Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
558
Views
0
Helpful
6
Replies

High IP Input Process Usage?

mdonarumo
Level 1
Level 1

‎06-10-2019 10:19 AM

Hello, I have a C2900 series router deployed and we're having issues with the "IP Input" process slowly using more and more of the CPU which ends up causing problems with the phone system here. I found this other thread: https://community.cisco.com/t5/switching/ip-input/td-p/2984212 Here the person who helps out asks for a set of logs to be taken when the usage is high to get an idea of whats going on. I figured out how to do this and have the same set of logs attached to this post. Would anyone have any ideas on what I can do here?
Labels:
cisco.zip
0 Helpful
6 Replies 6

Georg Pauwen
VIP
VIP

‎06-10-2019 11:21 AM

Hello,

 

anything that is process switched uses the IP INPUT process. I can see a few 'log' entries in your access lists, remove those and check if the CPU utilization goes down. There is one line in your access list 100 that is not necessary (deny is implicit), remove the entire line:

 

access-list 1 remark INSIDE_IF=FastEthernet0/0.100
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.14.0 0.0.0.63
access-list 1 permit 192.168.14.64 0.0.0.63
access-list 10 permit 192.168.1.15
access-list 10 permit 192.168.1.14
access-list 10 permit 192.168.14.9
access-list 100 deny ip any host 119.9.86.199 log
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 69.182.68.72 0.0.0.7 any
access-list 100 deny ip 192.168.14.64 0.0.0.63 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.14.0 0.0.0.63 any
--> no access-list 100 deny ip any any log
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 69.182.68.72 0.0.0.7 any
access-list 101 deny ip 192.168.14.0 0.0.0.63 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.14.0 0.0.0.63 192.168.1.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.14.64 0.0.0.63 192.168.1.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.14.64 0.0.0.63 192.168.1.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.14.0 0.0.0.63 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.14.64 0.0.0.63 any
access-list 104 permit ip 192.168.14.0 0.0.0.63 any
access-list 105 permit tcp any host 173.162.242.117 eq telnet
access-list 105 deny ip host 119.9.86.199 any log
access-list 105 permit udp any any eq ntp
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 remark Auto generated by SDM for NTP (123) 207.46.130.100
access-list 105 permit udp host 207.46.130.100 eq ntp any eq ntp
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.14.64 0.0.0.63
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.14.0 0.0.0.63
access-list 105 permit udp any any eq non500-isakmp
access-list 105 permit esp any any
access-list 105 permit ahp any any
access-list 105 permit udp any any eq isakmp
access-list 105 deny ip 192.168.14.64 0.0.0.63 any
access-list 105 deny ip 192.168.14.0 0.0.0.63 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any

0 Helpful

mdonarumo
Level 1
Level 1
In response to Georg Pauwen

‎06-10-2019 11:28 AM

You know, it's funny because I don't know a whole lot about this stuff, though I spent awhile reading about process switching, etc on Friday, but I was going through the logs and saw that same "deny ip any any log" line and questioned it. Anyway, though, thank you I will figure out how to do that and report back.
0 Helpful

Georg Pauwen
VIP
VIP
In response to mdonarumo

‎06-10-2019 12:02 PM

Hello,

 

there are a few redundancies in your access list. At the config prompt, just copy and paste the below:

 

no access-list 100
access-list 100 deny ip any host 119.9.86.199 
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 69.182.68.72 0.0.0.7 any
access-list 100 deny ip 192.168.14.64 0.0.0.63 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any

0 Helpful

mdonarumo
Level 1
Level 1
In response to Georg Pauwen

‎06-11-2019 06:33 AM - edited ‎06-11-2019 07:02 AM

Alright, I went ahead and ran those commands and reloaded the router and I'm just kind of watching and waiting at the moment. Thank you for the advice. Will report back either way, I appreciate it.

 

e: IP Input is hovering around 60% and total CPU usage between 80-95%.  Doesn't look like that really changed anything.  In the thread I referenced I see mention of "After making changes to the ACL, please apply the ACL again to the interfaces Gi0/0 and Gi0/1".  Do I need to do anything besides running those commands and possibly reloading the router?  I reran the logging in putty and I see all the instances of "log" are gone.  Also I see mention of "ip route-cache cef" stuff in that thread.  Do I need to worry about that?

 

I ran "show ip interface" and I don't see interrupt switching mentioned anywhere in there, but from what I read it should be on, correct?

0 Helpful

Georg Pauwen
VIP
VIP
In response to mdonarumo

‎06-11-2019 10:05 AM

Hello,

 

can you post the current running configuration with the changes you have applied ?

0 Helpful

mdonarumo
Level 1
Level 1
In response to Georg Pauwen

‎06-12-2019 06:25 AM - edited ‎06-12-2019 06:51 AM

Absolutely.  I just ran the command, this is the current config.

 

e: This might sound ridiculous, but it turns out that one of the user machines on the network is causing the high CPU usage for the IP Input process.  As soon as the machine is shut down the CPU usage goes from 60-65% for IP input and 98% total to 0.55% for IP Input and 3% total and it comes back as soon as the machine is turned on.  Thinking of trying to replace the network adapter as a quick "fix". 

192.168.14.65-20190612-092119.log.zip
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card