High cpu consumption with GRE over IPSEC

Michael Rakotobearison · ‎02-04-2014

Hi all,

After applying a gre over ipsec tunnel on one of our branch office, we get high cpu consumption (average 90%).

Tunnel is applied between Cisco 2851 (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T2, (fc2) and

Cisco CISCO2921/K9 Version 15.0(1)M3.

Config of the tunnet is as follow :

- authentication pre-share

- encryption aes 256

- hash : sha

- transform set : esp-aes esp-sha-hmac mode transport

Routing process is eigrp.

Could anyone please help me on solving this issue?

Marcin Latosiewicz · ‎02-04-2014

First of all you need to check what process (or IO) is causing CPU utilization.

show proc cpu sort

would be the way to start.

seta.rakotoarisoa · ‎02-04-2014

Hi,

these process consum the higher cpu time : Crypto support (21%) ; Pool Manager (14%) ; IP Input (9%)

Thanks

Marcin Latosiewicz · ‎02-04-2014

If I had to guess this would mean there's some fragmentation/reassambly going on.

Did you lower MTU and MSS on the tunnel interface? I would also suggest checking with tunnel PMTUD.

seta.rakotoarisoa · ‎02-05-2014

Hi,

yes, we substracted the mtu value and mms adjust by 40.

I will check this tunnel PMTDU.

Thanks,

Marcin Latosiewicz · ‎02-05-2014

Cool, good start.

Check "show ip traffic" on both sides, it would be interesting to see what's going on.

BTW the CPU usage of top process doesn't add up to 90%, there's a possibility it's traffic rate/pattern + features (IP input and pool manager would suggest that).