2775 Views | 0 Helpful | 6 Replies

Should I disable ICMP Redirect on my C4500 core switches or not?

iliastsoukalis
Level 1

Hi all,

I have 2 C4503 core switches with HSRP enabled.

I have noticed the CPU go up, filling the "Adj SameIf Fail" queue, when accessing the internet from my servers, so I traced the packets.

 

I saw a lot of ICMP Redirects from the core switches to the servers, indicating to use the DSL router as the gateway (sounds legit, since the internal IP of the router is on the same subnet as the servers), so according to this guide: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/213841-understanding-icmp-redirect-messages.html I suppose I have to disable ICMP redirects on the specific VLAN (no ip redirects command).

 

My question is, since I use HSRP on the specific VLAN, is there a case where deactivating ICMP Redirect could mess up the HSRP operation?

 

I'm on a production environment.


6 Replies

balaji.bandi
Hall of Fame

no ip redirects: this disables ICMP redirect messages. Redirects happen when a router sees a packet arriving on an interface and the best route is out that same interface. In that case the router sends an ICMP redirect back to the source, telling it about a better router on the same subnet. Subsequent packets take the optimal path. If you disable this, the packets would continue using the suboptimal path.

 

Based on the design, you will have side effects from disabling redirects while using HSRP. Also, can you show us show process cpu sort | ex 0.00 to understand the issue, and also post the configuration.

 

Have you checked for any bugs against the code you are running?

 

 

Read this:

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-hsrp-icmp.html#GUID-AB8DE78C-AEE6-4327-B3BF-3C7B1443F7E7

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Reza Sharifi
Hall of Fame

Hi,

So, the issue with your design is that HSRP is not providing the level of redundancy you need if the default gateway for the servers is the DSL router. To remedy this, change the 4500 switches to layer-2 only (no HSRP) or terminate the vlans on the 4500 with HSRP and then make the connection between the 4500 and the DSL router layer-3. If you want to keep the same design you have today, you would have to make these changes during non-production hours and see if the behavior changes.

 

Here are a couple of posts to look at: 

 

https://community.cisco.com/t5/switching/cisco-4500-sup-6e-high-cpu-utilization/td-p/1790349

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-hsrp-icmp.html#:~:text=ICMP%20redirect%20messages%20are%20automatically,an%20HSRP%20virtual%20IP%20address.

 

HTH

 

iliastsoukalis
Level 1

Thanks for the replies. Below are my CPU results (I am posting only non-zero values):

 

Packets Dropped In Processing by CPU event

Event                          Total  5 sec avg  1 min avg  5 min avg  1 hour avg
-----------------  -----------------  ---------  ---------  ---------  ----------
Sa Miss                      1461184          0          0          0           0
Input ACl Copy                108957          0          0          0           0


Packets Dropped In Processing by Priority

Priority                       Total  5 sec avg  1 min avg  5 min avg  1 hour avg
-----------------  -----------------  ---------  ---------  ---------  ----------
Unknown                            0          0          0          0           0
Normal                        100945          0          0          0           0
Medium                       1461184          0          0          0           0
High                            8012          0          0          0           0
Crucial                            0          0          0          0           0
Super Crucial                      0          0          0          0           0


Packets Dropped In Processing by Reason

Reason                         Total  5 sec avg  1 min avg  5 min avg  1 hour avg
------------------ -----------------  ---------  ---------  ---------  ----------
STPDrop                           27          0          0          0           0
Tx Mode Drop                 1570114          0          0          0           0


Packets Received by Packet Queue

Queue                          Total  5 sec avg  1 min avg  5 min avg  1 hour avg
----------------------  ------------  ---------  ---------  ---------  ----------
Input ACL fwd(snooping)         1041          0          0          0           0
Host Learning                1462240          0          0          0           0
L2 Control                   9685807         14          3          1           0
Input ACL log, unreach        108955          0          0          0           0
L3 Glean                     1258825          0          0          0           0
L3 Receive                    529644          6          0          0           0
Ttl Expired                      372          0          0          0           0
Bfd                               79          0          0          0           0
Adj SameIf Fail            109392892        520        823        628         346
L2 router to CPU, 7         17879625         32         24         21          15


Packets Dropped by Packet Queue

Queue                          Total  5 sec avg  1 min avg  5 min avg  1 hour avg
----------------------  ------------  ---------  ---------  ---------  ----------
Adj SameIf Fail              1617423          3          0          0           0


Core 0: CPU utilization for five seconds: 13%; one minute: 13%; five minutes: 13%
Core 1: CPU utilization for five seconds: 29%; one minute: 25%; five minutes: 22%
 PID  Runtime(ms)     Invoked  uSecs  5Sec  1Min  5Min  TTY  Process
4866      1139681   163690823    181  21.3  19.3  17.5    0  iosd


                       %CPU   %CPU   RunTimeMax   Priority   Average %CPU     Total
                     Target Actual  Target Actual   Fg   Bg   5Sec Min Hour      CPU
VSI slot-02            6.00   8.85       6     12  100  500      9   9    7  1293:26
VSI slot-03            6.00   2.09       6      6  100  500      2   2    1   318:31
K5CpuMan Review       30.00  10.47      30     11  100  500     12  12    6   539:57
K5ForerunnerPacketMa   2.00   4.77       4      4  100  500      5   5    2   256:11
GalGlmLinecardVp(2)    5.00   3.93      20     55  100  500      4   4    3   553:20
GlmBridgeMan(1) revi   0.50   1.16       2      4  100  500      1   1    1   171:47
SfpController(1)       0.50   2.61       0      5  100  500      2   2    2   360:38
                    -------------
%CPU Totals          337.19  38.64

 

HSRP works just fine right now; my fear is that I might break it if I disable ICMP redirects.

 

Some info about the network:

Servers' VLAN subnet is 10.20.60.0/25 and HSRP StandBy IP is 10.20.60.1, so the default gateway is 10.20.60.1 on my servers.

DSL router internal ip is 10.20.60.24.

So when I access the internet from my servers I get ICMP redirects indicating that I should use 10.20.60.24 instead of 10.20.60.1.

One thought was to add static routes on all my servers, routing all internal networks to 10.20.60.1 and leaving 0.0.0.0 to 10.20.60.24. The other, which seems simplest, was disabling ICMP Redirects for the specific VLAN.
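The per-queue punt counters posted above are easier to act on when parsed than when read by eye, especially if you poll them repeatedly while making a change. The following is an added example, not Cisco code and not from anyone in this thread: it parses the "Packets Received by Packet Queue" / "Packets Dropped by Packet Queue" table format shown above and flags queues whose average rate exceeds a threshold. SAMPLE is a transcription of the numbers posted above; the 100 pps threshold and the short column keys are assumptions.

```python
"""Parser for the per-queue punt counters a Catalyst 4500 prints, plus a
threshold check over the parsed rows. Added example, not Cisco code.
SAMPLE is a transcription of the numbers posted in this thread; the
threshold used in __main__ is an assumption."""

SAMPLE = """\
Packets Received by Packet Queue

Queue                        Total  5 sec avg  1 min avg  5 min avg  1 hour avg
---------------------- ----------- ---------- ---------- ---------- -----------
Input ACL fwd(snooping)       1041          0          0          0           0
Host Learning              1462240          0          0          0           0
L2 Control                 9685807         14          3          1           0
Input ACL log, unreach      108955          0          0          0           0
L3 Glean                   1258825          0          0          0           0
L3 Receive                  529644          6          0          0           0
Ttl Expired                    372          0          0          0           0
Bfd                             79          0          0          0           0
Adj SameIf Fail          109392892        520        823        628         346
L2 router to CPU, 7       17879625         32         24         21          15

Packets Dropped by Packet Queue

Queue                        Total  5 sec avg  1 min avg  5 min avg  1 hour avg
---------------------- ----------- ---------- ---------- ---------- -----------
Adj SameIf Fail            1617423          3          0          0           0
"""

COLUMNS = ("total", "5s", "1m", "5m", "1h")   # assumed short keys for the five counters


def parse_queue_table(text, section="Packets Received by Packet Queue"):
    """Return {queue_name: {total, 5s, 1m, 5m, 1h}} for one section of the output.
    Queue names may contain spaces and commas ("L2 router to CPU, 7"), so each
    row is split from the right: the last five whitespace-separated fields are
    the counters and everything before them is the name."""
    rows = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == section
            continue
        if not line or line.startswith("Queue") or line.startswith("---"):
            if rows and not line:          # blank line after the data rows ends the table
                break
            continue
        parts = line.split()
        if len(parts) < 6 or not all(p.isdigit() for p in parts[-5:]):
            break                          # not a data row: the table is over
        name = " ".join(parts[:-5])
        rows[name] = dict(zip(COLUMNS, (int(p) for p in parts[-5:])))
    return rows


def rank_queues(rows, column="5m"):
    """Queues sorted by the chosen average, busiest first."""
    return sorted(((name, r[column]) for name, r in rows.items()),
                  key=lambda kv: kv[1], reverse=True)


def queues_over_threshold(rows, pps, column="5m"):
    """Names of queues whose average exceeds pps (packets per second).
    A sustained high 'Adj SameIf Fail' rate means traffic is being punted
    because it would leave by the interface it arrived on."""
    return [name for name, rate in rank_queues(rows, column) if rate > pps]


if __name__ == "__main__":
    received = parse_queue_table(SAMPLE)
    for name, rate in rank_queues(received)[:3]:
        print(f"{name:<24}{rate:>6} pps (5 min avg)")
    print("over 100 pps:", queues_over_threshold(received, 100))
```

Run it before and after a change (the "before and after" capture asked for in this thread) and compare the ranked lists; the queue that dominates is the one to explain, and on this output it is "Adj SameIf Fail" by a wide margin.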

balaji.bandi
Hall of Fame
Accepted Solution

Yes, you can do 2 simple routes: send any unknown to 10.20.60.1, and for known networks you can specify sending to 10.20.60.24 (if 60.24 is processing any internal routed network). Sometimes we need to tweak to get end results. Try this one; it is not going to cause any major downtime. Let us know how that works, and whether this reduced any CPU headroom.

 

Can you capture the information below and post it here:

 

show process CPU sort | ex 0.00 before and after

show version - which was missing; we asked for it in the previous post.

 

 

Some tips to troubleshoot high CPU:

 

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-16/213549-troubleshoot-high-cpu-usage-in-catalyst.html

BB



iliastsoukalis
Level 1

I checked the specific servers which have the most ICMP redirects and added a static route for internet traffic to 10.20.60.24. I already see the CPU dropping!

 

I will go with static routing instead of disabling ICMP redirects.

 

Thanks!!!
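Putting the two explanations in this thread together (balaji.bandi's description of when a router sends a redirect, and the two options the OP weighed: no ip redirects on the VLAN versus static routes on the servers), the following added example models both against the thread's addresses. It is not Cisco code and not from anyone in this thread. It implements the textbook redirect rule (the packet would leave by the interface it came in on, the next hop is on the sender's own subnet, and redirects are enabled on that interface) and does not model HSRP's own redirect filtering. Assumed, not from the thread: the switch's real Vlan60 address 10.20.60.2/25, an internal summary 10.20.0.0/16 reached via 10.20.1.1 on Vlan1, the server address 10.20.60.50, and the two test destinations.

```python
"""Model of when a router emits an ICMP redirect, run against the addresses
in this thread. Added example, not Cisco code. Assumptions (not from the
thread): the switch's real Vlan60 address 10.20.60.2/25, an internal summary
10.20.0.0/16 via 10.20.1.1 on Vlan1, the server 10.20.60.50, and DESTS."""
from ipaddress import ip_address, ip_interface, ip_network

SWITCH_VIP = "10.20.60.1"    # HSRP virtual IP, the servers' default gateway (from the thread)
DSL_ROUTER = "10.20.60.24"   # DSL router's inside address (from the thread)
SERVER = "10.20.60.50"       # assumed server address inside 10.20.60.0/25
DESTS = ("203.0.113.10", "10.20.30.5")   # assumed: one internet, one internal destination


def _longest_match(routes, dst):
    """Longest-prefix match; routes is an iterable of (network, ...) tuples."""
    best = None
    for entry in routes:
        if dst in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


class Router:
    def __init__(self, interfaces, routes, no_redirects=()):
        self.ifaces = {n: ip_interface(a) for n, a in interfaces.items()}
        # (prefix, next hop or None for a connected route, egress interface)
        self.routes = [(ip_network(p), ip_address(nh) if nh else None, i) for p, nh, i in routes]
        self.no_redirects = set(no_redirects)   # interfaces configured with 'no ip redirects'

    def forward(self, ingress, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        _, nh, egress = _longest_match(self.routes, dst)
        next_hop = nh if nh is not None else dst        # connected route: deliver directly
        hairpin = egress == ingress                     # back out of the interface it came in on
        redirect = None
        if (hairpin and ingress not in self.no_redirects
                and next_hop in self.ifaces[ingress].network and next_hop != src):
            redirect = next_hop     # ICMP type 5: "use this gateway instead"
        return {"egress": egress, "next_hop": next_hop, "hairpin": hairpin, "redirect": redirect}


class Host:
    def __init__(self, ip, routes):
        self.ip = ip_address(ip)
        self.routes = [(ip_network(p), ip_address(gw)) for p, gw in routes]

    def gateway(self, dst):
        return _longest_match(self.routes, ip_address(dst))[1]


def simulate(host, switch, vlan="Vlan60"):
    """Per destination: where the host sends the packet first, whether the switch
    has to hairpin it back out of the same VLAN, and whether a redirect is sent.
    The active HSRP switch answers for SWITCH_VIP."""
    out = {}
    for dst in DESTS:
        gw = host.gateway(dst)
        if gw != ip_address(SWITCH_VIP):       # packet goes straight to another gateway
            out[dst] = {"first_hop": str(gw), "via_switch": False, "hairpin": False, "redirect": None}
            continue
        f = switch.forward(vlan, host.ip, dst)
        out[dst] = {"first_hop": str(gw), "via_switch": True, "hairpin": f["hairpin"],
                    "redirect": str(f["redirect"]) if f["redirect"] else None}
    return out


def make_switch(no_redirects=()):
    return Router({"Vlan60": "10.20.60.2/25", "Vlan1": "10.20.1.2/24"},
                  [("10.20.60.0/25", None, "Vlan60"),
                   ("10.20.0.0/16", "10.20.1.1", "Vlan1"),
                   ("0.0.0.0/0", DSL_ROUTER, "Vlan60")],
                  no_redirects)


def scenario_today():
    return simulate(Host(SERVER, [("0.0.0.0/0", SWITCH_VIP)]), make_switch())


def scenario_no_ip_redirects():
    return simulate(Host(SERVER, [("0.0.0.0/0", SWITCH_VIP)]), make_switch(no_redirects=["Vlan60"]))


def scenario_host_static_routes():
    return simulate(Host(SERVER, [("10.20.0.0/16", SWITCH_VIP), ("0.0.0.0/0", DSL_ROUTER)]),
                    make_switch())


if __name__ == "__main__":
    for name, fn in (("today", scenario_today),
                     ("no ip redirects on Vlan60", scenario_no_ip_redirects),
                     ("host static routes", scenario_host_static_routes)):
        print(name)
        for dst, r in fn().items():
            print(f"  {dst:<14} first hop {r['first_hop']:<12} hairpin={r['hairpin']!s:<5} redirect={r['redirect']}")
```

Running it shows the difference between the two fixes: with no ip redirects on Vlan60 the switch stops sending the messages, but every internet-bound packet still enters the switch and is forwarded back out of the same VLAN; with the host routes, internet traffic never reaches the switch at all, which is consistent with the CPU drop the OP reported. Whether a server acts on a redirect it receives is a host-side setting (on Linux, net.ipv4.conf.<interface>.accept_redirects), which the model does not cover.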

balaji.bandi
Hall of Fame

Thank you for the input. Yes, we need to tweak as per the requirement and monitor, and move to the next tweak if required, or else stay with the solution that was applied. Good to know the CPU process is coming back to normal as expected.

BB


