Solved

router CPU utilization 100 percent

Posted on 2009-07-02
Last Modified: 2013-12-10
Hi there,
I had a site on which a Cisco router's utilization went up to 100 percent ... I've attached the relevant commands ... As you can see, IP NAT Ager is the main culprit process ... I have NAT on this router with its default settings ... I reloaded the router and it is back to normal now ... Any info on exactly why IP NAT Ager took so much CPU?
Just realized I should have done show interface dialer 1 to see the number of packets going through the router at that time!


Cairns-Router1#sh processes cpu sorted
CPU utilization for five seconds: 99%/4%; one minute: 99%; five minutes: 99%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 190    21729492   1542797      14084 93.15% 93.75% 92.78%   0 IP NAT Ager
  79     1112848   1406511        791  0.57%  0.34%  0.31%   0 IP Input
 134         284       168       1690  0.57%  0.21%  0.07%   2 Virtual Exec
 195       86632  17814582          4  0.16%  0.04%  0.03%   0 PPP Events
  31       35208    577946         60  0.16%  0.05%  0.02%   0 Per-Second Jobs
   2       17960    115579        155  0.08%  0.02%  0.00%   0 Load Meter
 117        9788     47596        205  0.08%  0.01%  0.00%   0 TCP Protocols
  41     4017136   2834643       1417  0.08%  0.08%  0.08%   0 COLLECT STAT COU
   9        4052    601865          6  0.00%  0.00%  0.00%   0 ARP Background
  10           0         2          0  0.00%  0.00%  0.00%   0 ATM Idle Timer
  11           0         2          0  0.00%  0.00%  0.00%   0 AAA high-capacit
  12           0         1          0  0.00%  0.00%  0.00%   0 AAA_SERVER_DEADT
  13           0         1          0  0.00%  0.00%  0.00%   0 Policy Manager
  14         436     19265         22  0.00%  0.00%  0.00%   0 DDR Timers
  15           0         2          0  0.00%  0.00%  0.00%   0 Entity MIB API
  16          76       656        115  0.00%  0.00%  0.00%   0 EEM ED Syslog
  17         960     57781         16  0.00%  0.00%  0.00%   0 HC Counter Timer
  18           4         2       2000  0.00%  0.00%  0.00%   0 Serial Backgroun
  19           0         1          0  0.00%  0.00%  0.00%   0 RO Notify Timers
  20           0         1          0  0.00%  0.00%  0.00%   0 RMI RM Notify Wa

Cairns-Router1#sh processes memory sorted
Processor Pool Total:   77588540 Used:   69917876 Free:    7670664
      I/O Pool Total:   12582912 Used:    3498896 Free:    9084016

 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   1   0   68017452   16513524   51511164          0          0 Chunk Manager
   0   0   21979920    2412644   15855620          0          0 *Init*
   0   0   10885488   10006608    2417520     680608          0 *Dead*
  74   0     305900        804     315484          0          0 EAPoUDP Process
  16   0     264484          0     274032     113400          0 EEM ED Syslog
   5   0  100858036   34810624     144140   22518148    9174052 Pool Manager
  27   0     146172       3012     134688          0          0 Net Background
 173   0     114240       7344     120864          0          0 EEM Server
 101   0     119348        252     118132          0          0 DHCPD Receive
 196   0     111196        224      99056          0          0 PPPoA Manager
 148   0      66852          0      80088          0          0 Crypto IKEv2
 150   0      76500      11136      79132          0          0 IPSEC key engine
  90   0      66760          0      76996          0          0 IP RIB Update
  94   0      74104        232      73952          0          0 CEF process
 130   0      66416        252      73400          0          0 HTTP Process
 152   0      47308       3324      69220          0          0 Crypto ACL
  79   0   94660068    7050404      61120     115404    1143220 IP Input
  73   0      49384          0      56620          0          0 ACCT Periodic Pr
  78   0      49384          0      56620          0          0 IP ARP Retry Age
 195   0      49512       4976      42556       3120          0 PPP Events

Question by:nabeel92
6 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24769750
Hi,

How many users are behind the router?
If someone has a virus, it is able to open a lot of translations!
Please view the translation table in your router:

show ip nat translation

You are able to fine-tune the NAT:

ip nat translation ?
  arp-ping-timeout        Specify timeout for WLAN-NAT ARP-Ping
  dns-timeout             Specify timeout for NAT DNS flows
  finrst-timeout          Specify timeout for NAT TCP flows after a FIN or RST
  icmp-timeout            Specify timeout for NAT ICMP flows
  max-entries             Specify maximum number of NAT entries
  port-timeout            Specify timeout for NAT TCP/UDP port specific flows
  pptp-timeout            Specify timeout for NAT PPTP flows
  routemap-entry-timeout  Specify timeout for routemap created half entry
  syn-timeout             Specify timeout for NAT TCP flows after a SYN and no further data
  tcp-timeout             Specify timeout for NAT TCP flows
  timeout                 Specify timeout for dynamic NAT translations
  udp-timeout             Specify timeout for NAT UDP flows


Could you send the config file here?


Best Regards,
Istvan

0
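The translation-table check suggested in the comment above, worked through as an added example that is not part of the thread: it counts dynamic NAT entries per inside host so that one machine opening an unusual number of translations stands out. The sample output, the 203.0.113.10 outside address and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `show ip nat translations` output, not taken from the
# thread. 203.0.113.10 stands in for the address negotiated on Dialer1.
HEADER = "Pro Inside global      Inside local       Outside local      Outside global"
SAMPLE = "\n".join(
    [HEADER,
     "tcp 203.0.113.10:5901  10.154.22.1:5900   ---                ---",
     "tcp 203.0.113.10:1030  10.154.22.7:1030   198.51.100.20:80   198.51.100.20:80",
     "udp 203.0.113.10:1031  10.154.22.7:1031   198.51.100.53:53   198.51.100.53:53"]
    # One inside host holding many flows to many different outside addresses.
    + [f"tcp 203.0.113.10:{2000 + i}  10.154.22.17:{2000 + i}  192.0.2.{i}:445  192.0.2.{i}:445"
       for i in range(1, 9)]
)

ROW = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def per_host(output):
    """Map inside-local host -> (dynamic entries, distinct outside hosts)."""
    entries = Counter()
    peers = defaultdict(set)
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, blank line, or a protocol-less ("---") static row
        inside_local, outside_global = m.group(3), m.group(5)
        if outside_global == "---":
            continue  # static port-forward entry, not a live flow
        host = inside_local.rsplit(":", 1)[0]
        entries[host] += 1
        peers[host].add(outside_global.rsplit(":", 1)[0])
    return {h: (entries[h], len(peers[h])) for h in entries}


def suspects(output, max_entries=5):
    """Hosts above the threshold, busiest first (5 only suits the tiny sample)."""
    stats = per_host(output)
    over = [h for h, (count, _) in stats.items() if count > max_entries]
    return sorted(over, key=lambda h: stats[h][0], reverse=True)


if __name__ == "__main__":
    for host in suspects(SAMPLE):
        print(host, *per_host(SAMPLE)[host])
```

Static port-forward rows are skipped on purpose, since a configuration with many of them would otherwise inflate every count.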
 

Author Comment

by:nabeel92
ID: 24769956
It's an internet cafe with about 40 computers using internet ... Any NAT configuration setting you can recommend that can avoid such a situation in future? It obviously was a virus that must have caused the DoS attack ...
Cairns-Router1#sh running-config
Building configuration...

Current configuration : 6310 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cairns-Router1
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
ip name-server x.x.x.x
!
!
!
!
no spanning-tree vlan 1
username admin privilege 15 password 0 xxx
!
!
archive
 log config
  hidekeys
!
!
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
track 3 list boolean or
 object 1
 object 2
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.154.22.121 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 glbp 1 ip 10.154.22.126
 glbp 1 preempt delay minimum 30
 glbp 1 weighting 100 lower 95
 glbp 1 load-balancing host-dependent
 glbp 1 weighting track 3 decrement 10
 glbp 1 forwarder preempt delay minimum 0
!
interface Dialer1
 description -- ADSL to Telstra --
 bandwidth 1000
 ip address negotiated
 ip mtu 1440
 ip flow ingress
 ip flow egress
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.154.22.128 255.255.255.128 10.154.22.101
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 10.154.22.101 22 interface Dialer1 222
ip nat inside source static tcp 10.154.22.1 5900 interface Dialer1 5901
ip nat inside source static tcp 10.154.22.2 5900 interface Dialer1 5902
ip nat inside source static tcp 10.154.22.3 5900 interface Dialer1 5903
ip nat inside source static tcp 10.154.22.4 5900 interface Dialer1 5904
ip nat inside source static tcp 10.154.22.5 5900 interface Dialer1 5905
ip nat inside source static tcp 10.154.22.6 5900 interface Dialer1 5906
ip nat inside source static tcp 10.154.22.7 5900 interface Dialer1 5907
ip nat inside source static tcp 10.154.22.8 5900 interface Dialer1 5908
ip nat inside source static tcp 10.154.22.9 5900 interface Dialer1 5909
ip nat inside source static tcp 10.154.22.10 5900 interface Dialer1 5910
ip nat inside source static tcp 10.154.22.11 5900 interface Dialer1 5911
ip nat inside source static tcp 10.154.22.12 5900 interface Dialer1 5912
ip nat inside source static tcp 10.154.22.13 5900 interface Dialer1 5913
ip nat inside source static tcp 10.154.22.14 5900 interface Dialer1 5914
ip nat inside source static tcp 10.154.22.15 5900 interface Dialer1 5915
ip nat inside source static tcp 10.154.22.16 5900 interface Dialer1 5916
ip nat inside source static tcp 10.154.22.17 5900 interface Dialer1 5917
ip nat inside source static tcp 10.154.22.18 5900 interface Dialer1 5918
ip nat inside source static tcp 10.154.22.19 5900 interface Dialer1 5919
ip nat inside source static tcp 10.154.22.20 5900 interface Dialer1 5920
ip nat inside source static tcp 10.154.22.21 5900 interface Dialer1 5921
ip nat inside source static tcp 10.154.22.22 5900 interface Dialer1 5922
ip nat inside source static tcp 10.154.22.23 5900 interface Dialer1 5923
ip nat inside source static tcp 10.154.22.24 5900 interface Dialer1 5924
ip nat inside source static tcp 10.154.22.25 5900 interface Dialer1 5925
ip nat inside source static tcp 10.154.22.26 5900 interface Dialer1 5926
ip nat inside source static tcp 10.154.22.27 5900 interface Dialer1 5927
ip nat inside source static tcp 10.154.22.28 5900 interface Dialer1 5928
ip nat inside source static tcp 10.154.22.29 5900 interface Dialer1 5929
ip nat inside source static tcp 10.154.22.30 5900 interface Dialer1 5930
ip nat inside source static tcp 10.154.22.31 5900 interface Dialer1 5931
ip nat inside source static tcp 10.154.22.32 5900 interface Dialer1 5932
ip nat inside source static tcp 10.154.22.33 5900 interface Dialer1 5933
ip nat inside source static tcp 10.154.22.34 5900 interface Dialer1 5934
ip nat inside source static tcp 10.154.22.35 5900 interface Dialer1 5935
ip nat inside source static tcp 10.154.22.36 5900 interface Dialer1 5936
ip nat inside source static tcp 10.154.22.37 5900 interface Dialer1 5937
ip nat inside source static tcp 10.154.22.38 5900 interface Dialer1 5938
ip nat inside source static tcp 10.154.22.39 5900 interface Dialer1 5939
ip nat inside source static tcp 10.154.22.40 5900 interface Dialer1 5940
ip nat inside source static tcp 10.154.22.41 5900 interface Dialer1 5941
ip nat inside source static tcp 10.154.22.42 5900 interface Dialer1 5942
ip nat inside source static tcp 10.154.22.43 5900 interface Dialer1 5943
ip nat inside source static tcp 10.154.22.44 5900 interface Dialer1 5944
ip nat inside source static tcp 10.154.22.45 5900 interface Dialer1 5945
ip nat inside source static tcp 10.154.22.121 23 interface Dialer1 5001
ip nat inside source static tcp 10.154.22.120 222 interface Dialer1 2222
ip nat inside source static tcp 10.154.22.110 9000 interface ATM0 9000
ip nat inside source static tcp 10.154.22.81 5900 interface Dialer1 5981
ip nat inside source static tcp 10.154.22.87 5900 interface Dialer1 5987
ip nat inside source static tcp 10.154.22.102 5900 interface Dialer1 5999
ip nat inside source static tcp 10.154.22.103 5900 interface Dialer1 5998
ip nat inside source static tcp 10.154.22.104 5900 interface Dialer1 5997
ip nat inside source static tcp 10.154.22.111 23 interface Dialer1 5002
ip nat inside source static tcp 10.154.22.112 23 interface Dialer1 5003
!
ip sla 1
 icmp-echo 4.2.2.2 source-interface Vlan1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 4.2.2.3 source-interface Vlan1
 frequency 10
ip sla schedule 2 life forever start-time now
access-list 101 permit ip any any
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 120 0
 privilege level 15
 password xxx
 login local
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24770470
Hi,

I think a better way to manage your computers is with an IPsec VPN than to open a lot of ports directly from the internet! What is the type of the router? Please show me:

show ver

Best regards,
Istvan
0
 

Author Comment

by:nabeel92
ID: 24770757
It's a Cisco 877-M ... I don't have access to the router right now, will post a show version on Monday ... but in the meantime, is there any suggestion what I can do when such a thing happens next time? Or how can I prevent this?
0
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 500 total points
ID: 24770906
I think firstly configure a basic firewall:

http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/firewall.html

secondly:

Remove PAT, use IPsec VPN.
0
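An audit of the NAT lines in the running-config posted earlier in the thread, as an added example that is not part of any post: it groups the static port forwards by exposed inside port, checks whether a translation-table limit is configured, and flags an overload ACL that matches everything. The config excerpt is shortened from the thread, and the function name audit_nat is hypothetical.

```python
import re
from collections import Counter

# Excerpt of the running-config posted in the thread (static list shortened).
CONFIG = """\
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 10.154.22.101 22 interface Dialer1 222
ip nat inside source static tcp 10.154.22.1 5900 interface Dialer1 5901
ip nat inside source static tcp 10.154.22.2 5900 interface Dialer1 5902
ip nat inside source static tcp 10.154.22.121 23 interface Dialer1 5001
ip nat inside source static tcp 10.154.22.111 23 interface Dialer1 5002
access-list 101 permit ip any any
"""

STATIC = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
OVERLOAD = re.compile(r"^ip nat inside source list (\S+) interface \S+ overload$")


def audit_nat(config):
    """Return a list of findings about the NAT section of an IOS config."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []

    # Static port forwards, grouped by the inside port they publish.
    forwards = Counter()
    for line in lines:
        m = STATIC.match(line)
        if m:
            forwards[int(m.group(3))] += 1
    for port, count in sorted(forwards.items()):
        findings.append(f"{count} static forward(s) expose inside port {port}")

    # The thread's help output lists max-entries; the posted config never sets it.
    if not any(l.startswith("ip nat translation max-entries") for l in lines):
        findings.append("no 'ip nat translation max-entries' limit configured")

    # An overload (PAT) rule whose ACL permits everything.
    for line in lines:
        m = OVERLOAD.match(line)
        if m and f"access-list {m.group(1)} permit ip any any" in lines:
            findings.append(f"overload ACL {m.group(1)} is 'permit ip any any'")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_nat(CONFIG)))
```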
 

Author Comment

by:nabeel92
ID: 24770916
Ok, thank you
0
