05-15-2016 07:17 AM
Hello!
I have a large VPN hub-and-spoke topology with 2 hubs:
1) ASR1001 primary
2) Cisco 7206VXR NPE-G2 with VSA as backup
I have no problem with the Cisco ASR1001, but when I switch to the 7200VXR NPE-G2 VSA, performance is much slower than expected.
I have 90% CPU with 75 Mbit of traffic.
My configuration is the following:
!
ip vrf Inet
rd 10:54
!
flow exporter Net-Mon-Flow-export
destination 192.168.x.y
dscp 8
!
flow monitor Tunnel-flowmon-in
exporter Net-Mon-Flow-export
statistics packet protocol
statistics packet size
record netflow ipv4 original-input
!
flow monitor Tunnel-flowmon-out
exporter Net-Mon-Flow-export
statistics packet protocol
statistics packet size
record netflow ipv4 original-output
!
crypto pki trustpoint priv.ca2016
enrollment retry count 5
enrollment retry period 3
enrollment url http://c.d.e.f:80
fingerprint [del]
revocation-check crl none
auto-enroll 90
!
redundancy
no crypto engine software ipsec
!
!
controller ISA 0/1
!
crypto isakmp policy 100
encr aes
group 2
lifetime 28800
!
crypto ipsec transform-set Entry-transform-AES esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile Tun-ipsec-profile
set security-association lifetime seconds 28800
set transform-set Entry-transform-AES
set pfs group2
!
interface Loopback0
ip address 10.255.0.111 255.255.255.255
!
!
interface Tunnel1
ip unnumbered Loopback0
no ip unreachables
ip mtu 1342
ip flow monitor Tunnel-flowmon-in input
ip flow monitor Tunnel-flowmon-out output
delay 400
keepalive 10 3
tunnel source GigabitEthernet0/1.54
tunnel mode ipsec ipv4
tunnel destination a.b.c.d
tunnel vrf Inet
tunnel protection ipsec profile Tun-ipsec-profile
crypto ipsec df-bit clear
!
interface Tunnel500
[same conf]
!
interface GigabitEthernet0/1.54
encapsulation dot1Q 54
ip vrf forwarding Inet
ip address N.V.M.K 255.255.255.240
no ip proxy-arp
!
ip route vrf Inet 0.0.0.0 0.0.0.0 N.V.M.L
!
interface GigabitEthernet0/2
bandwidth 600000
ip address 10.254.31.111 255.255.255.128
!
router eigrp 1
network 10.254.0.0 0.0.1.255
!
==
sh crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine VSA details: state = Active
Capability : DES, 3DES, AES, RSA, GDOI, FAILCLOSE, HA
IKE-Session : 501 active, 5120 max, 0 failed
DH : 9 active, 5120 max, 0 failed
IPSec-Session : 984 active, 10230 max, 0 failed
--
d1-gw1#sh ver
Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 15.2(4)M10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Mon 07-Mar-16 07:08 by prod_rel_team
ROM: System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
d1-gw1 uptime is 4 days, 14 hours, 41 minutes
System returned to ROM by reload at 02:02:46 EEST Wed May 11 2016
System restarted at 02:06:09 EEST Wed May 11 2016
System image file is "disk2:c7200p-adventerprisek9-mz.152-4.M10.bin"
Last reload reason: Reload Command
[del]
Cisco 7206VXR (NPE-G2) processor (revision A) with 917504K/65536K bytes of memory.
Processor board ID 36043518
MPC7448 CPU at 1666Mhz, Implementation 0, Rev 2.2
6 slot VXR midplane, Version 2.11
Last reset from power-on
PCI bus mb1 (Slots 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb1 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4 and 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
1 FastEthernet interface
3 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
2045K bytes of NVRAM.
250880K bytes of ATA PCMCIA card at slot 2 (Sector size 512 bytes).
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
---
sh diag 0
Slot 0:
VSA IPsec Card Port adapter
Port adapter is analyzed
Port adapter insertion time 4d14h ago
EEPROM contents at hardware discovery:
PCB Serial Number : JAF1324ALNP
Hardware Revision : 1.0
Part Number : 73-10220-05
Board Revision : B1
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Deviation Number : 0
Product (FRU) Number : C7200-VSA
Version Identifier : V01
Top Assy. Part Number : 68-2578-05
CLEI Code : CNUCAFNAAA
EEPROM format version 4
EEPROM contents (hex):
The most interesting output is here:
Inbound is always 0!
d1-gw1#sh crypto engine accelerator statistic 0
Inbound rate: 0pps 0kb/s all time,
Device: VSA
Location: Service Adapter: 0
VSA Traffic Statistics
Inbound rate: 0pps 0kb/s Outbound rate: 486pps 3069kb/s
TRAFFIC Transmitted Received
-------------------------------------------------------------------------------
Message Count: 3104384 3104384
Message Byte Count: 703766103 1165241340
Message Overflow: 0
Outbound Count: 243709246 243709246
Outbound Byte Count: 189911685128 214589899308
Outbound Overflow: 0
Inbound Count: 259135109 424038588
Inbound Byte Count: 146391096870 234318153545
Inbound Overflow: 0
Reassembled Pkt: 0
Fragments Dropped: 0
IPPE: 0
EPPE: 0
FIFO: 0
RAE: 0
Inbound Traffic:
-------------------------------------------------------------------------------
Decrypted Pkt: 0
Passthrough Pkt: 259133568
IKE Pkt: 4
SPI Error: 1537
Policy Violation: 0
Fail-Close Policy Violation: 0
Outbound Traffic: Route cache Processor
-------------------------------------------------------------------------------
Encrypted Pkt: 203220599 40240370
Passthrough Pkt: 0 140648
Policy Violation: 107629
Fail-Close Policy Violation: 0
SSL Session Info:
-------------------------------------------------------------------------------
Total SSL Session Created: 0
Total SSL Session Deleted: 0
Active SSL Sessions: 0
Decrypted SSL Record: 0
Encrypted SSL Record: 0
Queue Depth:
------------------------------------------------------------------------------
TXRing Current Queue Depth:
High Priority : 0.0 %
Medium Priority : 0.0 %
Low Priority : 0.0 %
VSA RX Exception statistics:
Invalid SA : 0 Enc Dec mismatch : 0
Next Header mismatch : 0 Pad mismatch : 0
MAC mismatch : 0 Anti replay failed : 0
Enc Seq num overflow : 0 Dec IPver mismatch : 0
Enc IPver mismatch : 0 TTL Decr : 0
Selector checks : 0 UDP mismatch : 0
IP Parse error : 0 Fragmentation Error : 0
IB Selector check : 0 TimeBased Replay Err : 0
SSL Unsupported suite : 0 SSL MAC Miscompare : 0
SSL CTX Invalid : 0 SSL Verify Data Miscomp : 0
SSL Invalid Padlen : 0 SSL Bad Record : 0
SSL Segmentation Error : 0 Misc. Exceptions : 0
Thanks for any help!
05-15-2016 12:42 PM
The 7206 is very old, so it doesn't surprise me. What does the 7206 report as using the most CPU?
Have you considered a 4000 series router? Much cheaper than an ASR, and it will beat the pants off a 7206.
05-15-2016 12:44 PM
As a bonus, the 4000 series also runs IOS-XE, like the ASR1001.
05-15-2016 01:00 PM
>The 7206 is very old, so it doesn't surprise me.
Yes, it is old, but the doc http://www.cisco.com/c/en/us/products/collateral/routers/7200-series-routers/prod_qas0900aecd80471935.html
says:
The VSA supports up to 960Mbps for 1400-byte packets with 1000 active tunnels.
30% of that should be enough as a backup for my case.
So I want to try to get 30% of this performance before purchasing some new equipment. It is a hard time in Ukraine.
Maybe some config error is the cause, and fixing it could fix my performance?
sh crypto engine accelerator statistic 0
Inbound rate: 0pps 0kb/s
Inbound Traffic:
-------------------------------------------------------------------------------
Decrypted Pkt: 0
Passthrough Pkt: 259133568
>What what does the 7206 report as using the most CPU?
'IP Input' was at the top of 'sh proc cpu so'
05-15-2016 01:04 PM
Hmm, "IP Input" is a pretty normal packet processing process. So that sounds normal to me.
The throughput quoted is based on 1400 byte packets. Any chance your average packet size is much smaller than this?
05-15-2016 01:28 PM
The sum of the non-zero processes is less than the total:
d1-gw1#sh proc cpu sorted 1min
CPU utilization for five seconds: 44%/23%; one minute: 39%; five minutes: 18%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
113 10938556 245861649 44 15.67% 13.70% 5.86% 0 IP Input
370 1092068 39968666 27 0.15% 1.82% 1.51% 0 EIGRP-IPv4
371 635400 77144157 8 0.63% 0.63% 0.54% 0 EIGRP-IPv4 Hello
351 26064 104886738 0 0.39% 0.35% 0.28% 0 IP SLAs XOS Even
70 1014464 422212 2402 1.43% 0.29% 0.24% 0 Per-Second Jobs
267 558324 3589190 155 0.15% 0.16% 0.15% 0 Crypto IKMP
345 3200 422121 7 0.15% 0.16% 0.06% 0 FNF Cache Ager P
6 593768 71480 8306 1.03% 0.16% 0.12% 0 Check heaps
51 8248 3952243 2 0.15% 0.13% 0.10% 0 Net Background
374 3768 6783 555 0.15% 0.09% 0.05% 2 SSH Process
146 7108 655288 10 0.07% 0.08% 0.07% 0 CEF: IPv4 proces
68 344412 84454 4078 0.07% 0.08% 0.07% 0 Compute load avg
73 186728 126556 1475 0.07% 0.07% 0.07% 0 HC Counter Timer
358 110192 51434 2142 0.15% 0.06% 0.03% 0 SNMP Traps
Maybe some packets are decrypted in software?
Inbound rate: 0pps 0kb/s
Inbound Traffic:
-------------------------------------------------------------------------------
Decrypted Pkt: 0
Passthrough Pkt: 259133568
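A small checker, added here as an example and not part of the thread or of any Cisco tool, that parses the accelerator statistics quoted in the first post and again in this reply, and flags the asymmetry the poster is asking about: outbound packets are encrypted on the card while the inbound decrypt counter stays at 0. The counter labels come from the posted output; the 0.99 threshold and the finding texts are assumptions.

```python
import re

# Constructed excerpt copied from the "sh crypto engine accelerator statistic 0"
# output posted in the thread; not a live capture.
VSA_STATS = """\
Inbound rate: 0pps 0kb/s Outbound rate: 486pps 3069kb/s
Inbound Traffic:
-------------------------------------------------------------------------------
Decrypted Pkt: 0
Passthrough Pkt: 259133568
SPI Error: 1537
Outbound Traffic: Route cache Processor
-------------------------------------------------------------------------------
Encrypted Pkt: 203220599 40240370
Passthrough Pkt: 0 140648
Policy Violation: 107629
"""
# label, then one or two integer columns (outbound rows have route-cache and processor)
COUNTER = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s+(\d+(?: \d+)*)$")

def parse_vsa_stats(text):
    """Return {'inbound': {label: count}, 'outbound': {label: count}}; multi-column rows are summed."""
    sections, current = {"inbound": {}, "outbound": {}}, None
    for line in text.splitlines():
        if line.startswith("Inbound Traffic"):
            current = "inbound"
        elif line.startswith("Outbound Traffic"):
            current = "outbound"
        elif current and (m := COUNTER.match(line.strip())):
            sections[current][m.group(1)] = sum(int(v) for v in m.group(2).split())
    return sections

def offload_ratio(section, crypto_label):
    """Share of packets the card encrypted/decrypted itself rather than passed through."""
    done = section.get(crypto_label, 0)
    total = done + section.get("Passthrough Pkt", 0)
    return done / total if total else 0.0

def assess_offload(stats):
    """Flag the thread's symptom: outbound encrypts on the VSA, inbound never decrypts there."""
    inb, outb, findings = stats["inbound"], stats["outbound"], []
    if inb.get("Passthrough Pkt", 0) > 0 and offload_ratio(inb, "Decrypted Pkt") == 0.0:
        findings.append("inbound: VSA decrypted 0 packets, decryption is not offloaded")
    if offload_ratio(outb, "Encrypted Pkt") > 0.99:  # assumed threshold
        findings.append("outbound: encryption is offloaded to the VSA")
    if inb.get("SPI Error", 0) or outb.get("Policy Violation", 0):
        findings.append("SPI errors / policy violations present, check SA and policy state")
    return findings
```

Run `assess_offload(parse_vsa_stats(VSA_STATS))` against a fresh copy of the command output to see whether the inbound counter has started moving after a config change.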