* High CPU usage + Kernel option
@ 2004-04-06 13:35 Vlad Adomnicai
From: Vlad Adomnicai @ 2004-04-06 13:35 UTC (permalink / raw)
To: netfilter
Hi,
I have a K6/2 333 machine with 64Mb of RAM and two network cards.
(3c509 and an Intel one both with TCP checksum offloading and Cpu )
I use Fedora Core 1 with the default kernel and iptables 1.2.9.
At high traffic through the router (6-7Mbytes/second) the CPU goes to
100% and I can't even log on to it through SSH:
[root@root web]# ssh 192.168.200.1 -C -v
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to 192.168.200.1 [192.168.200.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
and stands there until a timeout occurs.
On the network behind the router are approximately 200 users for which
I have about 200 iptables rules like this iptables -A FORWARD -s <ip>
-m mac --mac-source <mac> -j ACCEPT and 200 iptables -A FORWARD -d
<ip> -j ACCEPT, to allow passage only for the machines with the correct
pair of ip/mac. I could give up the last 200 rules, as they don't serve
a real purpose in limiting the access but they are used only for
bandwidth monitoring / ip.
Does anyone know how to lower the cpu usage with this configuration?
tweaks of any kind? Would a 2.6 kernel improve the situation? I have
also seen an option in the 2.4 kernels CONFIG_NET_HW_FLOWCONTROL
(Forwarding between high speed interfaces) but there it is written that
it supports only some network devices and I don't know about 3coms or
intel ones.
Anyone has any ideas? another way of setting the rules? another
filtering method? tweaking parameters? or at least what kind of system
will it be necessary for this setup to be able to at least log on to the
machine and do something on it. Also, would a FreeBSD be more suitable
for this on the same configuration?
Thanks in advance for any information.
Vlad Adomnicai
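Netfilter walks a chain linearly, so with ~400 rules in FORWARD every forwarded packet is matched against most of them before it is accepted. The added example below (not from the thread; the host table and the /24 are constructed assumptions) generates the same ip/mac pairing and per-destination accounting rules in iptables-restore format, but splits them into per-/26 sub-chains so a packet only traverses the dispatch rules plus its own bucket:

```shell
#!/bin/sh
# Constructed sample of ip/mac pairs on the LAN behind the router
# (not the poster's table); the /24 is assumed.
HOSTS='192.168.200.10 00:11:22:33:44:01
192.168.200.11 00:11:22:33:44:02
192.168.200.130 00:11:22:33:44:03
192.168.200.200 00:11:22:33:44:04'
NET=192.168.200

# /26 bucket (0-3) of a host, taken from its last octet
bucket() { echo $(( ${1##*.} / 64 )); }

# Emit an iptables-restore ruleset: FORWARD only dispatches on the /26
# a packet belongs to, so it evaluates the dispatch rules plus its own
# bucket instead of every one of the N per-host rules.
gen_rules() {
  printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
  b=0
  while [ "$b" -lt 4 ]; do
    printf '%s\n' ":IN_$b - [0:0]" ":OUT_$b - [0:0]"
    b=$((b + 1))
  done
  b=0
  while [ "$b" -lt 4 ]; do
    printf '%s\n' "-A FORWARD -s $NET.$((b * 64))/26 -j IN_$b" \
                  "-A FORWARD -d $NET.$((b * 64))/26 -j OUT_$b"
    b=$((b + 1))
  done
  # per-host rules keep the form from the thread, inside their bucket:
  # ip+mac pairing on the way in, plain -d accept for accounting out
  echo "$HOSTS" | while read -r ip mac; do
    [ -n "$ip" ] || continue
    k=$(bucket "$ip")
    printf '%s\n' "-A IN_$k -s $ip -m mac --mac-source $mac -j ACCEPT" \
                  "-A OUT_$k -d $ip -j ACCEPT"
  done
  printf '%s\n' COMMIT
}

# Upper bound on rules one forwarded packet evaluates on the source
# side: every FORWARD dispatch rule plus the fullest IN_ bucket.
worst_case_path() {
  n=$(gen_rules | grep -c '^-A FORWARD ')
  big=$(gen_rules | grep '^-A IN_' | cut -d' ' -f2 | sort | uniq -c \
        | sort -rn | head -n 1 | awk '{print $1}')
  echo $((n + big))
}
```

Feeding the output to `iptables-restore` (as root) replaces the whole filter table in one operation, which also avoids the per-rule `iptables` calls of a script that rebuilds the rules every minute.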
* Re: High CPU usage + Kernel option
@ 2004-04-06 14:42 ` Ray Leach
From: Ray Leach @ 2004-04-06 14:42 UTC (permalink / raw)
To: Netfilter Mailing List
On Tue, 2004-04-06 at 15:35, Vlad Adomnicai wrote:
> Hi,
> I have a K6/2 333 machine with 64Mb of RAM and two network cards.
> (3c509 and an Intel one both with TCP checksum offloading and Cpu )
> I use Fedora Core 1 with the default kernel and iptables 1.2.9.
>
> At high traffic through the router (6-7Mbytes/second) the CPU goes to
> 100% and I can't even log on to it through SSH:
> [root@root web]# ssh 192.168.200.1 -C -v
> OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Rhosts Authentication disabled, originating port will not be
> trusted.
> debug1: ssh_connect: needpriv 0
> debug1: Connecting to 192.168.200.1 [192.168.200.1] port 22.
> debug1: Connection established.
> debug1: identity file /root/.ssh/identity type -1
> debug1: identity file /root/.ssh/id_rsa type -1
> debug1: identity file /root/.ssh/id_dsa type -1
> and stands there until a timeout occurs.
> On the network behind the router are approximately 200 users for which
> I have about 200 iptables rules like this iptables -A FORWARD -s <ip>
> -m mac --mac-source <mac> -j ACCEPT and 200 iptables -A FORWARD -d
> <ip> -j ACCEPT, to allow passage only for the machines with the correct
> pair of ip/mac. I could give up the last 200 rules, as they don't serve
> a real purpose in limiting the access but they are used only for
> bandwidth monitoring / ip.
> Does anyone know how to lower the cpu usage with this configuration?
It should be very low ...
> tweaks of any kind? Would a 2.6 kernel improve the situation? I have
> also seen an option in the 2.4 kernels CONFIG_NET_HW_FLOWCONTROL
> (Forwarding between high speed interfaces) but there it is written that
> it supports only some network devices and I don't know about 3coms or
> intel ones.
>
> Anyone has any ideas? another way of setting the rules? another
> filtering method? tweaking parameters? or at least what kind of system
> will it be necessary for this setup to be able to at least log on to the
> machine and do something on it. Also, would a FreeBSD be more suitable
> for this on the same configuration?
>
Run something like sar, vmstat, top on the machine during high usage to
see if there is another proc running that may be causing the high cpu
usage. Do you run squid on that machine? If so, check the memory config
...
> Thanks in advance for any information.
> Vlad Adomnicai
>
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--
* Re: High CPU usage + Kernel option
@ 2004-04-06 14:59 ` Vlad Adomnicai
From: Vlad Adomnicai @ 2004-04-06 14:59 UTC (permalink / raw)
To: Netfilter Mailing List
With vmstat the sys is at 100%. User process is 1-2%.
The machine doesn't do anything except routing and filtering with iptables.
There is also a script that runs every minute that updates the iptables
rules, but it only lasts for about 1 second under medium cpu load.
Vlad Adomnicai
* Re: High CPU usage + Kernel option
@ 2004-04-08 19:24 ` danyvip (at) pattco.ro
From: danyvip (at) pattco.ro @ 2004-04-08 19:24 UTC (permalink / raw)
To: Netfilter Mailing List
you could always use arp -f filename to have few rules in iptables..
a little bit less cpu consumption..
if the main problem is ssh logging try port shaping and allocate 5kb for
ssh..
hope it helps,
danyvip
--