Query on VAM2+ module in 7206 router

Nov 21st, 2008

Dear Team

Kindly find the show tech of Cisco 7206 router with VAM2+ module. Also, the output of the command "show crypto engine accelerator statistic" is included in the attachment.

Kindly provide the following information urgently:

1. What is the capability of VAM2+, i.e., how many tunnels and how much encrypted data can it handle (complete datasheet, if possible)?

2. In the output of "show crypto engine accelerator statistic" command, what is the significance of "ppq full errors" and "replay errors" and how can we reduce them?

3. The CPU utilisation of the router is going above 60% frequently; what is the reason?

Giuseppe Larosa Sat, 11/22/2008 - 01:39

Hello Vaibhav,

1) In theory VAM2+ can support 5,000 tunnels.

See the datasheet:

http://www.cisco.com/en/US/prod/collateral/modules/ps8768/ps7332/data_sheet_c78_48012.html

One point of attention is that you are trying to build multiple dynamic crypto map tunnels, because in your config I see only the dynamic crypto map; I don't see static peers.

This can have an impact.

The best solution for a hub router with a compact config (without static peers) is DMVPN (Dynamic Multipoint VPN).

I strongly suggest reviewing your design; I'm afraid that multiple dynamic peers made in this way is heavier for the router.

3)

I took your sh tech and I submitted it to Output interpreter tool.

First of all, it issued the following error:

INFO: Total CPU Utilization is 48% for the past 5 seconds.
Compare this CPU value to the baseline or average utilization. If a baseline is not available, create one by collecting 'show process cpu' outputs during the course of several days. If available, use the 'show process cpu history' command (available in IOS 12.2 and higher).

The following processes are causing excessive CPU usage:

PID CPU Time Process
>>> ERROR: No Processes were found having a CPU utilization greater than 10%.

A link to troubleshooting high cpu usage:

http://www.cisco.com/en/US/customer/products/hw/routers/ps133/products_tech_note09186a00800a70f2.shtml#ts_strat

You can check the processes that use more cpu with:

show proc cpu sorted

show proc cpu sorted 1min

show proc cpu sorted 5min

2)

Unfortunately, Output Interpreter has provided no info about the VAM section.

We have the same hardware in two devices using stateful IPSec. We had problems with this feature and we had to upgrade twice.

Currently we are using 12.4(20)T advanced ip services.

I had tried your same release:

RT-RM-TLD066-NEW-VPN-2 uptime is 38 minutes
System returned to ROM by reload at 23:43:13 MEST Thu Jul 24 2008
System restarted at 23:44:32 MEST Thu Jul 24 2008
System image file is "disk2:c7200p-advsecurityk9-mz.124-15.T6.bin"
Last reload reason: Reload Command

But it was not good: stateful IPSec was never able to set up between the two devices.

I think we tried another one like 12.4(19)T and then moved to 12.4(20)T, where our problem was fixed.

In our case we hadn't pps errors but we have only 150 static peers and low traffic.

Hope to help

Giuseppe

vaibhav-g Tue, 11/25/2008 - 21:53

Hi Giuseppe

Thank you for the information sent. At the present moment, the CPU utilization of the router is between 50-60% with approx. 600 active tunnels and 99Mb of encrypted data flowing in/out of the router. Can the router sustain 5000 tunnels and 280Mbps of encrypted data without further increase in the CPU utilization, as mentioned by you in the previous mail?

Also, revert on the "ppq errors" and the "replay errors" query. This is really important.

Regards

Vaibhav

Giuseppe Larosa Tue, 11/25/2008 - 23:11

Hello Vaibhav,

600 active tunnels, 99 Mbps; what about the pps (packets per second)?

As I noted in the first post, are all of these remote sites dynamic peers?

Here is the link to the command reference of

show pas vam interface

http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_s5.html#wp1016563

ppq_full_err

Number of packets dropped because of a lack of space in the packet processing queues for the VAM. This usually means that input traffic has reached VAM maximum throughput possible.

pkt_replay_err

Counter that is incremented when a replay error is detected by the VAM.

These are for VAM, but I think they apply to VAM2+; the names are just a little different.

Verify with the datasheet I provided in the other thread if your traffic volume is more than the declared performance.

However, your bigger problem is the very high CPU usage.

I would investigate that first; use the second link in the post in the other thread for this.

Note:

I understand you are under pressure for this problem, but you and your colleague Rakesh have opened two different threads for the same problem and maybe a third one.

I don't think this increases your chances to get help here.

We live all around the world in different timezones so answers cannot always be very quick.

see

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&topicID=.ee71a06&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2732e

Hope to help

Giuseppe
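
Added example (not part of the thread and not Cisco code): a receiver-side IPsec anti-replay window in the style of RFC 4303, showing which arrivals a receiver counts as replay errors, the kind of event the pkt_replay_err definition above refers to. The class, function and counter names are hypothetical, the window sizes 64 and 128 are assumed values, and the arrival sequences are constructed.

```python
# Added illustration: receiver-side anti-replay window in the style of RFC 4303.
# Class, function and counter names are hypothetical; 64 and 128 are assumed sizes.

class ReplayWindow:
    def __init__(self, size=64):
        self.size = size       # window width in packets
        self.top = 0           # highest sequence number accepted so far
        self.bitmap = 0        # bit i set => sequence (top - i) already seen
        self.replay_err = 0    # plays the role of a replay-error counter

    def accept(self, seq):
        if seq > self.top:     # new highest number: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if seq == 0 or offset >= self.size or (self.bitmap >> offset) & 1:
            self.replay_err += 1    # left of the window, or a duplicate
            return False
        self.bitmap |= 1 << offset  # late, but still inside the window
        return True


def count_replay_errors(arrivals, size=64):
    win = ReplayWindow(size)
    for seq in arrivals:
        win.accept(seq)
    return win.replay_err


def delayed(total, held, released_after):
    """Constructed arrival order: `held` arrives right after `released_after`."""
    order = [s for s in range(1, total + 1) if s != held]
    order.insert(order.index(released_after) + 1, held)
    return order


if __name__ == "__main__":
    print(count_replay_errors(range(1, 201)))               # in order
    print(count_replay_errors(delayed(200, 50, 60)))        # 10 packets late
    print(count_replay_errors(delayed(200, 50, 150)))       # 100 packets late
    print(count_replay_errors(delayed(200, 50, 150), 128))  # same, wider window
    print(count_replay_errors([1, 2, 3, 2]))                # duplicate
```

A packet that is merely late is rejected once it falls behind the window, so reordering or queueing delay on the path can raise a replay counter without any packet actually being replayed.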
