[c-nsp] High CPU util on a 2811 with two ipsec tunnels
Ge Moua
moua0100 at umn.edu
Thu Oct 7 18:24:18 EDT 2010
James G-
What do you see when you do:
sh ip tra
--
Regards,
Ge Moua
Network Design Engineer
University of Minnesota | OIT - NTS
--
On 10/7/10 1:45 PM, Lasher, Donn wrote:
> In my experience, two things hammer the CPU for IPSEC tunnels:
>
> 1. mGRE is not accelerated by the hardware.
> 2. Fragmenting Packets, lower MTU/MSS, CPU driven.
>
> Pretty common to see 2811's out of CPU with 10-11M of IPSEC payload in a
> tunnel, in my experience.
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of James Graebner
> [VPNtranet]
> Sent: Thursday, October 07, 2010 10:32 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] High CPU util on a 2811 with two ipsec tunnels
>
> I have a 2811 w/ AIM module terminating two 10m ipsec tunnels that is
> nearly always above 80% and often above 95% cpu util during the day.
> Buffers show no significant number of misses. sh int switching shows
> that 100% of the outbound encrypted packets are being process switched.
>
> IOS C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1. Why would this
> traffic not be fast switched?
>
More information about the cisco-nsp
mailing list