[c-nsp] Cisco 7206 - High CPU Utilization

Spencer Barnes spencer at ceiva.com
Wed Dec 17 11:53:21 EST 2008


I included several replies in this that didn't make the list because I
thought the information might be helpful.

"You are talking about disabling the VPN connection, are you only
routing traffic at that point or are you still using some form of
tunneling? (gre/ipip)"

Pure routing.  I set up a server on our external network with a big file
and uploaded it to the remote network outside of the VPN, verified by a
traceroute.

"What type of VPN is it and what type of encryption are you using?"

Here is the VPN config.

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address xxx
crypto ipsec transform-set abc esp-des esp-md5-hmac 
crypto map myvpn 5 ipsec-isakmp 
 description === 192 to xxx ===
 set peer xxx
 set transform-set abc 
 match address 153
crypto map myvpn 6 ipsec-isakmp 
 description === 172 to xxx ===
 set peer xxx
 set transform-set abc 
 match address 154

"...is it possible that without an IPSec accelerator card that your
experience is not unsurprising?"

That is what it is beginning to look like but the fact that IP input is
high even without the VPN is confusing to me.  Based on the CPU
utilization graphs and the correlating bandwidth graphs, I could upload
at half the T3's capacity and more than likely crash the router.

Configuration change since first post:  Removed outbound ACL on
Serial1/0.  No effect on CPU utilization.

--------------------------------------


Spencer


-----Original Message-----
From: E. Versaevel [mailto:erik at infopact.nl] 
Sent: Wednesday, December 17, 2008 12:22 AM
To: Spencer Barnes
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization


Hi Spencer,

All encryption is done in software on the CPU (no dedicated encryption
hardware) unless you have a special module for that.
Your config isn't exactly minimal (i.e., gathering flow statistics & NAT
also eats CPU), also notice that you are referring to 5 minute averages
on the bandwidth, try setting load-interval 30 on the fast Ethernet
interface to gather some more realistic values.

I've managed to get a 7206 VXR on its knees while doing ip
fragmentation on a 6 mbit tunnel :) so take a look at `show ip traffic`

You are talking about disabling the VPN connection, are you only routing
traffic at that point or are you still using some form of tunneling?
(gre/ipip)

Kind regards,

Erik

