Is my ACL or Syslogging affecting my performance? Connections timing out...

Unanswered Question
Apr 5th, 2010

All,


I suspect that my ACL length or the amount of syslogging I'm doing is causing my computer connections to drop / time out.  I'm logging both to buffered and to a syslog server.  The syslog server is my preference.


Would somebody mind taking a look at my configuration and tell me what I've done to cause this to myself?


James


=========


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
logging userinfo
logging buffered 24096 informational
no logging console
enable secret 5 XXXXXXXXXXXXXXXXXXXXX

!
aaa new-model
!
!
aaa authentication login default local enable
aaa authentication login userauthen local
aaa authorization exec default local if-authenticated
aaa authorization commands 15 default local if-authenticated
aaa authorization network default local if-authenticated
aaa authorization network groupauthor local if-authenticated
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
ip domain name Router
ip host Router 10.10.10.1
ip name-server 205.152.144.23
ip name-server 205.152.132.23
no ip bootp server
ip flow-cache timeout active 1
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 60 attempts 3 within 60
login on-failure log
login on-success log
!
!
!
username YYYYYYY password 7 XXXXXXXXXXXXXXXXXXXXX
archive
log config
  logging enable
  notify syslog
  hidekeys
!
!
ip ssh time-out 60
ip ssh version 2
!
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip access-group FromLAN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Ethernet2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
hold-queue 100 out
!
interface ATM0
bandwidth 384
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
  vbr-nrt 384 384
  max-reserved-bandwidth 80
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
shutdown
duplex auto
speed auto
!
interface FastEthernet3
shutdown
duplex auto
speed auto
!
interface FastEthernet4
shutdown
duplex auto
speed auto
!
interface Dialer1
bandwidth 384
ip address negotiated
ip access-group FromInternet in
ip verify unicast reverse-path
ip mtu 1492
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname
ppp chap password 7 XXXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXX
ppp ipcp dns request
ppp ipcp wins request
!
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 23 interface Dialer1 overload
!
!
ip access-list extended FromInternet
permit ip 66.175.107.192 0.0.0.31 any log
permit ip host 74.233.236.14 any log
  permit ip host 205.152.144.23 any log
permit ip host 204.152.132.23 any log
  permit ip 65.25.8.224 0.0.0.31 any log
permit ip 69.25.240.224 0.0.0.31 any log
permit ip host 66.165.74.175 any log
  permit ip host 67.51.255.195 any log
permit ip host 66.165.74.195 any log
permit ip host 204.245.225.195 any log
  permit ip host 204.245.227.39 any log
  permit ip 65.215.93.0 0.0.0.255 any log
permit ip host 192.92.91.53 any log
  permit ip 67.151.126.192 0.0.0.31 any log
permit ip host 66.38.151.217 any log
  permit ip host 93.184.71.27 any log
permit ip 89.202.149.32 0.0.0.31 any log
permit ip 89.202.157.224 0.0.0.31 any log
permit ip 89.202.157.192 0.0.0.31 any log
permit ip host 90.183.101.10 any log
permit ip 62.67.184.64 0.0.0.31 any log
permit ip host 93.184.71.10 any log
permit ip host 93.184.71.21 any log
  permit tcp host 69.173.64.15 any eq 123 log
permit udp host 69.173.64.15 any eq ntp log
permit tcp host 66.254.57.165 any eq 123 log
permit udp host 66.254.57.165 any eq ntp log
  deny   ip host 0.0.0.0 any log
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 224.0.0.0 31.255.255.255 any
deny   ip 169.254.0.0 0.0.255.255 any
deny   ip 66.252.232.0 0.0.1.255 any
deny   ip 216.89.237.0 0.0.0.255 any
  deny   udp any any eq netbios-ns log-input
deny   udp any any eq netbios-dgm log-input
deny   tcp any any eq 135 log-input
deny   tcp any any eq 139 log-input
deny   tcp any any eq 443 log-input
deny   tcp any any eq 445 log-input
deny   udp any any eq 1434 log-input
deny   tcp any any eq 3389 log-input
deny   tcp any any eq 4444 log-input
  deny   tcp any any eq telnet log-input
deny   tcp any any eq www log-input
  deny   icmp any any echo log-input
  permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit icmp any any source-quench
  deny   ip any any
ip access-list extended FromLAN
  permit udp any host 205.152.144.23 eq domain
permit udp any host 204.152.132.23 eq domain
permit udp any host 10.10.10.1 eq domain
permit tcp any host 205.152.144.23 eq domain
permit tcp any host 204.152.132.23 eq domain
permit tcp any host 10.10.10.1 eq domain
  permit ip any 65.25.8.224 0.0.0.31 log
permit ip any 69.25.240.224 0.0.0.31 log
permit ip any host 66.165.74.175 log
  permit ip any host 67.51.255.195 log
permit ip any host 66.165.74.195 log
permit ip any host 204.245.225.195 log
  permit ip any host 204.245.227.39 log
  permit ip any 67.151.126.192 0.0.0.31 log
permit ip any host 66.38.151.217 log
  permit ip any 65.215.93.0 0.0.0.255 log
permit ip any host 192.92.91.53 log
  permit ip any host 66.165.171.186 log
  permit ip any host 93.184.71.27 log
permit ip any 89.202.149.32 0.0.0.31 log
permit ip any 89.202.157.192 0.0.0.31 log
permit ip any 89.202.157.224 0.0.0.31 log
permit ip any host 90.183.101.10 log
permit ip any 62.67.184.64 0.0.0.31 log
permit ip any host 93.184.71.10 log
permit ip any host 93.184.71.21 log
  permit ip any host 72.3.254.86 log
  permit ip any host 12.34.65.180 log
permit ip any 64.28.78.160 0.0.0.31 log
permit ip any host 198.171.138.207 log
permit ip any host 209.161.16.30 log
permit ip any host 82.165.61.145 log
  permit ip any 12.34.65.0 0.0.0.255 log
  permit udp any any eq bootps bootpc
permit udp any any eq bootps bootps
  permit ip any 171.128.0.0 0.63.255.255 log
permit ip any 171.192.0.0 0.7.255.255 log
permit ip any 171.200.0.0 0.3.255.255 log
permit ip any 171.204.0.0 0.1.255.255 log
permit ip any 171.206.0.0 0.1.255.255 log
  permit ip any 66.175.107.192 0.0.0.31 log
  permit tcp any host 140.239.191.10 log
permit udp any host 140.239.191.10 log
  permit tcp any host 12.148.220.160 log
permit udp any host 12.148.220.160 log
  permit tcp any 209.46.44.0 0.0.0.255 log
permit udp any 209.46.44.0 0.0.0.255 log
  deny   ip any host 64.4.20.174 log
deny   ip any host 64.4.20.169 log
deny   ip any host 64.4.20.184 log
deny   ip any host 64.4.20.186 log
deny   ip any host 80.12.96.17 log
deny   ip any host 80.12.96.64 log
deny   ip any host 192.204.11.25 log
deny   ip any host 192.204.11.35 log
deny   ip any host 192.204.11.49 log
deny   ip any host 192.204.11.80 log
deny   ip any host 198.64.174.41 log
deny   ip any host 198.64.174.64 log
deny   ip any host 209.107.220.27 log
deny   ip any host 209.107.220.35 log
deny   ip any host 209.107.220.59 log
deny   ip any host 209.107.220.82 log
  deny   ip any host 65.54.165.136 log
deny   ip any host 65.54.165.137 log
deny   ip any host 65.54.165.175 log
deny   ip any host 65.54.165.177 log
deny   ip any host 65.54.186.17 log
deny   ip any host 65.54.186.19 log
deny   ip any host 65.54.186.47 log
deny   ip any host 65.54.186.49 log
deny   ip any host 65.54.186.77 log
deny   ip any host 65.54.186.79 log
deny   ip any host 65.54.186.107 log
deny   ip any host 65.54.186.109 log
  deny   ip any host 65.55.17.25 log
deny   ip any host 65.55.17.26 log
deny   ip any host 65.55.17.27 log
  permit tcp any 62.67.184.64 0.0.0.31 eq www 443 log
permit tcp any 64.0.0.0 0.0.255.255 eq www 443 log
permit tcp any 64.4.0.0 0.0.63.255 eq www 443 log
permit tcp any 64.94.0.0 0.1.255.255 eq www 443 log
permit tcp any 64.142.64.0 0.0.63.255 eq www 443 log
permit tcp any 64.158.0.0 0.0.255.255 eq www 443 log
permit tcp any 64.211.0.0 0.0.127.255 eq www 443 log
permit tcp any 64.211.128.0 0.0.63.255 eq www 443 log
permit tcp any 64.211.192.0 0.0.31.255 eq www 443 log
permit tcp any 64.212.0.0 0.3.255.255 eq www 443 log
permit tcp any 65.48.0.0 0.7.255.255 eq www 443 log
permit tcp any 65.59.0.0 0.0.255.255 eq www 443 log
permit tcp any 68.142.64.0 0.0.63.255 eq www 443 log
permit tcp any 207.46.0.0 0.0.255.255 eq www 443 log
permit tcp any 207.138.0.0 0.0.255.255 eq www 443 log
permit tcp any 208.73.208.0 0.0.7.255 eq www 443 log
permit tcp any 208.172.0.0 0.0.255.255 eq www 443 log
permit tcp any 213.138.128.0 0.0.31.255 eq www 443 log
permit ip any host 74.233.55.33 log
deny   ip any any
logging history debugging
logging trap debugging
logging origin-id hostname
logging source-interface Dialer1
logging 74.233.236.14
access-list 23 permit 10.10.10.0 0.0.0.255 log
access-list 23 deny   any log
access-list 24 permit 74.233.55.33 log
access-list 24 permit 66.175.107.192 0.0.0.31 log
access-list 24 deny   any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner motd ^CCC
*** Unauthorized access is strictly prohibited.  ALL connections are monitored.
***^C
!
line con 0
exec-timeout 15 0
no modem enable
stopbits 1
line aux 0
exec-timeout 15 0
stopbits 1
line vty 0 4
access-class 24 in
exec-timeout 120 0
password 7 XXXXXXXXXXXXXXXX
length 0
transport input ssh
!
scheduler max-task-time 5000
ntp logging
ntp authenticate
ntp clock-period 17179896
ntp source Dialer1
ntp server 69.173.64.15
ntp server 66.254.57.165
end

Federico Coto F... Mon, 04/05/2010 - 08:26

Hi,


The best way to make sure whether the logs are responsible for the performance issues is to cancel logging to the router's buffer and just leave syslogging to the syslog server.

See if there are any changes.


Also, check the CPU of the router and which process is causing the maximum consumption.


Federico.

jaesposito Mon, 04/05/2010 - 08:28

Federico,


Thanks.


Would you mind providing me with the IOS command to do so?


Also, what commands can I run to check the utilization of the CPU by any processes?  What should I look for in particular if I suspect that syslogging is responsible for any performance impact?


Thanks!


James

Federico Coto F... Mon, 04/05/2010 - 08:35

James,


Use the following commands:


show processes cpu
show processes cpu history

sh processes cpu | i log


The last one is particular to logging.

The first one will give you a list of all the active processes interacting with the CPU.

The middle one shows the performance in the last minutes or days.


Federico.

jaesposito Mon, 04/05/2010 - 08:38

Federico,


Thanks.  I only want to log to my Syslog server.  What command(s) can I run to disable all other logging?


James

Federico Coto F... Mon, 04/05/2010 - 08:44

Do a ''show log''


It will show you exactly where you are sending logs to (console, buffer, syslog).


Then, for example to remove logging to the buffer, you do:  no logging buffered


Federico.
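
The `show log` / `no logging buffered` step above, written out as a config fragment. This is an added example, not the poster's final configuration and not something the thread verified: the "before" lines are copied from the posted config, everything under "after" is a suggested change. Assumptions: the syslog host 74.233.236.14 and source interface Dialer1 stay as posted; the rate-limit and threshold values are illustrative; the sequence number 70 assumes the default 10/20/30 numbering of the posted FromLAN entries and should be confirmed with `show access-list FromLAN` first. Two other things visible in the posted config that a practitioner would check in the same session: nearly every permit entry in FromInternet and FromLAN carries `log`, so each new flow generates a syslog message (and, with `logging trap debugging`, nothing is filtered before it leaves the router); and the second resolver appears as 205.152.132.23 under `ip name-server` but as 204.152.132.23 in both ACLs. If the address handed to clients via `import all` is the 205.x one, FromLAN drops those DNS queries at `deny ip any any`, which looks exactly like intermittent connection timeouts.

```cisco
! ---- before: logging section as posted ----
logging buffered 24096 informational
no logging console
logging history debugging
logging trap debugging
logging origin-id hostname
logging source-interface Dialer1
logging 74.233.236.14
!
! ---- after: syslog server only (suggested, not from the thread) ----
! stop the in-memory copy; console is already off; no copies to vty sessions
no logging buffered
no logging console
no logging monitor
! SNMP syslog history table: keep only warnings and above (was debugging)
logging history warnings
! send severity 6 (informational) and above to the server, not 7 (debug)
logging trap informational
! cap the router at 10 messages/second; errors and above are never dropped
logging rate-limit 10 except errors
logging origin-id hostname
logging source-interface Dialer1
logging 74.233.236.14
!
! ACL log messages are generated at process level.  Summarise them
! instead of emitting one per flow (100 is an illustrative value).
ip access-list log-update threshold 100
! On 12.4T and later images this also bounds ACL logging to one
! message per interval (milliseconds); leave it out if the parser
! rejects it on this release:
! ip access-list logging interval 5000
!
! Drop "log" from permit entries that match every normal flow and keep it
! on the deny entries you actually want to see.  Removing and re-adding an
! entry appends it at the END of a named ACL, after "deny ip any any", so
! re-insert it with its sequence number (70 assumed here, check first).
ip access-list extended FromLAN
 no permit ip any 65.25.8.224 0.0.0.31 log
 70 permit ip any 65.25.8.224 0.0.0.31
```

After the change, `show logging` should list only the syslog host as a destination, and `show access-list FromLAN` confirms the re-inserted entry kept its place above the final deny.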

jaesposito Mon, 04/05/2010 - 08:44

Federico,


I think we are making some progress.  Here is the output from the "sh processes cpu history".  How can I track down these spikes?


---------------------------


    222171212222121122222222212212112112211221212282221121221211
    974778495266933967112114101582774662766617293351256748257197
100
90                                               *
80     *                                         *
70     *                                         *
60     *                                         *
50     *                                         *
40     *                                         *
30 **  *   * **    **         *        *  *      *  *     *
20 ************** ********** **********************************
10 ##**#*******************************#*********#*************
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%


    862222222222226829722222222222222222222282222222222222222222222922222222
    597767666766779975677866677777677776776747776777777687676766778367776677
100                  *
90 *              * *                                             *
80 *              * **                     *                      *
70 **            ** **                     *                      *
60 **            ** **                     *                      *
50 **            ** **                     *                      *
40 **            ** **                     *                      *
30 ************************************************************************
20 ************************************************************************
10 ***************#**#*****************************************************
   0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
             0    5    0    5    0    5    0    5    0    5    0    5    0
                   CPU% per hour (last 72 hours)
                  * = maximum CPU%   # = average CPU%

Federico Coto F... Mon, 04/05/2010 - 08:55

The ''show processes cpu'' only gives you information about the last 5 seconds, one minute and last five minutes.


Continue to monitor the processes with the above command to see which process is consuming more of the CPU.

Pay special attention to the logging processes.


Federico.
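
Federico's three commands, and the history graph James pasted, can be worked through mechanically. The following is an added example (not from the thread and not Cisco tooling). It reads the digit rows at the top of a `show processes cpu history` graph (IOS prints each column's maximum vertically, tens digit above ones digit, most recent interval on the left), flags the columns that stand out from the median, and parses a `show processes cpu` listing to rank processes and to total the logging-related ones, which is what `sh processes cpu | i log` narrows the output to. The minute graph embedded in the block is an abbreviated copy of the one posted above; the process listing is constructed sample output with made-up percentages (the process names are real IOS process names). One value worth reading off the real output when the next spike happens is the header's `total%/interrupt%` split: packets that trigger a `log` entry on an ACE (almost every line in FromInternet and FromLAN) are punted to process level, so that load appears as process CPU under IP Input and Logger rather than as interrupt-level forwarding.

```python
"""Parse IOS 'show processes cpu' / 'show processes cpu history' output
to find CPU spikes and the processes behind them.

Added example for this thread, not Cisco tooling.  MINUTE_HISTORY is an
abbreviated copy of the 60-minute graph posted in the thread; PROC_SAMPLE
is a constructed listing whose numbers are made up."""
import re
from typing import Dict, List, Tuple

# Only the digit rows at the top of an IOS history graph carry data: each
# column is one interval (leftmost = most recent), the first row holds the
# tens digit and the second the ones digit of the maximum CPU% seen.
MINUTE_HISTORY = """\
    222171212222121122222222212212112112211221212282221121221211
    974778495266933967112114101582774662766617293351256748257197
100
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%
"""

# Constructed 'show processes cpu' output (percentages are made up).
PROC_SAMPLE = """\
CPU utilization for five seconds: 61%/3%; one minute: 24%; five minutes: 18%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   2        1204     38421         31  0.00%  0.00%  0.00%   0 Load Meter
   5     8812304   3120022       2824  0.81%  0.62%  0.59%   0 Check heaps
  24      912310    781022       1168 19.11%  8.21%  5.02%   0 IP Input
  77     2230091   1200341       1857 27.62% 10.04%  6.33%   0 Logger
  78       43120    410233        105  1.20%  0.91%  0.70%   0 Syslog
  79        1120     20011         55  0.16%  0.11%  0.10%   0 Syslog Traps
 112      411002    650018        632  9.90%  3.31%  2.15%   0 NAT-Manager
"""


def parse_cpu_history(graph: str) -> List[int]:
    """Per-column maximum CPU% of one history graph.  Takes the contiguous
    all-digit rows at the top (two below 100%, a third if IOS prints a
    hundreds row) and stacks them per column into one decimal number."""
    rows: List[str] = []
    for line in graph.splitlines():
        s = line.strip()
        if s.isdigit() and len(s) > 3:   # the '100' axis label is not a data row
            rows.append(s)
        elif rows:
            break                        # data rows are contiguous; stop at the plot
    if len(rows) < 2:
        raise ValueError("no digit rows found in graph")
    width = min(len(r) for r in rows)
    return [int("".join(r[i] for r in rows)) for i in range(width)]


def find_spikes(values: List[int], floor: int = 50,
                factor: float = 2.0) -> List[Tuple[int, int]]:
    """(position, max%) for intervals at or above `floor` and `factor` times
    the median.  Position 1 is the most recent interval (leftmost column)."""
    median = sorted(values)[len(values) // 2]
    return [(i + 1, v) for i, v in enumerate(values)
            if v >= floor and v >= factor * median]


HEADER_RE = re.compile(
    r"five seconds: (\d+)%/(\d+)%; one minute: (\d+)%; five minutes: (\d+)%")
PROC_RE = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+\S+\s+(.+?)\s*$")


def parse_cpu_header(text: str) -> Tuple[int, int, int, int]:
    """(total 5 s, interrupt-level 5 s, 1 min, 5 min).  A large gap between
    total and interrupt share means process-level work (punted packets,
    Logger) rather than fast-path forwarding."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("CPU utilization header not found")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def parse_processes(text: str) -> List[Dict[str, object]]:
    """One dict per process row: pid, five_sec, one_min, five_min, name."""
    procs: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            pid, s5, m1, m5, name = m.groups()
            procs.append({"pid": int(pid), "five_sec": float(s5),
                          "one_min": float(m1), "five_min": float(m5),
                          "name": name})
    return procs


def top_processes(procs, key: str = "five_sec", n: int = 3) -> List[str]:
    """Names of the n heaviest processes by the given column."""
    return [p["name"] for p in sorted(procs, key=lambda p: p[key], reverse=True)[:n]]


def logging_share(procs, key: str = "five_sec") -> float:
    """Combined CPU% of the logging-related processes, i.e. the rows that
    'show processes cpu | include log' would list (Logger, Syslog, ...)."""
    return round(sum(p[key] for p in procs if "log" in p["name"].lower()), 2)


if __name__ == "__main__":
    minutes = parse_cpu_history(MINUTE_HISTORY)
    print("minute spikes (position, max%):", find_spikes(minutes))
    print("header (total, interrupt, 1m, 5m):", parse_cpu_header(PROC_SAMPLE))
    procs = parse_processes(PROC_SAMPLE)
    print("top by 5 s:", top_processes(procs))
    print("logging share over 5 s: %.2f%%" % logging_share(procs))
```

Run it as-is to see the two minutes in the posted graph that stand out (the 77% and 85% columns); to use it on a live box, paste the output of `show processes cpu history` and `show processes cpu` into the two strings. Because `show processes cpu` only covers the last 5 s / 1 min / 5 min, the process listing has to be captured while a spike is in progress, for example from a script polling every few seconds and keeping the sample whose header total exceeds a threshold.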

jaesposito Mon, 04/05/2010 - 09:09

Federico,


Thanks a lot for the help.  One last question:


What is the name of the logging processes?  Is it:


Logger

Syslog

Syslog Traps


Thanks


James

Federico Coto F... Mon, 04/05/2010 - 09:18

I'm not 100% sure, but I think it is like this:


Logger is the process of logging locally on the router.

Syslog is the process of sending logs to the syslog server (these are solicited messages, poll messages)

Syslog traps are the unsolicited messages that are sent to the syslog server from the router.


Anyway, keep an eye on the three processes to make sure logging is not eating up the CPU.


Federico.
