08-05-2018 12:12 AM - edited 08-05-2018 12:16 AM
Hi guys
My cisco device is Router 2911.
When I apply an IPsec profile to the interface tunnel I have a problem in CPU usage being increased by Crypto IKEv2.
POL#show proc cpu sorted 1min | exclude 0.00%__0.00%__0.00%
CPU utilization for five seconds: 99%/2%; one minute: 99%; five minutes: 99%
And my configuration is:
crypto ikev2 proposal Proposal1
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 policy policy1
 proposal Proposal1
!
crypto ikev2 keyring Key1
 peer Endpoint
  address y.y.y.y m.m.m.m
  pre-shared-key XXXXXXXXXXXXXXXXX
!
crypto ikev2 profile IKE-Profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local Key1
!
crypto ipsec transform-set TS1 esp-gcm 256
 mode tunnel
!
crypto ipsec profile IPSEC-Profile
 set transform-set TS1
 set ikev2-profile IKE-Profile
!
What can I do to reduce CPU usage by Crypto IKEv2 or Crypto engine?
Thanks.
08-05-2018 02:12 AM
08-05-2018 03:28 AM - edited 08-05-2018 03:35 AM
Thanks for your attention
I assume this is a new deployment, correct? => Yes
How many tunnels will be terminated on this router? => 50 Endpoints
What version of IOS are you running? => Yes, I thought that was a problem with IOS, which I upgraded from c2900-universalk9-mz.SPA.155-3.M7.bin to c2900-universalk9-mz.SPA.157-3.M2.bin, but the problem did not resolve.
It is noteworthy that I have another router like this router with the same configurations, which has no problems.
Thanks.
08-05-2018 03:54 AM
08-05-2018 04:17 AM
08-05-2018 05:04 AM
interface GigabitEthernet0/0.40
 description WAN
 encapsulation dot1Q 400
 ip address z.z.z.z y.y.y.y
 ip flow monitor mNetflow1 input
 ip flow monitor mNetflow1 output
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1300
And bandwidth is 10Mb
08-05-2018 04:23 AM - edited 08-05-2018 05:00 AM
Does the CPU increase as soon as the ipsec profile is attached on the interface? Or when spoke routers establish a tunnel? => Yes, the CPU (Headquarter) increases as soon as the IPsec profile is attached on the interface Tunnel.
Can you provide the rest of your configuration e.g. interface VTI/DVTI please? => Yes
interface Tunnel0
 description to Endpoints
 ip address 10.2.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 10
 ip flow monitor mNetflow1 input
 ip flow monitor mNetflow1 output
 ip nhrp authentication XXXXX
 ip nhrp map multicast dynamic
 ip nhrp network-id 11
 ip nhrp registration timeout 30
 ip virtual-reassembly in
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet0/0.40
 tunnel mode gre multipoint
 tunnel key XXXXX
 tunnel protection ipsec profile IPSEC-Profile shared
!
interface Tunnel1
 description to H1
 ip address 10.1.2.2 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip flow monitor mNetflow1 input
 ip flow monitor mNetflow1 output
 ip nhrp authentication XXXXX
 ip nhrp map multicast z.z.z.z
 ip nhrp map 10.1.2.1 z.z.z.z
 ip nhrp network-id 12
 ip nhrp nhs 10.1.2.1
 ip nhrp registration timeout 30
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet0/0.40
 tunnel destination z.z.z.z
 tunnel key XXXXX
 tunnel protection ipsec profile IPSEC-Profile shared
Thanks.
08-05-2018 02:54 AM
08-05-2018 03:31 AM
Thanks for your attention
What is the exact IOS version? => Yes, I thought that was a problem with IOS, which I upgraded from c2900-universalk9-mz.SPA.155-3.M7.bin to c2900-universalk9-mz.SPA.157-3.M2.bin, but the problem did not resolve.
Thanks.