[nsp] High CPU utilization from traffic with no destination interface?

rpcbind at speakeasy.net rpcbind at speakeasy.net
Thu Jun 26 15:06:46 EDT 2003


Nothing sticks out there that would disable cef, but I'd double-check 
access-list 101 and check to see if perhaps the version you're running 
can't cef-switch NAT (I believe this showed up in 12.2T).

On Thu, 26 Jun 2003, Temkin, David wrote:

> As you see, we have unreachables turned off...  If I do a show ip cef on the
> non-existent network, it shows it as via the default route on the box, which
> is right back out the interface it came in on..
> 
> Now that the attack has stopped, CPU is back to its normal ~30%...  
> 
> FastEthernet0/0 is up, line protocol is up
>   Internet address is x.x.x.x
>   Broadcast address is 255.255.255.255
>   Address determined by non-volatile memory
>   MTU is 1500 bytes
>   Helper address is not set
>   Directed broadcast forwarding is disabled
>   Secondary address 209.213.219.91/29
>   Outgoing access list is not set
>   Inbound  access list is 101
>   Proxy ARP is enabled
>   Security level is default
>   Split horizon is enabled
>   ICMP redirects are always sent
>   ICMP unreachables are never sent
>   ICMP mask replies are never sent
>   IP fast switching is enabled
>   IP fast switching on the same interface is enabled
>   IP Flow switching is enabled
>   IP CEF switching is enabled
>   IP CEF Flow Fast switching turbo vector
>   IP multicast fast switching is enabled
>   IP multicast distributed fast switching is disabled
>   IP route-cache flags are Fast, Flow, CEF
>   Router Discovery is disabled
>   IP output packet accounting is disabled
>   IP access violation accounting is disabled
>   TCP/IP header compression is disabled
>   RTP/IP header compression is disabled
>   Probe proxy name replies are disabled
>   Policy routing is disabled
>   Network address translation is enabled, interface in domain outside
>   WCCP Redirect outbound is disabled
>   WCCP Redirect inbound is disabled
>   WCCP Redirect exclude is disabled
>   BGP Policy Mapping is disabled
>   IP multicast multilayer switching is disabled
> 
> -----Original Message-----
> From: rpcbind at speakeasy.net [mailto:rpcbind at speakeasy.net] 
> Sent: Thursday, June 26, 2003 2:50 PM
> To: Temkin, David
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] High CPU utilization from traffic with no destination
> interface?
> 
> 
> 
> Ejay made the point that I overlooked -- make sure that you have 'no ip 
> unreach' on the ingress interface, otherwise you'll end up generating a pile
> of icmp (though IIRC, this is ratelimited).
> 
> > There is no null interface because there's nothing statically routed that
> > way for it...
> 
> There is, irregardless of whether you configured it, ie:
> 
> sw-core3>show ip cef 70.12.0.0
> 0.0.0.0/0, version 371298, epoch 0, attached
> 0 packets, 0 bytes
>   via Null0, 0 dependencies
>     valid null adjacency
> 
> > Yup, I am running CEF...
> >
> > Show int switching shows that it's all being process switched.
> 
> This is inevitably the true root of your problem -- if CEF is enabled 
> globally, and you don't have a 'no ip route-cache cef' on the interface, then
> 'sho ip int' should reveal something nasty that's forcing process switching.
> 
> Which platform and what type of interfaces are you seeing this on? If
> everything's being process switched, then your baseline CPU is going to be
> much higher than it should be.
> 
> 
> > -----Original Message-----
> > From: rpcbind at speakeasy.net [mailto:rpcbind at speakeasy.net]
> > Sent: Thursday, June 26, 2003 2:35 PM
> > To: Temkin, David
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [nsp] High CPU utilization from traffic with no destination
> > interface?
> > 
> > 
> > 
> > Are you running CEF? If so, then there's an implicit adjacency to the null
> > interface, so it should be handled extremely inexpensively. What does a
> > 'show ip int' of the ingress interface show -- any chance there's some features 
> > there that may have tickled things badly?
> > 
> > 
> > On Thu, 26 Jun 2003, Temkin, David wrote:
> > 
> > > Does anyone know the actual IOS architecture for handling packets that
> > > enter the router where the router doesn't have a route for them?
> > > 
> > > I had a situation where a large amount of traffic was directed at one
> > > of my routers that didn't have a route to the destination and the CPU 
> > > was pegged at 99%...  When I added an ACL blocking traffic to the 
> > > networks that I didn't have routes to, the utilization dropped 
> > > dramatically.
> > > 
> > > Thanks,
> > > 
> > > -Dave
> > > 
> > > 
> > > David Temkin
> > > S-I-G
> > > 401 City Avenue
> > > Bala Cynwyd, PA 19004
> > > http://www.sig.com
> > > 
> > > 
> > > 
> > > IMPORTANT:The information contained in this email and/or its
> > > attachments is confidential. If you are not the intended recipient, 
> > > please notify the sender immediately by reply and immediately delete 
> > > this message and all its attachments.  Any review, use, reproduction, 
> > > disclosure or dissemination of this message or any attachment by an 
> > > unintended recipient is strictly prohibited.  Neither this message nor 
> > > any attachment is intended as or should be construed as an offer, 
> > > solicitation or recommendation to buy or sell any security or other 
> > > financial instrument.  Neither the sender, his or her employer nor any 
> > > of their respective affiliates makes any warranties as to the 
> > > completeness or accuracy of any of the information contained herein or 
> > > that this message or any of its attachments is free of viruses.
> > > 
> > > 
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > http://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > 
> 
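
As an added example (not part of the original thread or written by its participants), the `show ip interface` review suggested above can be scripted: the Python below parses that output, mail quoting included, and lists the per-interface items the thread points at (CEF state, ICMP unreachables, inbound ACL, NAT). The function names and the embedded sample, a constructed subset of the output quoted in the thread, are assumptions.

```python
import re

# Constructed sample: a subset of the 'show ip interface' lines quoted in the thread.
SAMPLE = """\
> FastEthernet0/0 is up, line protocol is up
>   Outgoing access list is not set
>   Inbound  access list is 101
>   ICMP unreachables are never sent
>   IP CEF switching is enabled
>   IP route-cache flags are Fast, Flow, CEF
>   Policy routing is disabled
>   Network address translation is enabled, interface in domain outside
"""

HEADER = re.compile(r"^(\S+) is (?:administratively )?(?:up|down), line protocol")
ACL = re.compile(r"^(Inbound|Outgoing)\s+access list is (.+)$")

def parse_show_ip_interface(text):
    """Map each interface to its CEF state, unreachables state and features to review."""
    out, cur = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()  # drop mail quoting and indent
        m = HEADER.match(line)
        if m:
            cur = out[m.group(1)] = {"cef": False, "unreachables": None,
                                     "route_cache": [], "review": []}
        elif cur is None:
            continue  # text before the first interface header
        elif line == "IP CEF switching is enabled":
            cur["cef"] = True
        elif line.startswith("ICMP unreachables are"):
            cur["unreachables"] = "never" not in line
        elif line.startswith("IP route-cache flags are"):
            cur["route_cache"] = [f.strip() for f in line.split(" are ", 1)[1].split(",")]
        elif (m := ACL.match(line)) and m.group(2) != "not set":
            cur["review"].append(f"{m.group(1).lower()} ACL {m.group(2)}")
        elif line.startswith("Network address translation is enabled"):
            cur["review"].append("NAT")
        elif line == "Policy routing is enabled":
            cur["review"].append("policy routing")
    return out

def triage(info):
    """Turn one interface summary into the checks raised in the thread."""
    notes = []
    if not info["cef"]:
        notes.append("CEF switching is not enabled on this interface")
    if info["unreachables"]:
        notes.append("ICMP unreachables are sent; consider 'no ip unreachables'")
    notes += [f"confirm {f} is CEF-switched on this IOS version" for f in info["review"]]
    return notes
```

The script only surfaces candidates; whether a listed feature actually forces process switching depends on the platform and IOS version, which is the open question in the thread.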


