

In the sh process cpu sorted output, there is nothing showing that something is wrong.

sh proc cpu sort | excl 0.00

CPU utilization for five seconds: 84%/75%; one minute: 74%; five minutes: 49%

PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process

111   131960796 143316176        920  4.59%  4.71%  4.39%   0 IP Input        

177     1767464 342056427          5  0.98%  1.18%  1.19%   0 HQF Shaper Backg

  19     8909968  23942550        372  0.65%  0.57%  0.57%   0 ARP Input       

304      575244  44231492         13  0.32%  0.32%  0.32%   0 PPP manager     

305      407260  44473628          9  0.24%  0.19%  0.18%   0 PPP Events      

268     5208776  20651063        252  0.24%  0.07%  0.08%   0 CCP manager     

   2      124544    286211        435  0.16%  0.16%  0.10%   0 Load Meter      

152       14188     54467        260  0.16%  0.06%  0.02%   0 TCP Protocols   

300      499012   3859685        129  0.16%  0.16%  0.12%   0 IP NAT Ager     

211       37756     28283       1334  0.16%  0.03%  0.05%   0 Crypto Support  

110      251624  43851348          5  0.16%  0.14%  0.14%   0 IP ARP Retry Age

104      252316  43851416          5  0.16%  0.15%  0.16%   0 ACCT Periodic Pr

  42      837160   1446317        578  0.16%  0.16%  0.14%   0 Per-Second Jobs 

145      176976   2185576         80  0.08%  0.08%  0.08%   0 CEF: IPv4 proces

----------------------

CEF is enabled on all interfaces.

ICMP unreachables are always sent on all interfaces.

I think, but am not sure, that trunks with dot1Q interfaces are not supported in CEF,

and I think it is a switching problem.

---------------------

Fa0/0 is my outgoing interface:

FastEthernet0/0 is up, line protocol is up

  Internet address is x.x.x.x/26

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are never sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF, Full Flow

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is enabled, interface in domain outside

  BGP Policy Mapping is disabled

  Input features: Stateful Inspection, Ingress-NetFlow, Virtual Fragment Reassembly, IPSec input classification, NAT Outside, MCI Check

  Output features: CCE Output Classification, Post-routing NAT Outside, Stateful Inspection, IPSec output classification, Firewall (NAT), Firewall (inspect), Post-Ingress-NetFlow, IPSec: to crypto engine, Post-encryption output features

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

---------------

interface FastEthernet0/0

description WAN-INTERNET

mac-address 0020.40ff.f184

ip address x.x.x.x 255.255.255.192

no ip redirects

ip flow ingress

ip nat outside

ip virtual-reassembly

load-interval 30

duplex auto

speed auto

crypto map vpnmap

------------------------------

Fa0/1 is a trunk interface with 10 subinterfaces.

FastEthernet0/1.150 is up, line protocol is up

  Internet address is x.x.x.x/23

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are never sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is enabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF, Full Flow

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is enabled, interface in domain inside

  BGP Policy Mapping is disabled

  Input features: Stateful Inspection, Ingress-NetFlow, Virtual Fragment Reassembly, MCI Check

  Output features: NAT Inside, Stateful Inspection, Firewall (NAT), Firewall (inspect), Post-Ingress-NetFlow

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

-----------

interface FastEthernet0/1.150

description LB-MGMT

encapsulation dot1Q 150

ip address x.x.x.x 255.255.254.0

no ip redirects

ip flow ingress

ip nat inside

ip virtual-reassembly

--------------

Any idea how this issue can be resolved?

Thanks

Pascal
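
The header line of the `show processes cpu` output in the question reads 84%/75%: on IOS the first figure is total CPU over the last five seconds and the second is the share spent at interrupt level, where CEF- and fast-switched packets are forwarded. The following added example (not part of the original thread; the thresholds in `diagnose` are assumptions) parses that output and shows why no single process in the list looks busy.

```python
import re

# Output copied from the question (header plus the first rows of the table).
SAMPLE = """\
CPU utilization for five seconds: 84%/75%; one minute: 74%; five minutes: 49%
PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
111   131960796 143316176        920  4.59%  4.71%  4.39%   0 IP Input
177     1767464 342056427          5  0.98%  1.18%  1.19%   0 HQF Shaper Backg
 19     8909968  23942550        372  0.65%  0.57%  0.57%   0 ARP Input
"""

HEADER = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
                    r"one minute: (\d+)%; five minutes: (\d+)%")
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)%\s+([\d.]+)%"
                 r"\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$")


def parse_cpu(text):
    """Parse 'show processes cpu' text into header figures and process rows."""
    head = HEADER.search(text)
    if head is None:
        raise ValueError("no 'CPU utilization' header line found")
    total, interrupt, one_min, five_min = map(int, head.groups())
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # blank lines and the column-title line do not match
            procs.append({"pid": int(m[1]), "five_sec": float(m[5]), "name": m[9]})
    return {"total": total, "interrupt": interrupt, "process": total - interrupt,
            "one_min": one_min, "five_min": five_min, "procs": procs}


def diagnose(stats, busy=70, share=0.6):
    """Classify the load; 'busy' and 'share' are assumed thresholds."""
    if stats["total"] < busy:
        return "normal"
    if stats["interrupt"] / stats["total"] >= share:
        return "interrupt-dominated"  # forwarding path, not a process
    return "process-dominated"        # look at the top rows of the table


if __name__ == "__main__":
    s = parse_cpu(SAMPLE)
    top = max(s["procs"], key=lambda p: p["five_sec"])
    print(f"total {s['total']}%, interrupt {s['interrupt']}%, process {s['process']}%")
    print(f"top process: {top['name']} {top['five_sec']}% -> {diagnose(s)}")
```

With the figures from the question, only 9 of the 84 percentage points are process-level, so the per-process table cannot account for the load.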

5 Replies

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

A 2811 is a software-based router, so as you push traffic through it the CPU has to process it.  I.e. as traffic throughput increases so does CPU load.

Most of the ISRs are oriented for WAN routing, not LAN routing.  The difference being, WAN routing often works with lower bandwidth links than typically found on a LAN.  I recall (?) Cisco's recommendation for the 2811 was no more than dual T1s.  (I've seen a 2811 on a full T3 max its CPU out at about 20 Mbps, duplex.)

Since you're using FastE interface, how much bandwidth are you pushing through the 2811 when you see the CPU load you've documented?

Hi Joseph,

Thanks for your answer.

Not more than 15 Mb and the CPU increases. Maybe I should put a 3750 behind for the LAN routing and let the 2811 do WAN routing only.

Or maybe a 1941/2901 should do the job, or put in an 1811.

The 1811 will do more throughput than the 2811 in the real world because of its much more powerful processor.

Pascal.

Posting

For small LANs with WANs, I often suggest a small L3 switch and a WAN router.

If you're seeing this high CPU at only 15 Mbps, it might also be due to other services.  Looks to me like you might also be doing NAT and VPN. (?)

As to relative performances of the routers you've noted, Cisco lists their performance as:

1811 70 Kpps

2811 120 Kpps

1941 299 Kpps

2901 327 Kpps

Yes,

other services like VPN and NAT are running.

I'm looking for a 1941/2901 (I have around 150 PCs behind and 20 servers), or to put a 3750G behind and keep my 2811.

Posting

The 3750G will only really help if it keeps some traffic from needing to go to the 2811.  If all your 150 PCs and 20 servers are on the same subnet, traffic between them doesn't need to be routed.  If they are on different subnets, then a 3750G should support much, much more throughput among them.
