This article covers some troubleshooting tips to resolve high CPU load conditions in the Vigor3900 router.

  1. High number of login attempts

This can be caused by a high number of failed login attempts. This can be seen as many Login Failures in the syslog (telnet, dropbear -> ssh, vpn authentication failure) as in the example below:

In this case review the management settings. Consider if it is necessary to access the router management console from the Internet.

To strengthen security

  • Ensure the use of secure passwords
  • Change the default service port.

For example, the default ssh port is 22 so change to a different value such as port number 51022 and so on.

  • Always use https and ssh instead of http and telnet.
  • Add IP Access List for the remote management.
  1. Syslog has FPP detects flooding logs.

An example of this type of log is:
<13>Jul 6 13:19:46 WH_Vigor3900: FPP detect Flooding from WAN port (2) wan2 type:(src IP X.X.151.120)

When the Vigor3900 detects a high number of abnormal packets, it will pop-up FPP detects Flooding packet logs. The log may only contain the port number or the partial IP address.
To verify if the packets are the abnormal, it is recommended to capture the data from the corresponding interface by using Wireshark.

– If the packets that causing the FPP detects flooding log are normal, then try  using Fast Route (for VPN) or Fast NAT (For outgoing NAT sessions) function to pass the packets and check if  CPU load is reduced.
-If the packets that cause the FPP detects flooding log are abnormal, you will need to find the source and remove it.

 

3.Syslog shows high number of user Access logs with abnormal outgoing sessions.

You may see an abnormally high number of outgoing sessions to destination port 445 or 1433 from the same source IP. This usually indicates that a LAN PC may be infected with a virus.
The solution here is to removing the computer from the network or use IP Filter or MAC Block to block the specific IP or MAC until the virus is removed.

4. WAN Inbound Load Balance function enabled incorrectly
Enabling the WAN Inbound Load Balance function will make the Vigor3900 respond to DNS queries from its WAN interface.

This can happen when no WAN Inbound Load Balance profile is configured. This may cause Vigor3900 to receive many DNS queries from the Internet resulting in increasing CPU load. An example of this syslog is:

<30>Oct 25 16:16:43 VIVIAN2960: named[30526]: no longer listening on 220.132.x.x#53

If none of the steps described improves the high CPU load condition, it is recommended to collect the following information and forward to support@draytek.com.au

  1. Syslog
  2. The output of the following CLI commands:
  • -status system
  • -status process
  1. Remote Access to the Vigor3900