fir3net

High CPU Usage on a Cisco CSS

Issue

The Cisco CSS is showing a high level of CPU usage, even though the network throughput does not appear excessively high, nor is there a large number of EQLs or DQLs configured.

CSS11501# sh system-resources cpu
Chassis CPU Utilizations
Module Name Module 5Sec 1Min 5Min
----------------------------------------------------
CSS501-SCM-INT 1 90% 88% 75%
CSS501-SSL-C-INT 2 0% 0% 0%

Solution

Though there can be a number of causes of high CPU, this article looks at CPU resource consumption caused by the flow table.
When a high number of connections traverse the CSS, the load balancer uses CPU resource to build the corresponding flows in the flow table.

This can be confirmed with the following command, by looking at the hit counters:

CSS11501# sh flow-state-table
    Flow-Disable Timeout: 5

    Port     Protocol   NAT-State      Flow-State     Hit-Count
    ------------------------------------------------------------
    53       TCP        ---------      flow-enable    6228       *
    53       UDP        ---------      flow-enable    6399259    *
    67       TCP        ---------      flow-disable   20         *
    67       UDP        nat-disable    flow-disable   0          *
    68       TCP        ---------      flow-disable   103        *
    68       UDP        nat-disable    flow-disable   0          *
    137      TCP        ---------      flow-disable   19         *
    137      UDP        nat-disable    flow-disable   112690     *
    138      TCP        ---------      flow-disable   71         *
    138      UDP        nat-disable    flow-disable   0          *
    161      TCP        ---------      flow-disable   13         *
    161      UDP        nat-disable    flow-disable   164570     *
    162      TCP        ---------      flow-disable   35         *
    162      UDP        nat-disable    flow-disable   0          *
    520      UDP        nat-disable    flow-disable   0          *
    5060     UDP        ---------      flow-enable    88         *
    8089     UDP        nat-disable    flow-disable   12         *

In this instance a large increase in the DNS hit counters could be seen. Based on this, the flow state was disabled for UDP/53 using the following command, and the CPU utilization returned to an acceptable level.

flow-state 53 udp flow-disable nat-enable
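As an added example that is not part of the original article, the following Python script parses "sh flow-state-table" output of the shape shown above (a constructed sample is embedded inline), picks out the port/protocol rows that are still flow-enabled and carry an unusually high hit count, and builds the same flow-state command the article applied for each of them. The hit-count threshold is an assumed value to be tuned per environment.

```python
import re

# Constructed sample of "sh flow-state-table" output, shaped like the article's listing.
SAMPLE_OUTPUT = """\
    Flow-Disable Timeout: 5

    Port     Protocol   NAT-State      Flow-State     Hit-Count
    ------------------------------------------------------------
    53       TCP        ---------      flow-enable    6228       *
    53       UDP        ---------      flow-enable    6399259    *
    137      UDP        nat-disable    flow-disable   112690     *
    161      UDP        nat-disable    flow-disable   164570     *
    5060     UDP        ---------      flow-enable    88         *
"""

# One data row: port, protocol, NAT state, flow state, hit count (header lines do not match).
ROW_RE = re.compile(
    r"^\s*(?P<port>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<nat>\S+)\s+"
    r"(?P<flow>flow-enable|flow-disable)\s+(?P<hits>\d+)"
)


def parse_flow_state_table(text):
    """Return one dict per port/protocol row of the table, skipping headers and separators."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"port": int(m["port"]), "proto": m["proto"], "nat": m["nat"],
                         "flow": m["flow"], "hits": int(m["hits"])})
    return rows


def flow_enabled_hotspots(rows, threshold=100000):
    """Rows still building flows (flow-enable) whose hit count exceeds the assumed threshold,
    busiest first. Rows already flow-disabled are skipped: they no longer add to flow-table load."""
    hot = [r for r in rows if r["flow"] == "flow-enable" and r["hits"] > threshold]
    return sorted(hot, key=lambda r: r["hits"], reverse=True)


def suggested_commands(hotspots):
    """Mirror the article's command (flow-disable, nat-enable) for each hotspot, for review
    by an engineer before it is applied; the protocol keyword is lower-case on the CLI."""
    return [f"flow-state {r['port']} {r['proto'].lower()} flow-disable nat-enable"
            for r in hotspots]


if __name__ == "__main__":
    rows = parse_flow_state_table(SAMPLE_OUTPUT)
    for cmd in suggested_commands(flow_enabled_hotspots(rows)):
        print(cmd)
```

On the sample above only UDP/53 exceeds the threshold, so the script reproduces the article's single flow-state line.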

About the Author

R Donato

Ricky Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Ricky on Twitter @f3lix001