Re: High CPU util on 3825



Yes,

There are plenty of NAT and access lists available.

Below is a stripped version of the configuration.

Thanks in advance.


conf.
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////

Building configuration...

Current configuration : 22455 bytes
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot system flash c3825-advipservicesk9-mz.124-10b.bin
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret xxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
!
aaa session-id common
clock timezone GMT 2
no ip source-route
ip cef
!
!
!
!
ip domain name domain.com
ip name-server 10.0.0.9
ip name-server 10.0.0.46
ip inspect max-incomplete high 1600
ip inspect max-incomplete low 1200
ip inspect one-minute high 2000000000
ip inspect one-minute low 1000000000
ip inspect name firewall cuseeme timeout 3600
ip inspect name firewall ftp timeout 3600
ip inspect name firewall rcmd timeout 3600
ip inspect name firewall realaudio timeout 3600
ip inspect name firewall tftp timeout 30
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 15
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!

!
!
crypto pki certificate chain TP-self-signed-4150674149
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101
04050030
..
..
quit
username zxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group our-vpn
key xxxxxxx23
pool SDM_POOL_1
acl 100
netmask 255.255.255.248
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 client authentication list sdm_vpn_xauth_ml_3
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_3
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
!
!
!
interface GigabitEthernet0/0
description FW_INSIDE
ip address 192.168.240.1 255.255.255.248
ip access-group sdm_gigabitethernet0/0_in in
ip nat inside
ip inspect firewall in
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
media-type rj45
no keepalive
crypto map SDM_CMAP_2
!
interface GigabitEthernet0/1
description FW_DMZ
ip address external-ip
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
media-type rj45
no keepalive
!
interface ATM1/0
bandwidth 34000
no ip address
load-interval 30
atm ilmi-keepalive
!
interface ATM1/0.32 point-to-point
description FW_OUTSIDE
ip address external-router-ip
ip access-group sdm_ATM1/0_32_in in
ip nat outside
ip inspect firewall in
ip virtual-reassembly max-reassemblies 1024
no snmp trap link-status
crypto map SDM_CMAP_1
pvc ttnet 0/32
oam-pvc manage
encapsulation aal5snap
!
!
ip local pool SDM_POOL_1 192.168.240.5 192.168.240.6
ip route 0.0.0.0 0.0.0.0 real-ip
ip route 10.0.0.0 255.0.0.0 192.168.240.2
ip route 172.16.0.0 255.255.0.0 192.168.240.2
ip route 192.168.0.0 255.255.0.0 192.168.240.2
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat log translations syslog
ip nat translation max-entries all-host 100

///////
30 lines of ip nat pool, one for each subnet
///////

///////
30 lines of ip nat translations, one for each subnet
///////


///////
50 lines of ip nat translations to real IPs
///////


!

///////
30 access lists, one per subnet
///////


///////
approx. 60-70 permit-denys
///////




!
logging trap debugging
logging facility local6
logging source-interface GigabitEthernet0/0
logging 10.0.0.66
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.240.0 0.0.0.7 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
snmp-server community xxxxxx RO
snmp-server packetsize 2048
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^C
-----------------------------------------------------------------------
Backbone Router
-----------------------------------------------------------------------

^C
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class management in
transport input ssh
line vty 5 15
access-class management in
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179448
ntp server real-ip
!
end

////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////

Regards.


On Mon, 26 Nov 2007 07:23:05 -0800 (PST), Trendkill
<jpmason@xxxxxxxxx> wrote:

On Nov 26, 10:10 am, Sanal Kisi <sanalk...@xxxxxxxxx> wrote:
Hi,

We have been seeing very high CPU util values which reach the top
(result of "sh processes cpu history" copied below), which were
reaching only 40-50% a few months ago.

This is a router which has an ATM port with a connection of 16Mbps
towards the internet, and inside the ethernet port is connected to our
6500 switch with 2500 PCs throughout the campus.

Is there anything I can do about this except replacing the router with
a more powerful one?

Regards.

********************************************************************
********************************************************************
********************************************************************
********************************************************************

RESULT OF "sh processes cpu history"

04:47:28 PM Monday Nov 26 2007 GMT

666666666666666666666666777776666666666666666666666666666666
111144444444449999977777000004444444444777776666655555888888
100
90
80
70 *************** *********************
60 ************************************************************
50 ************************************************************
40 ************************************************************
30 ************************************************************
20 ************************************************************
10 ************************************************************
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per second (last 60 seconds)

789877777788878777677778778788787778878767677767677886777777
519077783637150362947640743711869995191090503483939618457350
100 *
90 * * * * *
80 ******** *#**** * ** ** #**#*****#*** *** ** *
70 ########################################****#**#*####*#####*
60 ############################################################
50 ############################################################
40 ############################################################
30 ############################################################
20 ############################################################
10 ############################################################
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%

877897443233345789998899887655333344567887888878986677433335667899878889
699604649772625762229013267622821027779769487471085392753103364883193165
100 * *
90 * ** ***** ** * ** ** ** *** **
80 ***** ***#****#*** ************ * *##*****#
70 #**##* *#####*####** **######****#* ** **######*##
60 #####* **###########* **############**#* **##########
50 ######* *#############** **#################* ***##########
40 ######*** * **###############** **##################** *############
30 ########*****#################****#####################****#############
20 ########################################################################
10 ########################################################################
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
0 5 0 5 0 5 0 5 0 5 0 5 0
CPU% per hour (last 72 hours)
* = maximum CPU% # = average CPU%

What kind of config are you running? This utilization seems high, but
need to know if it's getting the full internet table, and are you
running NAT, etc?
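
An added example, not part of the original thread: a small Python helper that answers the question asked above (what is this router running?) from a flattened running configuration like the one posted. It lists the features applied to traffic on each interface plus the global NAT-logging, IPS and syslog settings; the sample lines are copied from the post, and the function name `feature_inventory` and the feature labels are hypothetical.

```python
import re
# Constructed sample: a subset of lines copied from the config posted in this thread, unindented as shown there.
SAMPLE = """\
ip ips sdf location flash://256MB.sdf
!
interface GigabitEthernet0/0
ip access-group sdm_gigabitethernet0/0_in in
ip nat inside
ip inspect firewall in
ip virtual-reassembly
crypto map SDM_CMAP_2
!
interface ATM1/0.32 point-to-point
ip access-group sdm_ATM1/0_32_in in
ip nat outside
ip inspect firewall in
crypto map SDM_CMAP_1
!
ip nat log translations syslog
logging trap debugging
"""
# Feature labels (dict keys) are hypothetical names chosen for this example.
PER_INTERFACE = {
    "acl": r"^ip access-group (\S+) (in|out)$",
    "nat": r"^ip nat (inside|outside)$",
    "inspect": r"^ip inspect (\S+) (in|out)$",
    "reassembly": r"^ip virtual-reassembly",
    "crypto-map": r"^crypto map (\S+)$",
}
GLOBAL = {
    "nat-syslog": r"^ip nat log translations syslog$",
    "ips-sdf": r"^ip ips sdf location ",
    "syslog-debug": r"^logging trap debugging$",
}
def feature_inventory(config_text):
    """Return ({interface: [features]}, [global features]) for a flattened config."""
    per_if, global_hits, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]       # e.g. "ATM1/0.32"
        elif line == "!" or not line:
            current = None                  # "!" closes the interface block
        elif current is not None:
            per_if.setdefault(current, []).extend(
                k for k, p in PER_INTERFACE.items() if re.search(p, line))
        else:
            global_hits.extend(k for k, p in GLOBAL.items() if re.search(p, line))
    return per_if, global_hits
```

Because the posted config has lost its indentation, the helper relies on the `!` separators rather than leading spaces to find where each interface block ends.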