[c-nsp] CEF Scanner eating CPU in Supervisor 720

Peter Salanki peter.salanki at bahnhof.net
Fri Jun 9 02:56:47 EDT 2006


I think the problem is not at all MPLS related. I did a perl hack that
parsed the output of sh ip cef event new and added static arp on the
hosts which flapped rapidly, 7 IPs had abnormal activity. The load is
now down to a more acceptable level of 20% avg. I could remove the
statics and disable MPLS on the core facing interfaces just to make
sure that MPLS has nothing to do with it if you want. Do you have any
case about this, and/or any plans of "fixing" it? I don't like the
thought of directly connected kiddies being able to drain all cpu on
my (imo. not cheap) sup720-3bxl by just stealing each other's IP
addresses.

On 9 Jun 2006, at 00:32, Rodney Dunn wrote:

> One trick is you can do a 'sh ip cef ev new' and do it over and
> over. See which ones are flapping.
>
> How many routes do you have?
>
> Can you turn off logging to the console: no logg con
>
> and run a couple of mpls debugs and let's see what that says:
>
> debug mpls lfib cef
> debug mpls lfib enc
>
> Set the lot to a couple of meg.
>
> Rodney
>
> On Thu, Jun 08, 2006 at 11:13:02PM +0200, Peter Salanki wrote:
>> The CEF Scanner is now eating almost all CPU :/
>>
>> The events table doesn't look any particular to me,
>> --SNAP--
>>
>> +00:00:00.000:           81.170.148.226/32     ADJ (Vl4001) update [OK]
>> +00:00:00.024:           195.178.160.138/32    ADJ (Vl19) update [OK]
>> +00:00:00.052:           81.170.138.13/32      ADJ (Vl604) update [OK]
>> +00:00:00.232:           81.170.152.129/32     ADJ (Vl4003) update [OK]
>> +00:00:00.240:           81.170.148.118/32     ADJ (Vl4001) update [OK]
>> +00:00:00.304:           81.170.149.246/32     ADJ (Vl4001) update [OK]
>> +00:00:00.320:           81.170.152.50/32      ADJ (Vl4003) update [OK]
>> +00:00:00.380:           81.170.154.117/32     ADJ (Vl4004) update [OK]
>> +00:00:00.388:           213.136.56.90/32      ADJ (Vl39) update [OK]
>> +00:00:00.400:           81.170.136.79/32      ADJ (Vl504) update [OK]
>> +00:00:00.416:           195.178.160.173/32    ADJ (Vl19) update [OK]
>> +00:00:00.512:           81.170.164.163/32     ADJ (Vl4009) update [OK]
>> +00:00:00.728:           81.170.130.75/32      ADJ (Vl204) update [OK]
>> +00:00:00.736: [Default] 199.3.108.0/24        NBD modified [OK]
>> +00:00:00.736: [Default] 199.3.109.0/24        NBD modified [OK]
>> +00:00:00.820:           195.178.186.24/32     ADJ (Vl666) update [OK]
>> +00:00:00.832:           81.170.160.3/32       ADJ (Vl4007) update [OK]
>> +00:00:00.868:           81.170.164.33/32      ADJ (Vl4009) update [OK]
>> +00:00:00.944:           81.170.132.159/32     ADJ (Vl304) update [OK]
>> +00:00:00.952:           81.170.128.77/32      ADJ (Vl104) update [OK]
>> +00:00:01.008:           81.170.149.246/32     ADJ (Vl4001) update [OK]
>> +00:00:01.128:           194.68.123.141/32     ADJ (Vl15) update [OK]
>> --More--
>>
>>
>> On 8 Jun 2006, at 19:40, Rodney Dunn wrote:
>>
>>> Are you running MPLS on the box?
>>>
>>> Check the sh ip cef event output and see if you have a /32 ADJ
>>> for a mac constantly changing. That's the most common trigger
>>> I've seen for the scanner running high.
>>>
>>> You are forcing CEF to constantly reresolve prefixes.
>>>
>>> Rodney
>>>
>>> On Thu, Jun 08, 2006 at 02:23:22PM +0200, Peter Salanki wrote:
>>>> Hello,
>>>>
>>>> Process "CEF Scanner" is eating average 60% of the CPU on one of my
>>>> Sup720-3BXL. This leads to snmp responses being delayed and full BGP
>>>> updates taking a long time. I have not seen this on any of my other
>>>> sup720s. What differs this box from the rest is that this one has a
>>>> lot of directly connected hosts ~10 SVIs with 300 hosts each (on /23
>>>> subnets). I have tried setting arp timeout to 1200 on those SVIs,
>>>> which resulted in a small CPU utilization decrease. What can I do to
>>>> calm down the CEF Scanner? I'm running 12.2(18)SXF4.
>>>>
>>>> CPU utilization for five seconds: 44%/4%; one minute: 38%; five minutes: 38%
>>>> PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>>>> 119   103495040    719635     143819 35.40% 23.87% 21.54%   0 CEF Scanner
>>>>
>>>> Sincerely
>>>>
>>>> Peter Salanki
>>>> Chief Network Engineer
>>>> Bahnhof AB (AS8473)
>>>> www.bahnhof.se
>>>> Office: +46855577132
>>>> Cell: +46709174932
>>>>
>>>>
>>
>> Best regards
>>
>> Peter Salanki
>> Network Manager
>> Bahnhof AB (AS8473)
>> www.bahnhof.se
>> Office: +46855577132
>> Cell: +46709174932
>>

Sincerely

Peter Salanki
Chief Network Engineer
Bahnhof AB (AS8473)
www.bahnhof.se
Office: +46855577132
Cell: +46709174932
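
The approach described in this message, parsing `sh ip cef event new` output to find /32 adjacencies that are updated repeatedly, sketched in Python as an added example; it is not the Perl script mentioned in the post. The reading of the first column as +HH:MM:SS.mmm, the function names and the `min_updates` threshold are assumptions.

```python
import re
from collections import Counter

# Sample input: lines copied from the excerpt quoted in this thread (mail-wrapped).
SAMPLE = """\
+00:00:00.000:           81.170.148.226/32     ADJ (Vl4001) update
[OK]
+00:00:00.240:           81.170.148.118/32     ADJ (Vl4001) update
[OK]
+00:00:00.304:           81.170.149.246/32     ADJ (Vl4001) update
[OK]
+00:00:00.736: [Default] 199.3.108.0/24        NBD modified
[OK]
+00:00:01.008:           81.170.149.246/32     ADJ (Vl4001) update
[OK]
+00:00:01.128:           194.68.123.141/32     ADJ (Vl15) update
[OK]
"""

# Assumption: the leading field is +HH:MM:SS.mmm relative to the first event.
EVENT = re.compile(
    r"\+(\d+):(\d+):(\d+)\.(\d+):\s+(?:\[[^\]]+\]\s+)?"
    r"(\d{1,3}(?:\.\d{1,3}){3})/32\s+ADJ\s+\(([^)]+)\)\s+update"
)

def parse_adj_updates(text):
    """Yield (seconds, ip, interface) for every /32 ADJ update line."""
    for line in text.splitlines():
        m = EVENT.search(line)  # search() tolerates '>' quote prefixes
        if m:  # wrapped "[OK]" lines and non-ADJ events simply do not match
            h, mi, s, ms = (int(g) for g in m.groups()[:4])
            yield h * 3600 + mi * 60 + s + ms / 1000.0, m.group(5), m.group(6)

def flapping_hosts(text, min_updates=2):
    """Return [(ip, interface, count, updates_per_sec)], busiest first."""
    events = list(parse_adj_updates(text))
    if not events:
        return []
    times = [t for t, _, _ in events]
    window = max(max(times) - min(times), 0.001)  # avoid division by zero
    counts = Counter((ip, ifc) for _, ip, ifc in events)
    return [
        (ip, ifc, n, round(n / window, 2))
        for (ip, ifc), n in counts.most_common()
        if n >= min_updates
    ]

if __name__ == "__main__":
    print(flapping_hosts(SAMPLE))
```

On a longer capture, raise `min_updates` so that only hosts whose adjacency is rewritten far more often than their neighbours' are reported.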

