Mailing List Archive

failed PPPoE auth eats CPU
Is it a known issue that on the 7206 platform with 12.1T code, a
persistent PPPoE DSL user/router with the wrong password will shoot the
CPU load to nearly 100% and slow the 7206 down to the point that it has
trouble passing normal traffic? If so, is there an IOS that fixes this
problem?...or do we simply have to not let DSL users screw up their
passwords?

----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: failed PPPoE auth eats CPU
What's the CPU being used in (show proc cpu)? A client which
continuously fails authentication and continuously retries will
exercise the vtemplate cloning code quite a bit and that's likely what
is using up most of the CPU. Vtemplate/sub-interface code in 12.3
would handle the situation more gracefully because LCP/authentication
is not tied to a vaccess (it only binds after authentication is
successful) and also 12.2(15)T allows you to throttle these failing
sessions:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftpppthr.htm

Dennis

jlewis@lewis.org [jlewis@lewis.org] wrote:
> Is it a known issue that on the 7206 platform with 12.1T code, a
> persistent PPPoE DSL user/router with the wrong password will shoot the
> CPU load to nearly 100% and slow the 7206 down to the point that it has
> trouble passing normal traffic? If so, is there an IOS that fixes this
> problem?...or do we simply have to not let DSL users screw up their
> passwords?
>
> ----------------------------------------------------------------------
> Jon Lewis *jlewis@lewis.org*| I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
> _______________________________________________
> cisco-nas mailing list
> cisco-nas@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nas
Re: failed PPPoE auth eats CPU
Some other thoughts ...

process-max-time 30 (or so) should smooth out your CPU response
somewhat in the case where some process is trying to use all
the CPU.

A kludge would be to configure multiple RADIUS servers some of
which are nonresponsive addresses. Not sure if our RADIUS
client is dumb enough not to learn which servers are non-responsive
- but if you can get the runaway PPPoE authentication requests
sometimes to hit the nonexistent address, then this should slow
things down quite a bit. Of course, this will hurt legitimate
users too, but presumably the ones with good passwords will
stay connected for a long time, so a couple-second delay once
in a blue moon might be no big deal.

Aaron

---

> What's the CPU being used in (show proc cpu)? A client which
> continuously fails authentication and continuously retries will
> exercise the vtemplate cloning code quite a bit and that's likely what
> is using up most of the CPU. Vtemplate/sub-interface code in 12.3
> would handle the situation more gracefully because LCP/authentication
> is not tied to a vaccess (it only binds after authentication is
> successful) and also 12.2(15)T allows you to throttle these failing
> sessions:

> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftpppthr.htm

> Dennis

> jlewis@lewis.org [jlewis@lewis.org] wrote:
> > Is it a known issue that on the 7206 platform with 12.1T code, a
> > persistent PPPoE DSL user/router with the wrong password will shoot the
> > CPU load to nearly 100% and slow the 7206 down to the point that it has
> > trouble passing normal traffic? If so, is there an IOS that fixes this
> > problem?...or do we simply have to not let DSL users screw up their
> > passwords?
> >
> > ----------------------------------------------------------------------
> > Jon Lewis *jlewis@lewis.org*| I route
> > Senior Network Engineer | therefore you are
> > Atlantic Net |
> > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: failed PPPoE auth eats CPU
On Fri, 3 Oct 2003, Dennis Peng wrote:

> What's the CPU being used in (show proc cpu)? A client which

196 32452716 881214041 36 36.04% 18.64% 5.95% 0 PPPOE discovery
237 20169036 171305 117738 20.76% 10.23% 3.59% 0 VTEMPLATE Backgr

In 12.1T, this is a crippling problem. All it takes is 1 user who's
messed up their password and latency for other traffic going through that
7206 is quite noticeable.

> continuously fails authentication and continuously retries will
> exercise the vtemplate cloning code quite a bit and that's likely what
> is using up most of the CPU. Vtemplate/sub-interface code in 12.3
> would handle the situation more gracefully because LCP/authentication
> is not tied to a vaccess (it only binds after authentication is
> successful) and also 12.2(15)T allows you to throttle these failing
> sessions:

It looks like the features I'm currently using in 12.1T are available in
12.3 and 12.2T. Between the two, would you recommend either over the
other? This router currently does T3 (PA-T3), T1 (PA-MCT3), full BGP,
OSPF, dot1q, PPPoE (over dot1q), and MPLS VPN. I've been asking to get
the DSL (PPPoE) offloaded to a dedicated 7206, and I suspect that's going
to happen real soon now.


----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: failed PPPoE auth eats CPU
jlewis@lewis.org [jlewis@lewis.org] wrote:
> On Fri, 3 Oct 2003, Dennis Peng wrote:
>
> > What's the CPU being used in (show proc cpu)? A client which
>
> 196 32452716 881214041 36 36.04% 18.64% 5.95% 0 PPPOE discovery
> 237 20169036 171305 117738 20.76% 10.23% 3.59% 0 VTEMPLATE Backgr
>
> In 12.1T, this is a crippling problem. All it takes is 1 user who's
> messed up their password and latency for other traffic going through that
> 7206 is quite noticeable.
>
> > continuously fails authentication and continuously retries will
> > exercise the vtemplate cloning code quite a bit and that's likely what
> > is using up most of the CPU. Vtemplate/sub-interface code in 12.3
> > would handle the situation more gracefully because LCP/authentication
> > is not tied to a vaccess (it only binds after authentication is
> > successful) and also 12.2(15)T allows you to throttle these failing
> > sessions:
>
> It looks like the features I'm currently using in 12.1T are available in
> 12.3 and 12.2T. Between the two, would you recommend either over the
> other?

I don't think I should recommend anything to you anymore. ;) Standard
answer is that 12.3 will have a lot more bug fixes over any version of
12.2T. 12.3(3) is the latest maintenance release of 12.3.

Dennis

> This router currently does T3 (PA-T3), T1 (PA-MCT3), full BGP,
> OSPF, dot1q, PPPoE (over dot1q), and MPLS VPN. I've been asking to get
> the DSL (PPPoE) offloaded to a dedicated 7206, and I suspect that's going
> to happen real soon now.
>
>
> ----------------------------------------------------------------------
> Jon Lewis *jlewis@lewis.org*| I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: failed PPPoE auth eats CPU
On Fri, 3 Oct 2003, Dennis Peng wrote:

> > It looks like the features I'm currently using in 12.1T are available in
> > 12.3 and 12.2T. Between the two, would you recommend either over the
> > other?
>
> I don't think I should recommend anything to you anymore. ;) Standard

I was surprised/impressed you replied at all :) [sorry...most of you
readers won't get these inside jokes]

> answer is that 12.3 will have a lot more bug fixes over any version of
> 12.2T. 12.3(3) is the latest maintenance release of 12.3.

I guess I'll give 12.3 a try on disk0. I'll be sure to keep the 12.1T
version handy on slot1 as a fall-back just in case there are "issues" with
the new code.

----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: failed PPPoE auth eats CPU
Hey,

We're running NPE-400's on 12.2(15)B for PPPoE aggregation and haven't seen
this type of behavior for CPU utilization on these boxes. Should I be
concerned with this and is there a specific bug ID related to this issue?
Let me know how your upgrade has gone to the 12.3 release in case I have to
upgrade soon... ;-)

Thanks,
Charles


At 08:14 PM 10/3/2003 -0400, jlewis@lewis.org wrote:
>On Fri, 3 Oct 2003, Dennis Peng wrote:
>
> > > It looks like the features I'm currently using in 12.1T are available in
> > > 12.3 and 12.2T. Between the two, would you recommend either over the
> > > other?
> >
> > I don't think I should recommend anything to you anymore. ;) Standard
>
>I was surprised/impressed you replied at all :) [sorry...most of you
>readers won't get these inside jokes]
>
> > answer is that 12.3 will have a lot more bug fixes over any version of
> > 12.2T. 12.3(3) is the latest maintenance release of 12.3.
>
>I guess I'll give 12.3 a try on disk0. I'll be sure to keep the 12.1T
>version handy on slot1 as a fall-back just in case there are "issues" with
>the new code.
>
>----------------------------------------------------------------------
> Jon Lewis *jlewis@lewis.org*| I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
>_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: failed PPPoE auth eats CPU
On Fri, 3 Oct 2003 jlewis@lewis.org wrote:

> > answer is that 12.3 will have a lot more bug fixes over any version of
> > 12.2T. 12.3(3) is the latest maintenance release of 12.3.
>
> I guess I'll give 12.3 a try on disk0. I'll be sure to keep the 12.1T
> version handy on slot1 as a fall-back just in case there are "issues" with
> the new code.

I finally got around to trying 12.3 again today. First time (about a week
ago), the CF disk I'd prepared in another router apparently didn't work
properly in the router I put it in (after bootup, it complained that the
card had been formatted on a different platform, just a different 7206,
and I found that files could not reliably be read from it. I'm surprised
it worked at all, and the only problem I saw was radius auth broken in
really strange ways).

Anyway, I reformatted the card in the router and recopied 12.3(3a) to it.
This time radius works properly, but 12.3 doesn't have PPPoE connection
throttling. Guess I may have to try 12.2T for that.

On a 7206vxr NPE300 that was at 0-1% CPU, knocking off one user with a
locked password will still shoot the CPU load up to as much as 50%, though
it bounces around between around 6% and the mid 30's most of the time.

PPP manager and PPP Events seem to be what's eating it.

170 116988 405398 288 16.36% 8.39% 6.53% 0 PPP manager
171 404060 428303 943 25.37% 16.54% 16.03% 0 PPP Events

I noticed that virtual-templates now have a dampening option, and there's
a carrier restart-delay option...but since auth happens before virtual
interface cloning now, those don't seem to be of any help. I wonder if
the carrier restart-delay option would have helped under 12.1T (which
doesn't have dampening). I may reboot later and find out.

----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
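
[Added example, not part of any poster's message and not Cisco code: a small parser for the "show proc cpu" rows quoted in this thread (the 12.1T rows and the 12.3 rows above) that sums the CPU attributed to PPPoE session-setup processes and flags a likely authentication retry storm. The grouping of process names, the 20% threshold and the BGP row are assumptions made for illustration.]

```python
import re

# One process row of IOS "show proc cpu":
# PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
ROW = re.compile(
    r"^[>\s]*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$"
)
# Session-setup processes named in the thread; IOS truncates names,
# so match on prefixes. The grouping itself is an assumption.
SETUP_PREFIXES = ("PPPOE", "VTEMPLATE", "PPP ")

# Rows copied from the thread; the BGP Router row is constructed.
SAMPLE_12_1T = """\
> 196 32452716 881214041 36 36.04% 18.64% 5.95% 0 PPPOE discovery
> 237 20169036 171305 117738 20.76% 10.23% 3.59% 0 VTEMPLATE Backgr
    3 1234 5678 217 0.40% 0.35% 0.30% 0 BGP Router
"""
SAMPLE_12_3 = """\
170 116988 405398 288 16.36% 8.39% 6.53% 0 PPP manager
171 404060 428303 943 25.37% 16.54% 16.03% 0 PPP Events
"""

def parse_rows(text):
    """Return one dict per process row; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, _rt, _inv, _us, s5, m1, m5, _tty, name = m.groups()
            rows.append({"pid": int(pid), "name": name,
                         "s5": float(s5), "m1": float(m1), "m5": float(m5)})
    return rows

def setup_load(rows):
    """Sum CPU of session-setup processes over each averaging window."""
    hits = [r for r in rows if r["name"].upper().startswith(SETUP_PREFIXES)]
    load = {k: round(sum(r[k] for r in hits), 2) for k in ("s5", "m1", "m5")}
    load["procs"] = [r["name"] for r in hits]
    return load

def looks_like_retry_storm(rows, threshold=20.0):
    """True when setup processes used >= threshold % CPU (assumed value)
    over the last 5 seconds."""
    return setup_load(rows)["s5"] >= threshold

if __name__ == "__main__":
    for label, sample in (("12.1T", SAMPLE_12_1T), ("12.3", SAMPLE_12_3)):
        rows = parse_rows(sample)
        print(label, setup_load(rows), looks_like_retry_storm(rows))
```
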
Re: failed PPPoE auth eats CPU
jlewis@lewis.org [jlewis@lewis.org] wrote:
> On Fri, 3 Oct 2003 jlewis@lewis.org wrote:
>
> > > answer is that 12.3 will have a lot more bug fixes over any version of
> > > 12.2T. 12.3(3) is the latest maintenance release of 12.3.
> >
> > I guess I'll give 12.3 a try on disk0. I'll be sure to keep the 12.1T
> > version handy on slot1 as a fall-back just in case there are "issues" with
> > the new code.
>
> I finally got around to trying 12.3 again today. First time (about a week
> ago), the CF disk I'd prepared in another router apparently didn't work
> properly in the router I put it in (after bootup, it complained that the
> card had been formatted on a different platform, just a different 7206,
> and I found that files could not reliably be read from it. I'm surprised
> it worked at all, and the only problem I saw was radius auth broken in
> really strange ways).
>
> Anyway, I reformatted the card in the router and recopied 12.3(3a) to it.
> This time radius works properly, but 12.3 doesn't have PPPoE connection
> throttling. Guess I may have to try 12.2T for that.

12.3(3a) *should* have PPPoE connection throttling. How did you make
the determination that it doesn't have it?

> On a 7206vxr NPE300 that was at 0-1% CPU, knocking off one user with a
> locked password will still shoot the CPU load up to as much as 50%, though
> it bounces around between around 6% and the mid 30's most of the time.
>
> PPP manager and PPP Events seem to be what's eating it.
>
> 170 116988 405398 288 16.36% 8.39% 6.53% 0 PPP manager
> 171 404060 428303 943 25.37% 16.54% 16.03% 0 PPP Events
>
> I noticed that virtual-templates now have a dampening option, and there's
> a carrier restart-delay option...but since auth happens before virtual
> interface cloning now, those don't seem to be of any help. I wonder if
> the carrier restart-delay option would have helped under 12.1T (which
> doesn't have dampening). I may reboot later and find out.

I doubt the carrier restart-delay will have any effect on the
vtemplate.

Dennis

> ----------------------------------------------------------------------
> Jon Lewis *jlewis@lewis.org*| I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: failed PPPoE auth eats CPU
Hi,

On Tue, Oct 28, 2003 at 12:06:39PM -0500, jlewis@lewis.org wrote:
> Anyway, I reformatted the card in the router and recopied 12.3(3a) to it.
> This time radius works properly, but 12.3 doesn't have PPPoE connection
> throttling. Guess I may have to try 12.2T for that.

That's weird. "Per the specs" 12.3 should have all features from 12.2T.

What does the feature navigator say about this?

gert
--
Gert Doering
Mobile communications ... right now writing from * Italy, Sardinia *