[c-nsp] High CPU util on a 2811 with two ipsec tunnels
Lasher, Donn
DLasher at newedgenetworks.com
Thu Oct 7 14:45:02 EDT 2010
In my experience, two things hammer the CPU for IPSEC tunnels:
1. mGRE is not accelerated by the hardware.
2. Fragmenting Packets, lower MTU/MSS, CPU driven.
Pretty common to see 2811's out of CPU with 10-11M of IPSEC payload in a
tunnel, in my experience.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of James Graebner
[VPNtranet]
Sent: Thursday, October 07, 2010 10:32 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] High CPU util on a 2811 with two ipsec tunnels
I have a 2811 w/ AIM module terminating two 10m ipsec tunnels that is
nearly always above 80% and often above 95% cpu util during the day.
Buffers show no significant number of misses. sh int switching shows
that 100% of the outbound encrypted packets are being process switched.
IOS C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1. Why would this
traffic not be fast switched?
--
James Graebner, CCNA, CCDA
VPNtranet
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list