[c-nsp] Cisco 7206 - High CPU Utilization

Spencer Barnes spencer at ceiva.com
Tue Dec 16 16:44:48 EST 2008 

Greetings,

 

I have a Cisco 7206 (non-VXR) with an NPE-225.  It has a PA-T3 card with
a DS3 plugged in serving as our WAN port and a PA-FE-TX linking to
another router that serves as our core router.  The T3/Serial interface
has a VPN endpoint configured and it is connected to a remote site that
we use for off-site backups.  

 

The CPU utilization goes through the roof (90 and up) when I upload
files from our network to the remote network.  I do not see this problem
when I am downloading to our network.  I put a throttle in place on the
remote side limiting the connection to 6 Mb/s and that helped (before
the throttle it would stick at 99% when copying).  The majority of the
CPU usage is in IP input and encrypt proc.  If I take the VPN out of the
picture, CPU utilization is in the 40-50% ballpark which still seems
high to me and obviously the VPN is having a dramatic effect on CPU
usage.  The average amount of bandwidth used and the packets per second
rate are both low (less than 10 Mb/s and around 1000-1500 pps) for the
interfaces.  

 

Should this model of router be capable of handling a heavily used VPN
tunnel running at about 6 Mb/s?  

If I eliminate the VPN, shouldn't this model of router be able to handle
at least 25% of a T3's capacity? 

If the answer to either questions is no, what is the lowest end Cisco
router you would recommend?

 

Random notes:

 

Very minimal config.  IP CEF is globally enabled.  Turbo ACLs are
enabled.   Steady amount of flushes incrementing on PA-FE-TX (FA2/0)
interface but not T3.  

 

interface Serial1/0

 description [WAN]

 mtu 1500

 ip address xxx 255.255.255.252

 ip access-group 100 in

 ip access-group 103 out

 ip flow ingress

 ip nat outside

 no ip virtual-reassembly

 ip route-cache policy

 ip route-cache flow

 ipv6 enable

 dsu bandwidth 44210

 framing c-bit

 cablelength 50

 serial restart-delay 0

 no cdp enable

 crypto map myvpn

 hold-queue 1500 in

!

interface FastEthernet2/0

 description [Uplink] Connected to Core FA1/0

 ip address 10.1.1.1 255.255.255.0

 ip flow ingress

 ip nat inside

 no ip virtual-reassembly

 ip route-cache policy

 ip route-cache flow

 duplex full

 ipv6 address xxx

 ipv6 enable

 hold-queue 1500 in

 

FastEthernet2/0 is up, line protocol is up 

  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, 

     reliability 255/255, txload 7/255, rxload 16/255

  Full-duplex, 100Mb/s, 100BaseTX/FX

  Last clearing of "show interface" counters 02:06:23

  Input queue: 5/1500/0/8034 (size/max/drops/flushes); Total output
drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 6561000 bits/sec, 772 packets/sec

  5 minute output rate 3026000 bits/sec, 658 packets/sec

     6397481 packets input, 6506974856 bytes

     Received 171 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog

     0 input packets with dribble condition detected

     5532333 packets output, 3232118493 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 unknown protocol drops

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier

     0 output buffer failures, 0 output buffers swapped out

 

 

 

Thank you in advance!

 

Spencer

More information about the cisco-nsp mailing list