[c-nsp] Weird OSPF meltdown

Rubens Kuhl Jr. rubensk at gmail.com
Tue Sep 23 16:46:38 EDT 2008


On Tue, Sep 23, 2008 at 4:40 PM, Rodney Dunn <rodunn at cisco.com> wrote:
> On Fri, Sep 19, 2008 at 02:45:48AM -0300, Rubens Kuhl Jr. wrote:
>> Every once in a while one of the ME6524 routers starts getting hammered by
>> one customer or the other... the symptom is that all adjacencies go
>> down and stay stuck at EXCHANGE phase.
>
> hammered by what?

We could not get packet traces of all the mishaps, but in one of them
there was a flood of mDNS (Multicast DNS) packets.

>
>> CPU doesn't go up, and CoPP is applied; OSPF is authenticated on every
>> adjacency (which are all point-to-point on SVIs), and we don't see any
>> strange neighbors.
>
> Why are the neighbors going down? Hold time expired? If so you have to figure
> out why those frames are dropped.

Yes, hold time expired.
Our current theory is CoPP itself dropping the packets. We have some
large ACLs describing critical, normal and undesired traffic; if some
OSPF frames don't flow through the critical ACL, the normal category
would only fill up during floods. There are terms on the critical ACL
to match OSPF packets, but maybe it's not matching all of them.


>> It occurs more often with Internet access static connected route
>> customers, but has now happened on a VRF as well.
>>
>> The only solution is disconnecting the customer; provisioning the
>> customer on SVI or on routerport doesn't seem to have any effect.
>
> Is it OSPF going down on an interface other than where this "hammering"
> is coming from? I'm assuming you mean it's a flood of traffic.

The inbound interface for the flood doesn't run OSPF, only the
upstream links to other routers.


Rubens
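
Added example, not part of the original message: a small Python model of the CoPP theory described above, in which OSPF hellos that miss the critical ACL share the normal class's policer with the flood. The neighbor addresses, ACL terms, policer budgets, flood rate and the 10 s hello / 40 s dead timers are all assumptions made for illustration.

```python
import ipaddress

# Constructed model of the theory above: OSPF that misses the "critical" ACL
# falls into "normal" and competes with the flood for that class's budget.
# All addresses, ACL terms and rates are hypothetical.
NEIGHBORS = ["10.0.0.2", "10.0.1.2"]
NARROW_ACL = [("ospf", ipaddress.ip_network("10.0.0.0/24"))]   # misses 10.0.1.2
BROAD_ACL = [("ospf", ipaddress.ip_network("0.0.0.0/0"))]      # any OSPF source
BUDGET_PPS = {"critical": 500, "normal": 100}  # per-second policer, simplified


def classify(pkt, critical_acl):
    """Return the CoPP class for a (protocol, source) packet; first match wins."""
    proto, src = pkt
    for acl_proto, net in critical_acl:
        if proto == acl_proto and ipaddress.ip_address(src) in net:
            return "critical"
    return "normal"


def hellos_delivered(critical_acl, flood_pps=5000, seconds=40, hello_every=10):
    """Count hellos per neighbor that survive policing over one dead interval."""
    delivered = {nbr: 0 for nbr in NEIGHBORS}
    for t in range(seconds):
        arrivals = [("udp", "192.0.2.50")] * flood_pps   # constructed mDNS flood
        if t % hello_every == 0:
            for nbr in NEIGHBORS:                        # hello lands mid-flood
                arrivals.insert(flood_pps // 2, ("ospf", nbr))
        used = {"critical": 0, "normal": 0}
        for pkt in arrivals:
            cls = classify(pkt, critical_acl)
            used[cls] += 1
            if used[cls] <= BUDGET_PPS[cls] and pkt[0] == "ospf":
                delivered[pkt[1]] += 1
    return delivered


if __name__ == "__main__":
    for name, acl in (("narrow", NARROW_ACL), ("broad", BROAD_ACL)):
        print(name, "flood:", hellos_delivered(acl),
              "quiet:", hellos_delivered(acl, flood_pps=0))
```

A neighbor that delivers zero hellos across the 40-second window is one whose hold time would expire; with the narrow ACL that only happens while the flood is present, which is consistent with the normal category filling up only during floods.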

