C2821 CPU overload

Unanswered Question
Aug 18th, 2008

I use a 2821 IOSFW for internet access

It holds 14 DMZs (one VLAN / server on each)

and about 2000 internal daily Internet users.

My Internet access is 10Mbps symmetric.

When traffic grows, CPU load grows in proportion to IP traffic, up to 50%.

I suppose that the CPU load is due to IP NAT, ACLs and CBAC between inside and outside.

Some external Citrix users sometimes lose their connection.

Cisco's sales rep argues that I should migrate to an ASA 5510, but I need some features, like PBR, which are unavailable on it.

I am looking for a serious diagnostic method.

Collin Clark Mon, 08/18/2008 - 09:16

Try checking the CPU load during low volume and high volume times.

show proc cpu | e 0.00% 0.00% 0.00%

I don't think you'll get a definitive answer but it should help point in the right direction.

Also check this-


CBAC was designed for SMBs, not really enterprises. I understand that routers work better (and I usually suggest them to my customers), but you might have to figure out new routing techniques and put in an ASA firewall.

Hope that helps.
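A way to carry out the low-volume / high-volume comparison suggested above, as an added example that is not from the thread: it parses two `show processes cpu` captures, splits the five-second figure into interrupt-level load (the number after the slash, where CEF-switched packets, including NAT and ACL handling, are processed) and process-level load, and reports which named processes grew between the two samples. The sample output, the process percentages and the presence of the processes shown are constructed for illustration; only the line layout follows IOS 12.4.

```python
"""Compare a quiet and a busy `show processes cpu` sample from an IOS router.

Added example (not from the original thread). SAMPLE_LOW / SAMPLE_HIGH are
constructed to look like IOS 12.4 output; the numbers are invented and are
not measurements from the poster's 2821.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_LOW = """\
CPU utilization for five seconds: 12%/9%; one minute: 11%; five minutes: 10%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           4         1       4000  0.00%  0.00%  0.00%   0 Chunk Manager
   3       71400    123000        580  0.80%  0.70%  0.70%   0 Exec
  40      180300   9100000         19  1.20%  1.10%  1.00%   0 IP Input
  75       22800     91000        250  0.40%  0.40%  0.30%   0 SNMP ENGINE
"""

SAMPLE_HIGH = """\
CPU utilization for five seconds: 51%/44%; one minute: 49%; five minutes: 47%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           4         1       4000  0.00%  0.00%  0.00%   0 Chunk Manager
   3       71900    124000        580  0.80%  0.70%  0.70%   0 Exec
  40     2480300  71000000         34  4.90%  4.60%  4.40%   0 IP Input
  75       23100     92000        251  0.40%  0.40%  0.30%   0 SNMP ENGINE
"""

# Header: "CPU utilization for five seconds: 51%/44%; ...". The value after
# the slash is time spent at interrupt level (packet switching in the fast
# path); total minus that is process-level time (IP Input, SNMP, Exec, ...).
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# Per-process rows: PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s+(.+?)\s*$"
)


@dataclass
class Proc:
    pid: int
    name: str
    five_sec: float
    one_min: float
    five_min: float


@dataclass
class CpuSnapshot:
    total_5s: int
    interrupt_5s: int
    one_min: int
    five_min: int
    procs: List[Proc] = field(default_factory=list)

    @property
    def process_level_5s(self) -> int:
        return self.total_5s - self.interrupt_5s


def parse_show_proc_cpu(text: str) -> CpuSnapshot:
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'CPU utilization' header found")
    snap = CpuSnapshot(*(int(x) for x in m.groups()))
    for line in text.splitlines():
        pm = PROC_RE.match(line)
        if pm:
            pid, _rt, _inv, _us, s5, m1, m5, _tty, name = pm.groups()
            snap.procs.append(Proc(int(pid), name, float(s5), float(m1), float(m5)))
    return snap


def busy_processes(snap: CpuSnapshot) -> List[Proc]:
    """Same effect as `show proc cpu | e 0.00% 0.00% 0.00%`: hide idle rows."""
    return [p for p in snap.procs if (p.five_sec, p.one_min, p.five_min) != (0.0, 0.0, 0.0)]


def compare(low: CpuSnapshot, high: CpuSnapshot) -> Dict:
    """Attribute the growth between a quiet and a busy sample."""
    low_by_name = {p.name: p.five_sec for p in low.procs}
    growth: List[Tuple[str, float]] = []
    for p in high.procs:
        delta = round(p.five_sec - low_by_name.get(p.name, 0.0), 2)
        if delta > 0:
            growth.append((p.name, delta))
    growth.sort(key=lambda t: t[1], reverse=True)
    interrupt_delta = high.interrupt_5s - low.interrupt_5s
    process_delta = high.process_level_5s - low.process_level_5s
    return {
        "total_delta": high.total_5s - low.total_5s,
        "interrupt_delta": interrupt_delta,
        "process_delta": process_delta,
        # Growth at interrupt level means per-packet fast-path work (NAT,
        # ACLs, inspection); growth at process level points at a named
        # process, e.g. IP Input for packets that are process-switched.
        "attribution": "interrupt" if interrupt_delta >= process_delta else "process",
        "top_growth": growth,
    }


if __name__ == "__main__":
    low, high = parse_show_proc_cpu(SAMPLE_LOW), parse_show_proc_cpu(SAMPLE_HIGH)
    r = compare(low, high)
    print(f"total +{r['total_delta']}%: interrupt +{r['interrupt_delta']}%, "
          f"process +{r['process_delta']}% -> {r['attribution']} level")
    for name, delta in r["top_growth"]:
        print(f"  {name:<16} +{delta:.2f}%")
    print("busy at peak:", [p.name for p in busy_processes(high)])
```

Take the two captures a few seconds apart from the same session (the five-second column is what moves), and read the slash figure first: if nearly all of the growth is on the interrupt side, no process in the list will explain it and the cost is in the per-packet path.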

falain Tue, 08/19/2008 - 07:19

I find quite a lot of %FW log messages

%FW-6-DROP_TCP_PKT: Dropping tcp pkt xxx => yyy due to Invalid Seq# -- ip ident 37313 tcpflags 0x8010 seq.no 2048715884 ack 3899465202

Is it an overload symptom?

Some stat counts are attached.
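An added example (not from the thread) for putting a number on "quite a lot" of those messages: it parses %FW-6-DROP_TCP_PKT lines out of a syslog export and counts drops per reason, per TCP session and per minute, so the drop rate can be laid beside CPU samples taken at the same times and a few flapping sessions can be told apart from a broad problem. The log lines are constructed: addresses are from documentation ranges, the message layout follows the line quoted in the post, the timestamp form assumes `service timestamps log datetime`, and the Citrix servers are assumed to listen on TCP 1494 (ICA).

```python
"""Summarise %FW-6-DROP_TCP_PKT messages from an IOS firewall syslog export.

Added example (not from the original thread). SAMPLE_LOG is constructed;
only the message layout follows the line quoted in the post.
"""
import re
from collections import Counter
from typing import Dict, Optional

SAMPLE_LOG = """\
Aug 19 07:10:01: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 203.0.113.7:49800 => 192.0.2.10:1494 due to Invalid Seq# -- ip ident 37313 tcpflags 0x8010 seq.no 2048715884 ack 3899465202
Aug 19 07:10:03: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 203.0.113.7:49800 => 192.0.2.10:1494 due to Invalid Seq# -- ip ident 37320 tcpflags 0x8010 seq.no 2048717344 ack 3899465202
Aug 19 07:10:09: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.5)
Aug 19 07:11:15: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 198.51.100.44:51022 => 192.0.2.11:1494 due to Invalid Seq# -- ip ident 1201 tcpflags 0x8010 seq.no 11223344 ack 55667788
Aug 19 07:11:40: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 203.0.113.7:49800 => 192.0.2.10:1494 due to Invalid Seq# -- ip ident 37400 tcpflags 0x8010 seq.no 2048720000 ack 3899465202
"""

# Timestamp (to the minute), then the fields of the quoted message.
# A leading '*' (uptime-derived clock) and .msec fractions are tolerated.
DROP_RE = re.compile(
    r"^\*?(?P<minute>\w{3}\s+\d+\s+\d\d:\d\d):\d\d(?:\.\d+)?:\s+"
    r"%FW-6-DROP_TCP_PKT: Dropping tcp pkt "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) -- ip ident (?P<ident>\d+) "
    r"tcpflags (?P<flags>0x[0-9a-fA-F]+) seq\.no (?P<seq>\d+) ack (?P<ack>\d+)"
)


def parse_drop(line: str) -> Optional[Dict]:
    """Return the fields of one drop message, or None for any other line."""
    m = DROP_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "ident", "seq", "ack"):
        d[key] = int(d[key])
    d["flags"] = int(d["flags"], 16)
    return d


def summarize(log: str) -> Dict:
    by_reason: Counter = Counter()
    by_flow: Counter = Counter()
    per_minute: Counter = Counter()
    ignored = 0
    for line in log.splitlines():
        d = parse_drop(line)
        if d is None:
            ignored += 1
            continue
        by_reason[d["reason"]] += 1
        # Key on both endpoints: the same session hit repeatedly looks very
        # different from many sessions each hit once.
        by_flow[(d["src"], d["sport"], d["dst"], d["dport"])] += 1
        per_minute[d["minute"]] += 1
    return {
        "drops": sum(by_reason.values()),
        "ignored": ignored,
        "by_reason": by_reason,
        "by_flow": by_flow,
        "per_minute": per_minute,
    }


def peak_drops_per_minute(summary: Dict) -> int:
    mins = summary["per_minute"]
    return max(mins.values()) if mins else 0


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['drops']} drops ({s['ignored']} other lines skipped)")
    for reason, n in s["by_reason"].most_common():
        print(f"  {n:4d}  {reason}")
    print("busiest sessions:")
    for (src, sport, dst, dport), n in s["by_flow"].most_common(3):
        print(f"  {n:4d}  {src}:{sport} -> {dst}:{dport}")
    print("peak per minute:", peak_drops_per_minute(s))
```

Run it over the same window as the CPU samples: a drop rate that tracks the interrupt-level CPU curve, concentrated on a few long-lived sessions to port 1494, is the shape to look for before deciding whether the firewall or the Citrix path is at fault.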

falain Tue, 08/26/2008 - 07:29

Thanks for the reply, but for now, due to budget restrictions, I must face the problem without new investment.

CPU is mainly due to outbound http traffic.

1) I moved the HTTP PBR from the 2821 to the inside C3750E VLAN switch.

I hope to gain 10-20% CPU.

2) HTTP outbound traffic goes to a Squid proxy machine.

If I connect Squid's second Ethernet interface to another Internet IOS FW router (using a free public IP address), maybe I can reduce the CPU overload on the 2821.

I guess HTTP CBAC inspection is the biggest CPU consumer.

Do you know if there is a better IOS FW release which runs CBAC in hardware, as the ASA's ASIC does?

For now, I run IOS FW 12.4.16, standard train.

Best regards
