[cisco-nas] failed PPPoE auth eats CPU

Aaron Leonard Aaron at cisco.com
Fri Oct 3 19:12:55 EDT 2003


Some other thoughts ...

process-max-time 30 (or so) should smooth out your CPU response
somewhat in the case where some process is trying to use all 
the CPU.

A kludge would be to configure multiple RADIUS servers, some of 
which are nonresponsive addresses.  Not sure if our RADIUS
client is dumb enough not to learn which servers are non-responsive
- but if you can get the runaway PPPoE authentication requests
sometimes to hit the nonexistent address, then this should slow
things down quite a bit.  Of course, this will hurt legitimate
users too, but presumably the ones with good passwords will
stay connected for a long time, so a couple-second delay once
in a blue moon might be no big deal.

Aaron

---

> What's the CPU being used in (show proc cpu)? A client which
> continuously fails authentication and continuously retries will
> exercise the vtemplate cloning code quite a bit and that's likely what
> is using up most of the CPU. Vtemplate/sub-interface code in 12.3
> would handle the situation more gracefully because LCP/authentication
> is not tied to a vaccess (it only binds after authentication is
> successful) and also 12.2(15)T allows you to throttle these failing
> sessions:

> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftpppthr.htm

> Dennis

> jlewis at lewis.org [jlewis at lewis.org] wrote:
> > Is it a known issue that on the 7206 platform with 12.1T code, a
> > persistent PPPoE DSL user/router with the wrong password will shoot the
> > CPU load to nearly 100% and slow the 7206 down to the point that it has
> > trouble passing normal traffic?  If so, is there an IOS that fixes this
> > problem?...or do we simply have to not let DSL users screw up their
> > passwords?
> >
> > ----------------------------------------------------------------------
> >  Jon Lewis *jlewis at lewis.org*|  I route
> >  Senior Network Engineer     |  therefore you are
> >  Atlantic Net                |
> > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
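
A conceptual model of the per-client throttling of failing sessions mentioned in the quoted reply, added here as an example (it is not IOS's implementation and not code from the thread). The thresholds, the class and function names, and the MAC addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class FailedSessionThrottle:
    """Block a client for a while after too many failed auths in a short window."""

    def __init__(self, max_failures=3, window=30.0, block_time=120.0):
        # All three thresholds are hypothetical values, not IOS defaults.
        self.max_failures = max_failures
        self.window = window
        self.block_time = block_time
        self.failures = defaultdict(deque)  # client MAC -> recent failure times
        self.blocked_until = {}             # client MAC -> time the block ends

    def allow(self, mac, now):
        """True if a new session attempt from this client should be processed."""
        until = self.blocked_until.get(mac)
        if until is not None:
            if now < until:
                return False  # dropped early: no interface cloning, no RADIUS query
            del self.blocked_until[mac]
        return True

    def record_failure(self, mac, now):
        q = self.failures[mac]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                     # forget failures outside the window
        if len(q) >= self.max_failures:
            self.blocked_until[mac] = now + self.block_time
            q.clear()

def simulate(attempts, good_macs, throttle):
    """attempts: (time, mac) pairs. Returns how many attempts per client reached auth."""
    processed = defaultdict(int)
    for now, mac in attempts:
        if not throttle.allow(mac, now):
            continue
        processed[mac] += 1
        if mac not in good_macs:            # a wrong password always fails
            throttle.record_failure(mac, now)
    return dict(processed)

# Constructed input: one client retrying every second for 5 minutes with a bad
# password, and one client with a good password connecting once.
BAD, GOOD = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
ATTEMPTS = sorted([(float(t), BAD) for t in range(300)] + [(10.0, GOOD)])
RESULT = simulate(ATTEMPTS, {GOOD}, FailedSessionThrottle())
```

With these constructed numbers the retrying client reaches authentication 9 times instead of 300, while the client with the correct password is unaffected.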


