Solved

router CPU utilization 100 percent

Posted on 2009-07-02
Last Modified: 2013-12-10
Hi there,
I had a site on which a Cisco router's utilization went up to 100 percent ... I've attached the relevant commands ... As you can see, IP NAT Ager is the main culprit process ... I have NAT on this router with its default settings ... I reloaded the router and it is back to normal now ... any info on exactly why IP NAT Ager took so much CPU utilization?
Just realized I should have done show interface dialer 1 to see the number of packets going through the router at that time !


Cairns-Router1#sh processes cpu sorted
CPU utilization for five seconds: 99%/4%; one minute: 99%; five minutes: 99%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 190    21729492   1542797      14084 93.15% 93.75% 92.78%   0 IP NAT Ager
  79     1112848   1406511        791  0.57%  0.34%  0.31%   0 IP Input
 134         284       168       1690  0.57%  0.21%  0.07%   2 Virtual Exec
 195       86632  17814582          4  0.16%  0.04%  0.03%   0 PPP Events
  31       35208    577946         60  0.16%  0.05%  0.02%   0 Per-Second Jobs
   2       17960    115579        155  0.08%  0.02%  0.00%   0 Load Meter
 117        9788     47596        205  0.08%  0.01%  0.00%   0 TCP Protocols
  41     4017136   2834643       1417  0.08%  0.08%  0.08%   0 COLLECT STAT COU
   9        4052    601865          6  0.00%  0.00%  0.00%   0 ARP Background
  10           0         2          0  0.00%  0.00%  0.00%   0 ATM Idle Timer
  11           0         2          0  0.00%  0.00%  0.00%   0 AAA high-capacit
  12           0         1          0  0.00%  0.00%  0.00%   0 AAA_SERVER_DEADT
  13           0         1          0  0.00%  0.00%  0.00%   0 Policy Manager
  14         436     19265         22  0.00%  0.00%  0.00%   0 DDR Timers
  15           0         2          0  0.00%  0.00%  0.00%   0 Entity MIB API
  16          76       656        115  0.00%  0.00%  0.00%   0 EEM ED Syslog
  17         960     57781         16  0.00%  0.00%  0.00%   0 HC Counter Timer
  18           4         2       2000  0.00%  0.00%  0.00%   0 Serial Backgroun
  19           0         1          0  0.00%  0.00%  0.00%   0 RO Notify Timers
  20           0         1          0  0.00%  0.00%  0.00%   0 RMI RM Notify Wa
 
 
 
Cairns-Router1#sh processes memory sorted
Processor Pool Total:   77588540 Used:   69917876 Free:    7670664
      I/O Pool Total:   12582912 Used:    3498896 Free:    9084016
 
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   1   0   68017452   16513524   51511164          0          0 Chunk Manager
   0   0   21979920    2412644   15855620          0          0 *Init*
   0   0   10885488   10006608    2417520     680608          0 *Dead*
  74   0     305900        804     315484          0          0 EAPoUDP Process
  16   0     264484          0     274032     113400          0 EEM ED Syslog
   5   0  100858036   34810624     144140   22518148    9174052 Pool Manager
  27   0     146172       3012     134688          0          0 Net Background
 173   0     114240       7344     120864          0          0 EEM Server
 101   0     119348        252     118132          0          0 DHCPD Receive
 196   0     111196        224      99056          0          0 PPPoA Manager
 148   0      66852          0      80088          0          0 Crypto IKEv2
 150   0      76500      11136      79132          0          0 IPSEC key engine
  90   0      66760          0      76996          0          0 IP RIB Update
  94   0      74104        232      73952          0          0 CEF process
 130   0      66416        252      73400          0          0 HTTP Process
 152   0      47308       3324      69220          0          0 Crypto ACL
  79   0   94660068    7050404      61120     115404    1143220 IP Input
  73   0      49384          0      56620          0          0 ACCT Periodic Pr
  78   0      49384          0      56620          0          0 IP ARP Retry Age
 195   0      49512       4976      42556       3120          0 PPP Events

Question by:nabeel92
6 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24769750
Hi,

How many users are behind the router?
If someone has a virus, it is able to open a lot of translations!
Please view the translation table in your router:

show ip nat translation

You are able to fine-tune the NAT:

ip nat translation ?
  arp-ping-timeout        Specify timeout for WLAN-NAT ARP-Ping
  dns-timeout             Specify timeout for NAT DNS flows
  finrst-timeout          Specify timeout for NAT TCP flows after a FIN or RST
  icmp-timeout            Specify timeout for NAT ICMP flows
  max-entries             Specify maximum number of NAT entries
  port-timeout            Specify timeout for NAT TCP/UDP port specific flows
  pptp-timeout            Specify timeout for NAT PPTP flows
  routemap-entry-timeout  Specify timeout for routemap created half entry
  syn-timeout             Specify timeout for NAT TCP flows after a SYN and no further data
  tcp-timeout             Specify timeout for NAT TCP flows
  timeout                 Specify timeout for dynamic NAT translations
  udp-timeout             Specify timeout for NAT UDP flows


Could you send the config file here?


Best Regards,
Istvan
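
An added example, not part of the original answer: a Python script that tallies `show ip nat translations` output per inside host, which is how a machine flooding the translation table would be picked out. The sample output, the 203.0.113.5 outside address and the 30-entry threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `show ip nat translations` output (not from the thread).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:5917   10.154.22.17:5900  ---                ---
tcp 203.0.113.5:1030   10.154.22.9:1030   198.51.100.20:80   198.51.100.20:80
udp 203.0.113.5:1031   10.154.22.9:1031   198.51.100.53:53   198.51.100.53:53
""" + "".join(
    f"tcp 203.0.113.5:{2000+i}   10.154.22.23:{2000+i}  192.0.2.{i}:445   192.0.2.{i}:445\n"
    for i in range(1, 41)
)

# One translation row: protocol followed by four address[:port] columns.
ROW = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def summarize(output):
    """Per inside-local host: dynamic translation count and distinct outside peers."""
    stats = defaultdict(lambda: {"entries": 0, "peers": set()})
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, blank line or CLI prompt
        _, _, inside_local, _, outside_global = m.groups()
        if outside_global == "---":
            continue  # static port-forward entry, not a live flow
        host = inside_local.rsplit(":", 1)[0]
        stats[host]["entries"] += 1
        stats[host]["peers"].add(outside_global.rsplit(":", 1)[0])
    return stats

def suspects(output, max_entries=30):
    """Hosts holding more dynamic translations than max_entries (assumed threshold)."""
    hits = [(host, v["entries"], len(v["peers"]))
            for host, v in summarize(output).items()
            if v["entries"] > max_entries]
    return sorted(hits, key=lambda t: -t[1])  # busiest host first

if __name__ == "__main__":
    for host, entries, peers in suspects(SAMPLE):
        print(f"{host}: {entries} translations to {peers} distinct destinations")
```

A host with many translations spread over many distinct destinations is the one to isolate first; a busy but legitimate client usually concentrates its entries on a few peers.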

 

Author Comment

by:nabeel92
ID: 24769956
It's an internet cafe with about 40 computers using the internet ... any NAT configuration setting you can recommend that can avoid such a situation in future? It obviously was a virus that must have caused the DoS attack ...
Cairns-Router1#sh running-config
Building configuration...
 
Current configuration : 6310 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cairns-Router1
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
ip name-server x.x.x.x
!
!
!
!
no spanning-tree vlan 1
username admin privilege 15 password 0 xxx
!
!
archive
 log config
  hidekeys
!
!
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
track 3 list boolean or
 object 1
 object 2
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.154.22.121 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 glbp 1 ip 10.154.22.126
 glbp 1 preempt delay minimum 30
 glbp 1 weighting 100 lower 95
 glbp 1 load-balancing host-dependent
 glbp 1 weighting track 3 decrement 10
 glbp 1 forwarder preempt delay minimum 0
!
interface Dialer1
 description -- ADSL to Telstra --
 bandwidth 1000
 ip address negotiated
 ip mtu 1440
 ip flow ingress
 ip flow egress
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.154.22.128 255.255.255.128 10.154.22.101
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 10.154.22.101 22 interface Dialer1 222
ip nat inside source static tcp 10.154.22.1 5900 interface Dialer1 5901
ip nat inside source static tcp 10.154.22.2 5900 interface Dialer1 5902
ip nat inside source static tcp 10.154.22.3 5900 interface Dialer1 5903
ip nat inside source static tcp 10.154.22.4 5900 interface Dialer1 5904
ip nat inside source static tcp 10.154.22.5 5900 interface Dialer1 5905
ip nat inside source static tcp 10.154.22.6 5900 interface Dialer1 5906
ip nat inside source static tcp 10.154.22.7 5900 interface Dialer1 5907
ip nat inside source static tcp 10.154.22.8 5900 interface Dialer1 5908
ip nat inside source static tcp 10.154.22.9 5900 interface Dialer1 5909
ip nat inside source static tcp 10.154.22.10 5900 interface Dialer1 5910
ip nat inside source static tcp 10.154.22.11 5900 interface Dialer1 5911
ip nat inside source static tcp 10.154.22.12 5900 interface Dialer1 5912
ip nat inside source static tcp 10.154.22.13 5900 interface Dialer1 5913
ip nat inside source static tcp 10.154.22.14 5900 interface Dialer1 5914
ip nat inside source static tcp 10.154.22.15 5900 interface Dialer1 5915
ip nat inside source static tcp 10.154.22.16 5900 interface Dialer1 5916
ip nat inside source static tcp 10.154.22.17 5900 interface Dialer1 5917
ip nat inside source static tcp 10.154.22.18 5900 interface Dialer1 5918
ip nat inside source static tcp 10.154.22.19 5900 interface Dialer1 5919
ip nat inside source static tcp 10.154.22.20 5900 interface Dialer1 5920
ip nat inside source static tcp 10.154.22.21 5900 interface Dialer1 5921
ip nat inside source static tcp 10.154.22.22 5900 interface Dialer1 5922
ip nat inside source static tcp 10.154.22.23 5900 interface Dialer1 5923
ip nat inside source static tcp 10.154.22.24 5900 interface Dialer1 5924
ip nat inside source static tcp 10.154.22.25 5900 interface Dialer1 5925
ip nat inside source static tcp 10.154.22.26 5900 interface Dialer1 5926
ip nat inside source static tcp 10.154.22.27 5900 interface Dialer1 5927
ip nat inside source static tcp 10.154.22.28 5900 interface Dialer1 5928
ip nat inside source static tcp 10.154.22.29 5900 interface Dialer1 5929
ip nat inside source static tcp 10.154.22.30 5900 interface Dialer1 5930
ip nat inside source static tcp 10.154.22.31 5900 interface Dialer1 5931
ip nat inside source static tcp 10.154.22.32 5900 interface Dialer1 5932
ip nat inside source static tcp 10.154.22.33 5900 interface Dialer1 5933
ip nat inside source static tcp 10.154.22.34 5900 interface Dialer1 5934
ip nat inside source static tcp 10.154.22.35 5900 interface Dialer1 5935
ip nat inside source static tcp 10.154.22.36 5900 interface Dialer1 5936
ip nat inside source static tcp 10.154.22.37 5900 interface Dialer1 5937
ip nat inside source static tcp 10.154.22.38 5900 interface Dialer1 5938
ip nat inside source static tcp 10.154.22.39 5900 interface Dialer1 5939
ip nat inside source static tcp 10.154.22.40 5900 interface Dialer1 5940
ip nat inside source static tcp 10.154.22.41 5900 interface Dialer1 5941
ip nat inside source static tcp 10.154.22.42 5900 interface Dialer1 5942
ip nat inside source static tcp 10.154.22.43 5900 interface Dialer1 5943
ip nat inside source static tcp 10.154.22.44 5900 interface Dialer1 5944
ip nat inside source static tcp 10.154.22.45 5900 interface Dialer1 5945
ip nat inside source static tcp 10.154.22.121 23 interface Dialer1 5001
ip nat inside source static tcp 10.154.22.120 222 interface Dialer1 2222
ip nat inside source static tcp 10.154.22.110 9000 interface ATM0 9000
ip nat inside source static tcp 10.154.22.81 5900 interface Dialer1 5981
ip nat inside source static tcp 10.154.22.87 5900 interface Dialer1 5987
ip nat inside source static tcp 10.154.22.102 5900 interface Dialer1 5999
ip nat inside source static tcp 10.154.22.103 5900 interface Dialer1 5998
ip nat inside source static tcp 10.154.22.104 5900 interface Dialer1 5997
ip nat inside source static tcp 10.154.22.111 23 interface Dialer1 5002
ip nat inside source static tcp 10.154.22.112 23 interface Dialer1 5003
!
ip sla 1
 icmp-echo 4.2.2.2 source-interface Vlan1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 4.2.2.3 source-interface Vlan1
 frequency 10
ip sla schedule 2 life forever start-time now
access-list 101 permit ip any any
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 120 0
 privilege level 15
 password xxx
 login local
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24770470
Hi,

I think it is better to manage your computers with an IPsec VPN than to open a lot of ports directly from the internet! What is the type of the router? Please show me:

show ver

Best regards,
Istvan

 

Author Comment

by:nabeel92
ID: 24770757
It's a Cisco 877-M ... I don't have access to the router right now, will post a show version on Monday .... but in the meantime, is there any suggestion what I can do when such a thing happens next time? Or how can I prevent this?
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 500 total points
ID: 24770906
I think you should first configure a basic firewall:

http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/firewall.html

Secondly:

Remove PAT, use IPsec VPN.
 

Author Comment

by:nabeel92
ID: 24770916
Ok, thank you
