I have an issue that looks to be cef related.

Design is essentially a private L2 cloud to multiple customers. Head end router then creates an encrypted tunnel via a virtual template, and vrf lite.

Design runs smooth on a 3945 but with about 10 meg sustained I noticed about 30% cpu utilization for the ip input process alone.

After doing some checking I believe it is all related to packets being process switched instead of CEF due to unsupported features.

I'm trying to deterine if that is the case, and if so, what the unsupported feature may be so I can fix the design.

some relevent information -

Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M4, REL

System image file is "flash0:c3900-universalk9-mz.SPA.150-1.M4.bin"

"sh cef drop" -

IPv4 CEF Drop Statistics

Slot  Encap_fail  Unresolved Unsupported    No_route      No_adj  ChkSum_Err

RP             0           0  2798289680          99           0           0

*** Interface Template and an associated virtual access interface

interface Virtual-Template1 type tunnel

ip vrf forwarding BLUE

ip unnumbered Loopback1

ip access-group vrf_traffic_filter_2 in

load-interval 30

tunnel source Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile P1

!

service-policy output mpls-shape

end

interface Virtual-Access3

ip unnumbered Loopback1

ip access-group vrf_traffic_filter_2 in

load-interval 30

tunnel source Loopback0

tunnel mode ipsec ipv4

tunnel destination 172.16.3.49

tunnel protection ipsec profile P1

no tunnel protection ipsec initiate

!

service-policy output mpls-shape

end

MPLS-HE#sh int Virtual-Access3

Virtual-Access3 is up, line protocol is up

  Hardware is Virtual Access interface

  Interface is unnumbered. Using address of Loopback1 (172.16.2.1)

  MTU 17888 bytes, BW 100000 Kbit/sec, DLY 50000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL

  CDMA vaccess, cloned from Virtual-Template1

  Vaccess status 0x4, loopback not set

  Keepalive not set

  Tunnel source 192.168.22.201 (Loopback0), destination 172.16.3.49

   Tunnel Subblocks:

      src-track:

         Virtual-Access3 source tracking subblock associated with Loopback0

          Set of tunnels with source Loopback0, 27 members (includes iterators), on interface <OK>

  Tunnel protocol/transport IPSEC/IP

  Tunnel TTL 255

  Tunnel transport MTU 1448 bytes

  Tunnel transmit bandwidth 8000 (kbps)

  Tunnel receive bandwidth 8000 (kbps)

  Tunnel protection via IPSec (profile "P1")

  Last input never, output never, output hang never

  Last clearing of "show interface" counters 2w1d

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/0 (size/max)

  30 second input rate 25000 bits/sec, 60 packets/sec

  30 second output rate 222000 bits/sec, 61 packets/sec

     30488660 packets input, 2061222615 bytes, 0 no buffer

     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     29446885 packets output, 11700198786 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 unknown protocol drops

     0 output buffer failures, 0 output buffers swapped out

MPLS-HE#

MPLS-HE#sh cef int virtual-access 3

Virtual-Access3 is up (if_number 19)

  Corresponding hwidb fast_if_number 19

  Corresponding hwidb firstsw->if_number 19

  Internet address is 0.0.0.0/0

  Unnumbered interface. Using address of Loopback1 (172.16.2.1)

  ICMP redirects are never sent

  Per packet load-sharing is disabled

  IP unicast RPF check is disabled

  Input features: Access List

  Output features: CCE Post NAT Classification, AF Policing, Post-Ingress-NetFlow

  Post encapsulation features: IPSEC Post-encap output classification

  IP policy routing is disabled

  BGP based policy accounting on input is disabled

  BGP based policy accounting on output is disabled

  Interface is marked as point to point interface

  Interface is marked as tunnel interface

  Hardware idb is Virtual-Access3

  Fast switching type 14, interface type 21

  IP CEF switching enabled

  IP CEF switching turbo vector

  IP Null turbo vector

  VPN Forwarding table "BLUE"

  IP prefix lookup IPv4 mtrie 8-8-8-8 optimized

  Input fast flags 0x21, Output fast flags 0x4008

  ifindex 22(22)

  Slot  Slot unit 3 VC -1

  IP MTU 1448

  Real output interface is GigabitEthernet0/1

MPLS-HE#

Truncated cef information from the vrf :

MPLS-HE#sh ip cef vrf BLUE

Prefix               Next Hop             Interface

10.160.49.0/24       172.16.2.49          Virtual-Access3

172.16.2.49/32       172.16.2.49          Virtual-Access3

192.168.1.128/25     10.95.0.1            GigabitEthernet0/0

                              10.95.0.9            GigabitEthernet0/2

192.168.1.240/28     10.95.0.1            GigabitEthernet0/0

                              10.95.0.9            GigabitEthernet0/2

172.16.2.1/32        receive              Loopback1

                           10.95.0.9            GigabitEthernet0/2

192.168.190.0/24     10.95.0.1            GigabitEthernet0/0

                              10.95.0.9            GigabitEthernet0/2

MPLS-HE#

I have the design running in a test lab (2900 instead of 3900) so I can test.

So far, I have tested by removing the tunnel, and placing all interfaces into the same vrf. In that case the cef unsupported drops no longer increments.

Can anyone provide and ideas what I should look at, and/or a link to unsupported features in cef?