[c-nsp] Cisco 7206 - High CPU Utilization

Church, Charles cchurc05 at harris.com
Wed Dec 17 12:35:50 EST 2008


Try removing the ACLs and NetFlow one at a time, see if any of those
help.  The NAT you probably can't get rid of I'm guessing.  Is this an
older IOS version?  Older ones couldn't do NAT in the CEF path, from
what I remember.  An upgrade might help.  Although newer ones might
complain about the NPE-225 in there.  If you really need VPN, a 2851 or
3825 would do this with ease.

Chuck 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Spencer Barnes
Sent: Wednesday, December 17, 2008 11:53 AM
To: E. Versaevel
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization


I included several replies in this that didn't make the list because I
thought the information might be helpful.

"You are talking about disabling the VPN connection, are you only
routing traffic at that point or are you still using some form of
tunneling? (gre/ipip)"

Pure routing.  I set up a server on our external network with a big file
and uploaded it to the remote network outside of the VPN, verified by a
traceroute.

"What type of VPN is it and what type of encryption are you using?"

Here is the VPN config.

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address xxx
crypto ipsec transform-set abc esp-des esp-md5-hmac 
crypto map myvpn 5 ipsec-isakmp 
 description === 192 to xxx ===
 set peer xxx
 set transform-set abc 
 match address 153
crypto map myvpn 6 ipsec-isakmp 
 description === 172 to xxx ===
 set peer xxx
 set transform-set abc 
 match address 154

"...is it possible that without an IPSec accelerator card that your
experience is not unsurprising?"

That is what it is beginning to look like, but the fact that IP input is
high even without the VPN is confusing to me.  Based on the CPU
utilization graphs and the correlating bandwidth graphs, I could upload
at half the T3's capacity and more than likely crash the router.

Configuration change since first post:  Removed outbound ACL on
Serial1/0.  No effect on CPU utilization.

--------------------------------------


Spencer


-----Original Message-----
From: E. Versaevel [mailto:erik at infopact.nl] 
Sent: Wednesday, December 17, 2008 12:22 AM
To: Spencer Barnes
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization


Hi Spencer,

All encryption is done in software on the CPU (no dedicated encryption
hardware) unless you have a special module for that.
Your config isn't exactly minimal (i.e., gathering flow statistics & NAT
also eats CPU), also notice that you are referring to 5 minute averages
on the bandwidth, try setting load-interval 30 on the Fast Ethernet
interface to gather some more realistic values.

I've managed to get a 7206 VXR on its knees while doing IP
fragmentation on a 6 mbit tunnel :) so take a look at `show ip traffic`

You are talking about disabling the VPN connection, are you only routing
traffic at that point or are you still using some form of tunneling?
(gre/ipip)

Kind regards,

Erik
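
Added example (not part of the original thread or any participant's message): a short Python script that answers the "what type of encryption are you using?" question from the crypto stanzas posted above, resolving each crypto map entry to its transform set and ACL and listing the single-DES and MD5 settings it finds. The function names and the WEAK set are this example's own assumptions.

```python
import re

# Constructed sample: the crypto stanzas quoted in the thread, with the
# redacted key/peer values left as "xxx" exactly as posted.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address xxx
crypto ipsec transform-set abc esp-des esp-md5-hmac
crypto map myvpn 5 ipsec-isakmp
 description === 192 to xxx ===
 set peer xxx
 set transform-set abc
 match address 153
crypto map myvpn 6 ipsec-isakmp
 description === 172 to xxx ===
 set peer xxx
 set transform-set abc
 match address 154
"""
# This example's classification (assumption): single DES and MD5-based integrity.
WEAK = {"des", "md5", "esp-des", "esp-md5-hmac", "ah-md5-hmac"}

def parse_crypto(config):
    """Return (isakmp_policies, transform_sets, map_entries) from IOS config text."""
    policies, tsets, maps, block = {}, {}, [], None
    for line in map(str.rstrip, config.splitlines()):
        if not line.startswith(" "):      # a top-level command ends the open block
            block = None
            if m := re.match(r"crypto isakmp policy (\d+)$", line):
                block = policies.setdefault(int(m[1]), {})
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
                tsets[m[1]] = m[2].split()
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
                maps.append(block := {"map": m[1], "seq": int(m[2])})
        elif block is not None and (w := line.split())[0] != "description":
            # "set peer x" / "match address n" key on word 2; "hash md5" on word 1
            block[w[1] if w[0] in ("set", "match") else w[0]] = w[-1]
    return policies, tsets, maps

def audit(config):
    """List (location, algorithm) for every algorithm in WEAK that is configured."""
    policies, tsets, maps = parse_crypto(config)
    findings = [(f"isakmp policy {n}", v) for n, p in sorted(policies.items())
                for k, v in p.items() if k in ("hash", "encryption") and v in WEAK]
    for e in maps:
        where = f"crypto map {e['map']} {e['seq']} (ACL {e.get('address')})"
        findings += [(where, t) for t in tsets.get(e.get("transform-set"), []) if t in WEAK]
    return findings
```

Calling audit() on the text of a saved running-config returns one entry per weak algorithm and the policy or crypto map entry that uses it.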