
DMVPN - High CPU Cisco 2900 Router

CB90021204
Level 1

Hi,

I've just set up a DMVPN solution with Hub and Spoke topology. I'm using 2911 SEC as the spoke routers and 2951 HSEC as the Hub.

 

I've been doing some load testing where I transfer an 800Mb file across the DMVPN and have noticed the CPU maxes out during the transfer on the spoke (2911); CPU sits around 70% on the Hub (2951). I wanted to apply an ACL to the inbound interface, however it starts dropping/denying packets since the CPU is so high. The physical link is 1Gig fiber so the link will support higher speed than the SEC license supports.

 

Below is the configuration I'm using on my spoke router. I've tried using 4 different firmware versions (three being the latest maintenance releases). I've tried using lower encryption also and it didn't make any difference. I've checked for fragmentation and there isn't any across the link. Throughput decreases to roughly a quarter when applying the ACL.

 

Are there any known issues with the 2911 and high CPU? Can anyone see any issues with my configuration below or how I could fix it?  Any suggestions on how I could troubleshoot this issue further? 

 

Thanks,

 

*****************************************

!
!
crypto ipsec transform-set NAME esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile PROFILE_NAME
 set security-association lifetime seconds 900
 set transform-set NAME
!
interface TunnelX
 ip address x.x.x.x x.x.x.x
 no ip redirects
 ip mtu 1400
 ip nhrp map 'Hub Tunnel IP address' 'Hub Physical IP'
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id 1
 ip nhrp nhs 'Hub Tunnel IP Address'
 ip nhrp registration timeout 2
 ip tcp adjust-mss 1330
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf cost 10
 tunnel source GigabitEthernetx/x
 tunnel mode gre multipoint
 tunnel key 0
 tunnel path-mtu-discovery
 tunnel protection ipsec profile PROFILE_NAME

*************************************************
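An added example (not part of the original post, and not Cisco code): a size check for the posted transform set and tunnel settings, computing the on-wire packet length that results from `ip mtu 1400` and `ip tcp adjust-mss 1330`. It assumes IPv4 without options, a 1500-byte path MTU, AES in CBC mode, no NAT-T, and the 16-byte truncated HMAC-SHA-256 ICV of RFC 4868; the function names are made up for this example.

```python
"""Added example: on-wire size of GRE-over-IPsec packets for the posted
spoke config (esp-aes 256, esp-sha256-hmac, mode tunnel, tunnel key)."""

IP_HDR = 20        # IPv4 header, no options (assumption)
TCP_HDR = 20       # TCP header, no options (assumption)
GRE_BASE = 4       # base GRE header
GRE_KEY = 4        # extra GRE field added by "tunnel key"
ESP_HDR = 8        # SPI + sequence number
AES_BLOCK = 16     # AES-CBC block size; the IV is one block
ESP_TRAILER = 2    # pad-length byte + next-header byte
ICV_SHA256 = 16    # HMAC-SHA-256 truncated to 128 bits (RFC 4868)


def wire_len(inner_len, tunnel_key=True, tunnel_mode=True):
    """Bytes on the physical link for one inner IP packet of inner_len."""
    gre = inner_len + GRE_BASE + (GRE_KEY if tunnel_key else 0)
    # Tunnel mode encrypts the GRE delivery IP header too and adds a new
    # outer header; transport mode reuses the delivery header as the outer.
    protected = gre + (IP_HDR if tunnel_mode else 0)
    # ESP pads plaintext + trailer up to a whole number of cipher blocks.
    blocks = -(-(protected + ESP_TRAILER) // AES_BLOCK)
    return IP_HDR + ESP_HDR + AES_BLOCK + blocks * AES_BLOCK + ICV_SHA256


def max_inner_len(path_mtu, **opts):
    """Largest inner IP packet that still fits path_mtu unfragmented."""
    for inner in range(path_mtu, 0, -1):
        if wire_len(inner, **opts) <= path_mtu:
            return inner
    return 0


def inner_len_for_mss(mss):
    """Inner IP packet size of a full TCP segment at the clamped MSS."""
    return mss + TCP_HDR + IP_HDR


if __name__ == "__main__":
    PATH_MTU = 1500  # assumption: the post does not state the path MTU
    print("ip mtu 1400 ->", wire_len(1400), "bytes on the wire")
    print("adjust-mss 1330 ->", wire_len(inner_len_for_mss(1330)), "bytes")
    print("largest inner packet for", PATH_MTU, "->", max_inner_len(PATH_MTU))
    print("transport mode, ip mtu 1400 ->", wire_len(1400, tunnel_mode=False))
```

Under these assumptions a full 1400-byte tunnel packet comes out at exactly 1500 bytes on the wire, so the posted `ip mtu` value leaves no room for added encapsulation such as NAT-T.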

 

 


jan.nielsen
Level 7

Not having seen what other things you are running on your 2911, I would say it is just not powerful enough; with DMVPN I would not expect more than 50mbps. QoS/shaping might be able to help you manage the traffic, so you at least get the important stuff through, once the router reaches a point where it would normally start dropping random traffic.

 
