[c-nsp] Cisco 7206 - High CPU Utilization

E. Versaevel erik at infopact.nl
Wed Dec 17 03:21:39 EST 2008 

Hi Spencer,

All encryption is done in software on the CPU (no dedicated encryption hardware) unless you have a special module for that.
You config isn't exactly minimal (ie, gathering flow statistics & NAT also eats CPU), also notice that you are referring to 5 minute averages on the
bandwidth, try setting load-interval 30 on the fast Ethernet interface to gather some more realistic values.

I've managed to get a 7206 VXR on it's knees while doing ip fragmemtation on a 6 mbit tunnel :) so take a look at `show ip traffic`

You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)

Kind regards,

Erik


Spencer Barnes schreef:
> Greetings,
> 
>  
> 
> I have a Cisco 7206 (non-VXR) with an NPE-225.  It has a PA-T3 card with
> a DS3 plugged in serving as our WAN port and a PA-FE-TX linking to
> another router that serves as our core router.  The T3/Serial interface
> has a VPN endpoint configured and it is connected to a remote site that
> we use for off-site backups.  
> 
>  
> 
> The CPU utilization goes through the roof (90 and up) when I upload
> files from our network to the remote network.  I do not see this problem
> when I am downloading to our network.  I put a throttle in place on the
> remote side limiting the connection to 6 Mb/s and that helped (before
> the throttle it would stick at 99% when copying).  The majority of the
> CPU usage is in IP input and encrypt proc.  If I take the VPN out of the
> picture, CPU utilization is in the 40-50% ballpark which still seems
> high to me and obviously the VPN is having a dramatic effect on CPU
> usage.  The average amount of bandwidth used and the packets per second
> rate are both low (less than 10 Mb/s and around 1000-1500 pps) for the
> interfaces.  
> 
>  
> 
> Should this model of router be capable of handling a heavily used VPN
> tunnel running at about 6 Mb/s?  
> 
> If I eliminate the VPN, shouldn't this model of router be able to handle
> at least 25% of a T3's capacity? 
> 
> If the answer to either questions is no, what is the lowest end Cisco
> router you would recommend?
> 
>  
> 
> Random notes:
> 
>  
> 
> Very minimal config.  IP CEF is globally enabled.  Turbo ACLs are
> enabled.   Steady amount of flushes incrementing on PA-FE-TX (FA2/0)
> interface but not T3.  
> 
>  
> 
> interface Serial1/0
> 
>  description [WAN]
> 
>  mtu 1500
> 
>  ip address xxx 255.255.255.252
> 
>  ip access-group 100 in
> 
>  ip access-group 103 out
> 
>  ip flow ingress
> 
>  ip nat outside
> 
>  no ip virtual-reassembly
> 
>  ip route-cache policy
> 
>  ip route-cache flow
> 
>  ipv6 enable
> 
>  dsu bandwidth 44210
> 
>  framing c-bit
> 
>  cablelength 50
> 
>  serial restart-delay 0
> 
>  no cdp enable
> 
>  crypto map myvpn
> 
>  hold-queue 1500 in
> 
> !
> 
> interface FastEthernet2/0
> 
>  description [Uplink] Connected to Core FA1/0
> 
>  ip address 10.1.1.1 255.255.255.0
> 
>  ip flow ingress
> 
>  ip nat inside
> 
>  no ip virtual-reassembly
> 
>  ip route-cache policy
> 
>  ip route-cache flow
> 
>  duplex full
> 
>  ipv6 address xxx
> 
>  ipv6 enable
> 
>  hold-queue 1500 in
> 
>  
> 
> FastEthernet2/0 is up, line protocol is up 
> 
>   MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, 
> 
>      reliability 255/255, txload 7/255, rxload 16/255
> 
>   Full-duplex, 100Mb/s, 100BaseTX/FX
> 
>   Last clearing of "show interface" counters 02:06:23
> 
>   Input queue: 5/1500/0/8034 (size/max/drops/flushes); Total output
> drops: 0
> 
>   Queueing strategy: fifo
> 
>   Output queue: 0/40 (size/max)
> 
>   5 minute input rate 6561000 bits/sec, 772 packets/sec
> 
>   5 minute output rate 3026000 bits/sec, 658 packets/sec
> 
>      6397481 packets input, 6506974856 bytes
> 
>      Received 171 broadcasts, 0 runts, 0 giants, 0 throttles
> 
>      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
> 
>      0 watchdog
> 
>      0 input packets with dribble condition detected
> 
>      5532333 packets output, 3232118493 bytes, 0 underruns
> 
>      0 output errors, 0 collisions, 0 interface resets
> 
>      0 unknown protocol drops
> 
>      0 babbles, 0 late collision, 0 deferred
> 
>      0 lost carrier, 0 no carrier
> 
>      0 output buffer failures, 0 output buffers swapped out
> 
>  
> 
>  
> 
>  
> 
> Thank you in advance!
> 
>  
> 
> Spencer
> 
>  
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/



Erik Versaevel

More information about the cisco-nsp mailing list