As shown above, accessing internet through USG2100 is slow.
1. cpu-usage of USG2100 is 99%
2. There are warning messages in logbuffer as below:
%Mar 22 10:36:23 2013 USG2120BSR SEC/4/ATCKDF:AttackType:Udp flood attack; Receive Interface: Ethernet0/0/0 ; proto:UDP ; from 18.104.22.168:33634 22.214.171.124:52701 126.96.36.199:44838 188.8.131.52:54497 184.108.40.206:61329 220.127.116.11:2527 18.104.22.168:14622 22.214.171.124:40696 126.96.36.199:26268 188.8.131.52:44076 184.108.40.206:25043 220.127.116.11:40963 ; to 18.104.22.168:53 ; begin time :2013/03/22 10:35:55; end time: 2013/03/22 10:36:20; total packets: 199; max speed: 1014(packet/s);
1. Check the bandwidth and sessions on USG2100, and they are in normal range.
2. There are UDP attacks to 22.214.171.124, checking route to this ip address and found the nexthop is uplink device
<USG2120BSR>display fib 126.96.36.199
Route Entry Count: 1
Destination/Mask Nexthop Flag TimeStamp Interface TunnelID
0.0.0.0/0 188.8.131.52 GSU t Eth0/0/0 -
3. Checking the configuration on USG2100, found 184.108.40.206 which belongs vlanif 5 should connect to interface Ethernet1/0/4 whose current state is down.
ip address 220.127.116.11 255.255.255.248
port access vlan 5
Ethernet1/0/4 current state : DOWN
Line protocol current state : DOWN
4. The route on uplink device to 18.104.22.168 is USG2100, but USG2100 forwards the packets back to uplink router via default route because the interface which connect 22.214.171.124 is down. So, there is a route loop between USG2100 and uplink device.
5. This problem is resolved by configuring black hole route to 126.96.36.199 on USG2100
CPU usage too high usually caused by performance insufficient:
1. bandwidth/sessions/acl rules overload
2. route loop
4. ip duplicate
CPU usage abnormal usually caused by bandwidth/sessions/acl rules overload, route loop, attack, ip address duplicate and so on. When troubleshooting, please check them one by one.