[nsp] NAT spiking CPU
MPuras at solunet.com
Mon Sep 8 16:39:39 EDT 2003
If you know which user is infected, then you can limit the number of NAT
translations by using the command:
ip nat translation max-entries host <ip-address> <max_entries>
If you are not sure, use netflow (show ip cache flow); you would
typically see many entries for a particular user, as well as the destination
protocol being 1, indicating ICMP.
Which process is hogging the CPU?
I ran into a very similar issue the other day, and NAT translations were
causing my CPU to spike to 100%, mainly because a lot of the traffic that was
being translated was being process switched, so that is why IP Input was
peaking.
Hope this helps.
Thanks,
Mario Puras
SoluNet Technical Support
Mailto: mpuras at solunet.com
Direct: (321) 309-1410
888.449.5766 (USA) / 888.SOLUNET (Canada)
>-----Original Message-----
>From: Christopher J. Wolff [mailto:chris at bblabs.com]
>Sent: Monday, September 08, 2003 2:53 PM
>To: cisco-nsp at puck.nether.net
>Subject: RE: [nsp] NAT spiking CPU
>
>
>Bob, I found an IOS bug, however there is no workaround presented.
>
>CSCdw04843
>
>Regards,
>Christopher J. Wolff, VP CIO
>Broadband Laboratories, Inc.
>http://www.bblabs.com
>
>-----Original Message-----
>From: Bob Collie [mailto:bob at ena.com]
>Sent: Monday, September 08, 2003 11:22 AM
>To: Streiner, Justin; Christopher J. Wolff
>Cc: cisco-nsp at puck.nether.net
>Subject: RE: [nsp] NAT spiking CPU
>
>We're seeing this same trouble with our network and have not yet found a
>way to limit NAT translations. What we're seeing specifically is that a
>site with a 2610 where we're running NAT gets infected by one of the
>DDOS attacks (be it ICMP, etc.) and the sheer volume of dynamic,
>outbound NAT translations makes the router unusable.
>
>Has anyone found a way to limit this? We tried using CAR but it didn't
>make much of a difference when applied against excessive and randomized
>ICMP traffic.
>
>-Bob
>
>-----Original Message-----
>From: Streiner, Justin [mailto:streiner at stargate.net]
>Sent: Monday, September 08, 2003 12:04 PM
>To: Christopher J. Wolff
>Cc: cisco-nsp at puck.nether.net
>Subject: Re: [nsp] NAT spiking CPU
>
>
>On Mon, 8 Sep 2003, Christopher J. Wolff wrote:
>
>> Just ran into an interesting situation where, when the public side of
>> a NAT connection goes down, the router CPU spikes to 100%, effectively
>> restricting all traffic flow inside the network. This is a 2611XM
>> router. Has anyone seen this happen? Thank you in advance.
>
>I've seen things like this happen in the past on a variety of platforms,
>all of which had CEF or dCEF fully enabled: 6400/NRP2, 7507, 2650, 3640.
>
>To me, it appears that the router can handle NAT without major issues
>until some threshold is crossed. That could be total number of active
>NAT translations, translations per second, bits/packets per second, I
>don't know. Below this limit, the router would operate normally, but
>once it was crossed, the CPU would almost immediately spike to near
>100%, but I recall the amount of time spent handling interrupt requests
>to be fairly low.
>
>As the opportunity permits, I'm trying to chip away at the NAT issue,
>but it's pretty slow going...
>
>jms
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
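The reply at the top of this thread suggests spotting the infected inside host from "show ip cache flow" (many flows from one source, protocol ICMP) and then capping that host with "ip nat translation max-entries host". The following script is an added example, not part of the original posts or of any Cisco tool: it parses the flow-cache table, scores each inside source by flow count and ICMP share, and prints the per-host cap command for any host that looks like a scanner or DDoS source. The flow-cache text, the 10.1.1.0/24 addresses, the thresholds (min_flows, icmp_ratio) and the cap of 100 entries are all constructed assumptions for illustration; tune them to your own baseline before pasting anything into a router.

```python
"""Find NAT-inside hosts flooding the flow cache and emit per-host NAT caps.

Added example for the cisco-nsp thread above; not code from the original
posts or from Cisco. All sample data and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample of "show ip cache flow" output (not a real capture).
# Column layout follows IOS: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
# Pr is the IP protocol number in hex (01 = ICMP, 06 = TCP, 11 = UDP); ports are hex too.
SAMPLE_FLOW_CACHE = """\
IP Flow Switching Cache, 278544 bytes
  16 active, 4080 inactive, 1023 added
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.50       Fa0/1         203.0.113.1     01 0000 0800     1
Fa0/0         10.1.1.50       Fa0/1         203.0.113.2     01 0000 0800     1
Fa0/0         10.1.1.50       Fa0/1         203.0.113.3     01 0000 0800     1
Fa0/0         10.1.1.50       Fa0/1         203.0.113.4     01 0000 0800     1
Fa0/0         10.1.1.50       Fa0/1         203.0.113.5     01 0000 0800     1
Fa0/0         10.1.1.50       Fa0/1         203.0.113.6     01 0000 0800     1
Fa0/0         10.1.1.50       Fa0/1         203.0.113.7     01 0000 0800     1
Fa0/0         10.1.1.50       Fa0/1         203.0.113.8     01 0000 0800     1
Fa0/0         10.1.1.50       Fa0/1         203.0.113.9     01 0000 0800     1
Fa0/0         10.1.1.50       Fa0/1         203.0.113.10    01 0000 0800     1
Fa0/0         10.1.1.50       Fa0/1         203.0.113.11    01 0000 0800     1
Fa0/0         10.1.1.50       Fa0/1         203.0.113.12    01 0000 0800     1
Fa0/0         10.1.1.20       Fa0/1         198.51.100.5    06 C1A4 0050    42
Fa0/0         10.1.1.20       Fa0/1         198.51.100.5    06 C1A5 0050    17
Fa0/0         10.1.1.20       Fa0/1         198.51.100.9    11 8F12 0035     2
Fa0/0         10.1.1.20       Fa0/1         198.51.100.5    01 0000 0800     1
"""

# One flow row; header and summary lines do not match because SrcIPaddress must be dotted quad.
FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dstif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<proto>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)

ICMP = 1


def parse_flows(text):
    """Return a list of flow dicts parsed from 'show ip cache flow' text."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "src": d["src"],
            "dst": d["dst"],
            "proto": int(d["proto"], 16),   # hex column -> protocol number
            "sport": int(d["sport"], 16),
            "dport": int(d["dport"], 16),
            "pkts": int(d["pkts"]),
        })
    return flows


def summarize_by_source(flows):
    """Per inside source: total flows, ICMP flows, distinct destinations."""
    stats = defaultdict(lambda: {"flows": 0, "icmp_flows": 0, "dsts": set()})
    for f in flows:
        s = stats[f["src"]]
        s["flows"] += 1
        if f["proto"] == ICMP:
            s["icmp_flows"] += 1
        s["dsts"].add(f["dst"])
    return stats


def find_suspects(flows, min_flows=10, icmp_ratio=0.8):
    """Hosts with at least min_flows flows of which icmp_ratio or more are ICMP.

    Returns (src, flows, icmp_flows, distinct_dsts) tuples, busiest first.
    Thresholds are assumed values; set them from your own normal traffic.
    """
    suspects = []
    for src, s in summarize_by_source(flows).items():
        if s["flows"] >= min_flows and s["icmp_flows"] / s["flows"] >= icmp_ratio:
            suspects.append((src, s["flows"], s["icmp_flows"], len(s["dsts"])))
    return sorted(suspects, key=lambda t: -t[1])


def nat_limit_commands(suspects, max_entries=100):
    """Build the per-host cap from the reply above; 100 entries is an assumed value."""
    return [f"ip nat translation max-entries host {src} {max_entries}"
            for src, *_ in suspects]


if __name__ == "__main__":
    found = find_suspects(parse_flows(SAMPLE_FLOW_CACHE))
    for src, total, icmp, dsts in found:
        print(f"{src}: {total} flows, {icmp} ICMP, {dsts} destinations")
    for cmd in nat_limit_commands(found):
        print(cmd)
```

Run it against saved "show ip cache flow" output rather than the embedded sample; a host with a dozen single-packet ICMP flows to a dozen different destinations is the pattern the reply describes, while the second host's handful of TCP/UDP flows to one server is ordinary traffic and is left alone.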