[c-nsp] Cisco 7206 - High CPU Utilization

Łukasz Bromirski lukasz at bromirski.net
Thu Dec 18 18:51:09 EST 2008

On 2008-12-18 17:59, Spencer Barnes wrote:

> It helped reduce utilization on the VPN process by about 20% but I'm
> still seeing high CPU utilization when uploading from our network and
> I should have mentioned that the border router with the high CPU
> utilization is connected to another Cisco 7206 with a lesser
> NPE-200. All the same traffic flowing through the border router is
> going through the core so you'd think it would exhibit the high CPU
> utilization but it never breaks a sweat.  This seems important and
> seems to indicate the border router is having a problem?

For VPNs on 7200 there are SA-VAMs which offload crypto to
hardware - it was mentioned already in this and in the past threads.

Also, there was a suggestion to do MSS adjust on internal interface
accepting the traffic to be encrypted, to minimze chances of hitting
fragmentation, which will kill CPU right away. You didn't mentioned
it in this mail - were You capable of making this change?

The high IP Input process means something is processed in
software switching, not CEF switching - so either some of the
features (You mention other, smaller NPE doing fine with the
traffic, which strongly suggests services are the key), or the
12.4(21) isn't the right choice - and you should stick with 12.3(14)T7.

One way or the other - don't do a VPNs on border 7200 without VAMs.
And even with them - look for ASA, or ISR with VPN hardware to do
the offload without threatening the stability of the border platform.

"Don't expect me to cry for all the     |               Łukasz Bromirski
  reasons you had to die" -- Kurt Cobain |    http://lukasz.bromirski.net

More information about the cisco-nsp mailing list