I've just set up a DMVPN solution with a Hub and Spoke topology. I'm using 2911 SEC as the spoke routers and a 2951 HSEC as the Hub.
I've been doing some load testing where I transfer an 800Mb file across the DMVPN and have noticed that the CPU maxes out during the transfer on the spoke (2911), while the CPU sits around 70% on the Hub (2951). I wanted to apply an ACL to the inbound interface; however, it starts dropping/denying packets since the CPU is so high. The physical link is 1Gig fiber, so the link will support a higher speed than the SEC license supports.
Below is the configuration I'm using on my spoke router. I've tried using 4 different firmware versions (three being the latest maintenance releases). I've also tried using lower encryption and it didn't make any difference. I've checked for fragmentation and there isn't any across the link. Throughput decreases to roughly a quarter when applying the ACL.
Are there any known issues with the 2911 and high CPU? Can anyone see any issues with my configuration below or how I could fix it? Any suggestions on how I could troubleshoot this issue further?
!
!
crypto ipsec transform-set NAME esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile PROFILE_NAME
 set security-association lifetime seconds 900
 set transform-set NAME
!
interface TunnelX
 ip address x.x.x.x x.x.x.x
 no ip redirects
 ip mtu 1400
 ip nhrp map 'Hub Tunnel IP address' 'Hub Physical IP'
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id 1
 ip nhrp nhs 'Hub Tunnel IP Address'
 ip nhrp registration timeout 2
 ip tcp adjust-mss 1330
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf cost 10
 tunnel source GigabitEthernetx/x
 tunnel mode gre multipoint
 tunnel key 0
 tunnel path-mtu-discovery
 tunnel protection ipsec profile PROFILE_NAME
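The post's fragmentation check can be reproduced on paper for exactly this configuration (GRE multipoint with a tunnel key, IPsec in tunnel mode, esp-aes 256 with esp-sha256-hmac, ip mtu 1400, adjust-mss 1330). The Python below is an added example, not code from the post or from Cisco; it assumes a 16-byte AES-CBC IV, the 16-byte truncated SHA-256 ICV Cisco uses for esp-sha256-hmac, and a 1500-byte MTU on the GigabitEthernet tunnel source.

```python
"""Encapsulation-overhead check for the DMVPN spoke config quoted above.

Added example (not from the original post). Assumptions: AES-CBC with a
16-byte IV, HMAC-SHA-256 with the ICV truncated to 128 bits, and a
1500-byte physical MTU on the tunnel source interface.
"""

AES_BLOCK = 16          # AES-CBC block size and IV length (bytes)
ESP_HEADER = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2         # pad length (1) + next header (1)
SHA256_ICV = 16         # esp-sha256-hmac: 128-bit truncated ICV
IPV4_HEADER = 20
TCP_HEADER = 20
GRE_HEADER = 4          # flags/version + protocol type
GRE_KEY = 4             # present because "tunnel key 0" is configured


def esp_overhead(payload_len: int, mode: str = "tunnel") -> int:
    """Bytes ESP adds when protecting a payload_len-byte GRE/IP packet."""
    # Padding brings payload + trailer up to a multiple of the block size.
    padded = -(-(payload_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    pad_and_trailer = padded - payload_len
    overhead = ESP_HEADER + AES_BLOCK + pad_and_trailer + SHA256_ICV
    if mode == "tunnel":
        overhead += IPV4_HEADER   # tunnel mode adds a new outer IP header
    return overhead


def outer_packet_size(ip_mtu: int, mode: str = "tunnel") -> int:
    """On-the-wire size of a full-size (ip_mtu-byte) passenger packet."""
    gre_packet = IPV4_HEADER + GRE_HEADER + GRE_KEY + ip_mtu   # before IPsec
    return gre_packet + esp_overhead(gre_packet, mode)


def check_tunnel_mtu(ip_mtu: int, adjust_mss: int, phys_mtu: int = 1500,
                     mode: str = "tunnel") -> dict:
    """Report whether ip mtu / adjust-mss keep the tunnel fragmentation-free."""
    wire = outer_packet_size(ip_mtu, mode)
    max_mss = ip_mtu - IPV4_HEADER - TCP_HEADER   # largest MSS fitting ip mtu
    return {
        "wire_bytes": wire,
        "fits_physical_mtu": wire <= phys_mtu,
        "mss_headroom": max_mss - adjust_mss,     # >= 0 means the MSS fits too
    }


if __name__ == "__main__":
    # Values from the spoke config: ip mtu 1400, ip tcp adjust-mss 1330, tunnel mode
    print(check_tunnel_mtu(1400, 1330))
```

With the posted values a full 1400-byte passenger packet comes out at exactly 1500 bytes on the wire, which matches the post's observation that nothing fragments; raising ip mtu to 1420 would not fit.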
Not having seen what other things you are running on your 2911, I would say it is just not powerful enough; with DMVPN I would not expect more than 50mbps. QoS/shaping might be able to help you manage the traffic, so you at least get the important stuff through once the router reaches a point where it would normally start dropping random traffic.