High CPU load on 2811

kasper123 · ‎02-15-2015

Hi,

We have a 2811 router and we are facing high CPU load but show proc cpu does not show processes with high CPU utilisation.

RT#show proc cpu sorted | exclude 0.00%
CPU utilization for five seconds: 99%/94%; one minute: 99%; five minutes: 98%
PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
95     2157484   1814314       1189 3.29% 4.76% 4.68%   0 IP Input
   2       14624     44123        331 0.94% 0.64% 0.63%   0 Load Meter
   5      154552      2451      63056 0.37% 0.97% 0.91%   0 Pool Manager
38      126116    682626        184 0.18% 0.23% 0.24%   0 Net Background
185      142660    545202        261 0.09% 0.08% 0.08%   0 Crypto PAS Proc
88       58804   6821262          8 0.09% 0.01% 0.01%   0 ACCT Periodic Pr
102        4548       395      11513 0.09% 0.11% 0.03% 514 SSH Process
42       12480    220592         56 0.09% 0.03% 0.02%   0 Per-Second Jobs

This does not happed outside working hours. The router is used only for VPN's (No NATing). It terminates around 25 tunnels but there is not a lot of traffic through the tunnels.

The extremly high load started mondat morning and continues this morning. During the weekend it was fine. Earlier we would have situations when the CPU would spike but it would soon be down to normal values.

From what I read the above output means that the CPU load is caused by interrupts. What is the best way to troubleshoot this?

Regards.

Joseph W. Doherty · ‎02-16-2015

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

It's difficult to "debug" interrupt CPU because it normally deals with optimal packet forwarding through the router.

Please define "not a lot of traffic".

What kind of tunnels?

Any chance your tunnels are fragmenting traffic?

kasper123 · ‎02-16-2015

>Please define "not a lot of traffic".

There are several computers at each of the 25 subsidiaries and they are not using a lot of services from the central location.

>What kind of tunnels?

The remote locations have dynamic IP addresses and are building site to site VPN with tunnel interfaces.

>Any chance your tunnels are fragmenting traffic?

Not sure. How can I check this?

Regards.

Joseph W. Doherty · ‎02-17-2015

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Sorry I wasn't clear, but when I was asking about "not a lot of traffic", I was wondering about actual volume passing through the 2811.

When I asked about "kind of tunnels", I was wondering about how they are configured. E.g. GRE or IPSec/GRE or VTI, encryption options, other tunnel interface options.

Perhaps the easiest way to check for fragmentation, is packet analyze the traffic passing through the 2811.