C2821 CPU overload

falain
Level 1

I use a 2821 IOSFW for internet access

It holds 14 DMZ (one Vlan / server on each)

and about 2000 internal internet daily users.

My internet access is 10Mbps symmetric.

When traffic grows, CPU grows correspondingly with IP traffic, up to 50%.

I suppose that CPU load is due to IP NAT, ACLs and CBAC between inside and outside.

Some external Citrix users sometimes lose their connection.

Cisco's Commercial argues that I should migrate to an ASA 5510, but I need some features like PBR which is unavailable.

I am looking for a serious diagnostic method.

4 Replies

Collin Clark
VIP Alumni

Try checking the CPU load during low volume and high volume times.

show proc cpu | e 0.00% 0.00% 0.00%

I don't think you'll get a definitive answer but it should help point in the right direction.

Also check this-

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t4/feature/guide/fw800.html#wp20431

CBAC was designed for SMBs, not really Enterprises. I understand that routers work better (and I usually suggest them to my customers), but you might have to figure out new routing techniques and put in an ASA firewall.

Hope that helps.
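One way to turn the low-volume versus high-volume comparison above into a repeatable check, as an added example that is not part of the original thread: parse two captures of `show proc cpu`, apply the same `0.00% 0.00% 0.00%` filter, and split the growth into interrupt-level (per-packet fast-path work such as NAT, ACLs and inspection) versus process-level CPU. The two sample outputs are constructed with illustrative values.

```python
import re

# Constructed "show proc cpu" samples with illustrative values (not from the thread),
# one at low traffic and one during the busy period.
LOW_SAMPLE = """\
CPU utilization for five seconds: 18%/9%; one minute: 17%; five minutes: 16%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       95000    120000        791  4.10%  4.00%  3.90%   0 IP Input
  41       20000     30000        666  2.30%  2.10%  2.00%   0 IP NAT Ager
  10        5000      6000        833  0.00%  0.00%  0.00%   0 Check heaps
"""
HIGH_SAMPLE = """\
CPU utilization for five seconds: 52%/35%; one minute: 49%; five minutes: 47%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3      480000    600000        800 11.70% 11.20% 10.90%   0 IP Input
  41       60000     90000        666  2.70%  2.60%  2.50%   0 IP NAT Ager
  10        5200      6200        838  0.00%  0.00%  0.00%   0 Check heaps
"""

HEADER_RE = re.compile(r"five seconds: (\d+)%/(\d+)%")  # total% / interrupt%
# PID Runtime Invoked uSecs 5Sec 1Min 5Min TTY Process (name may contain spaces)
PROC_RE = re.compile(r"^\s*\d+\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+\S+\s+(.+?)\s*$")

def parse_proc_cpu(text):
    """Return 5-second total/interrupt utilization and each busy process's 5Sec share."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no CPU utilization header found")
    total, interrupt = int(m.group(1)), int(m.group(2))
    procs = {}
    for pm in filter(None, map(PROC_RE.match, text.splitlines())):
        five, one, five_min, name = pm.groups()
        if five == one == five_min == "0.00":  # same as '| e 0.00% 0.00% 0.00%'
            continue
        procs[name] = float(five)
    return {"total": total, "interrupt": interrupt,
            "process_level": total - interrupt, "procs": procs}

def compare_samples(low_text, high_text):
    """Split CPU growth into interrupt-level (per-packet fast-path work such as
    NAT, ACLs and inspection) versus process-level, and rank processes by growth."""
    low, high = parse_proc_cpu(low_text), parse_proc_cpu(high_text)
    names = set(low["procs"]) | set(high["procs"])
    deltas = [(n, round(high["procs"].get(n, 0.0) - low["procs"].get(n, 0.0), 2))
              for n in names]
    return {"interrupt_delta": high["interrupt"] - low["interrupt"],
            "process_delta": high["process_level"] - low["process_level"],
            "per_process": sorted(deltas, key=lambda d: -d[1])}
```

Call `compare_samples()` with the two captures; when most of the growth lands in `interrupt_delta`, the extra load is per-packet forwarding work rather than a single runaway process.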

I find quite a lot of %FW log msgs

%FW-6-DROP_TCP_PKT: Dropping tcp pkt xxx => yyy due to Invalid Seq# -- ip ident 37313 tcpflags 0x8010 seq.no 2048715884 ack 3899465202

Is it an overload symptom?

I attached some stat counts.

Thanks for the reply, but for now, due to budget restrictions, I must face the problem without investments.

CPU is mainly due to outbound http traffic.

1) I moved Http PBR from the 2821 to the inside C3750E VLAN switch.

I hope I will gain 10-20% of CPU.

2) Http outbound traffic goes to a squid proxy machine.

If I connect Squid's second Eth Int to another Internet IosFW router (using a free public IP address), maybe I can reduce the CPU overload of the 2821.

I guess Http inspect CBAC is the biggest CPU consumer.

Do you know if there is a better IOSFW release which runs CBAC in hardware, as the ASA's ASIC does?

For now, I run IosFW 12.4.16 standard train.

Best regards

Farrukh Haroon
VIP Alumni

Downgrade the router from an Advanced Sec license to lower and get an ASA :)

You are pushing the router to its limits it seems. Have you looked at the optimization for CBAC?

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftfirewl.html

Regards

Farrukh
