100% CPU load - help to diagnose issue

Hi

I have a CRS328-24P-4S+

Doing some downloads - Google Takeout, about 300G of data in 2G zip files.

I noticed my SNMP was failing - investigating the box I notice my CPU is 100%.

So I'm thinking I have something set up wrongly here.

I have a bridge - multiple VLANs:
R ;;; New Bridge - one bridge to rule them all - per the doco for vlans and bridges
name="newBridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=C4:AD:34:43:54:FF protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s
forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=8 frame-types=admit-only-vlan-tagged ingress-filtering=yes dhcp-snooping=no port-cost-mode=long mvrp=no max-learned-entries=auto

and my interfaces are either set up as access ports or trunk ports.
I use lists:

Flags: I - INACTIVE; D - DYNAMIC; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, HORIZON, TRUSTED, FAST-LEAVE, BPDU-GUARD, EDGE, POINT-TO-POINT, PVID, FRAME-TYPES

INTERFACE BRIDGE HW HORIZON TRUSTED FAST-LEAVE BPDU-GUARD EDGE POINT-TO-POINT PVID FRAME-TYPES

;;; new bridge link
0 H bonding1 newBridge yes none no no no auto auto 1 admit-only-vlan-tagged
1 H bonding2 newBridge yes none no no no auto auto 1 admit-only-vlan-tagged
2 I H bonding3 newBridge yes none no no no auto auto 1 admit-only-vlan-tagged
;;; This interface list includes all the ports that are part of the WAN link - NBN
3 int_list_wan newBridge yes none no no no auto auto 255 admit-all
;;; This interface list includes all the ports that are part of the WAN link - NBN
4 DH ether2 newBridge yes none no no no auto auto 255 admit-all
;;; This interface list includes all the ports that are part of the Lan direct attach network
5 int_list_lan newBridge yes none no no no auto auto 11 admit-all
;;; This interface list includes all the ports that are part of the Lan direct attach network
6 IDH ether19 newBridge yes none no no no auto auto 11 admit-all
;;; This interface list includes all the ports that are part of the Lan direct attach network
7 DH ether21 newBridge yes none no no no auto auto 11 admit-all
;;; This interface list includes all the ports that are part of the Lan direct attach network
8 IDH ether22 newBridge yes none no no no auto auto 11 admit-all

I have VLANs hanging off that bridge:
print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED

BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED

0 newBridge 10 newBridge
bonding2
bonding1
1 newBridge 11 newBridge
bonding2
bonding1
2 newBridge 255 newBridge
3 newBridge 8 newBridge
4 newBridge 9 newBridge
bonding2
bonding1
;;; added by pvid
5 D newBridge 10 ether10
ether11
ether15
ether16
ether13
ether4
ether14
ether8
;;; added by pvid
6 D newBridge 11 ether21
;;; added by pvid
7 D newBridge 255 ether2
Looking at the stats:

settings/print
use-ip-firewall: no
use-ip-firewall-for-vlan: no
use-ip-firewall-for-pppoe: no
allow-fast-path: yes
bridge-fast-path-active: yes
bridge-fast-path-packets: 2170209385
bridge-fast-path-bytes: 1720689332225
bridge-fast-forward-packets: 0
bridge-fast-forward-bytes: 0

Then VLAN interfaces:

/interface/vlan> print
Flags: X - DISABLED, R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE

NAME MTU ARP VLAN-ID INTERFACE

;;; another vlan
0 R vlan8 1500 enabled 8 newBridge
;;; lan2 - torrent - only use wg
1 X vlan9 1500 enabled 9 newBridge
;;; Wifi network
2 R vlan10 1500 enabled 10 newBridge
;;; LAN network
3 R vlan11 1500 enabled 11 newBridge
;;; WAN network
4 R vlan255 1500 enabled 255 newBridge

I think I have done it the new bridge way - obviously I am missing something here ...

The stats for fast-forward are 0 ...

Profiling shows the networking process is the main user.

You should post a properly redacted export of your configuration. See Forum rules - #5 by gigabyte091.

Are you using the device as a switch or a router? It's not a device suitable to be used as a router with NAT, because it has no L3HW support for NAT & Fasttrack and only has a single core 800MHz processor. As a router, it's only performant without firewall and without NAT, and you still need to enable L3HW.

If used as a switch, then don't add the items under /interface vlan, and don't assign addresses, except for the management VLAN. But you should still post your export for the people on the forum to be able to assist you.

I found this:

/interface/ethernet/switch> print detail

Flags: I - invalid

0 name="switch1" type=Marvell-98DX3236 mirror-target=none rspan=no rspan-ingress-vlan-id=1 rspan-egress-vlan-id=1 l3-hw-offloading=no qos-hw-offloading=no

From the wiki page:

Layer 3 Hardware Offloading (L3HW, otherwise known as IP switching or HW routing) allows offloading some router features onto the switch chip. This allows reaching wire speeds when routing packets, which would simply not be possible with the CPU.

Going to give it a go.

2nd try ...

Tried it - broke my internet access - I think because I SNAT .. so took my internet port out of L3 HW and it's all working. The test is to start the Google downloads again!

Last try

I tried SNMP; it didn't seem to make a difference.

I turned on l3-hw and added a forward rule to turn it on, and that seems to make a massive difference.

One thing to note: I had to take my internet port out of that - it broke my internet access - I am going to guess SNAT.

The doco also talks about IPsec as well .. so if you are going to do this, look out for that as well.

Now I think I am saturating my internet link and my CPU is around 40-60 - sometimes higher - but not stuck at 100%, and Zabbix SNMP polling is working, so a win I think.

So you are using it as a router. Unfortunately for this CRS model with the 98DX3236 switch chip, the hardware offload for routing is only suitable for routing between VLANs. Maybe also internet traffic with IPv6 if you don't enable connection tracking and don't need the firewall filtering (because IPv6 normally doesn't need NAT).

The L3 hardware offload cannot work for IPv4 traffic between LAN and internet, because for that NAT is normally required. You need the devices listed under the section "CCR2xxx, CRS3xx, CRS5xx: Switch 98DX8xxx and 98DX4xxx Series" of that documentation page if you want to have hardware accelerated LAN-WAN traffic. Those switch chips have the "IPv4 Fasttrack Connections" and "IPv4 NAT entries" columns in the capability table that your CRS doesn't have.

Your CRS328-24P-4S+ when routing IPv4 traffic between LAN and WAN will have to rely on the single core CPU, and for that task it is even slower than an old hEX RB750Gr3.
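As an added example (not from this thread, and not MikroTik's own tooling), a small Python checker that parses the kinds of RouterOS output quoted above (the `settings print` colon format and the `print detail` key=value format) and reports, along the lines of the last reply, which routed paths are L3HW offload candidates and which stay on the CPU because they pass srcnat. The bridge settings and switch detail are copied from the thread; the VLAN listing, the NAT_EGRESS set (assumed to be the WAN VLAN) and the NO_NAT_OFFLOAD_CHIPS set are assumptions constructed for the example, standing in for a redacted export.

```python
import re

# Constructed sample inputs in the format RouterOS prints for
# "/interface/bridge/settings print" and "/interface/ethernet/switch print detail".
# The numbers mirror the ones posted in the thread; they are embedded so the script runs offline.
BRIDGE_SETTINGS = """\
use-ip-firewall: no
use-ip-firewall-for-vlan: no
allow-fast-path: yes
bridge-fast-path-active: yes
bridge-fast-path-packets: 2170209385
bridge-fast-path-bytes: 1720689332225
bridge-fast-forward-packets: 0
bridge-fast-forward-bytes: 0
"""

SWITCH_DETAIL = """\
Flags: I - invalid
 0 name="switch1" type=Marvell-98DX3236 mirror-target=none rspan=no l3-hw-offloading=no qos-hw-offloading=no
"""

# Assumed "/interface/vlan print detail" output (constructed; only the fields this check uses).
VLAN_DETAIL = """\
Flags: X - disabled, R - running
 0 R name="vlan8" vlan-id=8 interface=newBridge
 1 X name="vlan9" vlan-id=9 interface=newBridge
 2 R name="vlan10" vlan-id=10 interface=newBridge
 3 R name="vlan11" vlan-id=11 interface=newBridge
 4 R name="vlan255" vlan-id=255 interface=newBridge
"""

# Assumption: interfaces used as out-interface by a srcnat rule (the thread's WAN VLAN).
NAT_EGRESS = {"vlan255"}

# Switch chips without IPv4 NAT / Fasttrack entries in the L3HW capability table (per the reply above).
NO_NAT_OFFLOAD_CHIPS = {"Marvell-98DX3236"}

ITEM_RE = re.compile(r"^\s*(\d+)\s+(?:([A-Z]+)\s+)?(\S.*)$")
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_colon_settings(text):
    """Parse 'key: value' lines (the settings print format); numeric values become int."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        out[key.strip()] = int(value) if value.isdigit() else value
    return out


def parse_print_detail(text):
    """Parse 'print detail' items: item number, optional flag letters, then key=value pairs."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if not m:
            continue  # blank lines and the "Flags:" legend
        item = {"_id": int(m.group(1)), "_flags": m.group(2) or ""}
        for key, value in KV_RE.findall(m.group(3)):
            item[key] = value.strip('"')
        items.append(item)
    return items


def diagnose(settings, switches, vlans, nat_egress):
    """Return (severity, message) findings on where bridged and routed traffic is handled."""
    findings = []
    if settings.get("bridge-fast-path-active") != "yes":
        findings.append(("warn", "bridge fast-path inactive: bridged frames take the slow path"))
    for sw in switches:
        chip = sw.get("type", "unknown")
        if sw.get("l3-hw-offloading") != "yes":
            findings.append(("warn", f"{sw['name']} ({chip}): l3-hw-offloading=no, all routing is done by the CPU"))
        if chip in NO_NAT_OFFLOAD_CHIPS:
            findings.append(("info", f"{chip}: no NAT/Fasttrack entries, only NAT-free (inter-VLAN) routing can be offloaded"))
    for v in vlans:
        if "X" in v["_flags"]:
            continue  # disabled interface carries no traffic
        if v["name"] in nat_egress:
            findings.append(("warn", f"{v['name']}: srcnat egress, LAN<->WAN flows stay on the CPU even with L3HW"))
        else:
            findings.append(("info", f"{v['name']}: routing to/from other VLANs is an L3HW offload candidate"))
    return findings


def run():
    """Run the check over the embedded sample output."""
    return diagnose(parse_colon_settings(BRIDGE_SETTINGS),
                    parse_print_detail(SWITCH_DETAIL),
                    parse_print_detail(VLAN_DETAIL),
                    NAT_EGRESS)


if __name__ == "__main__":
    for severity, message in run():
        print(f"[{severity}] {message}")
```

Paste real output into the three string constants (or read them from files) to run it against another box; the parsers only rely on the `key: value` and `N FLAGS key=value ...` shapes, so other `print detail` listings such as bridge ports parse the same way.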