02-15-2015 05:10 AM - edited 03-07-2019 10:39 PM
On one of my 2811 routers I am seeing high CPU. I want to check whether AIM-VPN/SSL-2 is installed or not. As per show version I can see one VPN Module is installed, but when I run "show inve" or "show diag" it does not show anything.
Again, if I run "show crypto engine configuration" it shows it's enabled and it's handling the packets.
------------------ show diag ------------------
Slot 0:
C2811 Motherboard with 2FE and integrated VPN Port adapter, 2 ports
Port adapter is analyzed
Port adapter insertion time 3d12h ago
Onboard VPN : v2.3.3
EEPROM contents at hardware discovery:
PCB Serial Number : FOC12206L4M
Hardware Revision : 1.0
Top Assy. Part Number : 800-26920-04
Board Revision : A0
Deviation Number : 0
Fab Version : 04
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Processor type : 87
Hardware date code : 20080519
Chassis Serial Number : FCZ12237442
Chassis MAC Address : 001d.70a1.5108
MAC Address block size : 24
CLEI Code : COM7R00ARA
Product (FRU) Number : CISCO2811
Part Number : 73-10258-05
Version Identifier : V05
EEPROM format version 4
EEPROM contents (hex):
0x00: 04 FF C1 8B 46 4F 43 31 32 32 30 36 4C 34 4D 40
------------------ show inventory ------------------
NAME: "2811 chassis", DESCR: "2811 chassis"
PID: CISCO2811 , VID: V05 , SN: FCZ12237442
---------------- "show crypto engine configuration" --------------------------
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
------------------ show crypto engine accelerator statistic ------------------
Device: NETGX
Location: Onboard: 0
:Statistics for encryption device since the last clear
of counters 304145 seconds ago
174571407 packets in 174562621 packets out
66250393080 bytes in 66896751634 bytes out
573 paks/sec in 573 paks/sec out
1742 Kbits/sec in 1759 Kbits/sec out
78847849 packets decrypted 95714772 packets encrypted
43732966416 bytes before decrypt 22517426664 bytes encrypted
41127077698 bytes decrypted 25769673936 bytes after encrypt
------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T8, RELEASE SOFTWARE (fc1)
Cisco 2811 (revision 51.46) with 247808K/14336K bytes of memory.
Processor board ID FHK0932F0H0
2 FastEthernet interfaces
1 Channelized/Clear E1/PRI port
1 Virtual Private Network (VPN) Module
1 ATM/Voice AIM
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
02-15-2015 05:32 AM
I haven't worked with these routers for a while, so take this as a suggestion, but the 2800 series comes with a built-in encryption engine and from your output I think this is what you are looking at.
If you had an AIM VPN module you should see another slot entry in your show diag command, because it would take up one of the available slots, and your "show crypto engine configuration" command should show the Product Name of "AIM-VPN/SSL-2".
So from what I can tell, no, you don't have a separate VPN module installed; you are using the one that comes with the router.
Like I say, I haven't used them in a while, but that is how I read it.
Is there any way you can physically check the router? That would show you if there were any additional slots being used.
Jon
02-15-2015 05:59 AM
Dear Jon,
Thanks a lot for your reply.
Can you help me find the throughput of the router using this built-in encryption engine, since I am unable to find any document which shows a stress/performance test?
As per my current scenario, I am using DMVPN (2 tunnels, one is passing traffic at a time) with services like BGP, OSPF, SNMP and HSRP.
I start facing high CPU as the WAN traffic (encrypted) starts growing, and my CPU touches 70% with 2.5-3 Mbps WAN consumption. Everything returns to normal when traffic drops.
Thanks/Regards
02-15-2015 06:19 AM
I'll have a dig around but I doubt you will get the specific figures you are looking for, because it is dependent on the other things you are using on your router, e.g. you are running BGP and OSPF for starters, which is going to have an effect.
It also depends, obviously, on the amount of actual traffic being pushed through the tunnel, although if you only have a single DMVPN tunnel up at any one time that certainly doesn't sound too excessive.
Let me have a look around and see if I can find any performance stats for that router using encryption.
I may not find anything and it won't be until later if I do.
Jon
02-15-2015 12:17 PM
Indeed there is no AIM-VPN module in your router ("show inventory" would show it - it's an internal slot, can't visually tell from outside whether it's there or not).
3 Mbps doesn't seem too much, but maybe other processes (like routing protocols) besides encryption load the CPU too... anyway, I found these two links containing information of potential interest on the matter:
https://supportforums.cisco.com/discussion/10743306/vpn-throughput
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn_performance_eng.pdf
02-24-2015 05:28 AM
Thanks for your answer. Please also go through the Cisco document shared below, which clearly shows the built-in VPN module throughput.
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008075ea98.pdf
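An added example, not part of any post in this thread: a Python sketch that applies the check described in the 05:32 AM reply (the Product Name and inventory PID strings) to the output posted in the question, and recomputes the accelerator rates from the raw counters. The function names are assumptions and the sample text is excerpted from the output above; for these counters the paks/sec and Kbits/sec lines reproduce as totals divided by seconds since the last clear, so they are averages over roughly 84 hours rather than a measure of peak load.

```python
import re

# Sample input: lines excerpted from the command output posted in this thread.
SAMPLE = """\
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
NAME: "2811 chassis", DESCR: "2811 chassis"
PID: CISCO2811 , VID: V05 , SN: FCZ12237442
:Statistics for encryption device since the last clear
of counters 304145 seconds ago
174571407 packets in 174562621 packets out
66250393080 bytes in 66896751634 bytes out
"""

def crypto_engine(text):
    """Classify the crypto engine from 'show crypto engine configuration'
    and 'show inventory' text (hypothetical helper, not a Cisco tool)."""
    fields = dict(re.findall(
        r"^[ \t]*(crypto engine type|State|Product Name):[ \t]*(.*?)[ \t]*$",
        text, re.M))
    pids = re.findall(r"^[ \t]*PID:[ \t]*(\S+)", text, re.M)
    product = fields.get("Product Name", "")
    # Per the thread, an AIM shows up in inventory and as the engine's product name.
    names = [product] + pids
    return {
        "product": product,
        "hardware": fields.get("crypto engine type") == "hardware",
        "enabled": fields.get("State") == "Enabled",
        "aim_vpn": any(n.upper().startswith("AIM-VPN") for n in names),
    }

def accel_averages(text):
    """Recompute average rates from the raw accelerator counters."""
    secs = int(re.search(r"(\d+) seconds ago", text).group(1))
    pk_in, pk_out = map(int, re.search(
        r"(\d+) packets in\s+(\d+) packets out", text).groups())
    by_in, by_out = map(int, re.search(
        r"(\d+) bytes in\s+(\d+) bytes out", text).groups())
    return {
        "hours": secs / 3600,
        "pps_in": pk_in // secs, "pps_out": pk_out // secs,
        "kbps_in": by_in * 8 // secs // 1000,
        "kbps_out": by_out * 8 // secs // 1000,
        "avg_bytes_in": by_in // pk_in,
    }

if __name__ == "__main__":
    print(crypto_engine(SAMPLE))
    print(accel_averages(SAMPLE))
```

To see load at the time CPU is high, the counters would need to be sampled twice around the busy period and the difference taken, since the lifetime averages smooth out peaks.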