[nsp] AS5300 losing memory

jlewis at lewis.org
Sat Aug 23 12:24:04 EDT 2003

On Sat, 23 Aug 2003, Gert Doering wrote:

> Filter on *icmp echo* instead of "all ICMP".

Someone just posted to nanog that, for his MAX TNTs, turning off route 
caching seems to have solved their Nachi-induced stability problems.  Is 
the problem not really all the pings, but all the pings to so many 
different destinations in such a short time causing the route-cache to 
grow out of control?  Would "no ip route-cache" on the access-server's 
ethernet interface keep our Ciscos stable without having to block ping on 
the ones that can't route-map/policy-route block just the 92-byte pings?

I just did this as an experiment on a 5248 running 11.3AA that was
blocking lots of ping with:

Extended IP access list 199
    permit tcp any any established (4597256 matches)
    deny icmp any any echo (15215722 matches)
    deny icmp any any echo-reply (26232 matches)
    permit ip any any (1540728 matches)

That's a pretty sick amount of echo.  Anyway, I removed the ip 
access-group 199 in from virtual-template1, waited a few seconds, saw 
Free(b) fall from over 2 MB to about 1 MB, then added no ip route-cache 
to eth0 and immediately went to nearly 2.5 MB Free(b).

I'm not happy about re-enabling Nachi to spread since it is so disruptive
to the network, so I think I'll go ahead and put the acl back for now.

This makes it seem like the fix for the problem is pretty simple though.  
IOS needs some kind of limiter for route-cache growth.  Once free memory 
drops below some threshold, the route-cache needs to be pruned more 
aggressively or IOS needs to just stop adding to it so that the 
route-cache doesn't eat all available memory and bring the system down.
I'm kind of surprised none of the previous Windows worms have tickled this 

 Jon Lewis *jlewis at lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
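As an added example (not part of Jon's post or anything else in this thread), here is what the "route-map/policy route block just the 92-byte pings" approach he refers to looks like in IOS, next to the interface-level route-cache change from his experiment. It matches ICMP echo only (Gert's advice above), and then drops only packets whose IP length is 92 bytes, the size of Nachi's ping, so ordinary pings still work. The access-list number, route-map name and interface names are assumptions for illustration; Jon's box used virtual-template1 for the inbound ACL and eth0 for the route-cache change, so the same placement is used here.

```cisco
! Added example, not from the original post. Names and numbers are assumed.
! Match ICMP echo only, not all ICMP.
access-list 198 permit icmp any any echo
!
! Policy-route only 92-byte echo packets (Nachi's ping size, layer-3 length)
! to Null0. Anything that does not match both clauses is forwarded normally.
route-map drop-nachi permit 10
 match ip address 198
 match length 92 92
 set interface Null0
!
! Dial-in users' traffic enters on the virtual-access interfaces, so the
! policy goes on the virtual-template, where Jon had his inbound ACL.
interface Virtual-Template1
 ip policy route-map drop-nachi
!
! The experiment from the post: stop the per-destination route-cache from
! growing on the ethernet side.
interface Ethernet0
 no ip route-cache
```

Two caveats a practitioner would want: policy routing on older IOS trains is process switched (fast-switched PBR did not arrive until 12.0), so on a busy access server this costs CPU, and `match length` matches on the IP packet length, so it only catches the worm's unfragmented 92-byte echo. After applying it, `show route-map drop-nachi` shows policy-routing match counts and `show processes cpu` shows whether the extra process switching is affordable on the box.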
