03-25-2011 09:27 AM
Hey,
I have an 1841 router that has 10 tunnels. When the traffic hits in the 17mb range ( one direction) the cpu spikes to 99%.
This device should be able to support 45mb according to the documentation out there.
Anyone seen something like this before ?
Part 2 of my question goes to the Show process cpu sorted command
Why is it that when the cpu is at 99 percent the processes listed don't add up to 99. Some cisco devices are fine but i have experienced lots that don't.
I usually blame the one that is listed at the top since it didn't add up. ip input was the highest in this case which is traffic.
Dan
03-27-2011 01:11 AM
Dan,
If the processess don't add up to total percentage, it means your high CPU is caused by IO operation.
First things to do is check:
- show buff (check which buffers see failures increasing)
- show interface (to check any possible high rate of error or input/output rate)
I doubt this will be a VPN specific problem, I'd move this thread to architecture or better open up a TAC case.
Marcin
03-27-2011 06:21 AM
When you say IO , what do you mean?
03-27-2011 09:35 AM
Dan,
IO = Input/output, not the moon of ... Jupiter was is? :-)
Ie. if your router has high CPU because of IO it's handling too high rate of packets (might be because of some underlying problems).
Marcin
03-27-2011 09:39 AM
There must be underlying problems then. The 1841 should be able to handle 45mb.
17mb shouldn't be too much output.
03-27-2011 10:03 AM
Dan,
Very likely, did you verify the two outputs I suggested before?
Marcin
03-27-2011 10:05 AM
The 1841 can NOT handle 45Mbps IPSec traffics when you're talking AES-256/DH-5 with PFS Group5. With 1 VPN tunnel, the most it can handle is about 32Mbps and only in ONE direction. At 32Mbps, the CPU hits 99% utilization:
C1841#sh process cpu | i five
CPU utilization for five seconds: 100%/99%; one minute: 99%; five minutes: 99%
C1841#
03-27-2011 12:56 PM
Interesting point. Do you have the comparison link handy?
I honestly don't remember the throughput with and without AIMII card.
Marcin
03-27-2011 05:19 PM
hmmm that would make sense then. This document says 40mb.
03-28-2011 12:19 AM
Dan,
40/2 + a bit of overhead/fragmentation/packetloss could be at 17Mbit.
Check current crypto accelerator stats:
- show crypto cli
- show crypto engine config
- show crypto engine accel stati
Marcin
03-28-2011 04:33 AM
Cisco shouldn't lead me on. If it can't even deal with 17mb one direction, How are they going to squeeze another 17mb in the other direction.
03-28-2011 04:34 AM
Thanks for the help guys.
03-28-2011 11:24 AM
I'm going to go with that there is underlying problems. To say the 1841 only supports 20mb one way doesn't seem correct.
The router isn't under a warranty so I can't call their tech support.
I'll try to find another 1841 that i can perform some tests on.
Dan
03-28-2011 01:28 PM
Dan,
It all depends what you're running ... onboard crypto?
I believe the number 40 Mbit is done in ideal circumstance (no drop, 1400 byte packets etc), I didn't go over the comparison so I don't know the details of the test. But I would definetly check accelerator stats.
Marcin
03-28-2011 02:20 PM
Even with onboard crypto enable and with 1400 bytes packet, I can tell you that the 1841 will max out at about 36Mbps, ONE WAY.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide