high CPU on Cisco 3850

giangle
Level 1

Hi all

I have an issue when configuring a Cisco 3850.

On the 3850, I created 6 SVIs for local routing and applied ACLs to 5 SVIs as below:

ACL 100 has 155 rules

ACL 150 has 259 rules

ACL 107 has 188 rules

ACL 111 has 155 rules

ACL 112 has 290 rules

When I apply ACL 108, which has 159 rules, to SVI 108, the switch CPU is high at 80%, but before I apply ACL 108, CPU is 4%. This is the log from the 3850:

<188>377: Dec 14 13:16:09.309 UTC: %ACL_ERRMSG-4-UNLOADED: 1 fed: Input IPv4 L3 ACL on interface Vl108 for label 12 on asic255 could not be programmed in hardware and traffic will be dropped.

 

When I remove ACL 108 from SVI 108, CPU is normal (4%). I read this article: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3850-series-switches/118957-troubleshoot-sec-acl-tcam-cat3850.html. But I don't understand how to fix it.

 

Please help me

Thanks
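
The log line quoted above says the ACL could not be programmed in hardware and that traffic on the interface will be dropped. As an added example (not part of the original post and not Cisco tooling), this script scans collected syslog for that message and counts occurrences per interface; the regex is modelled on the one line quoted in the post, and the other sample lines are constructed.

```python
import re
from collections import Counter

# Modelled on the single log line quoted in the post. The "Output" direction
# and the meaning of the number before "fed" (named "unit" here) are assumptions.
UNLOADED = re.compile(
    r"%ACL_ERRMSG-4-UNLOADED:\s+(?P<unit>\d+)\s+fed:\s+"
    r"(?P<direction>Input|Output)\s+(?P<acl_type>.+?)\s+ACL\s+on\s+interface\s+"
    r"(?P<interface>\S+)\s+for\s+label\s+(?P<label>\d+)\s+on\s+(?P<asic>asic\d+)"
    r"(?P<rest>.*)"
)

# First line is the one from the post; the second and third are constructed.
SAMPLE_LOG = """\
<188>377: Dec 14 13:16:09.309 UTC: %ACL_ERRMSG-4-UNLOADED: 1 fed: Input IPv4 L3 ACL on interface Vl108 for label 12 on asic255 could not be programmed in hardware and traffic will be dropped.
<189>378: Dec 14 13:16:10.001 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0
<188>379: Dec 14 13:17:41.120 UTC: %ACL_ERRMSG-4-UNLOADED: 1 fed: Input IPv4 L3 ACL on interface Vl108 for label 12 on asic255 could not be programmed in hardware and traffic will be dropped.
"""


def parse_unloaded(lines):
    """Return one dict per ACL 'UNLOADED' event found in the given log lines."""
    events = []
    for line in lines:
        m = UNLOADED.search(line)
        if not m:
            continue  # unrelated syslog message
        events.append({
            "unit": int(m["unit"]),
            "direction": m["direction"],
            "acl_type": m["acl_type"],
            "interface": m["interface"],
            "label": int(m["label"]),
            "asic": m["asic"],
            # The message itself states whether the interface is now dropping traffic.
            "traffic_dropped": "traffic will be dropped" in m["rest"],
        })
    return events


def summarize(events):
    """Count events per (interface, direction) so repeat offenders stand out."""
    return Counter((e["interface"], e["direction"]) for e in events)


if __name__ == "__main__":
    for (intf, direction), n in summarize(parse_unloaded(SAMPLE_LOG.splitlines())).items():
        print(f"{intf} {direction}: {n} ACL unload event(s), ACL not enforced in hardware")
```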

 

17 Replies

Leo Laohoo
Hall of Fame

Raise a TAC Case. I remembered reading a bug about too many ACLs causing high CPU.

Please see additional comments below.

So should I upgrade IOS for the Cisco 3850, or do you have any solutions for this?
For the switch: is it OK if I use many ACLs on the switch?
Thanks

Hello,

 

What do your access lists look like? Are you logging any of the entries (with the 'log' keyword)?

It’s normal permit and deny; I don’t use the keyword ‘logs’.
It only uses many ACE entries on the 3850.

Found it.
Raise a TAC Case. I am very sure the issue is due to CSCvk42902.

Hi Leo
I don’t have a TAC account. But I read this link, so I only upgrade from Nova to Polaris, is that right?


@giangle wrote:
But I read this link, so I only upgrade from Nova to Polaris, is that right?

Try an IOS upgrade; however, the information found in the Bug ID is not reliable, especially with the Known Affected Version and the Known Fixed Version.

But for now, try upgrading the IOS of the switch stack.

Let us know how you go.

Hi Leo.
I'm using a Catalyst 3850 24T-E, so can I upgrade from IOS-XE 03.06.05E to version cat3k_caa-universalk9.16.06.04a.SPA.bin (https://software.cisco.com/download/home/284455433/type/282046477/release/Everest-16.6.4a)? In this release I saw Bug ID CSCvk42902 resolved. I am considering between cat3k_caa-universalk9.16.08.01a.SPA.bin and cat3k_caa-universalk9.16.06.04a.SPA.bin. Are these 2 versions OK with the 3850-24T-E?
Thanks!

Go with 16.6.5.

Hi Leo.
Is it this version, Release Everest-16.6.5 MD - cat3k_caa-universalk9.16.06.05.SPA.bin, at this link (https://software.cisco.com/download/home/284455433/type/282046477/release/Everest-16.6.5)?
Thanks

Yes. That's the one.

Thanks so much Leo, I will try this solution and test again. Thanks so much again.

giangle
Level 1

Hi Leo.

I am buying a Cisco C9300 to replace the 3850 and I am thinking about ACLs on the C9300. I wonder, is there any ACL bug in the C9300, the same as the bug in the 3850, that causes high CPU?


@giangle wrote:

I wonder, is there any ACL bug in the C9300, the same as the bug in the 3850, that causes high CPU?


Because the 3650/3850 and the 9K run on the same IOS-XE, whatever bug the 9K hits will, most definitely, be found in the 3650/3850.

However, an IOS upgrade can sometimes fix the issue.
