06-26-2009 05:44 AM - edited 03-10-2019 04:40 AM
I have an 877 with 12.4(24)T Advanced IP Services. It is a DSL gateway and is configured with NAT, IPS & inbound VPN services. I have noticed that recently the L2TP/IPSec VPN feature has been failing for clients. After a bit of debugging I can see a message saying the router couldn't process the IPSec request due to a lack of memory (or something along those lines). I also noticed that the CPU is maxed out when applying new IPS signatures (for some reason the latest one (S409) won't even apply - however I haven't looked into why yet).
If I disable IPS on the dialer interface then L2TP/IPSec VPN works fine. If I reenable IPS it fails again. If I reboot the router, then give it time to get back up (IPS process maxes the CPU out for a few minutes after boot) then L2TP/IPSec VPN will work for a period - usually a day or so. After that it fails again I assume with the same memory issue.
The 877 has maximum DRAM (256Mb) & FLASH (52Mb) and I would rather keep IPS enabled if I can.
Andy
06-26-2009 07:19 AM
You're asking alot from a little router.
Your CPU and memory are telling you that you can't put 10 lbs of features in a 5 lb bag.
You didn't mention running firewall on your 877. It might use less resources (especially while compliling signatures) than your IPS feature. Aside from that, you're going to have to transistion the least needed features of this router to keep it running. Move VPN to a different system, or stand up an external IPS sensor.
06-26-2009 12:38 PM
Yeh I already sort of thought that was the case. However disabling IPS releases an absolute load of resources. Even if I replaced it with an 1841 then with 256Mb of DRAM I am still going to be looking at similar issues?
Possibly looking at a non-cisco box to replace this now :o(
Andy
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: