
ISR 2811 VPN Module AIM-VPN/SSL-2

On one of my 2811 routers I am having high CPU. I want to check whether the AIM-VPN/SSL-2 is installed or not. As per show version I can see one VPN module is installed, but when I run "show inve" or "show diag" it does not show anything.

Again, if I run "show crypto engine configuration" it shows it's enabled and it's handling the packets.

------------------ show diag ------------------


Slot 0:
        C2811 Motherboard with 2FE and integrated VPN Port adapter, 2 ports
        Port adapter is analyzed
        Port adapter insertion time 3d12h ago
        Onboard VPN             : v2.3.3
        EEPROM contents at hardware discovery:
        PCB Serial Number        : FOC12206L4M
        Hardware Revision        : 1.0
        Top Assy. Part Number    : 800-26920-04
        Board Revision           : A0
        Deviation Number         : 0
        Fab Version              : 04
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Processor type           : 87
        Hardware date code       : 20080519
        Chassis Serial Number    : FCZ12237442
        Chassis MAC Address      : 001d.70a1.5108
        MAC Address block size   : 24
        CLEI Code                : COM7R00ARA
        Product (FRU) Number     : CISCO2811     
        Part Number              : 73-10258-05
        Version Identifier       : V05
        EEPROM format version 4
        EEPROM contents (hex):
          0x00: 04 FF C1 8B 46 4F 43 31 32 32 30 36 4C 34 4D 40

          
  ------------------ show inventory ------------------

NAME: "2811 chassis", DESCR: "2811 chassis"
PID: CISCO2811         , VID: V05 , SN: FCZ12237442

 

---------------- "show crypto engine configuration" --------------------------
        crypto engine name:  Virtual Private Network (VPN) Module
        crypto engine type:  hardware
                     State:  Enabled
                  Location:  onboard 0
              Product Name:  Onboard-VPN

------------------ show crypto engine accelerator statistic ------------------

Device:   NETGX
Location: Onboard: 0
        :Statistics for encryption device since the last clear
         of counters 304145 seconds ago
              174571407 packets in                   174562621 packets out          
            66250393080 bytes in                   66896751634 bytes out            
                    573 paks/sec in                        573 paks/sec out         
                   1742 Kbits/sec in                      1759 Kbits/sec out        
               78847849 packets decrypted             95714772 packets encrypted    
            43732966416 bytes before decrypt       22517426664 bytes encrypted      
            41127077698 bytes decrypted            25769673936 bytes after encrypt  

------------------------------------------------------------------------------------------------------------------------------------------------------------------

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T8, RELEASE SOFTWARE (fc1)

Cisco 2811 (revision 51.46) with 247808K/14336K bytes of memory.
Processor board ID FHK0932F0H0
2 FastEthernet interfaces
1 Channelized/Clear E1/PRI port
1 Virtual Private Network (VPN) Module
1 ATM/Voice AIM
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

 

Accepted Solutions

Jon Marshall
Hall of Fame

I haven't worked with these routers for a while so take this as a suggestion but the 2800 series comes with a built in encryption engine and from your output I think this is what you are looking at.

If you had an AIM VPN module you should see another slot entry in your show diag command because it would take up one of the available slots and your "show crypto engine configuration" command should show the Product name of "AIM-VPN/SSL-2".

So from what I can tell no you don't have a separate VPN module installed, you are using the one that comes with the router.

Like I say I haven't used them in a while but that is how I read it.

Is there any way you can physically check the router, because that would show you if there were any additional slots being used?

Jon
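Added example, not part of the original thread and not Cisco tooling: a Python check that applies the test described in the answer above (the Product Name in "show crypto engine configuration", plus the PIDs in "show inventory") and recomputes the accelerator's rates from its byte counters. The function names and the AIM sample are assumptions made for illustration; the other inputs are copied from the post.

```python
import re

# Output copied from the original post (whitespace trimmed).
CRYPTO_CFG = """\
crypto engine type:  hardware
State:  Enabled
Location:  onboard 0
Product Name:  Onboard-VPN
"""
INVENTORY = "PID: CISCO2811         , VID: V05 , SN: FCZ12237442\n"
STATS = """\
of counters 304145 seconds ago
174571407 packets in    174562621 packets out
66250393080 bytes in    66896751634 bytes out
"""
# Constructed sample, not captured output: it only carries the Product Name
# that the accepted answer says an installed AIM would report.
CRYPTO_CFG_AIM = "crypto engine type:  hardware\nState:  Enabled\nProduct Name:  AIM-VPN/SSL-2\n"

def parse_fields(text):
    """Turn 'key:  value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def inventory_pids(text):
    """Return every PID listed in 'show inventory' output."""
    return [pid.strip() for pid in re.findall(r"PID:\s*([^,]+),", text)]

def classify_engine(crypto_cfg, inventory):
    """Return 'aim', 'onboard' or 'none' for the hardware crypto engine."""
    fields = parse_fields(crypto_cfg)
    names = [fields.get("product name", "")] + inventory_pids(inventory)
    if any(n.upper().startswith("AIM-VPN") for n in names):
        return "aim"
    if fields.get("crypto engine type") == "hardware" and fields.get("state") == "Enabled":
        return "onboard"
    return "none"

def average_kbps(stats):
    """Average (in, out) Kbits/sec since the counters were last cleared."""
    secs = int(re.search(r"(\d+) seconds ago", stats).group(1))
    b_in = int(re.search(r"(\d+) bytes in", stats).group(1))
    b_out = int(re.search(r"(\d+) bytes out", stats).group(1))
    return (b_in * 8 // secs // 1000, b_out * 8 // secs // 1000)

if __name__ == "__main__":
    print(classify_engine(CRYPTO_CFG, INVENTORY), average_kbps(STATS))
```

The recomputed rates equal the Kbits/sec figures in the posted statistics, so those figures are averages over the 304145 seconds since the counters were cleared rather than busy-hour load.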

 


Dear Jon,

Thanks a lot for your reply.

Can you help me find the throughput of the router using this built-in encryption engine, since I am unable to find any document which shows a stress/performance test?

As per my current scenario I am using DMVPN (2 Tunnels, One is passing traffic at a time) with services like BGP, OSPF, SNMP and HSRP.

I start facing high CPU as the WAN traffic (encrypted) starts growing, and my CPU touches 70% with 2.5-3 Mbps WAN consumption. Everything gets back to normal when traffic drops.

Thanks/Regards

I'll have a dig around but I doubt you will get the specific figures you are looking for because it is dependent on the other things you are using on your router, e.g. you are running BGP and OSPF for starters, which is going to have an effect.

It also depends obviously, on the amount of actual traffic being pushed through the tunnel although if you only have a single DMVPN tunnel up at any one time that certainly doesn't sound too excessive.

Let me have a look around and see if I can find any performance stats for that router using encryption.

I may not find anything and it won't be until later if I do.

Jon

Indeed there is no AIM-VPN module in your router ("show inventory" would show it - it's an internal slot, can't visually tell from outside whether it's there or not).

3 Mbps doesn't seem too much, but maybe other processes (like routing protocols) besides encryption load the CPU too...  anyway, I found these two links containing information of potential interest on the matter:

https://supportforums.cisco.com/discussion/10743306/vpn-throughput

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn_performance_eng.pdf

Thanks for your answer. Please also go through the Cisco document shared below, which clearly shows the built-in VPN module throughput.

 

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008075ea98.pdf
