Loading...
Loading...
cEdge device running DIA(Direct Internet Access) NAT and ZBFW features together can encounter High QFP due to Non-NATed traffic like a software image transfer from vmanage. The High QFP condition can also trigger BFD sessions to flap. Sample Syslog: *Jun 1 21:14:53.188: %IOSXE_QFP-2-LOAD_EXCEED: Slot: 0, QFP:0, Load 99% exceeds the setting threshold 80%. 5 secs traffic rate on QFP: Total Input: 3991 pps (4.0 kpps), 35702000 bps (35.7 mbps), Total Output: 6206 pps (6.2 kpps), 39666904 bps (39.7 mbps). Cedge6_2_ASR1001HX#$rm hardware qfp active datapath utilization summary CPP 0: 5 secs 1 min 5 min 60 min Input: Total (pps) 3992 1068 1758 1057 (bps) 35337712 9129464 15340032 9151728 Output: Total (pps) 6085 1629 2648 1587 (bps) 40372568 10554864 17513456 10390504 Processing: Load (pct) 99 38 48 32 << QFP load 99%
High QFP issue during binary image push is seen when NAT for DIA traffic and ZBFW configuration is present. The traffic from vManage doesn't need to be matched to NAT or ZBFW policy to trigger this issue. Removing either NAT or ZBFW configuration resolves the issue. Sample MINIMAL NAT & ZBFW config: ip nat route vrf 10 global ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet0/0/0 overload ! interface GigabitEthernet0/0/0 ip nat outside zone security xxxx << ZBFW is only initialized. vpn
- Remove NAT or ZBFW config
The traffic from vmanage to device-self is non-natted but it will also use some QFP processing. nat service gatekeeper feature is used to reduce the QFP processing. Ip nat service gatekeeper Ip nat setting gatekeeper-size We have further optimized nat gatekeeper service which will help reduced QFP usage on fixed releases.
Cisco Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.