cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1261
Views
0
Helpful
8
Replies
muhammad-furqan
Beginner

High CPU due to IPSec Pass Through

I can see constant ESP traffic coming from WAN and going to a VPN box connected on LAN which is causing high CPU the traffic flow is almost one way seems a replication and its around 80Mb. I check CEF and interface switching and not able to find any abnormality all traffic is taking proper switching path i am failed to find any punted and process switch traffic. The culprit is ESP traffic when i deny the ESP traffic with access-list CPU drop down to normal. I am trying to find the actual traffic in tunnel which is causing this issue

8 REPLIES 8
Joseph W. Doherty
Hall of Fame Expert

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

ESP traffic, that's just transit, shouldn't normally have any more impact than any other transit traffic.

If the VPN is passing high traffic volume, could your CPU just be related to the additional volume?

Its only 80Mb and as per document its capable to handle more than 200 Mb. Do you think it can related to huge fragments?

What model router?

3845

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Ok, yes a 3845 is rated at about 500 Kpps, for minimum size packets, but that's also for "ideal" traffic.  The same device is also rated at 35 Kpps for process switching, which provides a hint of the CPU hit for anything less than ideal traffic might cause.  (Yes, I noted you don't see high process switching, but interrupt switch is still CPU processed, it's just, in theory, very optimal at what it does.)

Again, if your VPN traffic is just transit, I wouldn't expect it to normally have any more impact than any other similar sized transit traffic.

What you might try is some traffic generator.  Shoot an additional 80 Mbps through your router, and see what's the CPU impact.  (On Windows clients, I've used PCATTCP with UDP packets for such testing.)

ACL, QOS and netflow is configured and ESP packets are not less than 1500 bytes and this router handle ACL, QOS and and netflow in software mean interrupts and as per documents if we enable these services than this router can handle upto T3/E3 traffic

I opened the TAC and got the same reply

Q. What is the performance of the 3800 series?
A. The 3800 Series routers are designed to deliver multiple concurrent services at wire-speed performance of up to T3/E3 rates. The T3/E3 value represents IMIX packet sizes in higher than typical 3800 services configurations. In less service-intense environments, actual WAN throughput will be higher. In light service environments with 64 byte packets, the 3800 series can achieve between 350-500 Kpps

http://www.cisco.com/c/en/us/products/collateral/routers/3800-series-integrated-services-routers-isr/prod_qas0900aecd8016a953.html.

 

===========================================================================

See the performance chart here by Miercom

http://www.miercom.com/pdf/reports/20090710.pdf

 

===========================================================================

 

As per following document it can handle 256 Mbs but

Numbers are given with 64 byte packet size, IP only, and are only an indication of raw switching performance. These are testing numbers, usually with FE to FE or POS to POS, no services enabled. As you add ACL's, encryption, compression, etc - performance will decline significantly from the given numbers, unless it is a hardware-assisted platform, such as the 7600 or 12000, which process QoS, ACL's, and other features in hardware.

https://supportforums.cisco.com/sites/default/files/legacy/8/0/6/18608-routerperformance.pdf


It seems router is overloaded with traffic of full size packets and ACL and QOS applied to it