
turbo acl problems

lexx
Level 1

We have been using a Cisco 7301 with compiled access-lists turned on for a long time, because it has a significant impact on performance, due to the long access-list.

But recently we've faced a problem: sometimes when we perform some minor changes in ACLs (usually adding or removing one or two rules in one or two ACLs), the system freezes for 60-80 seconds to recompile the new configuration. During this period it is inaccessible via both telnet and console, and almost all "active" services (BGP, for example) also don't respond. So, the question is: what can we do to avoid this issue?

Details on system below:

IOS version 12.3(14)T6 (c7301-is-mz.123-14.T6.bin)

Cisco 7301 (NPE) processor (revision E) with 983040K/65536K bytes of memory.

c7301#show access-list compiled | beg ACLs
74 ACLs, 70 active, 6288 builds, 3364 entries, 6456 ms last compile
70088163 history updates, 2000 history entries
0 mem limits, 128 Mb limit, 49 Mb max memory
0 compile failures, 0 priming failures
Overflows: L1 0, L2 0, L3 0
Table expands:[9]=0 [10]=8 [11]=8 [12]=0 [13]=6 [14]=7 [15]=2
L0: 3700Kb 6/7 16/17 3037/3038 16/17 1244/1245 6/7 8/9 4/5
L1: 2752Kb 34/150 3338/7683 2359/5122 9/50
L2: 3572Kb 1345/3415 1865/4266
L3: 13242Kb 1796/4821
Ex: 2024Kb
Tl:25291Kb 15083 equivs (10746 dynamic)
Memory chunk statistics: (number passed/number failed)
18864/0 chunk creates, 18861/n/a chunk destroys
9883454/322730* interrupt level, 8624231/0 process level allocations
* failures at interrupt level do not indicate a memory shortage
8757209/1 replenishes, 10354113/0 elements replenished *
* including element allocation at chunk creation time
0 online, 0 offline replenish suspends
MQC Turbo Classification is active.
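To compare the compiler counters before and after an ACL change, the summary lines of `show access-list compiled` shown in the question can be parsed into a dictionary and checked against thresholds. This is an added example, not part of the original post or Cisco tooling; the function names and both thresholds are assumptions, and the sample is a constructed subset of the output above.

```python
import re

# Constructed sample: a subset of the summary lines shown in the question.
SAMPLE = """\
74 ACLs, 70 active, 6288 builds, 3364 entries, 6456 ms last compile
0 mem limits, 128 Mb limit, 49 Mb max memory
0 compile failures, 0 priming failures
Overflows: L1 0, L2 0, L3 0
L3: 13242Kb 1796/4821
Tl:25291Kb 15083 equivs (10746 dynamic)
"""

def parse_compiled(text):
    """Parse `show access-list compiled` counters into a dict."""
    stats = {"tables_kb": {}}
    for line in (l.strip() for l in text.splitlines()):
        table = re.match(r"(L\d|Ex|Tl):\s*(\d+)Kb", line)
        if table:  # per-table memory, e.g. "L3: 13242Kb ..."
            stats["tables_kb"][table.group(1)] = int(table.group(2))
        elif line.startswith("Overflows:"):
            stats["overflows"] = sum(int(n) for n in re.findall(r"L\d (\d+)", line))
        elif re.match(r"\d+ [A-Za-z]", line):
            # comma-separated "<number> <label>" pairs, e.g. "6288 builds"
            for num, label in re.findall(r"(\d+) ([A-Za-z][A-Za-z ]*?)\s*(?:,|$)", line):
                stats[label.lower().replace(" ", "_")] = int(num)
    return stats

def findings(stats, max_compile_ms=10000, mem_ratio=0.8):
    """Return warnings; both thresholds are assumed values, tune per device."""
    out = []
    for key in ("compile_failures", "priming_failures", "overflows"):
        if stats.get(key, 0) > 0:
            out.append(f"{key}={stats[key]}")
    if stats.get("ms_last_compile", 0) > max_compile_ms:
        out.append(f"last compile {stats['ms_last_compile']} ms > {max_compile_ms} ms")
    limit = stats.get("mb_limit", 0)
    if limit and stats.get("mb_max_memory", 0) >= mem_ratio * limit:
        out.append(f"compiled ACL memory {stats['mb_max_memory']} of {limit} Mb")
    return out

if __name__ == "__main__":
    parsed = parse_compiled(SAMPLE)
    print(parsed)
    print(findings(parsed) or "no findings")
```

Capturing the parsed counters before and after each maintenance window gives a baseline for builds, last compile time and table memory to attach to a TAC case.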

3 Replies

Hi,

The symptom points to an IOS bug. It's very possible that may be the case as you are using an ED code.

See if you are seeing the same symptoms consistent with this bug. In this case the turbo ACL was modified when the ACL was applied on the ingress interface.

CSCsa72313 Bug Details

Headline: Turbo ACL: SYS-2-INTSCHED with ACL-processed traffic
Product: IOS
Feature: OTHERS
Components:
Duplicate of:
Severity: 2
Status: Resolved
First Found-in Version: 12.0S, 12.2S, 12.1E, 12.3M, 12.2SIE07, 12.4M
First Fixed-in Version: 12.2(20)S08, 12.2(27)SBA, 12.2(25)S05, 12.2(27)SBB, 12.4(3), 12.4(3.3), 12.4(3.2)T, 12.3(15.11), 12.4(3.3)T, 12.0(32.1)S07, 12.0(32)S04

Release Notes

Symptoms: The following error messages may be generated on a router that has IP ACL enabled:

%SYS-2-INSCHED: suspend within scheduler
-Process= "", ipl= 3
-Traceback= 40525388 40628848 4060AED4 403F15BC 403F34F8 403F37EC 400901C8 4008E730 406A0EEC 40621120

Conditions: This symptom is observed on a Cisco router such as a Cisco 7200 series, Cisco 7304, and Cisco 7500 series when a Turbo ACL compilation is configured along with an ACL on an ingress interface and when traffic passes through the ingress interface. The symptom does not affect the Cisco 10000 series.

Workaround: There is no workaround.

If this isn't the bug then do a wider bug scrub using the bug toolkit.

Hope that helps!

Regards,

Sundar

No, I do not see symptoms like those you provided.

The log contains just lines about applied configs and the BGP ADJCHANGE caused by that.

And I very rarely change ACL applications; we just edit already-applied ACLs, nothing else.

About ED software: in theory I can try to migrate to 12.4(10) (IP); it has all the features that I need. What do you think, could it help?

Hi,

Unfortunately, I shouldn't recommend any specific IOS due to technicalities. It's always a good idea to use a GD code, but if you have to use an ED code for some reason, then you are well advised to stay with the latest release in that particular train of IOS.

I am sure you know it's always a good practice to remove the ACL from the interface, if possible, before making any modifications to the ACL. This would be very applicable if the device is in the core and a lot of traffic is traversing that interface.

If a bug scrub on the IOS doesn't match a bug with the same symptoms you are having, then engage TAC to get an answer. Assuming there are no resource constraints or problems in the router when you are experiencing this problem, it very well may be an IOS issue.

HTH,

Sundar