high cpu C4948

vmcnetservices · ‎12-01-2014

Could you explain please reason first ACL,log unreach.

No log key in ACL, switch has a lot of VLAN with ACL in.

Packets Received by Packet Queue
Queue Total 5 sec avg 1 min avg 5 min avg 1 hour avg
---------------------- --------------- --------- --------- --------- ----------
L2/L3Control 236758309 36 34 35 34
Host Learning 6011600 0 0 0 0
L3 Fwd Low 2424793938 2 0 1 8
L2 Fwd Low 201893895 34 33 36 43
L3 Rx Low 34737942 19 3 3 5
RPF Failure 494739 0 0 0 0
ACL log, unreach 27408733812 2770 13291 11964 6553
ACL sw processing 520 0 0 0 0

Packets Dropped by Packet Queue
Queue Total 5 sec avg 1 min avg 5 min avg 1 hour avg
---------------------- --------------- --------- --------- --------- ----------
L2/L3Control 1509428 0 0 0 0
Host Learning 24358337 0 0 0 0
L3 Fwd Low 32625 0 0 0 0
L2 Fwd Low 29248805 0 0 0 0
L3 Rx Low 19362 0 0 0 0
ACL log, unreach 4465098816 5 410 345 339

Thank you

InayathUlla Sharieff · ‎12-01-2014

Looks to be like some issue iwth your ACL.

To help isolate the issue, I would request you to answer the following
questions:
1. Since how long the device has been running with high Cpu?
2. Have you made any hardware/software or configuration changes on these
devices which lead to high CPU utilization?

To isolate the issue, I would request you to send me the following:
1. Show proc cpu sorted | ex 0.00 (3-4 times)
2. Show proc cpu history
3. Show platform cpu packet statistics all
4. Show platform health

Additionally I would also like you to:

#debug platform packet all receive buffer

Wait 30 seconds and capture the command below:

#show platform cpu packet buffered (Twice)
#undebug all

Note: All these outputs should be taken while the CPU indicates high.

Please see a very handy document on handling high CPU on 4500 switches
http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note0918
6a00804cef15.shtml

HTH

vmcnetservices · ‎12-02-2014

I done with all debugs. I want to know how to decrease first row if possible.

ACL log, unreach 27408733812 2770 13291 11964 6553

Will "no ip unreachable" have effect this row?

InayathUlla Sharieff · ‎12-02-2014

Yes, Give it a try.

HTH

InayathUlla Sharieff · ‎12-01-2014

"ACL log" packets been dropped by the CPU queue,
considering the numbers that we see for the ACL log packets that we receive
on the queue and then such packets been dropped, it appears to be a logging
traffic that might be trigger of the issue.

I dont have your confiugration but I believe you have configured "no ip unreachable"
on interfaces, which means for every deny match on any ACL, a
copy of packet would be punted to CPU so that CPU can generate an ICMP
unreachable.

There is no service impact with this situation, however the only concern
here would be that all unreachable, switch will not generate ICMP
unreachable messages.

HTH

Regards

Inayath

vmcnetservices · ‎12-02-2014

I understand it is deny ACL and switch generate unreachable messages so "no ip unreachable" should help. I am interested in different between rows, what does mean first and second row.

ACL log, unreach 27408733812 2770 13291 11964 6553

ACL log, unreach 4465098816 5 410 345 339