Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
792
Views
0
Helpful
1
Replies

6500 High CPU Utilization with NAT

alibashivan
Level 1
Level 1

‎12-13-2007 02:16 AM - edited ‎03-03-2019 07:54 PM

Hi all,

I've recently configured a destination NAT on a 6500 with Sup-720 the configuration is like this:

--------------------------------------------------------------------------

mls flow ip interface-full

mls rp ip input-acl

mls rp ip route-map

mls rp ip

no mls flow ipv6

no mls acl tcam share-global

mls cef error action freeze

mls ip cef rpf hw-enable-rpf-acl

interface GigabitEthernet1/1.14

description Servers

encapsulation dot1Q 14

ip address 11.11.11.1 255.255.255.0

no ip redirects

no ip proxy-arp

ip nat inside

mls rp ip

interface Vlan20

ip address 10.10.10.1 255.255.255.240

ip nat outside

ip wccp web-cache redirect in

mls rp ip

ip nat pool redirect 11.11.11.2 11.11.11.2 prefix-length 24 type rotary

ip nat inside destination list notice pool redirect

ip access-list extended redirect-notice

permit ip 192.168.224.0 0.0.31.255 any

-------------------------------------------------------------------------

The problem is that we receive something like %14 process switched for IP Input and out of surprise %82 hardware switch CPU utilization. The box starts to drop packets after that and we are forced to remove NAT. Without NAT the device is handling 300mbps traffic with just %5 CPU utilization.

CPU utilization for five seconds: 99%/82%; one minute: 22%; five minutes: 9%

PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process

123 17024692 133043688 127 13.67% 3.64% 1.73% 0 IP Input

Another important issue is that when ever we activate the NAT the following error appears on the console.

Dec 13 10:11:21.231: %FM_EARL7-4-FEAT_FLOWMASK_REQ_CONFLICT: Feature NAT requested flowmask Intf Full Flow conflicts with other features on interface GigabitEthernet1/1.14, flowmask request Unsuccessful for the feature

Dec 13 10:11:21.251: %FM-2-FLOWMASK_CONFLICT: Features configured on interface Vlan20 have conflicting flowmask requirements, traffic may be switched in softwareDec 13 10:11:21.259: %FM_EARL7-4-MLS_FLOWMASK_CONFLICT: mls flowmask may not be honored on interface Vlan20 due to flowmask conflict

We have tried both flow ip masks of interface-full and full but no difference. Any time we use "mls ip nat netflow-frag-l4-zero" the CPU utilization drops suddenly to %5 but the NAT is not functioning and there the NAT translation table is empty. The IOS currently running on the box is "s72033-advipservicesk9_wan-mz.122-18.SXF12.bin". Does any one has any idea?

Labels:
0 Helpful
1 Reply 1

owillins
Level 6
Level 6

‎12-20-2007 06:52 AM

This message indicates that the configured features for this interface have a flow mask conflict.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card