route loop causes USG2100 cpu-usage abnormal and internet accessing slow

Publication Date:  2013-08-31 Views:  301 Downloads:  0
Issue Description

As shown above, accessing internet through USG2100 is slow.
Alarm Information
1. cpu-usage of USG2100 is 99%
2. There are warning messages in logbuffer as below:
%Mar 22 10:36:23 2013 USG2120BSR SEC/4/ATCKDF:AttackType:Udp flood attack; Receive Interface: Ethernet0/0/0 ; proto:UDP ; from 91.121.175.40:33634 91.121.175.40:52701 91.121.175.40:44838 91.121.175.40:54497 91.121.175.40:61329 91.121.175.40:2527 91.121.175.40:14622 91.121.175.40:40696 91.121.175.40:26268 91.121.175.40:44076 91.121.175.40:25043 91.121.175.40:40963 ; to 27.124.24.210:53 ; begin time :2013/03/22 10:35:55; end time: 2013/03/22 10:36:20; total packets: 199; max speed: 1014(packet/s);
Handling Process
1. Check the bandwidth and sessions on USG2100, and they are in normal range.
2. There are UDP attacks to 27.124.24.210, checking route to this ip address and found the nexthop is uplink device
<USG2120BSR>display fib 27.124.24.210                                                                                                  
  Route Entry Count: 1                                                                                                             
Destination/Mask   Nexthop         Flag TimeStamp     Interface       TunnelID                                                     
0.0.0.0/0          125.19.31.233   GSU  t[0]          Eth0/0/0        -                                                            
<USG2120BSR>    
3. Checking the configuration on USG2100, found 27.124.24.210 which belongs vlanif 5 should connect to interface Ethernet1/0/4 whose current state is down.
#
interface Vlanif5
ip address 27.124.24.209 255.255.255.248
#
interface Ethernet1/0/4
port access vlan 5
#
Ethernet1/0/4 current state : DOWN  
Line protocol current state : DOWN
4. The route on uplink device to 27.124.24.210 is USG2100, but USG2100 forwards the packets back to uplink router via default route because the interface which connect 27.124.24.20 is down. So, there is a route loop between USG2100 and uplink device.
5. This problem is resolved by configuring black hole route to 27.124.24.210 on USG2100
Root Cause
CPU usage too high usually caused by performance insufficient:
1. bandwidth/sessions/acl rules overload
2. route loop
3. attack
4. ip duplicate
Suggestions
CPU usage abnormal usually caused by bandwidth/sessions/acl rules overload, route loop, attack, ip address duplicate and so on. When troubleshooting, please check them one by one.

END