09-28-2014 06:44 AM
I have a Cisco 2901 on the end of a 100/100Mbps WAN.
I have an IPsec VPN configured, however the maximum traffic I have seen go over this link is 40Mbps, and while traffic is sustained at this maximum rate the CPU is between 80-90% busy.
During periods of high CPU, the router is sluggish and often drops packets, even ones which aren't destined for the VPN (I wouldn't expect otherwise).
I am currently running DES/MD5 to try and squeeze the most performance out of the router.
Is there any way I can push the VPN speed as close to 100Mbps as possible without maxing the CPU?
Can the 2901 even support these speeds? And is it making proper use of the hardware encryption module which is built in?
Here are some stats which may help:
show proc cpu sorted
CPU utilization for five seconds: 81%/80%; one minute: 77%; five minutes: 40%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
101 188804 47594649 3 0.23% 0.22% 0.21% 0 Ethernet Msec Ti
14 482964 385534 1252 0.23% 0.04% 0.05% 0 Environmental mo
3 1460 585 2495 0.15% 0.04% 0.05% 388 SSH Process
327 85280 280383 304 0.07% 0.01% 0.00% 0 SNMP ENGINE
127 43608 11898639 3 0.07% 0.04% 0.05% 0 IPAM Manager
142 5920 1510439 3 0.07% 0.00% 0.00% 0 SSS Feature Time
131 114060 407605 279 0.07% 0.03% 0.00% 0 IP Input
325 130836 561332 233 0.07% 0.02% 0.00% 0 IP SNMP
888887777788888888888888888888888888888888887777711111111111
333339999944444888884444411111111133333333339999933333333336
100
90 *****
80 *************************************************
70 *************************************************
60 *************************************************
50 *************************************************
40 *************************************************
30 *************************************************
20 ************************************************* *
10 ************************************************************
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per second (last 60 seconds)
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
HW Version: 1.0
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 0000
Maximum DH index: 0000
Maximum SA index: 0000
Maximum Flow index: 2800
Maximum RSA key size: 0000
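An added example, not part of the original posts: a Python parser for the `show proc cpu sorted` output quoted above. In IOS the header's `81%/80%` is total CPU over interrupt-level CPU, so the script separates the two and compares them with what the listed processes account for; the function names and the thresholds in `diagnose` are assumptions made for this example.

```python
import re

# Header and process rows copied from the `show proc cpu sorted` output in the post.
SAMPLE = """\
CPU utilization for five seconds: 81%/80%; one minute: 77%; five minutes: 40%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
101 188804 47594649 3 0.23% 0.22% 0.21% 0 Ethernet Msec Ti
14 482964 385534 1252 0.23% 0.04% 0.05% 0 Environmental mo
3 1460 585 2495 0.15% 0.04% 0.05% 388 SSH Process
327 85280 280383 304 0.07% 0.01% 0.00% 0 SNMP ENGINE
127 43608 11898639 3 0.07% 0.04% 0.05% 0 IPAM Manager
142 5920 1510439 3 0.07% 0.00% 0.00% 0 SSS Feature Time
131 114060 407605 279 0.07% 0.03% 0.00% 0 IP Input
325 130836 561332 233 0.07% 0.02% 0.00% 0 IP SNMP
"""

HEADER = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%")
# Columns: PID, Runtime, Invoked, uSecs, 5Sec, 1Min, 5Min, TTY, process name
ROW = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+[\d.]+%\s+[\d.]+%\s+\d+\s+(.+?)\s*$")

def parse_cpu(text):
    """Split the 5-second figure into interrupt and process time, and list processes."""
    m = HEADER.search(text)
    if m is None:
        raise ValueError("no 'CPU utilization' header found")
    total, interrupt, one_min, five_min = map(int, m.groups())
    procs = [(r.group(3), float(r.group(2)))
             for r in map(ROW.match, text.splitlines()) if r]
    return {"total": total, "interrupt": interrupt,
            "process": total - interrupt,
            "one_min": one_min, "five_min": five_min,
            "listed_sum": round(sum(p for _, p in procs), 2),
            "procs": procs}

def diagnose(stats, busy=70, interrupt_share=0.8):
    """Classify the load; both thresholds are assumed values for this example."""
    if stats["total"] < busy:
        return "not busy"
    if stats["interrupt"] >= interrupt_share * stats["total"]:
        return "interrupt-bound"   # load is in the packet-forwarding path
    return "process-bound"         # look for a heavy process in the table

if __name__ == "__main__":
    s = parse_cpu(SAMPLE)
    print(s["total"], s["interrupt"], s["process"], s["listed_sum"], diagnose(s))
```

On the posted figures, 80 of the 81 percent is interrupt-level and the eight listed processes sum to under 1 percent, so the script reports the load as interrupt-bound.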
09-29-2014 01:59 AM
Hi,
Could you post the show version output?
Maybe you can try to upgrade/add DRAM.
09-30-2014 04:38 AM
Hi, here is the show version:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 14-Jun-11 19:25 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M12, RELEASE SOFTWARE (fc1)
XXX uptime is 6 days, 10 hours, 4 minutes
System returned to ROM by power-on
System restarted at 11:09:55 Sydney Wed Sep 24 2014
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M1.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco CISCO2901/K9 (revision 1.0) with 483328K/40960K bytes of memory.
Processor board ID FGLXXXX
2 Gigabit Ethernet interfaces
2 Serial(sync/async) interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO2901/K9 FGLXXXX
Technology Package License Information for Module:'c2900'
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 EvalRightToUse securityk9
uc None None None
data datak9 Permanent datak9
Configuration register is 0x2102
I am leaning towards this being a 'hardware is running at limits' issue rather than anything else from the other research I've done.