[c-nsp] 3750 high cpu from icmp

Brian Turnbow b.turnbow at twt.it
Mon May 14 04:58:44 EDT 2007 

Wanted to post an update on this in case anyone else ever has problems.
The only way I found to resolve this issue was to move traffic onto different interfaces , removing the router on a stick routing.


Regards

Brian

-----Original Message-----
From: Brian Turnbow 
Sent: martedì 8 maggio 2007 13.25
To: 'Jared Mauch'; 'Tom Sands'
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] 3750 high cpu from icmp

Hello
All routed interfaces have these as well as no unreachables,( all connected routers as well) yet the process cpu is still high.
I still see the cpu controller with high icmp counters , other cpu counters appear normal.
3750E-Jenner#sh controller cpu-interface  | i icmp
icmp              1886230815 0          0          0          0
3750E-Jenner#sh controller cpu-interface  | i icmp
icmp              1886236301 0          0          0          0
3750E-Jenner#sh controller cpu-interface  | i icmp
icmp              1886239093 0          0          0          0
3750E-Jenner#sh controller cpu-interface  | i icmp
icmp              1886241081 0          0          0          0

And debugging the queue I  see these messages all for vlan 82 (a one second debug has hundreds of these messages)
ICMP-Q:Dropped redirect disabled on L3 IF: Local Port Fwding L3If:Vlan82 L2If:FastEthernet1/0/11
ICMP-Q:Dropped redirect disabled on L3 IF: Local Port Fwding L3If:Vlan82 L2If:FastEthernet1/0/6
ICMP-Q:Dropped redirect disabled on L3 IF: Local Port Fwding L3If:Vlan82 L2If:FastEthernet1/0/1

The addresses listed in the debugs are all correct valid addresses with valid routes.
It seems that the packets are sent to the cpu thinking that there should be a redirect , yet since it is disabled the cpu then drops the packets.


Here is the interface vlan configuration 
interface Vlan82
 ip address 82.113.194.2 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
end


Any thoughts? 
I am running 12.2.35SE2

Thanks
Brian



-----Original Message-----
From: Jared Mauch [mailto:jared at puck.nether.net] 
Sent: lunedì 7 maggio 2007 20.04
To: Brian Turnbow
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 3750 high cpu from icmp

On Mon, May 07, 2007 at 05:58:02PM +0200, Brian Turnbow wrote:
> Besides redesigning to avoid icmp redirects anyone have any ideas?

	Can you make sure that all your routers have the following
on their "IP" (routed) interfaces:?

	no ip redirects
	no ip proxy-arp

	This should help solve the problem.

	These two should really be default these days.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

More information about the cisco-nsp mailing list