cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1538
Views
5
Helpful
15
Replies

1760 router hang when Ethernet WAN link above 3Mbps

asoka
Level 1
Level 1

HI, I have many 1760 routers with built in VPN module, but this router special, soon after WAN link upgrade from 2Mbps to 4Mbps it start hanging when wan link utilisation goes high, we change the hardware, means swap the router with a another similar model. This one with 3 P2P IPSEC tunnels , most of the CPU taken by encrypt process, so I down graded the encryption to DES as a workaround. But still when WAN link goes high router hangs.

Any one with any good suggesions pls, I attach the tech-support for review

4 Accepted Solutions

Accepted Solutions

Leo Laohoo
Hall of Fame
Hall of Fame

Errrr ... What "with built in VPN module"?  This 1760 doesn't have one.  You're running software-based encryption.  Although the 1760 can do 8.16mb traffic unencrypted I believe (correct me if I'm wrong) it will have difficulty of 4Mb with software encryption.

Your 1760 router has a WIC-4ESW and PVDM but no VPN module.

View solution in original post

asoka@people.net.au

My judgement was to upgrade the router to 2821 or higher.

Please follow your judgement.

Regards

Edison

View solution in original post

asoka@people.net.au

Hi All,

Appreciate all inputs on this matter, what do you think about a Ethernet WAN link traffic load on a router compared with T1 WAN link, my feeling about this would be routers should be abloe to handle larger Ethernet WAN link traffic compared to T1 WAN link.

Any ideas

A router will be able to support higher throughput when the WAN link is Ethernet based as there isn't any serialization from Ethernet to Ethernet.

If your WAN link is Ethernet, your 1760 router should be able to support 4Mbps of traffic 'with' the VPN Module.

I don't have any numbers on the 1760 router 'without' a VPN module as all packets will be processed by the CPU.

My best guess estimate would be getting the process switched number from the following spreadsheet:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Which indicates the router can potentially support 1Mpbs of process switched traffic

With a VPN module, this router is supposed to support 15Mbps, according to this spreadsheet:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn_performance_eng.pdf

Regards

Edison.

View solution in original post

I did find a problem but I'm not sure if this would cause any router to hang.

Your WAN facing interface is running at 100/Half Duplex.


It seems the device connected to you (PE device) is hardcoding its speed and duplex and you are using auto/auto.

This can degrade your internet connection and the collision count on the interface is quite high.

When the router hangs, do you have to reboot? Does traffic still flows through it? Can you SSH to it?

BTW, here is the output from your WAN interface:

FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0017.e035.7398 (bia 0017.e035.7398)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:53, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 541000 bits/sec, 73 packets/sec
  5 minute output rate 239000 bits/sec, 65 packets/sec
     645542 packets input, 498529983 bytes, 0 no buffer
     Received 1088 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     572894 packets output, 104513330 bytes, 0 underruns
     0 output errors, 3357 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

View solution in original post

15 Replies 15

Leo Laohoo
Hall of Fame
Hall of Fame

Errrr ... What "with built in VPN module"?  This 1760 doesn't have one.  You're running software-based encryption.  Although the 1760 can do 8.16mb traffic unencrypted I believe (correct me if I'm wrong) it will have difficulty of 4Mb with software encryption.

Your 1760 router has a WIC-4ESW and PVDM but no VPN module.

Thanks for the reply and you are correct, this is the replaced router, IBM made a mistake by swaping the router without hardware VPN module, But it was the same symptom with VPN module though, 4Mbps is a heavy load fora router like 1760 isn't it. My judgement was to upgrade the router to 2821 or higher.

asoka@people.net.au

My judgement was to upgrade the router to 2821 or higher.

Please follow your judgement.

Regards

Edison

Thanks, What is the best way to limit IPSec traffic to 1Mbps(say) to keep the CPU down until we manage to get a good replacement, soon IBM will reinstall the VPN module, but I want to play safe and limit the tunnel traffic, could any one give me some good examplel.- Thanks

Enable traffic shaping.

Hey Edison,

Can you correct me in my opinion that even with a VPN modoule, a 1760 may still find difficulty pushing 4 mb of encrypted traffic?

leolaohoo wrote:

Enable traffic shaping.

Hey Edison,

Can you correct me in my opinion that even with a VPN modoule, a 1760 may still find difficulty pushing 4 mb of encrypted traffic?

Hi Leo,

The 1760 can certainly push 4Mbps of traffic on a LAN-LAN connection. We don't know the WAN connection the original poster have.

IIRC, the 1760 is positioned for dual T1 - anything over may be a problem.

Regards

Edison

Hi Edison,

Thanks for the clarification.

Hi All,

Appreciate all inputs on this matter, what do you think about a Ethernet WAN link traffic load on a router compared with T1 WAN link, my feeling about this would be routers should be abloe to handle larger Ethernet WAN link traffic compared to T1 WAN link.

Any ideas

asoka@people.net.au

Hi All,

Appreciate all inputs on this matter, what do you think about a Ethernet WAN link traffic load on a router compared with T1 WAN link, my feeling about this would be routers should be abloe to handle larger Ethernet WAN link traffic compared to T1 WAN link.

Any ideas

A router will be able to support higher throughput when the WAN link is Ethernet based as there isn't any serialization from Ethernet to Ethernet.

If your WAN link is Ethernet, your 1760 router should be able to support 4Mbps of traffic 'with' the VPN Module.

I don't have any numbers on the 1760 router 'without' a VPN module as all packets will be processed by the CPU.

My best guess estimate would be getting the process switched number from the following spreadsheet:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Which indicates the router can potentially support 1Mpbs of process switched traffic

With a VPN module, this router is supposed to support 15Mbps, according to this spreadsheet:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn_performance_eng.pdf

Regards

Edison.

Hi Edison,

Any chance of getting this Portable Product sheet updated with the latest ISR2 and new switches?

Best Regards/Leo

leolaohoo wrote:

Hi Edison,

Any chance of getting this Portable Product sheet updated with the latest ISR2 and new switches?

Best Regards/Leo

Use the link at the bottom of this page http://www.cisco.com/web/partners/tools/quickreference/index.html and provide your suggestion.

Thanks.

Hi Edison, Thanks for your valuable time on this, according to those tables my should handle this 4Mbps ETher WAN link without any issues. But it hangs more than couple of time a week. If u have a minuite pls look at the tech-support I attached,

And show crypto engine accelerator statistic out put display VPN module throuput, can we assume that as the IPSec tunnel real time throughput or is ther any other way to see tunnnel througput.

Regards

Asoka

I did find a problem but I'm not sure if this would cause any router to hang.

Your WAN facing interface is running at 100/Half Duplex.


It seems the device connected to you (PE device) is hardcoding its speed and duplex and you are using auto/auto.

This can degrade your internet connection and the collision count on the interface is quite high.

When the router hangs, do you have to reboot? Does traffic still flows through it? Can you SSH to it?

BTW, here is the output from your WAN interface:

FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0017.e035.7398 (bia 0017.e035.7398)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:53, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 541000 bits/sec, 73 packets/sec
  5 minute output rate 239000 bits/sec, 65 packets/sec
     645542 packets input, 498529983 bytes, 0 no buffer
     Received 1088 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     572894 packets output, 104513330 bytes, 0 underruns
     0 output errors, 3357 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco