[c-nsp] SA-VAM2+ usage problem?

Nemeth Laszlo csirek at cooler.hu
Tue Sep 30 09:55:25 EDT 2008


Hello,

I have two 7201 (c7200p-advipservicesk9-mz.124-15.T3.bin) routers with 
SA-VAM2+ modules.

I have a tunnel interface between this routers. If I make a ~24Mbit/sec 
traffic into this tunnel, the routers CPU's goes to 90%. It was the 
performance without VAM2+ too. So the VAM2+ modul doesn't use?

Our routers config same, only the IP addresses different. The Tunnel 
interface very important, because i run an OSPF protokoll into them.

vpn0# sh pas vam interface
VPN Acceleration Module Version II+ in slot : 1
	Statistics for Hardware VPN Module since the last clear
	of counters 4294967 seconds ago
    988980327 packets in                   988980327 packets out
302199518411 bytes in                  318057273220 bytes out
          230 paks/sec in                        230 paks/sec out
          562 Kbits/sec in                       592 Kbits/sec out
            0 pkts compressed                      0 pkts not compressed
            0 bytes before compress                0 bytes after compress
        1.0:1 compression ratio                1.0:1 overall
       526096 commands out                    526096 commands acknowledged
	Last 5 minutes:
         2854900 packets in                     2854900 packets out 

            9516 paks/sec in                       9516 paks/sec out 

        24058078 bits/sec in                   25240088 bits/sec out 


In this last line the 24058078 bit/s traffic is normal, it is the 
aggregated traffic on my tunnel0 interface. But the "562 Kbit/sec in" 
and "592 Kbits/sec out" is to small, i think it should ~24000 Kbit/sec.

Config:

crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
crypto isakmp key abcabc address 192.168.1.1
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set vpn-standard esp-3des esp-sha-hmac
!
crypto map vpnmap 20 ipsec-isakmp
  set peer 192.168.1.1
  set transform-set vpn-standard
  match address VPN
!
interface Tunnel0
  description VPN0-VPN1
  ip address 10.0.0.1 255.255.255.252
  ip ospf cost 100
  load-interval 30
  keepalive 2 2
  tunnel source 192.168.0.1
  tunnel destination 192.168.1.1
!
interface GigabitEthernet0/1.2
  description VPN1
  encapsulation dot1Q 2
  ip address 192.168.0.1
  no ip redirects
  no ip proxy-arp
  ip nat outside
  no ip virtual-reassembly
  crypto map vpnmap
!
ip access-list extended VPN
  permit gre host 192.168.0.1 host 192.168.1.1


Any idea?

Thanks!

Regards,
Laszlo


More information about the cisco-nsp mailing list