Solved: sh proc cpu sorted doesn't show the whole picture

paul amaral · ‎10-04-2017

I have a router that has a vam2+ VPN module running DMVPN on VTI interfaces doing about 180 Mbs of aggregated VPN traffic. When doing a show proc cpu sorted it shows something like this,

CPU utilization for five seconds: 72%/69%; one minute: 75%; five minutes: 72%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process

Note that all the processes cpu utilization isn't much, I know the high CPU is due to the VPN traffic and/or interrupts. My question is shouldn't this be handled on the VAM2+? I was under the impression the VPN module would offload vpn related traffic off the main cpu. So why is so much of the main cpu till used on interrupts ? is there something i can do aside from use cef etc to take off more load off the cpu.

thanks, P

#sh interface tun 0 switching
Tunnel0 DMVPN SECONDARY HUB - Phase 2 Tunnel (no phase 3 support) Backup DR site
Throttle count 0
Drops RP 53 SP 0
SPD Flushes Fast 0 SSE 0
SPD Aggress Fast 0
SPD Priority Inputs 0 Drops 0

Protocol IP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 107640547 9996396439 15395773 1432308969
Cache misses 0 - - -
Fast 311355365945 427703104419288 166291219972 36575377714896
Auton/SSE 0 0 0 0

Protocol Other
Switching path Pkts In Chars In Pkts Out Chars Out
Process 0 0 57650608 8120220008
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0

NOTE: all counts are cumulative and reset only after a reload.

#sh cef drop
CEF Drop Statistics
Slot Encap_fail Unresolved Unsupported No_route No_adj ChkSum_Err
RP 70060967 2 0 588 0 0

Joseph W. Doherty · ‎10-05-2017

The VAM offloads encryption and decryption, the main CPU still forwards packets, whether encrypted or not. (BTW, w/o an encryption module, your 7200 [?] might only obtain 1% of its current throughput.)

Is there anything else you can do to reduce CPU loading? Perhaps, for instance, you want to avoid fragmentation across your tunnels. Also, just like w/o tunnels, you want to use only the services you need and use in the most efficient way. For example, if using ACLs, insure the most commonly matched entries are first or if a 7200 that supports turbo-ACL, enable it, etc.

View solution in original post

Joseph W. Doherty · ‎10-05-2017

The VAM offloads encryption and decryption, the main CPU still forwards packets, whether encrypted or not. (BTW, w/o an encryption module, your 7200 [?] might only obtain 1% of its current throughput.)

Is there anything else you can do to reduce CPU loading? Perhaps, for instance, you want to avoid fragmentation across your tunnels. Also, just like w/o tunnels, you want to use only the services you need and use in the most efficient way. For example, if using ACLs, insure the most commonly matched entries are first or if a 7200 that supports turbo-ACL, enable it, etc.

paul amaral · ‎10-05-2017

thanks Joseph, you actually answered one of my similar questions regarding this in the past. I guess I just can't believe that even with the VPN module the CPU is still being used that much. I didn't realize the 7301 main CPU would use that much % on 180+ Mbs of forwarding :(. I was under the impression this will do alot more aggregated traffic according to the cisco stats. Thanks for assuring me of that is going on.

Thanks, Paul