Re: 1841 high cpu

danny.carroll · ‎03-25-2011

Hey,

I have an 1841 router that has 10 tunnels. When the traffic hits in the 17mb range ( one direction) the cpu spikes to 99%.

This device should be able to support 45mb according to the documentation out there.

Anyone seen something like this before ?

Part 2 of my question goes to the Show process cpu sorted command

Why is it that when the cpu is at 99 percent the processes listed don't add up to 99. Some cisco devices are fine but i have experienced lots that don't.

I usually blame the one that is listed at the top since it didn't add up. ip input was the highest in this case which is traffic.

Dan

Marcin Latosiewicz · ‎03-27-2011

Dan,

If the processess don't add up to total percentage, it means your high CPU is caused by IO operation.

First things to do is check:

- show buff (check which buffers see failures increasing)

- show interface (to check any possible high rate of error or input/output rate)

I doubt this will be a VPN specific problem, I'd move this thread to architecture or better open up a TAC case.

Marcin

danny.carroll · ‎03-27-2011

When you say IO , what do you mean?

Marcin Latosiewicz · ‎03-27-2011

Dan,

IO = Input/output, not the moon of ... Jupiter was is? :-)

Ie. if your router has high CPU because of IO it's handling too high rate of packets (might be because of some underlying problems).

Marcin

danny.carroll · ‎03-27-2011

There must be underlying problems then. The 1841 should be able to handle 45mb.

17mb shouldn't be too much output.

Marcin Latosiewicz · ‎03-27-2011

Dan,

Very likely, did you verify the two outputs I suggested before?

Marcin

cciesec2011 · ‎03-27-2011

The 1841 can NOT handle 45Mbps IPSec traffics when you're talking AES-256/DH-5 with PFS Group5. With 1 VPN tunnel, the most it can handle is about 32Mbps and only in ONE direction. At 32Mbps, the CPU hits 99% utilization:

C1841#sh process cpu | i five
CPU utilization for five seconds: 100%/99%; one minute: 99%; five minutes: 99%
C1841#

Marcin Latosiewicz · ‎03-27-2011

Interesting point. Do you have the comparison link handy?

I honestly don't remember the throughput with and without AIMII card.

Marcin

danny.carroll · ‎03-27-2011

hmmm that would make sense then. This document says 40mb.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns171_Networking_Solutions_Brochure.html

Marcin Latosiewicz · ‎03-28-2011

Dan,

40/2 + a bit of overhead/fragmentation/packetloss could be at 17Mbit.

Check current crypto accelerator stats:

- show crypto cli

- show crypto engine config

- show crypto engine accel stati

Marcin

danny.carroll · ‎03-28-2011

Cisco shouldn't lead me on. If it can't even deal with 17mb one direction, How are they going to squeeze another 17mb in the other direction.

danny.carroll · ‎03-28-2011

Thanks for the help guys.

danny.carroll · ‎03-28-2011

I'm going to go with that there is underlying problems. To say the 1841 only supports 20mb one way doesn't seem correct.

The router isn't under a warranty so I can't call their tech support.

I'll try to find another 1841 that i can perform some tests on.

Dan

Marcin Latosiewicz · ‎03-28-2011

Dan,

It all depends what you're running ... onboard crypto?

I believe the number 40 Mbit is done in ideal circumstance (no drop, 1400 byte packets etc), I didn't go over the comparison so I don't know the details of the test. But I would definetly check accelerator stats.

Marcin

cciesec2011 · ‎03-28-2011

Even with onboard crypto enable and with 1400 bytes packet, I can tell you that the 1841 will max out at about 36Mbps, ONE WAY.