Hi,
I've just set up a DMVPN solution with Hub and Spoke topology. I'm using 2911 SEC as the spoke routers and 2951 HSEC as the Hub.
I've been doing some load testing where I transfer an 800Mb file across the DMVPN and have noticed the CPU maxes out during the transfer on the spoke (2911); the CPU sits around 70% on the Hub (2951). I wanted to apply an ACL to the inbound interface; however, it starts dropping/denying packets since the CPU is so high. The physical link is 1Gig fiber, so the link will support higher speed than the SEC license supports.
Below is the configuration I'm using on my spoke router. I've tried using 4 different firmware versions (three being the latest maintenance releases). I've tried using lower encryption also and it didn't make any difference. I've checked for fragmentation and there isn't any across the link. Throughput decreases to roughly a quarter when applying the ACL.
Are there any known issues with the 2911 and high CPU? Can anyone see any issues with my configuration below or how I could fix it? Any suggestions on how I could troubleshoot this issue further?
Thanks,
*****************************************
!
!
crypto ipsec transform-set NAME esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile PROFILE_NAME
 set security-association lifetime seconds 900
 set transform-set NAME
!
interface TunnelX
 ip address x.x.x.x x.x.x.x
 no ip redirects
 ip mtu 1400
 ip nhrp map 'Hub Tunnel IP address' 'Hub Physical IP'
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id 1
 ip nhrp nhs 'Hub Tunnel IP Address'
 ip nhrp registration timeout 2
 ip tcp adjust-mss 1330
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf cost 10
 tunnel source GigabitEthernetx/x
 tunnel mode gre multipoint
 tunnel key 0
 tunnel path-mtu-discovery
 tunnel protection ipsec profile PROFILE_NAME
*************************************************