High CPU Usage on a Cisco CSS

Issue

The Cisco CSS is showing a high level of CPU usage, even though network throughput does not appear excessively high and there is not a large number of EQLs or DQLs configured.

CSS11501# sh system-resources cpu
Chassis CPU Utilizations
Module Name          Module  5Sec  1Min  5Min
---------------------------------------------
CSS501-SCM-INT       1       90%   88%   75%
CSS501-SSL-C-INT     2       0%    0%    0%

Solution

Though there can be a number of causes of high CPU, this article looks at CPU resource consumption caused by the flow table.
When a high number of connections traverse the CSS, the load balancer uses CPU resource to build the corresponding flows within the flow table.

This can be confirmed using the following command and viewing the hit counters:

CSS11501# sh flow-state-table
    Flow-Disable Timeout: 5

    Port     Protocol   NAT-State      Flow-State     Hit-Count
    ————————————————————
    53       TCP        ———      flow-enable    6228       *
    53       UDP        ———      flow-enable    6399259    *
    67       TCP        ———      flow-disable   20         *
    67       UDP        nat-disable    flow-disable   0          *
    68       TCP        ———      flow-disable   103        *
    68       UDP        nat-disable    flow-disable   0          *
    137      TCP        ———      flow-disable   19         *
    137      UDP        nat-disable    flow-disable   112690     *
    138      TCP        ———      flow-disable   71         *
    138      UDP        nat-disable    flow-disable   0          *
    161      TCP        ———      flow-disable   13         *
    161      UDP        nat-disable    flow-disable   164570     *
    162      TCP        ———      flow-disable   35         *
    162      UDP        nat-disable    flow-disable   0          *
    520      UDP        nat-disable    flow-disable   0          *
    5060     UDP        ———      flow-enable    88         *
    8089     UDP        nat-disable    flow-disable   12         *

In this instance we could see a large increase in the DNS hit counters. Based on this, the flow state was disabled for UDP/53, and the CPU utilization returned to an acceptable level.

flow-state 53 udp flow-disable nat-enable
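
To see which counters are actually increasing, two captures of the flow-state table can be compared. The following script is an added example, not part of the original article: it assumes two saved captures of `sh flow-state-table` output, the BEFORE values are constructed, the AFTER rows reuse figures from the table above, and the `min_delta` threshold is an arbitrary illustrative value.

```python
import re

# BEFORE is a constructed earlier capture; AFTER reuses rows from the article.
BEFORE = """\
    Port     Protocol   NAT-State      Flow-State     Hit-Count
    53       TCP        -----------    flow-enable    6100       *
    53       UDP        -----------    flow-enable    5120000    *
    161      UDP        nat-disable    flow-disable   164000     *
    5060     UDP        -----------    flow-enable    88         *
"""
AFTER = """\
    Port     Protocol   NAT-State      Flow-State     Hit-Count
    53       TCP        -----------    flow-enable    6228       *
    53       UDP        -----------    flow-enable    6399259    *
    161      UDP        nat-disable    flow-disable   164570     *
    5060     UDP        -----------    flow-enable    88         *
"""
# Port, protocol, NAT-State (any token), Flow-State, Hit-Count
ROW = re.compile(r"^\s*(\d+)\s+(TCP|UDP)\s+(\S+)\s+(flow-enable|flow-disable)\s+(\d+)")

def parse(text):
    """Return {(port, proto): (flow_state, hit_count)} from table text."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, proto, _nat, state, hits = m.groups()
            table[(int(port), proto)] = (state, int(hits))
    return table

def growth(before, after):
    """Rank entries by hit-count increase between two captures, largest first."""
    old, new = parse(before), parse(after)
    rows = []
    for (port, proto), (state, hits) in new.items():
        prev = old.get((port, proto), (state, 0))[1]
        # A counter lower than before was cleared or wrapped: count from zero.
        delta = hits - prev if hits >= prev else hits
        rows.append((delta, port, proto, state))
    return sorted(rows, reverse=True)

def candidates(before, after, min_delta=1000):
    """Flow-enabled entries whose growth is large enough to review."""
    return [(port, proto, delta) for delta, port, proto, state
            in growth(before, after) if state == "flow-enable" and delta >= min_delta]

if __name__ == "__main__":
    for delta, port, proto, state in growth(BEFORE, AFTER):
        print(f"{proto}/{port:<5} {state:<13} +{delta}")
```
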

Rick Donato
