10-04-2017 01:21 PM - edited 03-05-2019 09:14 AM
I have a router that has a VAM2+ VPN module running DMVPN on VTI interfaces doing about 180 Mbs of aggregated VPN traffic. When doing a show proc cpu sorted, it shows something like this:
CPU utilization for five seconds: 72%/69%; one minute: 75%; five minutes: 72%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
Note that all the processes' CPU utilization isn't much; I know the high CPU is due to the VPN traffic and/or interrupts. My question is, shouldn't this be handled on the VAM2+? I was under the impression the VPN module would offload VPN-related traffic off the main CPU. So why is so much of the main CPU still used on interrupts? Is there something I can do, aside from using CEF etc., to take more load off the CPU?
thanks, P
#sh interface tun 0 switching
Tunnel0 DMVPN SECONDARY HUB - Phase 2 Tunnel (no phase 3 support) Backup DR site
Throttle count 0
Drops RP 53 SP 0
SPD Flushes Fast 0 SSE 0
SPD Aggress Fast 0
SPD Priority Inputs 0 Drops 0
Protocol IP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 107640547 9996396439 15395773 1432308969
Cache misses 0 - - -
Fast 311355365945 427703104419288 166291219972 36575377714896
Auton/SSE 0 0 0 0
Protocol Other
Switching path Pkts In Chars In Pkts Out Chars Out
Process 0 0 57650608 8120220008
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
NOTE: all counts are cumulative and reset only after a reload.
#sh cef drop
CEF Drop Statistics
Slot Encap_fail Unresolved Unsupported No_route No_adj ChkSum_Err
RP 70060967 2 0 588 0 0
10-05-2017 07:29 AM - edited 10-05-2017 07:31 AM
The VAM offloads encryption and decryption; the main CPU still forwards packets, whether encrypted or not. (BTW, w/o an encryption module, your 7200 [?] might only obtain 1% of its current throughput.)
Is there anything else you can do to reduce CPU loading? Perhaps, for instance, you want to avoid fragmentation across your tunnels. Also, just like w/o tunnels, you want to use only the services you need and use them in the most efficient way. For example, if using ACLs, ensure the most commonly matched entries are first, or if a 7200 that supports turbo-ACL, enable it, etc.
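Added example (not part of the thread or any poster's reply): a small Python parser that splits the `72%/69%` figure into total, interrupt-level and process-level CPU, and measures how much of the tunnel's traffic was process switched, using lines copied from the output posted above. It relies on the standard IOS meaning of `X%/Y%` (total CPU / CPU spent at interrupt level); the function names are hypothetical.

```python
import re

CPU_RE = re.compile(r"five seconds:\s*(\d+)%/(\d+)%")
# Counter rows of 'show interface ... switching': path, pkts in, chars in, pkts out, chars out
ROW_RE = re.compile(r"^\s*(Process|Fast|Auton/SSE)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def split_cpu(line):
    """Return (total, interrupt, process) percentages from the 5-second figure."""
    m = CPU_RE.search(line)
    if not m:
        raise ValueError("no 'five seconds: X%/Y%' field found")
    total, interrupt = int(m.group(1)), int(m.group(2))
    return total, interrupt, total - interrupt

def switching_totals(text):
    """Sum packets (in + out) per switching path across all protocol sections."""
    totals = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # 'Cache misses' and header rows do not match and are skipped
            path = m.group(1)
            totals[path] = totals.get(path, 0) + int(m.group(2)) + int(m.group(4))
    return totals

def process_switched_share(totals):
    """Fraction of all packets that were punted to process switching."""
    all_pkts = sum(totals.values())
    return totals.get("Process", 0) / all_pkts if all_pkts else 0.0

# Input lines copied from the output posted in this thread
CPU_LINE = "CPU utilization for five seconds: 72%/69%; one minute: 75%; five minutes: 72%"
SWITCHING = """\
Protocol IP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 107640547 9996396439 15395773 1432308969
Cache misses 0 - - -
Fast 311355365945 427703104419288 166291219972 36575377714896
Auton/SSE 0 0 0 0
Protocol Other
Switching path Pkts In Chars In Pkts Out Chars Out
Process 0 0 57650608 8120220008
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
"""

if __name__ == "__main__":
    total, intr, proc = split_cpu(CPU_LINE)
    print(f"total {total}%  interrupt {intr}%  process {proc}%")
    t = switching_totals(SWITCHING)
    print(t, f"process-switched share: {process_switched_share(t):.4%}")
```

On this data the process-switched share is well under 0.1%, so nearly all packets take the fast path and are counted in the interrupt-level figure rather than against any listed process.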
10-05-2017 08:35 AM
Thanks Joseph, you actually answered one of my similar questions regarding this in the past. I guess I just can't believe that even with the VPN module the CPU is still being used that much. I didn't realize the 7301 main CPU would use that much % on 180+ Mbs of forwarding :(. I was under the impression this will do a lot more aggregated traffic according to the Cisco stats. Thanks for assuring me of what is going on.
Thanks, Paul