
Very high CPU utilization for VPN connection

Hi,

We have set up a site-to-site VPN connection between two Cisco 3745 routers running 12.3.6. The tunnel is working fine, but sometimes the CPU utilization on both routers goes up to 100% and I can see that it is the Encryption Process that is using the processor. When I do a "debug cry engine", I get the following error:

CRYPTO_ENGINE: crypto_pak_coalesce: could not allocate pak

I tried to search for the error message, but could not find any results. Has anyone seen this message and got a clue as to what could be wrong?

Any help would be appreciated!

Regards,

Harald

7 REPLIES
Highlighted
Contributor

Not sure if you are using any PIX firewalls in your network. If so, you may need to use PIX 5.1 or later. This is because earlier PIX versions are by default configured to send syslog messages as traps. This might cause a CPU hog, especially when live event logging

Highlighted

There is a PIX between the two routers, but it is running version 6.3 and allows ESP and IKE traffic to pass through.

Highlighted
Engager

Hi,

Can you post your config if possible, and also the sh version of your routers?

Just to have an insight and also to check/verify whether config points are misconfigured, which can also eat up the processor.

Regards

Highlighted

I have included the configuration for the two routers below. Please note that there is a PIX between them which has IP addresses 10.2.2.41 and 10.1.1.8.

Thanks again for any help!

+++++++++++++++++++++++++++++++++++++

hostname Router1
!
ip subnet-zero
!
ip cef
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key xxxxxxxxxxxxx address 10.1.1.7
!
crypto ipsec transform-set Tunnel esp-des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 10.1.1.7
 set transform-set Tunnel
 match address Region1
!
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.252
!
interface FastEthernet0/1
 ip address 10.2.2.42 255.255.255.252
 crypto map VPN
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.0.0.0 255.0.0.0 10.2.2.41
ip route 192.168.32.0 255.255.255.0 10.2.2.41
!
!
ip access-list extended Region1
 permit ip any 192.168.32.0 0.0.0.255
!

++++++++++++++++++++++++++++++++++

!
hostname Router2
!
ip subnet-zero
!
ip cef
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxxxxx address 10.2.2.42
!
crypto ipsec transform-set Tunnel esp-des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 10.2.2.42
 set transform-set Tunnel
 match address region1
!
!
interface FastEthernet0/0
 ip address 10.1.1.7 255.255.255.0
 crypto map VPN
!
interface FastEthernet0/1
 ip address 192.168.32.0 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.8
!
ip access-list extended region1
 permit ip 192.168.32.0 0.0.0.255 any
!

========================================

Highlighted

Some additional information:

Router1#show crypto engine connections dropped-packet
Packets dropped because of crypto shutdown:
Interface          IP-Address     Drop Count
FastEthernet0/1    10.2.2.42      76
Packets dropped because of abnormal event occurred:
Interface          IP-Address     Drop Count
FastEthernet0/1    10.2.2.42      1062961

+++++++++++

PS By accident when I edited the configuration for posting I got two FastEthernet0/1 interfaces on Router 1. The IP address 192.168.1.2 should be on FastEthernet0/0.

Highlighted

Hi

AFAIU from your configs, you are encrypting all the traffic being generated. Are you trying to encrypt your Internet traffic too with your VPN?

If that's the case, it may also utilise your CPU a lot.

Regards

Highlighted

All the traffic from the region should be encrypted. This includes the Internet traffic for them. However, the regions are only connected with E1 links (to Router2), so I assume a 3745 CPU could handle encryption for such low bandwidth links?

Regards,

Harald
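
Added example (not part of the thread or any poster's code): a small Python check that reads the crypto map ACLs from the two configurations posted above, confirms that the two peers select mirror-image flows, and reports whether `any` is used, which is what sends the region's Internet traffic through the tunnel as well. The sample strings are constructed from the posted configs, and the function names are hypothetical.

```python
import re

# Constructed input: the crypto map and crypto ACL lines from the two posted configs.
ROUTER1 = """crypto map VPN 10 ipsec-isakmp
 set peer 10.1.1.7
 match address Region1
ip access-list extended Region1
 permit ip any 192.168.32.0 0.0.0.255
"""
ROUTER2 = """crypto map VPN 10 ipsec-isakmp
 set peer 10.2.2.42
 match address region1
ip access-list extended region1
 permit ip 192.168.32.0 0.0.0.255 any
"""
ANY = ("0.0.0.0", "255.255.255.255")

def _take(tokens):
    """Consume one address spec (any | host A | A WILDCARD) from a token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def crypto_acl(config):
    """Return (src, dst) pairs of 'permit ip' entries in ACLs that a crypto map matches on."""
    names = set(re.findall(r"^\s*match address (\S+)", config, re.M))
    entries, current = [], None
    for line in config.splitlines():
        header = re.match(r"ip access-list extended (\S+)", line)
        if header:
            current = header.group(1)
        elif not line.startswith(" "):
            current = None  # left the ACL block
        elif current in names and line.split()[:2] == ["permit", "ip"]:
            src, rest = _take(line.split()[2:])
            entries.append((src, _take(rest)[0]))
    return entries

def audit(cfg_a, cfg_b):
    """Check that both peers select mirrored flows and whether either side uses 'any'."""
    a, b = crypto_acl(cfg_a), crypto_acl(cfg_b)
    return {
        "mirrored": sorted(a) == sorted((dst, src) for src, dst in b),
        "encrypts_any": any(ANY in pair for pair in a + b),
    }

if __name__ == "__main__":
    print(audit(ROUTER1, ROUTER2))
```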
