
Every 18-24 hours the 6500s go to 100% CPU

geraldjacksontx
Level 1

6504 Sup720 ----Dot1q Trunk ----6504 Sup720

VPN SPA VLAN 20,30         VPN SPA VLAN 20,30

Normal VLAN 10,40            Normal VLAN 10,40

Every 18-24 hours the 6500s go to 100% CPU. The workaround is to reboot one of the switches. Then they will run 18-24 hours.

The fix was to trunk only VLANs 10 and 40 (the networks that needed to see each other) between the switches. If the VLANs of the VPN SPA were trunked, every 18-24 hours the 6500s would go to 100% CPU.

It is a simple design: GRE IPsec tunnels that work fine and the latest SXI code. It appears that if you trunk the VPN SPA trunks and they are the same VLAN, it goes into some kind of bridging loop. No errors. Just unresponsive.

I am not sure if this is a design feature or a bug.


fsebera
Level 4

Hi Cecil,

I had a similar issue a little while back, but it turned out to be a slow-growing routing loop.

I checked the "AGE" of my routes on a nearby switch and discovered the age of the routes just kept updating.


If you are sure it is a layer-2 issue, check the spanning-tree timers for the last update, i.e. the "AGE" of the update.

If you are experiencing a loop, the update times should indicate this.

Hope this helps!

Frank

I think, working with TAC, a warning that is in the design guide said:


Caution Do not enter the switchport trunk allowed vlan all command on a secured trunk port. In addition, do not set the IPsec VPN SPA inside and outside ports to "all VLANs allowed."


Which I think is a design issue of me not reading all the warnings.

Thanks
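
An added example, not part of the thread and not Cisco tooling: a Python check that applies the quoted caution and the fix from the first post to an IOS-style config, flagging trunk ports that would carry the VPN SPA VLANs. The sample config and interface names are constructed, the protected set 20 and 30 comes from the diagram above, and only the `all`, `none`, list/range and `add` forms of `switchport trunk allowed vlan` are handled.

```python
import re

# Constructed sample config (not from the thread); interface names are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode trunk
!
interface GigabitEthernet1/2
 switchport mode trunk
 switchport trunk allowed vlan 10,40
!
interface GigabitEthernet1/3
 switchport mode trunk
 switchport trunk allowed vlan 10
 switchport trunk allowed vlan add 20-25,40
!
interface GigabitEthernet1/4
 switchport mode access
"""

ALL_VLANS = set(range(1, 4095))

def parse_vlans(spec):
    """Expand 'all', 'none' or a '10,20-25' style list into a set of VLAN IDs."""
    if spec in ("all", "none"):
        return set(ALL_VLANS) if spec == "all" else set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(config, protected):
    """Return {interface: sorted protected VLANs that the trunk would carry}."""
    findings = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        lines = [l.strip() for l in block.splitlines()]
        if "switchport mode trunk" not in lines:
            continue
        allowed = set(ALL_VLANS)  # a trunk with no allowed list carries every VLAN
        for line in lines:
            m = re.match(r"switchport trunk allowed vlan (add )?(\S+)$", line)
            if m:  # 'add' extends the current list, any other form replaces it
                allowed = (allowed if m.group(1) else set()) | parse_vlans(m.group(2))
        exposed = sorted(allowed & protected)
        if exposed:
            findings[lines[0].split()[1]] = exposed
    return findings

if __name__ == "__main__":
    print(audit_trunks(SAMPLE_CONFIG, {20, 30}))
```

A trunk with no allowed list is reported because it behaves like "all VLANs allowed", which is the case the design guide caution covers.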