Re: Cisco ISR G2 High CPU Utilization

nikzad_beh · ‎08-05-2018

Hi guys

My cisco device is Router 2911.

When I apply an IPsec profile to the interface tunnel I have a problem in CPU usage being increased by Crypto IKEv2.

POL#show proc cpu sorted 1min | exclude 0.00%__0.00%__0.00%

CPU utilization for five seconds: 99%/2%; one minute: 99%; five minutes: 99%

And my configuration is:

crypto ikev2 proposal Proposal1

encryption aes-cbc-256

integrity sha512

group 16

!

crypto ikev2 policy policy1

proposal Proposal1

!

crypto ikev2 keyring Key1

peer Endpoint

address y.y.y.y m.m.m.m

pre-shared-key XXXXXXXXXXXXXXXXX

!

crypto ikev2 profile IKE-Profile

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local Key1

!

crypto ipsec transform-set TS1 esp-gcm 256

mode tunnel

!

crypto ipsec profile IPSEC-Profile

set transform-set TS1

set ikev2-profile IKE-Profile

!

what can I do to reduce CPU usage by Crypto IKEv2 or Crypto engine?

Thanks.

Rob Ingram · ‎08-05-2018

Hi,
I assume this a new deployment, correct?
How many tunnels will be terminated on this router?
What version of IOS are you running?

nikzad_beh · ‎08-05-2018

Thanks for your attention

I assume this a new deployment, correct? => Yes

How many tunnels will be terminated on this router? => 50 Endpoints

What version of IOS are you running? => Yes, I thought that was a problem with iOS, which I upgraded from c2900-universalk9-mz.SPA.155-3.M7.bin to c2900-universalk9-mz.SPA.157-3.M2.bin, but the problem did not resolve.

It is noteworthy that I have another router like this router with the same configurations, which has no problems.

Thanks.

Rob Ingram · ‎08-05-2018

Does the CPU increase as soon as the ipsec profile is attached on the interface? Or when spoke routers establish a tunnel?

Can you provide the rest of your configuration e.g. interface VTI/DVTI please?

Leo Laohoo · ‎08-05-2018

Post the complete output to the command "sh interface <WAN PORT>" and what is the WAN bandwidth?

nikzad_beh · ‎08-05-2018

interface GigabitEthernet0/0.40
description WAN
encapsulation dot1Q 400
ip address z.z.z.z y.y.y.y
ip flow monitor mNetflow1 input
ip flow monitor mNetflow1 output
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1300

and bandwdith is 10Mb

nikzad_beh · ‎08-05-2018

Does the CPU increase as soon as the ipsec profile is attached on the interface? Or when spoke routers establish a tunnel? => Yes, The CPU (Headquarter) increases as soon as the IPsec profile is attached on the interface Tunnel.

Can you provide the rest of your configuration e.g. interface VTI/DVTI please? => Yes

interface Tunnel0
description to Endpoints
ip address 10.2.1.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 10
ip flow monitor mNetflow1 input
ip flow monitor mNetflow1 output
ip nhrp authentication XXXXX
ip nhrp map multicast dynamic
ip nhrp network-id 11
ip nhrp registration timeout 30
ip virtual-reassembly in
ip tcp adjust-mss 1300
tunnel source GigabitEthernet0/0.40
tunnel mode gre multipoint
tunnel key XXXXX
tunnel protection ipsec profile IPSEC-Profile shared
!
interface Tunnel1
description to H1
ip address 10.1.2.2 255.255.255.252
no ip redirects
ip mtu 1400
ip flow monitor mNetflow1 input
ip flow monitor mNetflow1 output
ip nhrp authentication XXXXX
ip nhrp map multicast z.z.z.z
ip nhrp map 10.1.2.1 z.z.z.z
ip nhrp network-id 12
ip nhrp nhs 10.1.2.1
ip nhrp registration timeout 30
ip tcp adjust-mss 1300
tunnel source GigabitEthernet0/0.40
tunnel destination z.z.z.z
tunnel key XXXXX
tunnel protection ipsec profile IPSEC-Profile shared

Thanks.

Leo Laohoo · ‎08-05-2018

What is the exact IOS version?

nikzad_beh · ‎08-05-2018

Thanks for your attention

What is the exact IOS version? => Yes, I thought that was a problem with iOS, which I upgraded from c2900-universalk9-mz.SPA.155-3.M7.bin to c2900-universalk9-mz.SPA.157-3.M2.bin, but the problem did not resolve.

Thanks.