GETVPN - Rekey High CPU

Jorge Lozano
Level 1
Hi everybody.

I have a GETVPN infrastructure with two keyservers and 32 group members.

Every time the rekey process takes place, all the group members present high CPU usage and the Crypto ACL consumes all of my resources.

I am very lost, because it is a pretty straightforward configuration.


ROUTER# show process cpu history

ROUTER   10:49:38 AM Tuesday Sep 30 2014 UTC

                                                                
    9999999999999999444441111111111     11111     11111111111111
    999999999999999988888222223333399999333339999922222666662222
100 ****************                                            
 90 ****************                                            
 80 ****************                                            
 70 ****************                                            
 60 ****************                                            
 50 *********************                                       
 40 *********************                                       
 30 *********************                                       
 20 *********************                              *****    
 10 ************************************************************
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)

                                                                
    121111121112111112121212221112111111122211121111111111112212
    817295705770864893417188157650667447520279707886569543861074
100                                                             
 90                                                             
 80                                                             
 70                                                             
 60                                                             
 50                                                             
 40                                                             
 30                        * *                                  
 20 *** ********** **# #***#*#***#***  ****#*#**********  ***#*#
 10 ############################################################
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%

                                                                            
    929 9 9 9 99 9 929299192939199 9 9 99 9 9 9 99 9 9 9 99 919 9 99 919 9 9
    939994959599798929199496919099595949949595949959496949949495949989099999
100 * * * * * ** * * * ** * * * ** * * ** * * * ** * * * ** * * * ** * * * *
 90 * * * * * ** * * * ** * * * ** * * ** * * * ** * * * ** * * * ** * * * *
 80 * * * * * ** * * * ** * * * ** * * ** * * * ** * * * ** * * * ** * * * *
 70 * * * * * ** * * * ** * * * ** * * ** * * * ** * * * ** * * * ** * * * *
 60 * * * * * ** * * * ** * * * ** * * ** * * * ** * * * ** * * * ** * * * *
 50 * * * * * ** * * * ** * * * ** * * ** * * * ** * * * ** * * * ** * * * *
 40 * * * * * ** * * * ** * * * ** * * ** * * * ** * * * ** * * * ** * * * *
 30 * * * * * ** * * * ** ***** ** * * ** * * * ** * * * ** * * * ** * * * *
 20 #** * * * ** * ****** ***#* ** * * ** * * * ** * * * ** * * * ** * * * *
 10 ##*** **********###########******* ** ***** **** *** ** ***** **********
   0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
             0    5    0    5    0    5    0    5    0    5    0    5    0  
                   CPU% per hour (last 72 hours)
                  * = maximum CPU%   # = average CPU%

ROUTER#show process cpu sorted | e 0.00% 
CPU utilization for five seconds: 99%/23%; one minute: 39%; five minutes: 19%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process 
 251     1298116        6286     206509 74.91% 22.56%  5.21%   0 Crypto ACL       
 325       33652       32198       1045  0.23%  0.37%  0.43% 514 Virtual Exec     
   2        4428       84728         52  0.15%  0.06%  0.07%   0 Load Meter       
 119      356324      613777        580  0.15%  0.25%  0.27%   0 IP Input         
  41       10124      423671         23  0.07%  0.08%  0.07%   0 Per-Second Jobs  
 151       18788      601822         31  0.07%  0.18%  0.22%   0 CEF: IPv4 proces 
ROUTER# 

 

Keyserver conf:

crypto isakmp policy 100
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!
!         
crypto ipsec transform-set CRYPTO_AES esp-aes esp-sha-hmac 
!
crypto ipsec profile PHASE-II
 set security-association lifetime seconds 7200
 set transform-set CRYPTO_AES 
!
crypto gdoi group GETVPN_CLIENT
 identity number 7
 server local
  rekey lifetime seconds 43200
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa REKEY_CLIENT
  rekey transport unicast
  sa ipsec 1
   profile PHASE-II
   match address ipv4 ACL
   no replay
  address ipv4 10.1.1.176
  redundancy
   local priority 10
   peer address ipv4 10.1.1.176

 

Thanks for your advice
