Re: VPN CLIENT - 100% CPU utilisation

dawsonpa · ‎07-24-2003

Hello,

We are having a problem with our pix not accepting VPN Client connections.

We have recently upgraded to 6.3 and enabled the 'isakmp nat-traversal 20' feature. Its works with UDP encapsulation and has been working for about a month now. But all of a sudden sometimes the VPN clients can't connect and I am seeing this when the clients try to connects (regardless of wether the NAT-TRAVERSAL feature is added or not).

Watch as the user tries to connect.

BSISing# sh cpu usage

CPU utilization for 5 seconds = 55%; 1 minute: 4%; 5 minutes: 2%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 55%; 1 minute: 4%; 5 minutes: 2%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 50%; 1 minute: 8%; 5 minutes: 3%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 50%; 1 minute: 8%; 5 minutes: 3%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 100%; 1 minute: 17%; 5 minutes: 4%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 100%; 1 minute: 17%; 5 minutes: 4%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 64%; 1 minute: 22%; 5 minutes: 5%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 64%; 1 minute: 22%; 5 minutes: 5%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 64%; 1 minute: 22%; 5 minutes: 5%

<<TRY AGAIN WITHOUT NAT TRAVERSAL>>

BSISing# conf t

BSISing(config)# no isakmp nat-traversal 20

BSISing# sh cpu usage

CPU utilization for 5 seconds = 0%; 1 minute: 2%; 5 minutes: 5%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 0%; 1 minute: 2%; 5 minutes: 5%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 0%; 1 minute: 2%; 5 minutes: 5%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 35%; 1 minute: 5%; 5 minutes: 5%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 35%; 1 minute: 5%; 5 minutes: 5%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 61%; 1 minute: 11%; 5 minutes: 6%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 61%; 1 minute: 11%; 5 minutes: 6%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 100%; 1 minute: 19%; 5 minutes: 8%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 100%; 1 minute: 19%; 5 minutes: 8%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 50%; 1 minute: 23%; 5 minutes: 9%

BSISing# sh cpu usage

CPU utilization for 5 seconds = 0%; 1 minute: 23%; 5 minutes: 9%

BSISing# sh cpu usage

WHY?

owillins · ‎07-30-2003

With the NAT Traversal feature enabled, you will have to make sure the vpn client has IPSec over UDP checked, since it works with UDP encapsulation. This is probably why the VPN clients are not able to connect. The following link might help.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm