2800s, AIM-VPN-SSL2, vrf aware IPSEC, high CPU low throughput

Unanswered Question
Sep 11th, 2009

We have a couple of new 2821s deployed across a fibre link and they were originally running 12.4 (non T) versions using software encryption. We would get around 8Mb/s throughput. Upgrading to T to use the installed AIM cards, we now see the AIM cards in use (show cry isakmp sa det shows the engine as aim vpn), but we still get the same throughput and high CPU. Allowing CEF on the interface doubles throughput but with the same high CPU. The only process I can see going high is IP Input. Is this because of vrf aware ipsec - or any other suggestions?


Hi Nick,

I am having the same issue. We have a 2851 as an IPSEC VPN headend with an AIM VPN module but we are seeing high CPU usage (80%) with just 4-5mbps worth of traffic. I have an idea that I might have a NAT issue.

We are currently running NAT, ZFW, and IPSEC site 2 site VPN on the router.

When I look at my ZONE firewall policy-map output it is showing all of my VPN traffic as process switched.

Inspect

Packet inspection statistics [process switch:fast switch]

tcp packets: [14809800:0]

udp packets: [145107:0]

icmp packets: [20937:12]

I have disabled the ZFW and still see high cpu although it is a little lower.

Packets are not fragmented, CEF and fast switching look to be enabled. I am using a route-map for my nonats. That is the only thing I can think of now.

I have tried IOS 12.4(20)T3,4 and 12.4(15)T9. Same results.

Anyone have some ideas?
