  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1406

Cisco 2621 Router CPU utilization keeps hitting 97% & response time as high as 1200 ms

I'm using a Cisco 2621 router as my corporate firewall with ACLs, and to route traffic between 3 VLANs. Recently my network monitoring software has been alerting me that the router CPU utilization has reached 97%, and the response time has gotten as high as 1250 ms. CPU util. hung around 40% before, but now it peaks several times a day. This has started happening periodically throughout the day. What can I check to try to determine the cause of these events?
0
myin68
Asked:
myin68
2 Solutions
 
Galtar99 Commented:
This might help you

http://www.cisco.com/warp/public/121/hybridge.html

Particularly, show process cpu

The process that's showing the highest utilization might be your culprit.

You might be on a buggy IOS ver.  Check out your version on Cisco and see if a rev up might be more stable.

0
 
Galtar99 Commented:
Sorry, that was the wrong article, although it had a couple of good points.

Look at the High CPU Utilization section of this article:

http://www.cisco.com/en/US/products/hw/routers/ps259/prod_tech_notes_list.html
0
 
lrmoore Commented:
I'll bet you have a worm or virus. Particularly a Storm infection.
Use NTOP to see what kind of traffic is hitting the router.
http://www.openxtra.co.uk/freestuff/ntop-xtra.php
Enable netflow and export the netflow to NTOP

Also, block ICMP on all the interfaces as a temporary measure.

Example:
 ! One ACL per interface so the hit counters can be compared
 access-list 109 deny icmp any any log
 access-list 109 permit ip any any
 access-list 110 deny icmp any any log
 access-list 110 permit ip any any
 access-list 111 deny icmp any any log
 access-list 111 permit ip any any

 ! Apply each ACL inbound (the interface command is "ip access-group")
 interface Fast0/0
  ip access-group 109 in
 interface Fast0/0.1
  ip access-group 110 in
 interface Fast0/0.2
  ip access-group 111 in

Etc. The log keyword will alert you to the primary source if the traffic is ICMP. Just by using 'show access-list 1xx' you can see the hit counters increase. The ACL with the most hit counts will show you the interface/VLAN generating the most traffic and help you track down the culprit.
0
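The hit-counter comparison described in the comment above, as an added example that is not part of the original thread: it diffs two `show access-lists` snapshots and ranks the interfaces by growth of the `deny icmp` counter. The snapshot text and the function names are constructed for illustration; the ACL-to-interface mapping follows the example config in the comment.

```python
import re

# Constructed 'show access-lists' output (not from the thread). ACL 111 uses
# the older layout: no sequence numbers, no counter until the first match.
SNAP_T0 = """\
Extended IP access list 109
    10 deny icmp any any log (120 matches)
    20 permit ip any any (50321 matches)
Extended IP access list 110
    10 deny icmp any any log (4410 matches)
    20 permit ip any any (61200 matches)
Extended IP access list 111
    deny icmp any any log
    permit ip any any (930 matches)
"""
# Constructed second snapshot, taken a minute later.
SNAP_T1 = (SNAP_T0.replace("(120 matches)", "(135 matches)")
                  .replace("(4410 matches)", "(98760 matches)")
                  .replace("any log\n", "any log (12 matches)\n"))

# ACL number -> interface, as applied in the example config above.
ACL_IFACE = {"109": "Fast0/0", "110": "Fast0/0.1", "111": "Fast0/0.2"}

HEADER = re.compile(r"^Extended IP access list (\S+)")
ENTRY = re.compile(r"^\s+(?:\d+\s+)?(deny|permit)\s+(\S+)\s+.*?"
                   r"(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_counters(text):
    """Return {(acl, action, protocol): matches}; a missing counter is 0."""
    counters, acl = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            acl = h.group(1)
            continue
        e = ENTRY.match(line)
        if e and acl:
            key = (acl, e.group(1), e.group(2))
            counters[key] = counters.get(key, 0) + int(e.group(3) or 0)
    return counters

def rank_icmp_growth(before, after):
    """Rank (delta, acl, interface) by growth of the 'deny icmp' counter."""
    old, new = parse_counters(before), parse_counters(after)
    ranked = []
    for (acl, action, proto), n in new.items():
        if (action, proto) == ("deny", "icmp"):
            prev = old.get((acl, action, proto), 0)
            delta = n - prev if n >= prev else n  # counters were cleared
            ranked.append((delta, acl, ACL_IFACE.get(acl, "unknown")))
    return sorted(ranked, reverse=True)
```

Comparing deltas rather than absolute counts keeps an ACL that has simply been in place longer from looking like the busiest one.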
 
lrmoore Commented:
Also block SMTP outbound for all except your mail server itself. Storm botnets are used as mass mailers.
0
 
myin68 (Author) Commented:
The processes with the highest percentages of CPU util are: IP Input 79%, and IP NAT Ager 15%.  The other processes have < 1%.  Does this mean anything other than maybe the traffic load on this router is too much now?
0
 
lrmoore Commented:
A traffic load by itself should not increase the CPU utilization. Tons and tons of small packets going to different places will cause this. Same thing we saw during the Blaster outbreak a couple years ago.
Another thing could be DNS lookups: when internal users hit MySpace pages with all the external links on those pages, it causes massive DNS queries.
You need to classify the traffic that is going through it so you know what is happening. NTOP will tell you.
0
 
Galtar99 Commented:
You'll have to debug some packets, but you can log directly to the console screen.  Follow this troubleshooting guide to isolate what's causing this:

http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00801c2af3.shtml
0
 
Jan Springer Commented:
If 'IP Input' is that high, then packets are being punted to the processor causing the high load.

An example of this would be 'log' entries in ACLs.  Can you post a sanitized config for review?
0
 
Galtar99 Commented:
Any updates?
0
 
myin68 (Author) Commented:
Thursday I moved some client servers from this network to its own network segment behind a different firewall.  Since then the CPU util.  and response times have returned to normal.  Thanks for your input.
0
