Network measurements indicate that a slow or overloaded CPU may be present at a particular mid-path node.

Recommended action

If an overloaded router is suspected, check the router CPU. Note that using Access Control Lists (ACL) normally associated with firewall functionality can often result in an overloaded router. Reorder or remove ACLs to reduce router CPU load.

Detailed explanation

Certain hops on the path to a target host, where the target is assumed to be a typical workstation (not a router for example), may respond more slowly to test packets sent directly to them, than to packets they pass to the target host. This is because when responding to test packets, the device's CPU is invoked, whereas passing packets to the target host is done using ASICs (Application Specific Integrated Circuits).

The slower response by the intermediate device's CPU can be either deliberate, as a rate-limited response, or incidental, due to the fact that the CPU is, for one reason or another, slow. The typical indication of a CPU-limited response is a Total Capacity measure that is less than a hop that follows it, especially if the hop is the target host. Since it is not possible for Delivery monitoring to measure higher capacities further down the path after a bottleneck has occurred, it can be concluded that the lower value preceding a higher one indicates a CPU-limited response.

All measurements from a hop that show CPU limiting should be considered suspect with regard to their relationship to the target host. On the other hand, a limited response provides other information about that hop that may be of interest.

Possible secondary messages

  • "May be a slow CPU or a deliberate limiting mechanism"
  • "May be an overloaded router"

Related Topics