[c-nsp] Cisco 7206 - High CPU Utilization

Spencer Barnes spencer at ceiva.com
Thu Dec 18 11:59:42 EST 2008

Thanks for the suggestion, unfortunately it didn't have an impact on the
CPU utilization.  

I received this suggestion as well:

" If you run AES instead you'll massively reduce your CPU utilization.
I'd suggest a G1 at least for what you're doing. An 1811 would probably
run better than this router because the processor is at least somewhat
designed to handle what you're doing."

It helped reduce utilization on the VPN process by about 20%, but I'm
still seeing high CPU utilization when uploading from our network. I
should have mentioned that the border router with the high CPU
utilization is connected to another Cisco 7206 with a lesser NPE-200.
All the same traffic flowing through the border router is going through
the core, so you'd think it would exhibit the high CPU utilization, but it
never breaks a sweat.  This seems important and seems to indicate the
border router is having a problem?

I'm thinking of downgrading the IOS on the border router ((C7200-JK9O3S-M),
Version 12.4(21)) to match the core ((C7200-IK9S-M), Version
12.3(14)T7).  Perhaps the newer IOS with the bigger feature set is too
much for the border router?

If that doesn't work I'd also be curious to see what would happen if I
moved the T3 card to the core router and see if the CPU utilization goes
up on it but I can't do that until after the holidays.  

I've followed Cisco's guide to troubleshooting high IP input utilization
and I can't think of anything else to do configuration-wise on the
border router.  Thanks for all the help from everyone so far, it is very
much appreciated.


-----Original Message-----
From: Mikael Abrahamsson [mailto:swmike at swm.pp.se] 
Sent: Wednesday, December 17, 2008 11:13 AM
To: Spencer Barnes
Cc: Church, Charles; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization

On Wed, 17 Dec 2008, Spencer Barnes wrote:

> I removed all ACLs and Netflow but that did not have an effect.  I
> can move NAT to the core router for testing purposes, I'll try and
> do that tomorrow morning.  IOS version is (C7200-JK9O3S-M), Version
> 12.4(21).

If you're tunneling over 1500 media, doing "ip tcp mss-adjust 1300" on
the interface where the traffic to encrypt/tunnel is passing
unencrypted/untunneled, might help you. Worth a try though, you don't
want multiple tunnel/encrypted packets per packet in the VPN.

Mikael Abrahamsson    email: swmike at swm.pp.se
