A Cisco 2811 is showing high CPU load, and it is not clear what is loading it so heavily.
# sh processes cpu sorted 5min
CPU utilization for five seconds: 99%/96%; one minute: 92%; five minutes: 87%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
83 798166704 432415053 1845 0.97% 1.12% 1.19% 0 IP Input
5 74865556 4614885 16222 0.00% 0.18% 0.18% 0 Check heaps
211 25171748 27164628 926 0.24% 0.18% 0.17% 0 Syslog
226 253439881088223686 23 0.00% 0.10% 0.13% 0 RADIUS
89 42164 639 65984 0.56% 0.09% 0.13% 322 Virtual Exec
71 2399552 35273426 68 0.08% 0.09% 0.08% 0 Kontrol Common H
182 10893792 6640087 1640 0.40% 0.10% 0.08% 0 Crypto IKMP
228 15736036 70221232 224 0.08% 0.08% 0.08% 0 IP NAT Ager
3 16190224 91481211 176 0.08% 0.05% 0.07% 0 Spanning Tree
137 10568816 350114813 30 0.00% 0.04% 0.06% 0 RBSCP Background
38 5549216 35227421 157 0.08% 0.05% 0.06% 0 TTY Background
162 201037100 33321223 6033 0.00% 0.01% 0.04% 0 Crypto Support
39 18432656 35277899 522 0.00% 0.03% 0.04% 0 Per-Second Jobs
2 6008584 7060795 850 0.08% 0.03% 0.02% 0 Load Meter
37 4613796 51978048 88 0.08% 0.03% 0.02% 0 Logger
6 168631368 21254299 7933 0.00% 0.00% 0.01% 0 Pool Manager
93 5139052 137607964 37 0.00% 0.02% 0.01% 0 SSS Feature Time
215 16699620 595085 28062 0.00% 0.04% 0.00% 0 Per-minute Jobs
230 1875128 26271809 71 0.08% 0.00% 0.00% 0 IP VFR proc
What the heck is this, what else can I look at?
Measure the traffic several times; it is mostly CEF and IP Input that load the CPU.
http://www.opennet.me/base/cisco/cisco_mem.txt.html may help
OK, thanks, I'll read it
>[overquoting removed]
> 93 5139052 137607964 37 0.00% 0.02% 0.01% 0 SSS Feature Time
> 215 16699620 595085 28062 0.00% 0.04% 0.00% 0 Per-minute Jobs
> 230 1875128 26271809 71 0.08% 0.00% 0.00% 0 IP VFR proc
> What the heck is this, what else can I look at?
96% of the CPU is going to interrupts.
It is either an ACL, or IPSLA, or IPSec, or something else; without the config and the interface load it is impossible to say.
For example, CEF may be disabled. Then the box can keel over even under minimal traffic.
And in general this box is already weak by today's standards, when 10 Mb is considered the minimum connection for an office of 10-20 people.
IP SLAs ... is not visible among the processes, most likely anomalous traffic
+1, post the config
>What the heck is this, what else can I look at?
sh ip traffic
+
sh int fa 0/0
sh int fa 0/1
The interface facing the provider has a crypto map (ipsec) with two profiles: one for external users (3 people are connected right now), the second is a tunnel to the head office. That is actually why I went looking: the tunnel is slow...
This interface faces two providers; two VLANs hang on the interface
#sh int fa0/0
FastEthernet0/0 is up, line protocol is up
Hardware is MV96340 Ethernet, address is 0014.a925.1eb8 (bia 0014.a925.1eb8)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 42/255, rxload 7/255
Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/19014/0 (size/max/drops/flushes); Total output drops: 122031
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 2937000 bits/sec, 1064 packets/sec
5 minute output rate 16747000 bits/sec, 1647 packets/sec
2978065262 packets input, 89368498 bytes
Received 7368352 broadcasts, 4 runts, 0 giants, 1411 throttles
113141 input errors, 127 CRC, 141 frame, 0 overrun, 112869 ignored
0 watchdog
0 input packets with dribble condition detected
1613851039 packets output, 3315631982 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
1765169 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Facing the LAN
#sh int fa0/1
FastEthernet0/1 is up, line protocol is up
Hardware is MV96340 Ethernet, address is 0014.a925.1eb9 (bia 0014.a925.1eb9)
Description: INSIDE
Internet address is 1.2.3.4/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 16/255, rxload 44/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 6/75/38636/0 (size/max/drops/flushes); Total output drops: 797
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 17429000 bits/sec, 1972 packets/sec
5 minute output rate 6293000 bits/sec, 1551 packets/sec
1210798376 packets input, 3137328546 bytes
Received 588545 broadcasts, 0 runts, 0 giants, 2047 throttles
633459 input errors, 0 CRC, 1 frame, 0 overrun, 633458 ignored
0 watchdog
0 input packets with dribble condition detected
3049127627 packets output, 2744917918 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
588503 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
#sh ip traf
IP statistics:
Rcvd: 2110104704 total, 40214361 local destination
0 format errors, 107 checksum errors, 4824815 bad hop count
13 unknown protocol, 78475 not a gateway
0 security failures, 0 bad options, 10226 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 10226 alert, 0 cipso, 0 ump
0 other
Frags: 201185664 reassembled, 0 timeouts, 0 couldn't reassemble
5051 fragmented, 10652 fragments, 85 couldn't fragment
Bcast: 731937 received, 0 sent
Mcast: 0 received, 0 sent
Sent: 119477457 generated, 1457218170 forwarded
Drop: 203170 encapsulation failed, 0 unresolved, 0 no adjacency
6462 no route, 0 unicast RPF, 134524 forced drop
0 options denied
Drop: 0 packets with source IP address zero
Drop: 0 packets with internal loop back IP address
0 physical broadcast
ICMP statistics:
Rcvd: 1365 format errors, 66 checksum errors, 0 redirects, 127206 unreachable
130180 echo, 349 echo reply, 0 mask requests, 0 mask replies, 33 quench
0 parameter, 1 timestamp, 0 info request, 0 other
0 irdp solicitations, 0 irdp advertisements
Sent: 0 redirects, 58985451 unreachable, 115 echo, 130180 echo reply
0 mask requests, 0 mask replies, 0 quench, 1 timestamp
0 info reply, 1382558 time exceeded, 0 parameter problem
0 irdp solicitations, 0 irdp advertisements
TCP statistics:
Rcvd: 13285451 total, 1901 checksum errors, 131164 no port
Sent: 13133762 total
BGP statistics:
Rcvd: 0 total, 0 opens, 0 notifications, 0 updates
0 keepalives, 0 route-refresh, 0 unrecognized
Sent: 0 total, 0 opens, 0 notifications, 0 updates
0 keepalives, 0 route-refresh
IP-EIGRP statistics:
Rcvd: 0 total
Sent: 0 total
PIMv2 statistics: Sent/Received
Total: 0/0, 0 checksum errors, 0 format errors
Registers: 0/0 (0 non-rp, 0 non-sm-group), Register Stops: 0/0, Hellos: 0/0
Join/Prunes: 0/0, Asserts: 0/0, grafts: 0/0
Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0
Queue drops: 0
State-Refresh: 0/0
IGMP statistics: Sent/Received
Total: 0/0, Format errors: 0/0, Checksum errors: 0/0
Host Queries: 0/0, Host Reports: 0/0, Host Leaves: 0/0
DVMRP: 0/0, PIM: 0/0
Queue drops: 0
UDP statistics:
Rcvd: 26662807 total, 1622 checksum errors, 17521329 no port
Sent: 45876789 total, 0 forwarded broadcasts
OSPF statistics:
Rcvd: 0 total, 0 checksum errors
0 hello, 0 database desc, 0 link state req
0 link state updates, 0 link state acks
Sent: 0 total
0 hello, 0 database desc, 0 link state req
0 link state updates, 0 link state acks
ARP statistics:
Rcvd: 2737009 requests, 4272 replies, 20 reverse, 0 other
Sent: 136991 requests, 1503882 replies (1 proxy), 0 reverse
> 5 minute input rate 2937000 bits/sec, 1064 packets/sec
> 5 minute output rate 16747000 bits/sec, 1647 packets/sec
IPSec is Process Switching.
For the 2811, Process Switching is 3k packets per second in the default configuration.
Need I go on?
That seems rather low; maybe the OP did not enable the onboard accelerator.
Or the IOS has a feature set lower than advsecurity/advip.
OP, please show sh crypto engine brief and sh crypto engine acc st
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M)
#sh crypto engine br
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: aim 0
VPN Module in slot: 0
Product Name: AIM-VPN/EPII-PLUS
Software Serial #: 55AA
Device ID: 001E - revision 0000
Vendor ID: 13A3
Revision No: 0x001E0000
VSK revision: 0
Boot version: 255
DPU version: 0
HSP version: 2.3(6) (PRODUCTION)
Time running: 2w1d
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 2000
Maximum SA index: 2000
Maximum Flow index: 4000
Maximum RSA key size: 2048
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Disabled
Location: onboard 0
Product Name: Onboard-VPN
Middleware Version: v1.2.0
Firmware Version: v2.2.0
Time running: 4294967 seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0300
Maximum SA index: 0300
Maximum Flow index: 2400
Maximum RSA key size: 2048
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: 2B1165F6
crypto engine state: installed
crypto engine in slot: N/A
#sh crypto engine acc st
Device: AIM-VPN/EPII-PLUS
Location: AIM Slot: 0
Virtual Private Network (VPN) Module in slot : 0
Statistics for Hardware VPN Module since the last clear
of counters 4294967 seconds ago
1874939192 packets in 1874939192 packets out
1261321698746 bytes in 1253823148613 bytes out
436 paks/sec in 436 paks/sec out
2349 Kbits/sec in 2335 Kbits/sec out
854517266 packets decrypted 1020421926 packets encrypted
408532425032 bytes before decrypt 845290723581 bytes encrypted
362684564140 bytes decrypted 898637134608 bytes after encrypt
0 packets decompressed 0 packets compressed
0 bytes before decomp 0 bytes before comp
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass compres
0 bytes bypass decompres 0 bytes bypass compressi
0 packets not decompress 0 packets not compressed
0 bytes not decompressed 0 bytes not compressed
1.0:1 compression ratio 1.0:1 overall
7449227 commands out 7449227 commands acknowledged
Last 5 minutes:
109178 packets in 109178 packets out
363 paks/sec in 363 paks/sec out
2246154 bits/sec in 2271987 bits/sec out
70645444 bytes decrypted 10015162 bytes encrypted
1909336 Kbits/sec decrypted 270680 Kbits/sec encrypted
1.0:1 compression ratio 1.0:1 overall
Errors:
ppq full errors : 1193 ppq rx errors : 2
cmdq full errors : 0 cmdq rx errors : 0
ppq down errors : 0 cmdq down errors : 0
no buffer : 0 replay errors : 43499
dest overflow : 0 authentication errors : 7
Other error : 0 Raw Input Underrun : 0
IPSEC Unsupported Option: 0 IPV4 Header Length : 0
ESP Pad Length : 0 IPSEC Decompression : 0
AH ESP seq mismatch : 0 AH Header Length : 0
AH ICV Incorrect : 0 IPCOMP CPI Mismatch : 0
IPSEC ESP Modulo : 0 Unexpected IPV6 Extensio: 0
Unexpected Protocol : 0 Dest Buf overflow : 0
IPSEC Pkt is fragment : 0 IPSEC Pkt src count : 0
Invalid IP Version : 0 Unwrappable : 0
PPTP Duplicate packet : 0 PPTP Exceed max missed p: 0
RNG self test fail : 0 DF Bit set : 0
Hash Miscompare : 0 Unwrappable object : 0
Missing attribute : 0 Invalid attrribute value: 0
Bad Attribute : 0 Verification Fail : 0
Decrypt Failure : 0 Invalid Packet : 2
Invalid Key : 0 Input Overrun : 0
Input Underrun : 0 Output buffer overrun : 0
Bad handle value : 0 Invalid parameter : 0
Bad function code : 0 Out of handles : 0
Access denied : 0 Out of memory : 0
NR overflow : 0 pkts dropped : 1202
Warnings:
sessions_expired : 0 packets_fragmented : 0
general: : 0
HSP details:
hsp_operations : 7449243 hsp_sessions : 24
Looks like everything is fine.
Are there no errors on the switch through which the uplinks and the LAN are brought to the router?
Try removing shapers if there are any, nbar and so on.
You can try increasing memory-size iomem
Aren't there a lot of errors on the interface, plus suspicious ICMP activity? Eh?
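
Added example, not part of the thread and not written by any of its participants: a Python sketch that reads excerpts of the output posted above and quantifies two observations from the replies, the interrupt share of CPU (the second figure in `99%/96%`) and the ICMP/UDP counters in `sh ip traffic`. The function names and the choice of excerpt lines are assumptions of this example.

```python
import re

# Excerpts of the output posted in this thread (trimmed to the lines used below).
SHOW_PROC_CPU = """\
CPU utilization for five seconds: 99%/96%; one minute: 92%; five minutes: 87%
 83 798166704 432415053 1845 0.97% 1.12% 1.19% 0 IP Input
 5 74865556 4614885 16222 0.00% 0.18% 0.18% 0 Check heaps
 211 25171748 27164628 926 0.24% 0.18% 0.17% 0 Syslog
"""
SHOW_IP_TRAFFIC = """\
IP statistics:
 Rcvd: 2110104704 total, 40214361 local destination
 Sent: 119477457 generated, 1457218170 forwarded
ICMP statistics:
 Sent: 0 redirects, 58985451 unreachable, 115 echo, 130180 echo reply
UDP statistics:
 Rcvd: 26662807 total, 1622 checksum errors, 17521329 no port
"""

def cpu_split(text):
    """IOS prints total%/interrupt%; return (total, interrupt, process) for 5 s."""
    m = re.search(r"five seconds: (\d+)%/(\d+)%", text)
    total, intr = int(m.group(1)), int(m.group(2))
    return total, intr, total - intr

def listed_process_sum(text):
    """Sum the 5Sec column over the process rows present in the excerpt."""
    rows = re.findall(r"^\s*\d+\s+\d+\s+\d+\s+\d+\s+([\d.]+)%", text, re.M)
    return round(sum(float(r) for r in rows), 2)

def counter(text, section, direction, label):
    """Return the number printed before `label` on one Rcvd:/Sent: line."""
    body = re.search(rf"^{section} statistics:\n(.*?)(?=^\S|\Z)", text, re.M | re.S).group(1)
    line = re.search(rf"{direction}:(.*)", body).group(1)
    return int(re.search(rf"(\d+) {re.escape(label)}\b", line).group(1))

def summarize(cpu_text, traffic_text):
    """Collect the ratios discussed in the thread into one dict."""
    total, intr, proc = cpu_split(cpu_text)
    unreach = counter(traffic_text, "ICMP", "Sent", "unreachable")
    generated = counter(traffic_text, "IP", "Sent", "generated")
    no_port = counter(traffic_text, "UDP", "Rcvd", "no port")
    udp_rcvd = counter(traffic_text, "UDP", "Rcvd", "total")
    return {
        "interrupt_pct": intr,
        "process_pct": proc,
        "listed_process_sum": listed_process_sum(cpu_text),
        "udp_no_port_share": round(no_port / udp_rcvd, 3),
        "unreach_share_of_generated": round(unreach / generated, 3),
    }
```

On the posted counters this gives 96% interrupt versus 3% process-level CPU, about two thirds of received UDP datagrams hitting no listening port, and about half of the router-generated packets being ICMP unreachables.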