I have a 2801SEC/K9 running 12.4.22T Advanced Security code. I have a 3 T1 multilink configured. It was working fine until the other day I start getting calls about the internet being down, so I send a tech over and he reboots it and it is fixed for a while, then the problem comes back.
So I look at it and the CPU and Memory are pegged, lots of (fragment) processes and the biggest user of CPU is the "IP Input" process.
So I thought it was a router problem and replaced the 2801 with a 3620 I had that was running Firewall code. It too has the same problem - CPU maxes out quickly, even when I only inspect one protocol, like http, outbound.
If I shut down the multilink interface, the CPU usage drops to like 20% immediately.
Also, when the 2801 CPU gets maxed, I keep getting (%LINK3-UPDOWN - Interface FastEthernet 0/1 state changed to up) repeatedly every few seconds.
Anyone know how to troubleshoot this? Is it a worm or DoS attack?