Cisco 7200-NPE-G2 + VSA crypto module pure performance

Hello!

I have a large VPN hub-and-spoke topology with 2 hubs:

1) ASR1001 primary

2) Cisco 7206VXR NPE-G2 + VSA backup

I have no problem with the Cisco ASR1001, but when I switch to the 7200VXR NPE-G2 + VSA, performance is much slower than expected.

I have 90% CPU with 75 Mbit of traffic.

My configuration is the following:

!
ip vrf Inet
 rd 10:54
!
flow exporter Net-Mon-Flow-export
 destination 192.168.x.y
 dscp 8
!
flow monitor Tunnel-flowmon-in
 exporter Net-Mon-Flow-export
 statistics packet protocol
 statistics packet size
 record netflow ipv4 original-input
!
flow monitor Tunnel-flowmon-out
 exporter Net-Mon-Flow-export
 statistics packet protocol
 statistics packet size
 record netflow ipv4 original-output
!
crypto pki trustpoint priv.ca2016
 enrollment retry count 5
 enrollment retry period 3
 enrollment url http://c.d.e.f:80
 fingerprint [del]
 revocation-check crl none
 auto-enroll 90
!
redundancy
no crypto engine software ipsec
!
!
controller ISA 0/1
crypto isakmp policy 100
 encr aes
 group 2
 lifetime 28800
!
crypto ipsec transform-set Entry-transform-AES esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile Tun-ipsec-profile
 set security-association lifetime seconds 28800
 set transform-set Entry-transform-AES
 set pfs group2
!
interface Loopback0
 ip address 10.255.0.111 255.255.255.255
!
interface Tunnel1
 ip unnumbered Loopback0
 no ip unreachables
 ip mtu 1342
 ip flow monitor Tunnel-flowmon-in input
 ip flow monitor Tunnel-flowmon-out output
 delay 400
 keepalive 10 3
 tunnel source GigabitEthernet0/1.54
 tunnel mode ipsec ipv4
 tunnel destination a.b.c.d
 tunnel vrf Inet
 tunnel protection ipsec profile Tun-ipsec-profile
 crypto ipsec df-bit clear
!
interface Tunnel500
 [same conf]
!
interface GigabitEthernet0/1.54
 encapsulation dot1Q 54
 ip vrf forwarding Inet
 ip address N.V.M.K 255.255.255.240
 no ip proxy-arp
!
ip route vrf Inet 0.0.0.0 0.0.0.0 N.V.M.L
!
interface GigabitEthernet0/2
 bandwidth 600000
 ip address 10.254.31.111 255.255.255.128
!
router eigrp 1
 network 10.254.0.0 0.0.1.255
!

==

sh crypto eli

Hardware Encryption : ACTIVE
 Number of hardware crypto engines = 1

 CryptoEngine VSA details: state = Active
 Capability    : DES, 3DES, AES, RSA, GDOI, FAILCLOSE, HA

 IKE-Session   :   501 active,  5120 max, 0 failed
 DH            :     9 active,  5120 max, 0 failed
 IPSec-Session :   984 active, 10230 max, 0 failed

--

d1-gw1#sh ver

Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 15.2(4)M10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Mon 07-Mar-16 07:08 by prod_rel_team

ROM: System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)

d1-gw1 uptime is 4 days, 14 hours, 41 minutes
System returned to ROM by reload at 02:02:46 EEST Wed May 11 2016
System restarted at 02:06:09 EEST Wed May 11 2016
System image file is "disk2:c7200p-adventerprisek9-mz.152-4.M10.bin"
Last reload reason: Reload Command

[del]

Cisco 7206VXR (NPE-G2) processor (revision A) with 917504K/65536K bytes of memory.
Processor board ID 36043518
MPC7448 CPU at 1666Mhz, Implementation 0, Rev 2.2
6 slot VXR midplane, Version 2.11

Last reset from power-on

PCI bus mb1 (Slots 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb1 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.

PCI bus mb2 (Slots 2, 4 and 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.

Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.

1 FastEthernet interface
3 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
2045K bytes of NVRAM.

250880K bytes of ATA PCMCIA card at slot 2 (Sector size 512 bytes).
65536K bytes of Flash internal SIMM (Sector size 512K).

Configuration register is 0x2102

---

sh diag 0

Slot 0:
        VSA IPsec Card Port adapter
        Port adapter is analyzed
        Port adapter insertion time 4d14h ago
        EEPROM contents at hardware discovery:
        PCB Serial Number        : JAF1324ALNP
        Hardware Revision        : 1.0
        Part Number              : 73-10220-05
        Board Revision           : B1
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Deviation Number         : 0
        Product (FRU) Number     : C7200-VSA
        Version Identifier       : V01
        Top Assy. Part Number    : 68-2578-05
        CLEI Code                : CNUCAFNAAA
        EEPROM format version 4


The most interesting output is this: Inbound is always 0!

d1-gw1#sh crypto engine accelerator statistic 0

Inbound rate: 0pps 0kb/s all the time,

Device:   VSA
Location: Service Adapter: 0
 VSA Traffic Statistics

  Inbound rate: 0pps 0kb/s  Outbound rate: 486pps 3069kb/s

    TRAFFIC                     Transmitted                  Received
 -------------------------------------------------------------------------------
  Message  Count:                   3104384                   3104384
  Message  Byte Count:            703766103                1165241340
  Message  Overflow:                      0
  Outbound Count:                 243709246                 243709246
  Outbound Byte Count:         189911685128              214589899308
  Outbound Overflow:                      0
  Inbound  Count:                 259135109                 424038588
  Inbound  Byte Count:         146391096870              234318153545
  Inbound  Overflow:                      0

  Reassembled Pkt:                        0
  Fragments Dropped:                      0
     IPPE:                                0
     EPPE:                                0
     FIFO:                                0
     RAE:                                 0

  Inbound Traffic:
 -------------------------------------------------------------------------------
  Decrypted Pkt:                          0
  Passthrough Pkt:                259133568
  IKE Pkt:                                4

  SPI Error:                           1537
  Policy Violation:                       0
  Fail-Close Policy Violation:            0

  Outbound Traffic:             Route cache                 Processor
 -------------------------------------------------------------------------------
  Encrypted Pkt:                  203220599                  40240370
  Passthrough Pkt:                        0                    140648
  Policy Violation:                  107629
  Fail-Close Policy Violation:            0

  SSL Session Info:
 -------------------------------------------------------------------------------
  Total SSL Session Created:                        0
  Total SSL Session Deleted:                        0
  Active SSL Sessions:                              0
  Decrypted SSL Record:                             0
  Encrypted SSL Record:                             0

  Queue Depth:
 ------------------------------------------------------------------------------
  TXRing Current Queue Depth:
    High Priority   :                     0.0 %
    Medium Priority :                     0.0 %
    Low Priority    :                     0.0 %

VSA RX Exception statistics:
   Invalid SA              :          0   Enc Dec mismatch        :          0
   Next Header mismatch    :          0   Pad mismatch            :          0
   MAC mismatch            :          0   Anti replay failed      :          0
   Enc Seq num overflow    :          0   Dec IPver mismatch      :          0
   Enc IPver mismatch      :          0   TTL Decr                :          0
   Selector checks         :          0   UDP mismatch            :          0
   IP Parse error          :          0   Fragmentation Error     :          0
   IB Selector check       :          0   TimeBased Replay Err    :          0
   SSL Unsupported suite   :          0   SSL MAC Miscompare      :          0
   SSL CTX Invalid         :          0   SSL Verify Data Miscomp :          0
   SSL Invalid Padlen      :          0   SSL Bad Record          :          0
   SSL Segmentation Error  :          0   Misc. Exceptions        :          0

Thanks for any help!

5 Replies

Philip D'Ath
VIP Alumni

The 7206 is very old, so it doesn't surprise me.  What does the 7206 report as using the most CPU?

Have you considered a 4000 series router?  Much cheaper than an ASR, and will beat the pants off a 7206.

http://www.cisco.com/c/en/us/products/routers/4000-series-integrated-services-routers-isr/models-comparison.html

As a bonus, the 4000 series also runs IOS-XE, like the ASR1001.

>The 7206 is very old, so it doesn't surprise me.  

Yes it is old, but the doc http://www.cisco.com/c/en/us/products/collateral/routers/7200-series-routers/prod_qas0900aecd80471935.html says:

The VSA supports up to 960Mbps for 1400-byte packets with 1000 active tunnels.

30% should be enough for backup in my case.

So I want to try to get 30% of this performance before purchasing some new equipment. It is a hard time in Ukraine.

Maybe fixing some config error can fix my performance?

sh crypto engine accelerator statistic 0

  Inbound rate: 0pps 0kb/s

  Inbound Traffic:
 -------------------------------------------------------------------------------
  Decrypted Pkt:                          0
  Passthrough Pkt:                259133568

>What does the 7206 report as using the most CPU?

'IP Input' was at the top of 'sh proc cpu so' 

Hmm, "IP Input" is a pretty normal packet processing process.  So that sounds normal to me.

The throughput quoted is based on 1400 byte packets.  Any chance your average packet size is much smaller than this?
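Both the "Decrypted Pkt: 0" observation from the original post and the average-packet-size question above can be checked from the posted counters alone. The following Python is an added example, not code from this thread or from Cisco: it parses the relevant lines of the posted `sh crypto engine accelerator statistic 0` output (values copied from the thread) and derives the average packet size per direction and the share of inbound packets the VSA decrypted itself.

```python
"""Parse Cisco 'show crypto engine accelerator statistic' (VSA) output and derive
offload health indicators: average packet size and the share of inbound traffic
the VSA actually decrypted (rather than passed through to the CPU)."""
import re

# Counter lines copied from the thread's 'sh crypto engine accelerator statistic 0'
# output (values as posted there; unrelated rows omitted).
SAMPLE = """\
  Outbound Count:                 243709246                 243709246
  Outbound Byte Count:         189911685128              214589899308
  Inbound  Count:                 259135109                 424038588
  Inbound  Byte Count:         146391096870              234318153545
  Inbound Traffic:
  Decrypted Pkt:                          0
  Passthrough Pkt:                259133568
  Outbound Traffic:             Route cache                 Processor
  Encrypted Pkt:                  203220599                  40240370
"""

# label, first numeric column, optional second numeric column
LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ./-]*?):\s+(\d+)(?:\s+(\d+))?\s*$")

def parse_vsa_stats(text):
    """Return {section: {label: (col1, col2 or None)}}; rows before the
    'Inbound Traffic:'/'Outbound Traffic:' headers land under 'counters'."""
    section, stats = "counters", {}
    for line in text.splitlines():
        head = line.strip().split(":")[0]
        if head in ("Inbound Traffic", "Outbound Traffic"):
            section = head                      # header row: switch section
            continue
        m = LINE.match(line)
        if m:
            label = " ".join(m.group(1).split())  # 'Inbound  Count' -> 'Inbound Count'
            second = int(m.group(3)) if m.group(3) else None
            stats.setdefault(section, {})[label] = (int(m.group(2)), second)
    return stats

def avg_packet_size(stats, direction):
    """Average bytes per packet ('Transmitted' column) for 'Inbound' or 'Outbound'."""
    c = stats["counters"]
    count, nbytes = c[direction + " Count"][0], c[direction + " Byte Count"][0]
    return nbytes / count if count else 0.0

def inbound_hw_decrypt_ratio(stats):
    """Fraction of inbound packets the VSA decrypted; 0 with a large passthrough
    count means inbound decryption is not being offloaded at all."""
    ib = stats["Inbound Traffic"]
    dec, pt = ib["Decrypted Pkt"][0], ib["Passthrough Pkt"][0]
    return dec / (dec + pt) if dec + pt else 0.0
```

On the posted numbers the outbound average is about 779 bytes and the inbound average about 565 bytes, well under the 1400-byte packets the VSA datasheet figure assumes, and the inbound hardware-decrypt ratio is 0.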

The sum of the non-zero processes is less than the total.

d1-gw1#sh proc cpu sorted 1min
CPU utilization for five seconds: 44%/23%; one minute: 39%; five minutes: 18%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
113 10938556 245861649 44 15.67% 13.70% 5.86% 0 IP Input
370 1092068 39968666 27 0.15% 1.82% 1.51% 0 EIGRP-IPv4
371 635400 77144157 8 0.63% 0.63% 0.54% 0 EIGRP-IPv4 Hello
351 26064 104886738 0 0.39% 0.35% 0.28% 0 IP SLAs XOS Even
70 1014464 422212 2402 1.43% 0.29% 0.24% 0 Per-Second Jobs
267 558324 3589190 155 0.15% 0.16% 0.15% 0 Crypto IKMP
345 3200 422121 7 0.15% 0.16% 0.06% 0 FNF Cache Ager P
6 593768 71480 8306 1.03% 0.16% 0.12% 0 Check heaps
51 8248 3952243 2 0.15% 0.13% 0.10% 0 Net Background
374 3768 6783 555 0.15% 0.09% 0.05% 2 SSH Process
146 7108 655288 10 0.07% 0.08% 0.07% 0 CEF: IPv4 proces
68 344412 84454 4078 0.07% 0.08% 0.07% 0 Compute load avg
73 186728 126556 1475 0.07% 0.07% 0.07% 0 HC Counter Timer
358 110192 51434 2142 0.15% 0.06% 0.03% 0 SNMP Traps

Maybe some packets are decrypted in software?

Inbound rate: 0pps 0kb/s

Inbound Traffic:
 -------------------------------------------------------------------------------
  Decrypted Pkt:                          0
  Passthrough Pkt:                259133568
