Cisco 2901 Slow VPN/High CPU

NickCTAus
Level 1

I have a Cisco 2901 on the end of a 100/100Mbps WAN.

I have an IPsec VPN configured, however the maximum traffic I have seen go over this link is 40Mbps, and while traffic is sustained at this maximum rate the CPU is between 80-90% busy.

During periods of high CPU, the router is sluggish and often drops packets, even ones which aren't destined for the VPN (I wouldn't expect otherwise).

I am currently running DES/MD5 to try and squeeze the most performance out of the router.

Is there any way I can push the VPN speed as close to 100Mbps as possible without maxing the CPU?

Can the 2901 even support these speeds? And is it making proper use of the hardware encryption module which is built in?

 

Here are some stats which may help:

show proc cpu sorted

CPU utilization for five seconds: 81%/80%; one minute: 77%; five minutes: 40%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
 101      188804    47594649          3  0.23%  0.22%  0.21%   0 Ethernet Msec Ti
  14      482964      385534       1252  0.23%  0.04%  0.05%   0 Environmental mo
   3        1460         585       2495  0.15%  0.04%  0.05% 388 SSH Process
 327       85280      280383        304  0.07%  0.01%  0.00%   0 SNMP ENGINE
 127       43608    11898639          3  0.07%  0.04%  0.05%   0 IPAM Manager
 142        5920     1510439          3  0.07%  0.00%  0.00%   0 SSS Feature Time
 131      114060      407605        279  0.07%  0.03%  0.00%   0 IP Input
 325      130836      561332        233  0.07%  0.02%  0.00%   0 IP SNMP
      888887777788888888888888888888888888888888887777711111111111
      333339999944444888884444411111111133333333339999933333333336
  100
   90                *****
   80 *************************************************
   70 *************************************************
   60 *************************************************
   50 *************************************************
   40 *************************************************
   30 *************************************************
   20 *************************************************          *
   10 ************************************************************
     0....5....1....1....2....2....3....3....4....4....5....5....6
               0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)

 

    crypto engine name:  Virtual Private Network (VPN) Module
    crypto engine type:  hardware
                 State:  Enabled
              Location:  onboard 0
          Product Name:  Onboard-VPN
            HW Version:  1.0
           Compression:  Yes
                   DES:  Yes
                 3 DES:  Yes
               AES CBC:  Yes (128,192,256)
              AES CNTR:  No
 Maximum buffer length:  0000
      Maximum DH index:  0000
      Maximum SA index:  0000
    Maximum Flow index:  2800
  Maximum RSA key size:  0000

2 Replies

johnlloyd_13
Level 9

Hi,

Could you post the show version output?

Maybe you can try to upgrade/add DRAM.

Hi, here is the show version:

 

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 14-Jun-11 19:25 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M12, RELEASE SOFTWARE (fc1)

XXX uptime is 6 days, 10 hours, 4 minutes
System returned to ROM by power-on
System restarted at 11:09:55 Sydney Wed Sep 24 2014
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M1.bin"
Last reload type: Normal Reload


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO2901/K9 (revision 1.0) with 483328K/40960K bytes of memory.
Processor board ID FGLXXXX
2 Gigabit Ethernet interfaces
2 Serial(sync/async) interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO2901/K9          FGLXXXX

 

Technology Package License Information for Module:'c2900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    EvalRightToUse securityk9
uc            None          None           None
data          datak9        Permanent      datak9

Configuration register is 0x2102

 

I am leaning towards this being a 'hardware is running at limits' issue rather than anything else from the other research I've done.