Symptom
A cEdge device running DIA (Direct Internet Access) NAT and ZBFW together can experience high QFP load caused by non-NATed traffic, such as a software image transfer from vManage. The high QFP condition can also cause BFD sessions to flap.
Sample Syslog:
*Jun 1 21:14:53.188: %IOSXE_QFP-2-LOAD_EXCEED: Slot: 0, QFP:0, Load 99% exceeds the setting threshold 80%.
5 secs traffic rate on QFP: Total Input: 3991 pps (4.0 kpps), 35702000 bps (35.7 mbps), Total Output: 6206 pps (6.2 kpps), 39666904 bps (39.7 mbps).
Cedge6_2_ASR1001HX#$rm hardware qfp active datapath utilization summary
CPP 0:                     5 secs        1 min        5 min       60 min
Input:  Total (pps)          3992         1068         1758         1057
               (bps)     35337712      9129464     15340032      9151728
Output: Total (pps)          6085         1629         2648         1587
               (bps)     40372568     10554864     17513456     10390504
Processing: Load (pct)         99           38           48           32   << QFP load 99%
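Added example (not part of the bug note): a small Python checker that parses the %IOSXE_QFP-2-LOAD_EXCEED syslog and the utilization summary shown above, so the high-QFP condition can be spotted from collected logs before BFD starts flapping. The sample inputs are constructed from the values in this note; the threshold default of 80% matches the syslog.

```python
import re

# Constructed samples modelled on the syslog and show output in this note.
SYSLOG_LINE = ("*Jun 1 21:14:53.188: %IOSXE_QFP-2-LOAD_EXCEED: Slot: 0, QFP:0, "
               "Load 99% exceeds the setting threshold 80%.")
SHOW_OUTPUT = """CPP 0:                     5 secs        1 min        5 min       60 min
Input:  Total (pps)          3992         1068         1758         1057
               (bps)     35337712      9129464     15340032      9151728
Output: Total (pps)          6085         1629         2648         1587
               (bps)     40372568     10554864     17513456     10390504
Processing: Load (pct)         99           38           48           32
"""

LOAD_EXCEED_RE = re.compile(
    r"%IOSXE_QFP-2-LOAD_EXCEED: Slot: (?P<slot>\d+), QFP:(?P<qfp>\d+), "
    r"Load (?P<load>\d+)% exceeds the setting threshold (?P<threshold>\d+)%")

def parse_load_exceed(line):
    """Return slot/qfp/load/threshold from a LOAD_EXCEED syslog line, else None."""
    m = LOAD_EXCEED_RE.search(line)
    return {k: int(v) for k, v in m.groupdict().items()} if m else None

def parse_qfp_utilization(text):
    """Parse 'show platform hardware qfp active datapath utilization summary'
    into {"<section>_<unit>": {interval: value}}. Intervals come from the
    'CPP 0:' header; '(bps)' continuation rows inherit the previous section."""
    intervals, table, section = [], {}, None
    for line in text.splitlines():
        if line.startswith("CPP"):
            intervals = re.findall(r"\d+ (?:secs|min)", line)
            continue
        m = re.match(r"\s*(?:(\w+):)?.*?\((pps|bps|pct)\)\s+([\d\s]+?)\s*$", line)
        if not m or not intervals:
            continue
        section = m.group(1).lower() if m.group(1) else section
        values = [int(v) for v in m.group(3).split()]
        table[f"{section}_{m.group(2)}"] = dict(zip(intervals, values))
    return table

def qfp_alerts(syslog_lines, show_text, threshold=80):
    """List human-readable alerts: every LOAD_EXCEED syslog plus every
    utilization interval whose processing load is above the threshold."""
    alerts = [f"syslog: slot {e['slot']} qfp {e['qfp']} load {e['load']}% > {e['threshold']}%"
              for e in map(parse_load_exceed, syslog_lines) if e]
    load = parse_qfp_utilization(show_text).get("processing_pct", {})
    alerts += [f"show: {iv} load {pct}% > {threshold}%" for iv, pct in load.items() if pct > threshold]
    return alerts
```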
Conditions
The high QFP issue during a binary image push is seen when both NAT for DIA traffic and a ZBFW configuration are present. The traffic from vManage does not need to match any NAT or ZBFW policy to trigger this issue.
Removing either the NAT or the ZBFW configuration resolves the issue.
Sample MINIMAL NAT & ZBFW config:
ip nat route vrf 10 global
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet0/0/0 overload
!
interface GigabitEthernet0/0/0
 ip nat outside
zone security xxxx    << ZBFW is only initialized.
 vpn
Workaround
- Remove NAT or ZBFW config
Further Problem Description
The traffic from vManage to the device itself is not NATed, but it still consumes some QFP processing. The NAT service gatekeeper feature is used to reduce that QFP processing:
ip nat service gatekeeper
ip nat setting gatekeeper-size
The NAT gatekeeper service has been further optimized in the fixed releases, which helps reduce QFP usage.