[c-nsp] SA-VAM2+ usage problem?
Nemeth Laszlo
csirek at cooler.hu
Tue Sep 30 09:55:25 EDT 2008
Hello,

I have two 7201 (c7200p-advipservicesk9-mz.124-15.T3.bin) routers with
SA-VAM2+ modules.

I have a tunnel interface between these routers. If I send ~24Mbit/sec of
traffic into this tunnel, the routers' CPUs go to 90%. This was the
performance without the VAM2+ too. So the VAM2+ module isn't being used?

Our routers' configs are the same, only the IP addresses are different. The
Tunnel interface is very important, because I run the OSPF protocol over it.

vpn0# sh pas vam interface
VPN Acceleration Module Version II+ in slot : 1
    Statistics for Hardware VPN Module since the last clear
    of counters 4294967 seconds ago
       988980327 packets in            988980327 packets out
    302199518411 bytes in           318057273220 bytes out
             230 paks/sec in                 230 paks/sec out
             562 Kbits/sec in                592 Kbits/sec out
               0 pkts compressed               0 pkts not compressed
               0 bytes before compress         0 bytes after compress
           1.0:1 compression ratio         1.0:1 overall
          526096 commands out             526096 commands acknowledged
    Last 5 minutes:
         2854900 packets in              2854900 packets out
            9516 paks/sec in                9516 paks/sec out
        24058078 bits/sec in            25240088 bits/sec out

In this last line the 24058078 bit/s traffic is normal; it is the
aggregated traffic on my tunnel0 interface. But the "562 Kbit/sec in"
and "592 Kbits/sec out" are too small; I think it should be ~24000 Kbit/sec.

Config:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abcabc address 192.168.1.1
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set vpn-standard esp-3des esp-sha-hmac
!
crypto map vpnmap 20 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set vpn-standard
 match address VPN
!
interface Tunnel0
 description VPN0-VPN1
 ip address 10.0.0.1 255.255.255.252
 ip ospf cost 100
 load-interval 30
 keepalive 2 2
 tunnel source 192.168.0.1
 tunnel destination 192.168.1.1
!
interface GigabitEthernet0/1.2
 description VPN1
 encapsulation dot1Q 2
 ip address 192.168.0.1
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no ip virtual-reassembly
 crypto map vpnmap
!
ip access-list extended VPN
 permit gre host 192.168.0.1 host 192.168.1.1

Any idea?

Thanks!

Regards,
Laszlo