11-21-2014 12:40 PM - edited 03-10-2019 12:19 AM
Hi everybody. I have a GETVPN infrastructure with two key servers and 32 group members. Every time the rekey process takes place, all the group members show high CPU usage and the Crypto ACL process consumes all of my resources. I am very lost, because it is a pretty straightforward configuration.

ROUTER# show process cpu history

ROUTER   10:49:38 AM Tuesday Sep 30 2014 UTC

[graph: CPU% per second (last 60 seconds)]
[graph: CPU% per minute (last 60 minutes); * = maximum CPU%, # = average CPU%]
[graph: CPU% per hour (last 72 hours); * = maximum CPU%, # = average CPU%]

ROUTER#show process cpu sorted | e 0.00%
CPU utilization for five seconds: 99%/23%; one minute: 39%; five minutes: 19%
 PID Runtime(ms)  Invoked  uSecs   5Sec   1Min   5Min TTY Process
 251     1298116     6286 206509 74.91% 22.56%  5.21%   0 Crypto ACL
 325       33652    32198   1045  0.23%  0.37%  0.43% 514 Virtual Exec
   2        4428    84728     52  0.15%  0.06%  0.07%   0 Load Meter
 119      356324   613777    580  0.15%  0.25%  0.27%   0 IP Input
  41       10124   423671     23  0.07%  0.08%  0.07%   0 Per-Second Jobs
 151       18788   601822     31  0.07%  0.18%  0.22%   0 CEF: IPv4 proces
ROUTER#

Keyserver conf:

crypto isakmp policy 100
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set CRYPTO_AES esp-aes esp-sha-hmac
!
crypto ipsec profile PHASE-II
 set security-association lifetime seconds 7200
 set transform-set CRYPTO_AES
!
crypto gdoi group GETVPN_CLIENT
 identity number 7
 server local
  rekey lifetime seconds 43200
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa REKEY_CLIENT
  rekey transport unicast
  sa ipsec 1
   profile PHASE-II
   match address ipv4 ACL
   no replay
  address ipv4 10.1.1.176
  redundancy
   local priority 10
   peer address ipv4 10.1.1.176

Thanks for your advice