High CPU util on 3825 [Cisco]

Prev: Problem with VPN on ASA 5505
Next: PIX 501: DHCP on outside interface will not renew

From: Trendkill on 26 Nov 2007 17:31

On Nov 26, 3:18 pm, Sanal Kisi <sanalk...(a)yahoo.com> wrote:
> Below is the result of "sh proc cpu" which I obtained. The current cpu
> util is not very high at the moment though.
>
> //////////////////////////////////////////////////////////////////////
> //////////////////////////////////////////////////////////////////////
>
> CPU utilization for five seconds: 72%/42%; one minute: 71%; five
> minutes: 71%
> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> 1 552 2888 191 0.00% 0.00% 0.00% 0 Chunk
> Manager
> 2 185616 508801 364 0.00% 0.01% 0.00% 0 Load
> Meter
> 3 0 1 0 0.00% 0.00% 0.00% 0 chkpt
> message ha
> 4 4 1 4000 0.00% 0.00% 0.00% 0
> EDDRI_MAIN
> 5 2788460 296095 9417 0.00% 0.07% 0.06% 0 Check
> heaps
> 6 1072 3916 273 0.00% 0.00% 0.00% 0 Pool
> Manager
> 7 0 2 0 0.00% 0.00% 0.00% 0 Timers
> 8 296 42399 6 0.00% 0.00% 0.00% 0 IPC
> Dynamic Cach
> 9 0 1 0 0.00% 0.00% 0.00% 0 IPC
> Zone Manager
> 10 19264 2538693 7 0.00% 0.00% 0.00% 0 IPC
> Periodic Tim
> 11 17552 2538711 6 0.00% 0.00% 0.00% 0 IPC
> Deferred Por
> 12 0 1 0 0.00% 0.00% 0.00% 0 IPC
> Seat Manager
> 13 0 1 0 0.00% 0.00% 0.00% 0 IPC
> BackPressure
> 14 0 1 0 0.00% 0.00% 0.00% 0 OIR
> Handler
> 15 0 1 0 0.00% 0.00% 0.00% 0 Crash
> writer
> 16 139900 508563 275 0.00% 0.00% 0.00% 0
> Environmental mo
> 17 62208 299269 207 0.00% 0.00% 0.00% 0 ARP
> Input
> 18 0 2 0 0.00% 0.00% 0.00% 0 ATM
> Idle Timer
> 19 4 72 55 0.00% 0.00% 0.00% 0 AAA
> high-capacit
> 20 0 1 0 0.00% 0.00% 0.00% 0
> AAA_SERVER_DEADT
> 21 0 1 0 0.00% 0.00% 0.00% 0 Policy
> Manager
> 22 0 2 0 0.00% 0.00% 0.00% 0 DDR
> Timers
> 23 0 2 0 0.00% 0.00% 0.00% 0 Entity
> MIB API
> 24 7222580 93432384 77 0.24% 0.23% 0.24% 0 EEM ED
> Syslog
> 25 22488 508585 44 0.00% 0.00% 0.00% 0 HC
> Counter Timer
> 26 0 2 0 0.00% 0.00% 0.00% 0 Serial
> Backgroun
> 27 0 1 0 0.00% 0.00% 0.00% 0 RO
> Notify Timers
> 28 0 2 0 0.00% 0.00% 0.00% 0 SMART
> 29 24852 2543996 9 0.00% 0.00% 0.00% 0 GraphIt
> 30 0 2 0 0.00% 0.00% 0.00% 0 Dialer
> event
> 31 0 1 0 0.00% 0.00% 0.00% 0 SERIAL
> A'detect
> 32 0 2 0 0.00% 0.00% 0.00% 0 XML
> Proxy Client
> 33 0 2 0 0.00% 0.00% 0.00% 0
> cpf_process_msg_
> 34 0 1 0 0.00% 0.00% 0.00% 0 Inode
> Table Dest
> 35 0 1 0 0.00% 0.00% 0.00% 0
> Critical Bkgnd
> 36 3693876 754571 4895 0.16% 0.13% 0.14% 0 Net
> Background
> 37 0 2 0 0.00% 0.00% 0.00% 0 IDB
> Work
> 38 9345480 27043789 345 0.32% 0.26% 0.25% 0 Logger
> 39 33124 2538673 13 0.00% 0.00% 0.00% 0 TTY
> Background
> 40 241316 2544091 94 0.00% 0.01% 0.00% 0
> Per-Second Jobs
> 41 0 1 0 0.00% 0.00% 0.00% 0 IKE HA
> Mgr
> 42 0 1 0 0.00% 0.00% 0.00% 0 IPSEC
> HA Mgr
> 43 4884 38 128526 0.00% 0.00% 0.00% 0 rf task
> 44 4140 85313 48 0.00% 0.00% 0.00% 0 Net Input
> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> 45 29456 508811 57 0.00% 0.00% 0.00% 0 Compute
> load avg
> 46 845372 43011 19654 0.00% 0.03% 0.00% 0
> Per-minute Jobs
> 47 0 1 0 0.00% 0.00% 0.00% 0 AggMgr
> Process
> 48 0 1 0 0.00% 0.00% 0.00% 0 Token
> Daemon
> 49 0 1 0 0.00% 0.00% 0.00% 0
> dev_device_inser
> 50 0 1 0 0.00% 0.00% 0.00% 0
> dev_device_remov
> 51 3860 423854 9 0.00% 0.00% 0.00% 0 mxt5100
> 52 0 1 0 0.00% 0.00% 0.00% 0
> sal_dpc_process
> 53 0 1 0 0.00% 0.00% 0.00% 0 ARL
> Table Manage
> 54 0 2 0 0.00% 0.00% 0.00% 0 ESWPPM
> 55 0 2 0 0.00% 0.00% 0.00% 0 Eswilp
> Storm Con
> 56 0 2 0 0.00% 0.00% 0.00% 0
> ESWILPPM
> 57 0 2 0 0.00% 0.00% 0.00% 0 Eswilp
> Storm Con
> 58 118640 10174788 11 0.00% 0.00% 0.00% 0
> Netclock Backgro
> 59 0 2 0 0.00% 0.00% 0.00% 0 SM
> Monitor
> 60 0 2 0 0.00% 0.00% 0.00% 0 VNM
> DSPRM MAIN
> 61 0 1 0 0.00% 0.00% 0.00% 0 DSPFARM
> DSP READ
> 62 0 2 0 0.00% 0.00% 0.00% 0 FLEX
> DNLD MAIN
> 63 0 1 0 0.00% 0.00% 0.00% 0 HDV
> background
> 64 12 192 62 0.00% 0.00% 0.00% 0 CRYPTO
> IKMP IPC
> 65 0 1 0 0.00% 0.00% 0.00% 0
> RF_INTERDEV_DELA
> 66 0 1 0 0.00% 0.00% 0.00% 0
> RF_INTERDEV_SCTP
> 67 13120 2538695 5 0.00% 0.00% 0.00% 0
> Ether-Switch RBC
> 68 0 1 0 0.00% 0.00% 0.00% 0 AAL2CPS
> TIMER_CU
> 69 0 1 0 0.00% 0.00% 0.00% 0 IGMP
> Snooping Pr
> 70 0 1 0 0.00% 0.00% 0.00% 0 IGMP
> Snooping Re
> 71 488 84796 5 0.00% 0.00% 0.00% 0 Call
> Management
> 72 0 1 0 0.00% 0.00% 0.00% 0 CES
> Line Conditi
> 73 0 1 0 0.00% 0.00% 0.00% 0
> RF_INTERDEV_SCTP
> 74 17916 257414 69 0.00% 0.00% 0.00% 0 ATM
> Periodic
> 75 0 1 0 0.00% 0.00% 0.00% 0 ATM ARP
> INPUT
> 76 21688 257960 84 0.00% 0.00% 0.00% 0 ATM OAM
> Input
> 77 18348 263630 69 0.00% 0.00% 0.00% 0 ATM OAM
> TIMER
> 78 0 2 0 0.00% 0.00% 0.00% 0 Dot11
> auth Dot1x
> 79 0 1 0 0.00% 0.00% 0.00% 0 Dot11
> Mac Auth
> 80 0 2 0 0.00% 0.00% 0.00% 0 dot1x
> 81 0 2 0 0.00% 0.00% 0.00% 0 DTP
> Protocol
> 82 13968 2538690 5 0.00% 0.00% 0.00% 0 PI MATM
> Aging Pr
> 83 1452 254347 5 0.00% 0.00% 0.00% 0
> EtherChnl
> 84 0 2 0 0.00% 0.00% 0.00% 0 AAA
> Dictionary R
> 85 8 134 59 0.00% 0.00% 0.00% 0 AAA
> Server
> 86 0 1 0 0.00% 0.00% 0.00% 0 AAA
> ACCT Proc
> 87 0 1 0 0.00% 0.00% 0.00% 0 ACCT
> Periodic Pr
> 88 29876 373334 80 0.00% 0.00% 0.00% 0 CDP
> Protocol
> 89 597460472 803703371 743 20.97% 19.69% 19.88% 0 IP
> Input
> 90 0 1 0 0.00% 0.00% 0.00% 0 ICMP
> event handl
> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> 91 0 74 0 0.00% 0.00% 0.00% 0
> TurboACL
> 92 0 2 0 0.00% 0.00% 0.00% 0
> TurboACL chunk
> 93 156 4237 36 0.00% 0.00% 0.00% 0 MOP
> Protocols
> 94 0 3 0 0.00% 0.00% 0.00% 0 PPP
> Hooks
> 95 212 81 2617 0.00% 0.13% 0.03% 322 SSH
> Process
> 96 0 1 0 0.00% 0.00% 0.00% 0 SSS
> Manager
> 97 2436 339153 7 0.00% 0.00% 0.00% 0 SSS
> Test Client
> 98 0 1 0 0.00% 0.00% 0.00% 0 SSS
> Feature Mana
> 99 123212 9936585 12 0.00% 0.00% 0.00% 0 SSS
> Feature Time
> 100 0 1 0 0.00% 0.00% 0.00% 0 VPDN
> call manage
> 101 0 1 0 0.00% 0.00% 0.00% 0 L2X
> Socket proce
> 102 0 1 0 0.00% 0.00% 0.00% 0 L2X SSS
> manager
> 103 0 2 0 0.00% 0.00% 0.00% 0 L2TP
> mgmt daemon
> 104 0 1 0 0.00% 0.00% 0.00% 0 X.25
> Encaps Mana
> 105 0 2 0 0.00% 0.00% 0.00% 0 EAPoUDP
> Process
> 106 0 2 0 0.00% 0.00% 0.00% 0 IP Host
> Track Pr
> 107 0 1 0 0.00% 0.00% 0.00% 0 IPv6
> RIB Redistr
> 108 0 2 0 0.00% 0.00% 0.00% 0 KRB5
> AAA
> 109 0 1 0 0.00% 0.00% 0.00% 0 IP
> Traceroute
> 110 15024 84724 177 0.00% 0.00% 0.00% 0 IP
> Background
> 111 1612 42461 37 0.00% 0.00% 0.00% 0 IP RIB
> Update
> 112 0 2 0 0.00% 0.00% 0.00% 0 PPP IP
> Route
> 113 0 2 0 0.00% 0.00% 0.00% 0 PPP
> IPCP
> 114 139424 3924036 35 0.00% 0.00% 0.00% 0 CEF
> process
> 115 23712 2535102 9 0.00% 0.00% 0.00% 0 Socket
> Timers
> 116 236 6474 36 0.00% 0.00% 0.00% 0 TCP
> Timer
> 117 56 55 1018 0.00% 0.00% 0.00% 0 TCP
> Protocols
> 118 0 1 0 0.00% 0.00% 0.00% 0 COPS
> 119 4
> ...
>
> read more >>

Do it when its high, and focus on the heavy hitters. If its NAT and
other processor intensive processes, plus the full bgp routing table
(although I only see a default route so this may be a moot point),
then you may have just exhausted the processor on this smaller
router. A 3800 should handle the internet portion with no problem,
but never used them for NAT, etc. The show proc cpu should help
determine the issue. If this is the case, I would look for any
potential config issues (which guys/gals on here should be able to
help point out), and if there are none, then you may just need more
horsepower. Hope this helps.

From: Thrill5 on 26 Nov 2007 20:27

Your problem in a nutshell is that you are running IOS Firewall, NAT and a
high speed ATM interface on a low-end router. If your interface wasn't ATM,
you would probably be OK, but ATM in this case is killing the router. The
problem is that ATM uses cells and the IP packets need to reassembled into
packets before they can be inspected and NAT performed. If this were a
packet interface, most of this processing would happen in hardware and you
be much better off. You didn't supply a "show ver" or a "show interface"
but from the "show proc" you see that "IP Input" 20% and "Inspect" 6% are
pretty high. If you add up all the numbers you only get to about 27% so the
rest of the CPU is being eaten up by hardware interrupt processing. Because
the input interface is ATM, NAT and the packet inspection are being
performed in software. Another good command is "show ip interface" which
would show how many packets are being CEF switched, which in this case I
would bet is pretty low. I would think that an ATM AIM card would help you
out quite a bit here, since this module will offload the ATM processing.

"Trendkill" <jpmason(a)gmail.com> wrote in message
news:63925ee2-8495-4e4a-b7ec-f6f5921d856d(a)j20g2000hsi.googlegroups.com...
> On Nov 26, 3:18 pm, Sanal Kisi <sanalk...(a)yahoo.com> wrote:
>> Below is the result of "sh proc cpu" which I obtained. The current cpu
>> util is not very high at the moment though.
>>
>> //////////////////////////////////////////////////////////////////////
>> //////////////////////////////////////////////////////////////////////
>>
>> CPU utilization for five seconds: 72%/42%; one minute: 71%; five
>> minutes: 71%
>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
>> 1 552 2888 191 0.00% 0.00% 0.00% 0 Chunk
>> Manager
>> 2 185616 508801 364 0.00% 0.01% 0.00% 0 Load
>> Meter
>> 3 0 1 0 0.00% 0.00% 0.00% 0 chkpt
>> message ha
>> 4 4 1 4000 0.00% 0.00% 0.00% 0
>> EDDRI_MAIN
>> 5 2788460 296095 9417 0.00% 0.07% 0.06% 0 Check
>> heaps
>> 6 1072 3916 273 0.00% 0.00% 0.00% 0 Pool
>> Manager
>> 7 0 2 0 0.00% 0.00% 0.00% 0 Timers
>> 8 296 42399 6 0.00% 0.00% 0.00% 0 IPC
>> Dynamic Cach
>> 9 0 1 0 0.00% 0.00% 0.00% 0 IPC
>> Zone Manager
>> 10 19264 2538693 7 0.00% 0.00% 0.00% 0 IPC
>> Periodic Tim
>> 11 17552 2538711 6 0.00% 0.00% 0.00% 0 IPC
>> Deferred Por
>> 12 0 1 0 0.00% 0.00% 0.00% 0 IPC
>> Seat Manager
>> 13 0 1 0 0.00% 0.00% 0.00% 0 IPC
>> BackPressure
>> 14 0 1 0 0.00% 0.00% 0.00% 0 OIR
>> Handler
>> 15 0 1 0 0.00% 0.00% 0.00% 0 Crash
>> writer
>> 16 139900 508563 275 0.00% 0.00% 0.00% 0
>> Environmental mo
>> 17 62208 299269 207 0.00% 0.00% 0.00% 0 ARP
>> Input
>> 18 0 2 0 0.00% 0.00% 0.00% 0 ATM
>> Idle Timer
>> 19 4 72 55 0.00% 0.00% 0.00% 0 AAA
>> high-capacit
>> 20 0 1 0 0.00% 0.00% 0.00% 0
>> AAA_SERVER_DEADT
>> 21 0 1 0 0.00% 0.00% 0.00% 0 Policy
>> Manager
>> 22 0 2 0 0.00% 0.00% 0.00% 0 DDR
>> Timers
>> 23 0 2 0 0.00% 0.00% 0.00% 0 Entity
>> MIB API
>> 24 7222580 93432384 77 0.24% 0.23% 0.24% 0 EEM ED
>> Syslog
>> 25 22488 508585 44 0.00% 0.00% 0.00% 0 HC
>> Counter Timer
>> 26 0 2 0 0.00% 0.00% 0.00% 0 Serial
>> Backgroun
>> 27 0 1 0 0.00% 0.00% 0.00% 0 RO
>> Notify Timers
>> 28 0 2 0 0.00% 0.00% 0.00% 0 SMART
>> 29 24852 2543996 9 0.00% 0.00% 0.00% 0 GraphIt
>> 30 0 2 0 0.00% 0.00% 0.00% 0 Dialer
>> event
>> 31 0 1 0 0.00% 0.00% 0.00% 0 SERIAL
>> A'detect
>> 32 0 2 0 0.00% 0.00% 0.00% 0 XML
>> Proxy Client
>> 33 0 2 0 0.00% 0.00% 0.00% 0
>> cpf_process_msg_
>> 34 0 1 0 0.00% 0.00% 0.00% 0 Inode
>> Table Dest
>> 35 0 1 0 0.00% 0.00% 0.00% 0
>> Critical Bkgnd
>> 36 3693876 754571 4895 0.16% 0.13% 0.14% 0 Net
>> Background
>> 37 0 2 0 0.00% 0.00% 0.00% 0 IDB
>> Work
>> 38 9345480 27043789 345 0.32% 0.26% 0.25% 0 Logger
>> 39 33124 2538673 13 0.00% 0.00% 0.00% 0 TTY
>> Background
>> 40 241316 2544091 94 0.00% 0.01% 0.00% 0
>> Per-Second Jobs
>> 41 0 1 0 0.00% 0.00% 0.00% 0 IKE HA
>> Mgr
>> 42 0 1 0 0.00% 0.00% 0.00% 0 IPSEC
>> HA Mgr
>> 43 4884 38 128526 0.00% 0.00% 0.00% 0 rf task
>> 44 4140 85313 48 0.00% 0.00% 0.00% 0 Net Input
>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
>> 45 29456 508811 57 0.00% 0.00% 0.00% 0 Compute
>> load avg
>> 46 845372 43011 19654 0.00% 0.03% 0.00% 0
>> Per-minute Jobs
>> 47 0 1 0 0.00% 0.00% 0.00% 0 AggMgr
>> Process
>> 48 0 1 0 0.00% 0.00% 0.00% 0 Token
>> Daemon
>> 49 0 1 0 0.00% 0.00% 0.00% 0
>> dev_device_inser
>> 50 0 1 0 0.00% 0.00% 0.00% 0
>> dev_device_remov
>> 51 3860 423854 9 0.00% 0.00% 0.00% 0 mxt5100
>> 52 0 1 0 0.00% 0.00% 0.00% 0
>> sal_dpc_process
>> 53 0 1 0 0.00% 0.00% 0.00% 0 ARL
>> Table Manage
>> 54 0 2 0 0.00% 0.00% 0.00% 0 ESWPPM
>> 55 0 2 0 0.00% 0.00% 0.00% 0 Eswilp
>> Storm Con
>> 56 0 2 0 0.00% 0.00% 0.00% 0
>> ESWILPPM
>> 57 0 2 0 0.00% 0.00% 0.00% 0 Eswilp
>> Storm Con
>> 58 118640 10174788 11 0.00% 0.00% 0.00% 0
>> Netclock Backgro
>> 59 0 2 0 0.00% 0.00% 0.00% 0 SM
>> Monitor
>> 60 0 2 0 0.00% 0.00% 0.00% 0 VNM
>> DSPRM MAIN
>> 61 0 1 0 0.00% 0.00% 0.00% 0 DSPFARM
>> DSP READ
>> 62 0 2 0 0.00% 0.00% 0.00% 0 FLEX
>> DNLD MAIN
>> 63 0 1 0 0.00% 0.00% 0.00% 0 HDV
>> background
>> 64 12 192 62 0.00% 0.00% 0.00% 0 CRYPTO
>> IKMP IPC
>> 65 0 1 0 0.00% 0.00% 0.00% 0
>> RF_INTERDEV_DELA
>> 66 0 1 0 0.00% 0.00% 0.00% 0
>> RF_INTERDEV_SCTP
>> 67 13120 2538695 5 0.00% 0.00% 0.00% 0
>> Ether-Switch RBC
>> 68 0 1 0 0.00% 0.00% 0.00% 0 AAL2CPS
>> TIMER_CU
>> 69 0 1 0 0.00% 0.00% 0.00% 0 IGMP
>> Snooping Pr
>> 70 0 1 0 0.00% 0.00% 0.00% 0 IGMP
>> Snooping Re
>> 71 488 84796 5 0.00% 0.00% 0.00% 0 Call
>> Management
>> 72 0 1 0 0.00% 0.00% 0.00% 0 CES
>> Line Conditi
>> 73 0 1 0 0.00% 0.00% 0.00% 0
>> RF_INTERDEV_SCTP
>> 74 17916 257414 69 0.00% 0.00% 0.00% 0 ATM
>> Periodic
>> 75 0 1 0 0.00% 0.00% 0.00% 0 ATM ARP
>> INPUT
>> 76 21688 257960 84 0.00% 0.00% 0.00% 0 ATM OAM
>> Input
>> 77 18348 263630 69 0.00% 0.00% 0.00% 0 ATM OAM
>> TIMER
>> 78 0 2 0 0.00% 0.00% 0.00% 0 Dot11
>> auth Dot1x
>> 79 0 1 0 0.00% 0.00% 0.00% 0 Dot11
>> Mac Auth
>> 80 0 2 0 0.00% 0.00% 0.00% 0 dot1x
>> 81 0 2 0 0.00% 0.00% 0.00% 0 DTP
>> Protocol
>> 82 13968 2538690 5 0.00% 0.00% 0.00% 0 PI MATM
>> Aging Pr
>> 83 1452 254347 5 0.00% 0.00% 0.00% 0
>> EtherChnl
>> 84 0 2 0 0.00% 0.00% 0.00% 0 AAA
>> Dictionary R
>> 85 8 134 59 0.00% 0.00% 0.00% 0 AAA
>> Server
>> 86 0 1 0 0.00% 0.00% 0.00% 0 AAA
>> ACCT Proc
>> 87 0 1 0 0.00% 0.00% 0.00% 0 ACCT
>> Periodic Pr
>> 88 29876 373334 80 0.00% 0.00% 0.00% 0 CDP
>> Protocol
>> 89 597460472 803703371 743 20.97% 19.69% 19.88% 0 IP
>> Input
>> 90 0 1 0 0.00% 0.00% 0.00% 0 ICMP
>> event handl
>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
>> 91 0 74 0 0.00% 0.00% 0.00% 0
>> TurboACL
>> 92 0 2 0 0.00% 0.00% 0.00% 0
>> TurboACL chunk
>> 93 156 4237 36 0.00% 0.00% 0.00% 0 MOP
>> Protocols
>> 94 0 3 0 0.00% 0.00% 0.00% 0 PPP
>> Hooks
>> 95 212 81 2617 0.00% 0.13% 0.03% 322 SSH
>> Process
>> 96 0 1 0 0.00% 0.00% 0.00% 0 SSS
>> Manager
>> 97 2436 339153 7 0.00% 0.00% 0.00% 0 SSS
>> Test Client
>> 98 0 1 0 0.00% 0.00% 0.00% 0 SSS
>> Feature Mana
>> 99 123212 9936585 12 0.00% 0.00% 0.00% 0 SSS
>> Feature Time
>> 100 0 1 0 0.00% 0.00% 0.00% 0 VPDN
>> call manage
>> 101 0 1 0 0.00% 0.00% 0.00% 0 L2X
>> Socket proce
>> 102 0 1 0 0.00% 0.00% 0.00% 0 L2X SSS
>> manager
>> 103 0 2 0 0.00% 0.00% 0.00% 0 L2TP
>> mgmt daemon
>> 104 0 1 0 0.00% 0.00% 0.00% 0 X.25
>> Encaps Mana
>> 105 0 2 0 0.00% 0.00% 0.00% 0 EAPoUDP
>> Process
>> 106 0 2 0 0.00% 0.00% 0.00% 0 IP Host
>> Track Pr
>> 107 0 1 0 0.00% 0.00% 0.00% 0 IPv6
>> RIB Redistr
>> 108 0 2 0 0.00% 0.00% 0.00% 0 KRB5
>> AAA
>> 109 0 1 0 0.00% 0.00% 0.00% 0 IP
>> Traceroute
>> 110 15024 84724 177 0.00% 0.00% 0.00% 0 IP
>> Background
>> 111 1612 42461 37 0.00% 0.00% 0.00% 0 IP RIB
>> Update
>> 112 0 2 0 0.00% 0.00% 0.00% 0 PPP IP
>> Route
>> 113 0 2 0 0.00% 0.00% 0.00% 0 PPP
>> IPCP
>> 114 139424 3924036 35 0.00% 0.00% 0.00% 0 CEF
>> process
>> 115 23712 2535102 9 0.00% 0.00% 0.00% 0 Socket
>> Timers
>> 116 236 6474 36 0.00% 0.00% 0.00% 0 TCP
>> Timer
>> 117 56 55 1018 0.00% 0.00% 0.00% 0 TCP
>> Protocols
>> 118 0 1 0 0.00% 0.00% 0.00% 0 COPS
>> 119 4
>> ...
>>
>> read more >>
>
> Do it when its high, and focus on the heavy hitters. If its NAT and
> other processor intensive processes, plus the full bgp routing table
> (although I only see a default route so this may be a moot point),
> then you may have just exhausted the processor on this smaller
> router. A 3800 should handle the internet portion with no problem,
> but never used them for NAT, etc. The show proc cpu should help
> determine the issue. If this is the case, I would look for any
> potential config issues (which guys/gals on here should be able to
> help point out), and if there are none, then you may just need more
> horsepower. Hope this helps.

From: Sanal Kisi on 27 Nov 2007 16:29

How about moving the ACL, NAT, firewall operations out of the 3825 to
a new appliance ?

If this is a better solution then ;
- which box would you suggest ?
- would it be worth investing on a more clever appliance that would
also help on IPS, antivirus, URL-filtering etc ?
- if yes, then which box would you suggest ?

Regards.

On Mon, 26 Nov 2007 20:27:03 -0500, "Thrill5" <nospam(a)somewhere.com>
wrote:

>Your problem in a nutshell is that you are running IOS Firewall, NAT and a
>high speed ATM interface on a low-end router. If your interface wasn't ATM,
>you would probably be OK, but ATM in this case is killing the router. The
>problem is that ATM uses cells and the IP packets need to reassembled into
>packets before they can be inspected and NAT performed. If this were a
>packet interface, most of this processing would happen in hardware and you
>be much better off. You didn't supply a "show ver" or a "show interface"
>but from the "show proc" you see that "IP Input" 20% and "Inspect" 6% are
>pretty high. If you add up all the numbers you only get to about 27% so the
>rest of the CPU is being eaten up by hardware interrupt processing. Because
>the input interface is ATM, NAT and the packet inspection are being
>performed in software. Another good command is "show ip interface" which
>would show how many packets are being CEF switched, which in this case I
>would bet is pretty low. I would think that an ATM AIM card would help you
>out quite a bit here, since this module will offload the ATM processing.
>
>
>"Trendkill" <jpmason(a)gmail.com> wrote in message
>news:63925ee2-8495-4e4a-b7ec-f6f5921d856d(a)j20g2000hsi.googlegroups.com...
>> On Nov 26, 3:18 pm, Sanal Kisi <sanalk...(a)yahoo.com> wrote:
>>> Below is the result of "sh proc cpu" which I obtained. The current cpu
>>> util is not very high at the moment though.
>>>
>>> //////////////////////////////////////////////////////////////////////
>>> //////////////////////////////////////////////////////////////////////
>>>
>>> CPU utilization for five seconds: 72%/42%; one minute: 71%; five
>>> minutes: 71%
>>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
>>> 1 552 2888 191 0.00% 0.00% 0.00% 0 Chunk
>>> Manager
>>> 2 185616 508801 364 0.00% 0.01% 0.00% 0 Load
>>> Meter
>>> 3 0 1 0 0.00% 0.00% 0.00% 0 chkpt
>>> message ha
>>> 4 4 1 4000 0.00% 0.00% 0.00% 0
>>> EDDRI_MAIN
>>> 5 2788460 296095 9417 0.00% 0.07% 0.06% 0 Check
>>> heaps
>>> 6 1072 3916 273 0.00% 0.00% 0.00% 0 Pool
>>> Manager
>>> 7 0 2 0 0.00% 0.00% 0.00% 0 Timers
>>> 8 296 42399 6 0.00% 0.00% 0.00% 0 IPC
>>> Dynamic Cach
>>> 9 0 1 0 0.00% 0.00% 0.00% 0 IPC
>>> Zone Manager
>>> 10 19264 2538693 7 0.00% 0.00% 0.00% 0 IPC
>>> Periodic Tim
>>> 11 17552 2538711 6 0.00% 0.00% 0.00% 0 IPC
>>> Deferred Por
>>> 12 0 1 0 0.00% 0.00% 0.00% 0 IPC
>>> Seat Manager
>>> 13 0 1 0 0.00% 0.00% 0.00% 0 IPC
>>> BackPressure
>>> 14 0 1 0 0.00% 0.00% 0.00% 0 OIR
>>> Handler
>>> 15 0 1 0 0.00% 0.00% 0.00% 0 Crash
>>> writer
>>> 16 139900 508563 275 0.00% 0.00% 0.00% 0
>>> Environmental mo
>>> 17 62208 299269 207 0.00% 0.00% 0.00% 0 ARP
>>> Input
>>> 18 0 2 0 0.00% 0.00% 0.00% 0 ATM
>>> Idle Timer
>>> 19 4 72 55 0.00% 0.00% 0.00% 0 AAA
>>> high-capacit
>>> 20 0 1 0 0.00% 0.00% 0.00% 0
>>> AAA_SERVER_DEADT
>>> 21 0 1 0 0.00% 0.00% 0.00% 0 Policy
>>> Manager
>>> 22 0 2 0 0.00% 0.00% 0.00% 0 DDR
>>> Timers
>>> 23 0 2 0 0.00% 0.00% 0.00% 0 Entity
>>> MIB API
>>> 24 7222580 93432384 77 0.24% 0.23% 0.24% 0 EEM ED
>>> Syslog
>>> 25 22488 508585 44 0.00% 0.00% 0.00% 0 HC
>>> Counter Timer
>>> 26 0 2 0 0.00% 0.00% 0.00% 0 Serial
>>> Backgroun
>>> 27 0 1 0 0.00% 0.00% 0.00% 0 RO
>>> Notify Timers
>>> 28 0 2 0 0.00% 0.00% 0.00% 0 SMART
>>> 29 24852 2543996 9 0.00% 0.00% 0.00% 0 GraphIt
>>> 30 0 2 0 0.00% 0.00% 0.00% 0 Dialer
>>> event
>>> 31 0 1 0 0.00% 0.00% 0.00% 0 SERIAL
>>> A'detect
>>> 32 0 2 0 0.00% 0.00% 0.00% 0 XML
>>> Proxy Client
>>> 33 0 2 0 0.00% 0.00% 0.00% 0
>>> cpf_process_msg_
>>> 34 0 1 0 0.00% 0.00% 0.00% 0 Inode
>>> Table Dest
>>> 35 0 1 0 0.00% 0.00% 0.00% 0
>>> Critical Bkgnd
>>> 36 3693876 754571 4895 0.16% 0.13% 0.14% 0 Net
>>> Background
>>> 37 0 2 0 0.00% 0.00% 0.00% 0 IDB
>>> Work
>>> 38 9345480 27043789 345 0.32% 0.26% 0.25% 0 Logger
>>> 39 33124 2538673 13 0.00% 0.00% 0.00% 0 TTY
>>> Background
>>> 40 241316 2544091 94 0.00% 0.01% 0.00% 0
>>> Per-Second Jobs
>>> 41 0 1 0 0.00% 0.00% 0.00% 0 IKE HA
>>> Mgr
>>> 42 0 1 0 0.00% 0.00% 0.00% 0 IPSEC
>>> HA Mgr
>>> 43 4884 38 128526 0.00% 0.00% 0.00% 0 rf task
>>> 44 4140 85313 48 0.00% 0.00% 0.00% 0 Net Input
>>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
>>> 45 29456 508811 57 0.00% 0.00% 0.00% 0 Compute
>>> load avg
>>> 46 845372 43011 19654 0.00% 0.03% 0.00% 0
>>> Per-minute Jobs
>>> 47 0 1 0 0.00% 0.00% 0.00% 0 AggMgr
>>> Process
>>> 48 0 1 0 0.00% 0.00% 0.00% 0 Token
>>> Daemon
>>> 49 0 1 0 0.00% 0.00% 0.00% 0
>>> dev_device_inser
>>> 50 0 1 0 0.00% 0.00% 0.00% 0
>>> dev_device_remov
>>> 51 3860 423854 9 0.00% 0.00% 0.00% 0 mxt5100
>>> 52 0 1 0 0.00% 0.00% 0.00% 0
>>> sal_dpc_process
>>> 53 0 1 0 0.00% 0.00% 0.00% 0 ARL
>>> Table Manage
>>> 54 0 2 0 0.00% 0.00% 0.00% 0 ESWPPM
>>> 55 0 2 0 0.00% 0.00% 0.00% 0 Eswilp
>>> Storm Con
>>> 56 0 2 0 0.00% 0.00% 0.00% 0
>>> ESWILPPM
>>> 57 0 2 0 0.00% 0.00% 0.00% 0 Eswilp
>>> Storm Con
>>> 58 118640 10174788 11 0.00% 0.00% 0.00% 0
>>> Netclock Backgro
>>> 59 0 2 0 0.00% 0.00% 0.00% 0 SM
>>> Monitor
>>> 60 0 2 0 0.00% 0.00% 0.00% 0 VNM
>>> DSPRM MAIN
>>> 61 0 1 0 0.00% 0.00% 0.00% 0 DSPFARM
>>> DSP READ
>>> 62 0 2 0 0.00% 0.00% 0.00% 0 FLEX
>>> DNLD MAIN
>>> 63 0 1 0 0.00% 0.00% 0.00% 0 HDV
>>> background
>>> 64 12 192 62 0.00% 0.00% 0.00% 0 CRYPTO
>>> IKMP IPC
>>> 65 0 1 0 0.00% 0.00% 0.00% 0
>>> RF_INTERDEV_DELA
>>> 66 0 1 0 0.00% 0.00% 0.00% 0
>>> RF_INTERDEV_SCTP
>>> 67 13120 2538695 5 0.00% 0.00% 0.00% 0
>>> Ether-Switch RBC
>>> 68 0 1 0 0.00% 0.00% 0.00% 0 AAL2CPS
>>> TIMER_CU
>>> 69 0 1 0 0.00% 0.00% 0.00% 0 IGMP
>>> Snooping Pr
>>> 70 0 1 0 0.00% 0.00% 0.00% 0 IGMP
>>> Snooping Re
>>> 71 488 84796 5 0.00% 0.00% 0.00% 0 Call
>>> Management
>>> 72 0 1 0 0.00% 0.00% 0.00% 0 CES
>>> Line Conditi
>>> 73 0 1 0 0.00% 0.00% 0.00% 0
>>> RF_INTERDEV_SCTP
>>> 74 17916 257414 69 0.00% 0.00% 0.00% 0 ATM
>>> Periodic
>>> 75 0 1 0 0.00% 0.00% 0.00% 0 ATM ARP
>>> INPUT
>>> 76 21688 257960 84 0.00% 0.00% 0.00% 0 ATM OAM
>>> Input
>>> 77 18348 263630 69 0.00% 0.00% 0.00% 0 ATM OAM
>>> TIMER
>>> 78 0 2 0 0.00% 0.00% 0.00% 0 Dot11
>>> auth Dot1x
>>> 79 0 1 0 0.00% 0.00% 0.00% 0 Dot11
>>> Mac Auth
>>> 80 0 2 0 0.00% 0.00% 0.00% 0 dot1x
>>> 81 0 2 0 0.00% 0.00% 0.00% 0 DTP
>>> Protocol
>>> 82 13968 2538690 5 0.00% 0.00% 0.00% 0 PI MATM
>>> Aging Pr
>>> 83 1452 254347 5 0.00% 0.00% 0.00% 0
>>> EtherChnl
>>> 84 0 2 0 0.00% 0.00% 0.00% 0 AAA
>>> Dictionary R
>>> 85 8 134 59 0.00% 0.00% 0.00% 0 AAA
>>> Server
>>> 86 0 1 0 0.00% 0.00% 0.00% 0 AAA
>>> ACCT Proc
>>> 87 0 1 0 0.00% 0.00% 0.00% 0 ACCT
>>> Periodic Pr
>>> 88 29876 373334 80 0.00% 0.00% 0.00% 0 CDP
>>> Protocol
>>> 89 597460472 803703371 743 20.97% 19.69% 19.88% 0 IP
>>> Input
>>> 90 0 1 0 0.00% 0.00% 0.00% 0 ICMP
>>> event handl
>>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
>>> 91 0 74 0 0.00% 0.00% 0.00% 0
>>> TurboACL
>>> 92 0 2 0 0.00% 0.00% 0.00% 0
>>> TurboACL chunk
>>> 93 156 4237 36 0.00% 0.00% 0.00% 0 MOP
>>> Protocols
>>> 94 0 3 0 0.00% 0.00% 0.00% 0 PPP
>>> Hooks
>>> 95 212 81 2617 0.00% 0.13% 0.03% 322 SSH
>>> Process
>>> 96 0 1 0 0.00% 0.00% 0.00% 0 SSS
>>> Manager
>>> 97 2436 339153 7 0.00% 0.00% 0.00% 0 SSS
>>> Test Client
>>> 98 0 1 0 0.00% 0.00% 0.00% 0 SSS
>>> Feature Mana
>>> 99 123212 9936585 12 0.00% 0.00% 0.00% 0 SSS
>>> Feature Time
>>> 100 0 1 0 0.00% 0.00% 0.00% 0 VPDN
>>> call manage
>>> 101 0 1 0 0.00% 0.00% 0.00% 0 L2X
>>> Socket proce
>>> 102 0 1 0 0.00% 0.00% 0.00% 0 L2X SSS
>>> manager
>>> 103 0 2 0 0.00% 0.00% 0.00% 0 L2TP
>>> mgmt daemon
>>> 104 0 1 0 0.00% 0.00% 0.00% 0 X.25
>>> Encaps Mana
>>> 105 0 2 0 0.00% 0.00% 0.00% 0 EAPoUDP
>>> Process
>>> 106 0 2 0 0.00% 0.00% 0.00% 0 IP Host
>>> Track Pr
>>> 107 0 1 0 0.00% 0.00% 0.00% 0 IPv6
>>> RIB Redistr
>>> 108 0 2 0 0.00% 0.00% 0.00% 0 KRB5
>>> AAA
>>> 109 0 1 0 0.00% 0.00% 0.00% 0 IP
>>> Traceroute
>>> 110 15024 84724 177 0.00% 0.00% 0.00% 0 IP
>>> Background
>>> 111 1612 42461 37 0.00% 0.00% 0.00% 0 IP RIB
>>> Update
>>> 112 0 2 0 0.00% 0.00% 0.00% 0 PPP IP
>>> Route
>>> 113 0 2 0 0.00% 0.00% 0.00% 0 PPP
>>> IPCP
>>> 114 139424 3924036 35 0.00% 0.00% 0.00% 0 CEF
>>> process
>>> 115 23712 2535102 9 0.00% 0.00% 0.00% 0 Socket
>>> Timers
>>> 116 236 6474 36 0.00% 0.00% 0.00% 0 TCP
>>> Timer
>>> 117 56 55 1018 0.00% 0.00% 0.00% 0 TCP
>>> Protocols
>>> 118 0 1 0 0.00% 0.00% 0.00% 0 COPS
>>> 119 4
>>> ...
>>>
>>> read more >>
>>
>> Do it when its high, and focus on the heavy hitters. If its NAT and
>> other processor intensive processes, plus the full bgp routing table
>> (although I only see a default route so this may be a moot point),
>> then you may have just exhausted the processor on this smaller
>> router. A 3800 should handle the internet portion with no problem,
>> but never used them for NAT, etc. The show proc cpu should help
>> determine the issue. If this is the case, I would look for any
>> potential config issues (which guys/gals on here should be able to
>> help point out), and if there are none, then you may just need more
>> horsepower. Hope this helps.
>

From: Thrill5 on 27 Nov 2007 19:18

Yes, it makes better sense to move these functions to a firewall. The
firewall in IOS is not as robust, or flexible as a firewall device. If your
perfectly happy with firewall functionality in IOS, then the AIM-ATM should
fix the CPU issues you have, because the cell assembly/disassembly is done
in hardware on the AIM. Another approach is to use a 7200VXR series, or a
7300 series router and on those devices the ATM interfaces also do cell
assembly/disassembly in hardware.

"Sanal Kisi" <sanalkisi(a)yahoo.com> wrote in message
news:vo2pk3lbuldltjslr6jvd2ji6dk6fngd6l(a)4ax.com...
> How about moving the ACL, NAT, firewall operations out of the 3825 to
> a new appliance ?
>
> If this is a better solution then ;
> - which box would you suggest ?
> - would it be worth investing on a more clever appliance that would
> also help on IPS, antivirus, URL-filtering etc ?
> - if yes, then which box would you suggest ?
>
> Regards.
>
>
>
>
> On Mon, 26 Nov 2007 20:27:03 -0500, "Thrill5" <nospam(a)somewhere.com>
> wrote:
>
>>Your problem in a nutshell is that you are running IOS Firewall, NAT and a
>>high speed ATM interface on a low-end router. If your interface wasn't
>>ATM,
>>you would probably be OK, but ATM in this case is killing the router. The
>>problem is that ATM uses cells and the IP packets need to reassembled into
>>packets before they can be inspected and NAT performed. If this were a
>>packet interface, most of this processing would happen in hardware and you
>>be much better off. You didn't supply a "show ver" or a "show interface"
>>but from the "show proc" you see that "IP Input" 20% and "Inspect" 6% are
>>pretty high. If you add up all the numbers you only get to about 27% so
>>the
>>rest of the CPU is being eaten up by hardware interrupt processing.
>>Because
>>the input interface is ATM, NAT and the packet inspection are being
>>performed in software. Another good command is "show ip interface" which
>>would show how many packets are being CEF switched, which in this case I
>>would bet is pretty low. I would think that an ATM AIM card would help
>>you
>>out quite a bit here, since this module will offload the ATM processing.
>>
>>
>>"Trendkill" <jpmason(a)gmail.com> wrote in message
>>news:63925ee2-8495-4e4a-b7ec-f6f5921d856d(a)j20g2000hsi.googlegroups.com...
>>> On Nov 26, 3:18 pm, Sanal Kisi <sanalk...(a)yahoo.com> wrote:
>>>> Below is the result of "sh proc cpu" which I obtained. The current cpu
>>>> util is not very high at the moment though.
>>>>
>>>> //////////////////////////////////////////////////////////////////////
>>>> //////////////////////////////////////////////////////////////////////
>>>>
>>>> CPU utilization for five seconds: 72%/42%; one minute: 71%; five
>>>> minutes: 71%
>>>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
>>>> 1 552 2888 191 0.00% 0.00% 0.00% 0 Chunk
>>>> Manager
>>>> 2 185616 508801 364 0.00% 0.01% 0.00% 0 Load
>>>> Meter
>>>> 3 0 1 0 0.00% 0.00% 0.00% 0 chkpt
>>>> message ha
>>>> 4 4 1 4000 0.00% 0.00% 0.00% 0
>>>> EDDRI_MAIN
>>>> 5 2788460 296095 9417 0.00% 0.07% 0.06% 0 Check
>>>> heaps
>>>> 6 1072 3916 273 0.00% 0.00% 0.00% 0 Pool
>>>> Manager
>>>> 7 0 2 0 0.00% 0.00% 0.00% 0 Timers
>>>> 8 296 42399 6 0.00% 0.00% 0.00% 0 IPC
>>>> Dynamic Cach
>>>> 9 0 1 0 0.00% 0.00% 0.00% 0 IPC
>>>> Zone Manager
>>>> 10 19264 2538693 7 0.00% 0.00% 0.00% 0 IPC
>>>> Periodic Tim
>>>> 11 17552 2538711 6 0.00% 0.00% 0.00% 0 IPC
>>>> Deferred Por
>>>> 12 0 1 0 0.00% 0.00% 0.00% 0 IPC
>>>> Seat Manager
>>>> 13 0 1 0 0.00% 0.00% 0.00% 0 IPC
>>>> BackPressure
>>>> 14 0 1 0 0.00% 0.00% 0.00% 0 OIR
>>>> Handler
>>>> 15 0 1 0 0.00% 0.00% 0.00% 0 Crash
>>>> writer
>>>> 16 139900 508563 275 0.00% 0.00% 0.00% 0
>>>> Environmental mo
>>>> 17 62208 299269 207 0.00% 0.00% 0.00% 0 ARP
>>>> Input
>>>> 18 0 2 0 0.00% 0.00% 0.00% 0 ATM
>>>> Idle Timer
>>>> 19 4 72 55 0.00% 0.00% 0.00% 0 AAA
>>>> high-capacit
>>>> 20 0 1 0 0.00% 0.00% 0.00% 0
>>>> AAA_SERVER_DEADT
>>>> 21 0 1 0 0.00% 0.00% 0.00% 0 Policy
>>>> Manager
>>>> 22 0 2 0 0.00% 0.00% 0.00% 0 DDR
>>>> Timers
>>>> 23 0 2 0 0.00% 0.00% 0.00% 0 Entity
>>>> MIB API
>>>> 24 7222580 93432384 77 0.24% 0.23% 0.24% 0 EEM ED
>>>> Syslog
>>>> 25 22488 508585 44 0.00% 0.00% 0.00% 0 HC
>>>> Counter Timer
>>>> 26 0 2 0 0.00% 0.00% 0.00% 0 Serial
>>>> Backgroun
>>>> 27 0 1 0 0.00% 0.00% 0.00% 0 RO
>>>> Notify Timers
>>>> 28 0 2 0 0.00% 0.00% 0.00% 0 SMART
>>>> 29 24852 2543996 9 0.00% 0.00% 0.00% 0 GraphIt
>>>> 30 0 2 0 0.00% 0.00% 0.00% 0 Dialer
>>>> event
>>>> 31 0 1 0 0.00% 0.00% 0.00% 0 SERIAL
>>>> A'detect
>>>> 32 0 2 0 0.00% 0.00% 0.00% 0 XML
>>>> Proxy Client
>>>> 33 0 2 0 0.00% 0.00% 0.00% 0
>>>> cpf_process_msg_
>>>> 34 0 1 0 0.00% 0.00% 0.00% 0 Inode
>>>> Table Dest
>>>> 35 0 1 0 0.00% 0.00% 0.00% 0
>>>> Critical Bkgnd
>>>> 36 3693876 754571 4895 0.16% 0.13% 0.14% 0 Net
>>>> Background
>>>> 37 0 2 0 0.00% 0.00% 0.00% 0 IDB
>>>> Work
>>>> 38 9345480 27043789 345 0.32% 0.26% 0.25% 0 Logger
>>>> 39 33124 2538673 13 0.00% 0.00% 0.00% 0 TTY
>>>> Background
>>>> 40 241316 2544091 94 0.00% 0.01% 0.00% 0
>>>> Per-Second Jobs
>>>> 41 0 1 0 0.00% 0.00% 0.00% 0 IKE HA
>>>> Mgr
>>>> 42 0 1 0 0.00% 0.00% 0.00% 0 IPSEC
>>>> HA Mgr
>>>> 43 4884 38 128526 0.00% 0.00% 0.00% 0 rf task
>>>> 44 4140 85313 48 0.00% 0.00% 0.00% 0 Net Input
>>>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
>>>> 45 29456 508811 57 0.00% 0.00% 0.00% 0 Compute
>>>> load avg
>>>> 46 845372 43011 19654 0.00% 0.03% 0.00% 0
>>>> Per-minute Jobs
>>>> 47 0 1 0 0.00% 0.00% 0.00% 0 AggMgr
>>>> Process
>>>> 48 0 1 0 0.00% 0.00% 0.00% 0 Token
>>>> Daemon
>>>> 49 0 1 0 0.00% 0.00% 0.00% 0
>>>> dev_device_inser
>>>> 50 0 1 0 0.00% 0.00% 0.00% 0
>>>> dev_device_remov
>>>> 51 3860 423854 9 0.00% 0.00% 0.00% 0 mxt5100
>>>> 52 0 1 0 0.00% 0.00% 0.00% 0
>>>> sal_dpc_process
>>>> 53 0 1 0 0.00% 0.00% 0.00% 0 ARL
>>>> Table Manage
>>>> 54 0 2 0 0.00% 0.00% 0.00% 0 ESWPPM
>>>> 55 0 2 0 0.00% 0.00% 0.00% 0 Eswilp
>>>> Storm Con
>>>> 56 0 2 0 0.00% 0.00% 0.00% 0
>>>> ESWILPPM
>>>> 57 0 2 0 0.00% 0.00% 0.00% 0 Eswilp
>>>> Storm Con
>>>> 58 118640 10174788 11 0.00% 0.00% 0.00% 0
>>>> Netclock Backgro
>>>> 59 0 2 0 0.00% 0.00% 0.00% 0 SM
>>>> Monitor
>>>> 60 0 2 0 0.00% 0.00% 0.00% 0 VNM
>>>> DSPRM MAIN
>>>> 61 0 1 0 0.00% 0.00% 0.00% 0 DSPFARM
>>>> DSP READ
>>>> 62 0 2 0 0.00% 0.00% 0.00% 0 FLEX
>>>> DNLD MAIN
>>>> 63 0 1 0 0.00% 0.00% 0.00% 0 HDV
>>>> background
>>>> 64 12 192 62 0.00% 0.00% 0.00% 0 CRYPTO
>>>> IKMP IPC
>>>> 65 0 1 0 0.00% 0.00% 0.00% 0
>>>> RF_INTERDEV_DELA
>>>> 66 0 1 0 0.00% 0.00% 0.00% 0
>>>> RF_INTERDEV_SCTP
>>>> 67 13120 2538695 5 0.00% 0.00% 0.00% 0
>>>> Ether-Switch RBC
>>>> 68 0 1 0 0.00% 0.00% 0.00% 0 AAL2CPS
>>>> TIMER_CU
>>>> 69 0 1 0 0.00% 0.00% 0.00% 0 IGMP
>>>> Snooping Pr
>>>> 70 0 1 0 0.00% 0.00% 0.00% 0 IGMP
>>>> Snooping Re
>>>> 71 488 84796 5 0.00% 0.00% 0.00% 0 Call
>>>> Management
>>>> 72 0 1 0 0.00% 0.00% 0.00% 0 CES
>>>> Line Conditi
>>>> 73 0 1 0 0.00% 0.00% 0.00% 0
>>>> RF_INTERDEV_SCTP
>>>> 74 17916 257414 69 0.00% 0.00% 0.00% 0 ATM
>>>> Periodic
>>>> 75 0 1 0 0.00% 0.00% 0.00% 0 ATM ARP
>>>> INPUT
>>>> 76 21688 257960 84 0.00% 0.00% 0.00% 0 ATM OAM
>>>> Input
>>>> 77 18348 263630 69 0.00% 0.00% 0.00% 0 ATM OAM
>>>> TIMER
>>>> 78 0 2 0 0.00% 0.00% 0.00% 0 Dot11
>>>> auth Dot1x
>>>> 79 0 1 0 0.00% 0.00% 0.00% 0 Dot11
>>>> Mac Auth
>>>> 80 0 2 0 0.00% 0.00% 0.00% 0 dot1x
>>>> 81 0 2 0 0.00% 0.00% 0.00% 0 DTP
>>>> Protocol
>>>> 82 13968 2538690 5 0.00% 0.00% 0.00% 0 PI MATM
>>>> Aging Pr
>>>> 83 1452 254347 5 0.00% 0.00% 0.00% 0
>>>> EtherChnl
>>>> 84 0 2 0 0.00% 0.00% 0.00% 0 AAA
>>>> Dictionary R
>>>> 85 8 134 59 0.00% 0.00% 0.00% 0 AAA
>>>> Server
>>>> 86 0 1 0 0.00% 0.00% 0.00% 0 AAA
>>>> ACCT Proc
>>>> 87 0 1 0 0.00% 0.00% 0.00% 0 ACCT
>>>> Periodic Pr
>>>> 88 29876 373334 80 0.00% 0.00% 0.00% 0 CDP
>>>> Protocol
>>>> 89 597460472 803703371 743 20.97% 19.69% 19.88% 0 IP
>>>> Input
>>>> 90 0 1 0 0.00% 0.00% 0.00% 0 ICMP
>>>> event handl
>>>> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
>>>> 91 0 74 0 0.00% 0.00% 0.00% 0
>>>> TurboACL
>>>> 92 0 2 0 0.00% 0.00% 0.00% 0
>>>> TurboACL chunk
>>>> 93 156 4237 36 0.00% 0.00% 0.00% 0 MOP
>>>> Protocols
>>>> 94 0 3 0 0.00% 0.00% 0.00% 0 PPP
>>>> Hooks
>>>> 95 212 81 2617 0.00% 0.13% 0.03% 322 SSH
>>>> Process
>>>> 96 0 1 0 0.00% 0.00% 0.00% 0 SSS
>>>> Manager
>>>> 97 2436 339153 7 0.00% 0.00% 0.00% 0 SSS
>>>> Test Client
>>>> 98 0 1 0 0.00% 0.00% 0.00% 0 SSS
>>>> Feature Mana
>>>> 99 123212 9936585 12 0.00% 0.00% 0.00% 0 SSS
>>>> Feature Time
>>>> 100 0 1 0 0.00% 0.00% 0.00% 0 VPDN
>>>> call manage
>>>> 101 0 1 0 0.00% 0.00% 0.00% 0 L2X
>>>> Socket proce
>>>> 102 0 1 0 0.00% 0.00% 0.00% 0 L2X SSS
>>>> manager
>>>> 103 0 2 0 0.00% 0.00% 0.00% 0 L2TP
>>>> mgmt daemon
>>>> 104 0 1 0 0.00% 0.00% 0.00% 0 X.25
>>>> Encaps Mana
>>>> 105 0 2 0 0.00% 0.00% 0.00% 0 EAPoUDP
>>>> Process
>>>> 106 0 2 0 0.00% 0.00% 0.00% 0 IP Host
>>>> Track Pr
>>>> 107 0 1 0 0.00% 0.00% 0.00% 0 IPv6
>>>> RIB Redistr
>>>> 108 0 2 0 0.00% 0.00% 0.00% 0 KRB5
>>>> AAA
>>>> 109 0 1 0 0.00% 0.00% 0.00% 0 IP
>>>> Traceroute
>>>> 110 15024 84724 177 0.00% 0.00% 0.00% 0 IP
>>>> Background
>>>> 111 1612 42461 37 0.00% 0.00% 0.00% 0 IP RIB
>>>> Update
>>>> 112 0 2 0 0.00% 0.00% 0.00% 0 PPP IP
>>>> Route
>>>> 113 0 2 0 0.00% 0.00% 0.00% 0 PPP
>>>> IPCP
>>>> 114 139424 3924036 35 0.00% 0.00% 0.00% 0 CEF
>>>> process
>>>> 115 23712 2535102 9 0.00% 0.00% 0.00% 0 Socket
>>>> Timers
>>>> 116 236 6474 36 0.00% 0.00% 0.00% 0 TCP
>>>> Timer
>>>> 117 56 55 1018 0.00% 0.00% 0.00% 0 TCP
>>>> Protocols
>>>> 118 0 1 0 0.00% 0.00% 0.00% 0 COPS
>>>> 119 4
>>>> ...
>>>>
>>>> read more >>
>>>
>>> Do it when its high, and focus on the heavy hitters. If its NAT and
>>> other processor intensive processes, plus the full bgp routing table
>>> (although I only see a default route so this may be a moot point),
>>> then you may have just exhausted the processor on this smaller
>>> router. A 3800 should handle the internet portion with no problem,
>>> but never used them for NAT, etc. The show proc cpu should help
>>> determine the issue. If this is the case, I would look for any
>>> potential config issues (which guys/gals on here should be able to
>>> help point out), and if there are none, then you may just need more
>>> horsepower. Hope this helps.
>>

From: Łukasz Bromirski on 29 Nov 2007 16:14

Sanal Kisi wrote:
> Below is the result of "sh proc cpu" which I obtained. The current cpu
> util is not very high at the moment though.

> CPU utilization for five seconds: 72%/42%; one minute: 71%; five
> minutes: 71%
> 89 597460472 803703371 743 20.97% 19.69% 19.88% 0 IP Input
> 155 60466848 169323130 357 5.48% 5.91% 5.57% 0 Inspect Timer

Most of the load comes from the interrupts on the interfaces (42%),
and the rest from traffic that can't be CEF-switched (IP Input shows
20% load) and firewall inspect timer (5,5%).

Try to see what's causing so high rate of not-cef-switched traffic
with:

rtr# sh cef not-cef-switched

And you'll see something like this:

CEF Packets passed on to next switching layer
Slot No_adj No_encap Unsupp'ted Redirect Receive Options Access Frag
RP 61336 0 0 12 11215087 0 0 0

Basically I'd target firewall (ip inspect) - for this you can check
in the stats:

rtr#sh ip inspect statistics
Packet inspection statistics [process switch:fast switch]
tcp packets: [369836:123660915]
udp packets: [64052:6836373]
packets: [235:204]
ftp packets: [4339:0]

If process switch part is high - then you should move firewall/nat
to other box and treat 3800 as router doing ATM termination.

--
"Don't expect me to cry for all the | �ukasz Bromirski
reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

First | Prev |
Pages: 1 2
Prev: Problem with VPN on ASA 5505
Next: PIX 501: DHCP on outside interface will not renew