[nsp] High CPU utilization from traffic with no destination interface?

Temkin, David temkin at sig.com
Thu Jun 26 15:56:37 EDT 2003


As you see, we have unreachables turned off...  If I do a show ip cef on the
nonexistent network, it shows it as via the default route on the box, which
is right back out the interface it came in on..

Now that the attack has stopped, CPU is back to its normal ~30%...

FastEthernet0/0 is up, line protocol is up
  Internet address is x.x.x.x
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Secondary address 209.213.219.91/29
  Outgoing access list is not set
  Inbound  access list is 101
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is enabled
  IP CEF switching is enabled
  IP CEF Flow Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, Flow, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
  IP multicast multilayer switching is disabled

-----Original Message-----
From: rpcbind at speakeasy.net [mailto:rpcbind at speakeasy.net] 
Sent: Thursday, June 26, 2003 2:50 PM
To: Temkin, David
Cc: cisco-nsp at puck.nether.net
Subject: RE: [nsp] High CPU utilization from traffic with no destination interface?



Ejay made the point that I overlooked -- make sure that you have 'no ip
unreach' on the ingress interface, otherwise you'll end up generating a pile
of icmp (though IIRC, this is ratelimited).

> There is no null interface because there's nothing statically routed
> that way for it...

There is, irregardless of whether you configured it, i.e.:

sw-core3>show ip cef 70.12.0.0
0.0.0.0/0, version 371298, epoch 0, attached
0 packets, 0 bytes
  via Null0, 0 dependencies
    valid null adjacency

> Yup, I am running CEF...
>
> Show int switching shows that it's all being process switched.

This is inevitably the true root of your problem -- if CEF is enabled
globally, and you don't have a 'no ip route-cache cef' on the interface,
then 'sho ip int' should reveal something nasty that's forcing process
switching.

Which platform and what type of interfaces are you seeing this on? If
everything's being process switched, then your baseline CPU is going to be
much higher than it should be.


> -----Original Message-----
> From: rpcbind at speakeasy.net [mailto:rpcbind at speakeasy.net]
> Sent: Thursday, June 26, 2003 2:35 PM
> To: Temkin, David
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [nsp] High CPU utilization from traffic with no destination
> interface?
> 
> 
> 
> Are you running CEF? If so, then there's an implicit adjacency to the
> null interface, so it should be handled extremely inexpensively. What
> does a 'show ip int' of the ingress interface show -- any chance there's
> some features there that may have tickled things badly?
> 
> 
> On Thu, 26 Jun 2003, Temkin, David wrote:
> 
> > Does anyone know the actual IOS architecture for handling packets
> > that enter the router where the router doesn't have a route for them?
> >
> > I had a situation where a large amount of traffic was directed at
> > one of my routers that didn't have a route to the destination and the
> > CPU was pegged at 99%...  When I added an ACL blocking traffic to the
> > networks that I didn't have routes to, the utilization dropped
> > dramatically.
> > 
> > Thanks,
> > 
> > -Dave
> > 
> > 
> > David Temkin
> > S-I-G
> > 401 City Avenue
> > Bala Cynwyd, PA 19004
> > http://www.sig.com
> > 
> > 
> > 
> > IMPORTANT:The information contained in this email and/or its
> > attachments is confidential. If you are not the intended recipient, 
> > please notify the sender immediately by reply and immediately delete 
> > this message and all its attachments.  Any review, use, reproduction, 
> > disclosure or dissemination of this message or any attachment by an 
> > unintended recipient is strictly prohibited.  Neither this message nor 
> > any attachment is intended as or should be construed as an offer, 
> > solicitation or recommendation to buy or sell any security or other 
> > financial instrument.  Neither the sender, his or her employer nor any 
> > of their respective affiliates makes any warranties as to the 
> > completeness or accuracy of any of the information contained herein or 
> > that this message or any of its attachments is free of viruses.
> > 
> > 


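The reply quoted above suggests that 'sho ip int' should reveal whatever is forcing process switching. As an added example (not part of the original thread), this Python sketch scans `show ip interface` output for settings worth reviewing in that situation. The sample text is a constructed subset of the output posted above, and the list of settings checked is an assumption for illustration that varies by platform and IOS release.

```python
import re

# Constructed sample: a subset of the 'show ip interface' lines quoted in the thread.
SAMPLE = """\
FastEthernet0/0 is up, line protocol is up
  Inbound  access list is 101
  Proxy ARP is enabled
  ICMP redirects are always sent
  ICMP unreachables are never sent
  IP CEF switching is enabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
"""

# (pattern, note) pairs. Assumed review list, not a Cisco reference: which
# features leave the CEF path depends on platform and IOS release.
CHECKS = [
    (r"ICMP redirects are always sent",
     "ICMP redirects enabled: review if traffic is routed back out the ingress interface"),
    (r"ICMP unreachables are always sent",
     "ICMP unreachables enabled: dropped packets can generate ICMP replies"),
    (r"IP CEF switching is disabled", "CEF disabled on this interface"),
    (r"Proxy ARP is enabled", "proxy ARP enabled"),
    (r"Policy routing is enabled", "policy routing enabled"),
    (r"Network address translation is enabled", "NAT enabled"),
]

def review_interface(text):
    """Return {interface: [notes]} for each interface block in the output."""
    findings, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # An unindented line starts a new interface block.
            current = line.split()[0]
            findings[current] = []
        elif current:
            for pattern, note in CHECKS:
                if re.search(pattern, line):
                    findings[current].append(note)
    return findings

if __name__ == "__main__":
    for intf, notes in review_interface(SAMPLE).items():
        print(intf)
        for note in notes:
            print("  -", note)
```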