[nsp] 7200 "ARP Input" CPU utilization

Wed Sep 10 22:02:55 EDT 2003

Looks more like IP input could be the problem .. I would bet that if you
apply the following ACL and what the routers log you will see what the
problem is .. 

access-list 130 deny   tcp any any eq 4444 log-input
access-list 130 deny   tcp any any eq 707
access-list 130 deny   tcp any any eq 135
access-list 130 deny   tcp any any eq 137
access-list 130 deny   tcp any any eq 138
access-list 130 deny   tcp any any eq 139
access-list 130 deny   tcp any any eq 193
access-list 130 deny   tcp any any eq 445
access-list 130 deny   tcp any any eq 593
access-list 130 deny   icmp any any log-input
access-list 130 permit ip any any

We have noted that if IP input goes to 15% or more router CPU is @ 90% or
more .. ICMP pings have been a major problem for all of our core and edge
routers across the USA .. 

This is the kind of traffic you will see 

534403: 2w0d: %SEC-6-IPACCESSLOGDP: list 130 denied icmp 64.135.194.220
(ATM3/0.20 ) -> 216.234.148.34 (3/3), 1 packet
534405: 2w0d: %SEC-6-IPACCESSLOGDP: list 130 denied icmp 67.11.188.80
(ATM3/0.20 ) -> 63.173.179.93 (8/0), 1 packet
534406: 2w0d: %SEC-6-IPACCESSLOGDP: list 130 denied icmp 12.33.198.137
(ATM3/0.20 ) -> 64.84.22.18 (8/0), 1 packet
534407: 2w0d: %SEC-6-IPACCESSLOGDP: list 130 denied icmp 67.34.124.70
(ATM3/0.20 ) -> 64.84.21.97 (8/0), 1 packet

Note the TYPE 8 ICMP traffic .. This kills routers and eats memory .. Much
of this traffic is IP unreachable .. 

Hope this helps .. At the very least you can use this to rule out what might
be going on ..

Brian R. Watters
Senior Director
http://www.americanbroadbandservice.com
brwatters at abs-internet.com
866-827-4638 ext. 0205
559-420-0205 direct
559-272-5266 fax

This message and any attachment(s) are solely for the use of intended
recipients. They may contain privileged and/or confidential information
legally protected from disclosure. If you are not the intended recipient,
you are hereby notified that you received this e-mail in error and that any
review, dissemination, distribution or copying of this e-mail and any
attachment(s) is strictly prohibited. If you have received this e-mail in
error, please contact the sender and delete the message and any
attachment(s) from your system. Thank you for your cooperation.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Stewart
Sent: Wednesday, September 10, 2003 8:18 PM
To: cisco-nsp at puck.nether.net

Hello,

I'm having some trouble with a 7206 that has been running pretty flawlessly
for almost a year now, no recent major config or network changes.  Historic
CPU utilization was running between 1% - 4%, but now is bouncing between 15%
and 60%, peaking at 80%, with performance fluctuating between "OK" to
"chunky".  The router in question is *NOT* pushing much traffic, about 1.5m
to 3.0m in/out through the FastEthernet interfaces (f0/0 and f2/0) and an
ATM DS3 on a PA-T3-A3+ and should not be experiencing the performance
slowdowns I'm seeing.

I've sifted http://www.cisco.com/warp/public/63/queue_drops.html#before
through my clue sponge (brain) but nothing suggested there seems to help.

Looking at the process list suggests ARP seems to be the culprit.

CPU utilization for five seconds: 48%/3%; one minute: 48%; five minutes:
49%
  16    13493288   4354803       3098 12.53% 26.44% 25.75%   0 ARP Input
  35          32      1625         19  0.00%  0.00%  0.00%   0 ATM OAM
Input
  42     6133028  10307755        594 15.64% 15.16% 17.19%   0 IP Input

Hopefully, someone can suggest some troubleshooting steps or tips, or maybe
someone has had a similar problem that they resolved successfully and can
offer some advice.  No suggestion to simple at this point.
Thanks in advance to anyone who can help me figure this out.

Jay Stewart

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
---
[Scanned for viruses & SPAM with safE-Mail by American Broadband Services]
---