ISR Routers ( 2811 & 3845 ) High CPU due to Interrupts

Muhammad Kashif Siddiqui · ‎02-10-2015

We are using different ISR Router (2811 & 3845 on most cases) on branch side. We are connected to Head Office using DMVPN tunnels through MPLS Link. We are having built in VPN Integrated module in our Routers. In most of the smaller branches we have 2811 with 8Mbps WAN Link and 50Mbps (Aprx) Link on bigger branches with 3845 Routers.

Now the problem starts when our WAN consumption increases gradually. In case of 2811, CPU reaches 50-60% with only 3Mbps WAN consumption while on bigger branches where we have 3845 the CPU consumption starts growing after 15-20 Mbps even with high end Router.

In order to find the root cause I followed below document which didn't help me.

http://www.cisco.com/c/en/us/support/docs/routers/7500-series-routers/41120-highcpu-interrupts.html

I was trying to find some document which can show me the maximum throughput of these ISR routers with built in VPN Modules. Please note that this High CPU is not due to any particular process but due to interrupts.

Show Version: 2811

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)

System image file is "flash:c2800nm-advipservicesk9-mz.124-24.T5.bin"

Cisco 2811 (revision 53.51) with 249856K/12288K bytes of memory.
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Show process cpu : 2811

CPU utilization for five seconds: 99%/84%; one minute: 60%; five minutes: 62%

Show version: 3845

Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)System image file is "flash:c3845-advipservicesk9-mz.124-24.T5.bin"

Cisco 3845 (revision 1.0) with 222208K/39936K bytes of memory.
Processor board ID FCZ11237546
2 Gigabit Ethernet interfaces
2 ISDN Basic Rate interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
62720K bytes of ATA System CompactFlash (Read/Write)

Show process cpu : 3560

CPU utilization for five seconds: 46%/39%; one minute: 36%; five minutes: 21%

Jose Jara · ‎02-10-2015

Hi,

I´ve tried to find information about the positioning of ISR-G1 in Cisco´s website but unfortunately did not find anything. However, I´ve found a table (from Cisco) in an old doc of the SP I´ve been working last years and saw that the 2811 with heavy services is positioned to handle 4 Mbps and the 3845 to 45 Mbps.

Hope this helps,

Jose.

Muhammad Kashif Siddiqui · ‎02-10-2015

Dear Jose,

Thanks for your response.

I will highly appreciate if you can share this table with me.

Thanks/Regards

Jose Jara · ‎02-10-2015

Muhammad,

I attach here the table.

Best Regards,

Jose.

Muhammad Kashif Siddiqui · ‎02-11-2015

Hi Jose,

This information is really very helpful. May I have the complete link where Manufacturer composed this information ?

Secondly, How can we roughly make idea of Heavy services ? As per my current scenario I am using below services. Can I consider them heavy ?

1- BGP ( 1 session with about 1200 Routes)

2- OSPF ( With about 12 neighbors)

3- HSRP (With 10-12 Interfaces)

4- DMVPN ( 2 Tunnels) Where I am having encryption and Hashing in place.

5- SNMP

Joseph W. Doherty · ‎02-10-2015

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Usually, interrupt CPU is due to optimal packet forwarding. ISRs only have finite capacity, which is much less than their Ethernet port allow.

Encryption will reduce maximum transfer rate, more so when using the integrated encryption chip. (NB: It is usually not a huge difference.)

However, something that will also drive up CPU, when doing encryption, is packet fragmentation. Have you've done everything possible to minimize fragmentation?

BTW, good info about avoiding fragmentation: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

Muhammad Kashif Siddiqui · ‎02-10-2015

Dear Joseph,