6500 High CPU Utilization with NAT

Unanswered Question
Dec 13th, 2007

Hi all,

I've recently configured a destination NAT on a 6500 with Sup-720. The configuration is like this:


mls flow ip interface-full
mls rp ip input-acl
mls rp ip route-map
mls rp ip
no mls flow ipv6
no mls acl tcam share-global
mls cef error action freeze
mls ip cef rpf hw-enable-rpf-acl

interface GigabitEthernet1/1.14
 description Servers
 encapsulation dot1Q 14
 ip address
 no ip redirects
 no ip proxy-arp
 ip nat inside
 mls rp ip

interface Vlan20
 ip address
 ip nat outside
 ip wccp web-cache redirect in
 mls rp ip

ip nat pool redirect prefix-length 24 type rotary
ip nat inside destination list notice pool redirect

ip access-list extended redirect-notice
 permit ip any


The problem is that we receive something like 14% process switched for IP Input and, to our surprise, 82% hardware switch CPU utilization. The box starts to drop packets after that and we are forced to remove NAT. Without NAT the device is handling 300 Mbps of traffic with just 5% CPU utilization.

CPU utilization for five seconds: 99%/82%; one minute: 22%; five minutes: 9%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 123    17024692 133043688    127 13.67%  3.64%  1.73%   0 IP Input

Another important issue is that whenever we activate the NAT, the following error appears on the console.

Dec 13 10:11:21.231: %FM_EARL7-4-FEAT_FLOWMASK_REQ_CONFLICT: Feature NAT requested flowmask Intf Full Flow conflicts with other features on interface GigabitEthernet1/1.14, flowmask request Unsuccessful for the feature

Dec 13 10:11:21.251: %FM-2-FLOWMASK_CONFLICT: Features configured on interface Vlan20 have conflicting flowmask requirements, traffic may be switched in software

Dec 13 10:11:21.259: %FM_EARL7-4-MLS_FLOWMASK_CONFLICT: mls flowmask may not be honored on interface Vlan20 due to flowmask conflict

We have tried both flow ip masks, interface-full and full, but there was no difference. Any time we use "mls ip nat netflow-frag-l4-zero" the CPU utilization drops suddenly to 5%, but the NAT is not functioning and the NAT translation table is empty. The IOS currently running on the box is "s72033-advipservicesk9_wan-mz.122-18.SXF12.bin". Does anyone have any idea?

owillins Thu, 12/20/2007 - 06:52

This message indicates that the configured features for this interface have a flow mask conflict.
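
The console messages and CPU summary quoted in this thread can be correlated mechanically. The following Python script is an added example, not part of either post: it groups the flowmask-conflict messages by interface and splits the five-second CPU figure into interrupt-level and process-level load. The function name `analyze`, the 50% interrupt threshold and the embedded sample (copied from the question) are assumptions made for illustration.

```python
import re

# Constructed sample: the console messages and CPU summary quoted in the question.
SAMPLE = """\
Dec 13 10:11:21.231: %FM_EARL7-4-FEAT_FLOWMASK_REQ_CONFLICT: Feature NAT requested flowmask Intf Full Flow conflicts with other features on interface GigabitEthernet1/1.14, flowmask request Unsuccessful for the feature
Dec 13 10:11:21.251: %FM-2-FLOWMASK_CONFLICT: Features configured on interface Vlan20 have conflicting flowmask requirements, traffic may be switched in software
Dec 13 10:11:21.259: %FM_EARL7-4-MLS_FLOWMASK_CONFLICT: mls flowmask may not be honored on interface Vlan20 due to flowmask conflict
CPU utilization for five seconds: 99%/82%; one minute: 22%; five minutes: 9%
"""

FLOWMASK_MSG = re.compile(r"%([A-Z0-9_]+)-(\d)-(\w*FLOWMASK\w*): (.*)")
IFACE = re.compile(r"on interface ([^\s,]+)")
FEATURE = re.compile(r"Feature (\S+) requested flowmask (.+?) conflicts")
CPU = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%")


def analyze(text, interrupt_threshold=50):
    """Group flowmask-conflict messages by interface and split the CPU figure.

    interrupt_threshold is an assumed cut-off for this example, not a vendor value.
    """
    interfaces, cpu = {}, None
    for line in text.splitlines():
        msg = FLOWMASK_MSG.search(line)
        if msg:
            facility, severity, mnemonic, body = msg.groups()
            iface = IFACE.search(body)
            entry = interfaces.setdefault(
                iface.group(1) if iface else "unknown",
                {"messages": [], "features": {}, "worst_severity": 7},
            )
            entry["messages"].append(f"{facility}-{severity}-{mnemonic}")
            # Syslog severity: a lower number is more severe.
            entry["worst_severity"] = min(entry["worst_severity"], int(severity))
            feat = FEATURE.search(body)
            if feat:  # which feature asked for which flowmask
                entry["features"][feat.group(1)] = feat.group(2)
            continue
        load = CPU.search(line)
        if load:
            total, interrupt = map(int, load.groups())
            # IOS prints total/interrupt; the difference is process-level load.
            cpu = {"total": total, "interrupt": interrupt, "process": total - interrupt}
    # Heuristic: a conflict was logged and interrupt-level CPU is high.
    suspected = bool(interfaces) and cpu is not None and cpu["interrupt"] >= interrupt_threshold
    return {"interfaces": interfaces, "cpu": cpu, "software_switching_suspected": suspected}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE), indent=2))
```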

