Hi Cinzia,
You seem to be hitting a bug. Which says "
"Symptoms: Small packets may be dropped when CEF is enabled. This situation may cause encryption or description failures for packets with a certain packet size.
Conditions: This symptom is observed when packets are switched on any interface via CEF or fast switching. The symptom affects packets with a small size (for example, 36 or 37 bytes).
Workaround: There is no workaround."
There is a duplicate bug of this one that is titled : VPN-NetGx: Excessive CPU usage with AH & multilink group
and it says "Using AH (authentication header) with ppp multilink-group uses excessive CPU. This happens only on the decrypt side. Two serial interfaces are bundled together on a "Multilink interface". On decryption Router A's CPU reaches 95% with just 100pps of 64 bytes and Router B's CPU reaches 95% with just 190ppps. Same routers, if used for
encryption with the same traffic do not use more than 5% of their CPU.
Even sofware crypto can decrypt the same amount of traffic with less than
5% of CPU.
This happens only with AH-SHA-HMAC or AH-MD5-HMAC and does not happen with:
ESP-3DES
ESP-3DES ESP-SHA-HMAC
ESP-3DES ESP-MD5-HMAC
ESP-AES
ESP-AES ESP-SHA-HMAC
ESP-AES ESP-MD5-HMAC
If we increase the rate, packets are dropped on the decrypt side. "fw_qs_filled" counters in "show crypto engine accelerator stat" will
start increasing and eventually traffic will stop. "
In this situation, I would recommend opening a TAC case for troubleshooting.
HTH,
Please do rate if it helps,
Regards,
Kamal
