11-26-2009 11:54 PM - edited 03-04-2019 06:48 AM
Hi, I have many 1760 routers with a built-in VPN module, but this router is special: soon after the WAN link upgrade from 2Mbps to 4Mbps it started hanging when WAN link utilisation goes high. We changed the hardware, meaning we swapped the router with another similar model. This one has 3 P2P IPsec tunnels, and most of the CPU is taken by the encrypt process, so I downgraded the encryption to DES as a workaround. But still, when the WAN link utilisation goes high, the router hangs.
Anyone with any good suggestions, please? I attach the tech-support for review.
11-27-2009 12:55 AM
Errrr ... What "with built in VPN module"? This 1760 doesn't have one. You're running software-based encryption. Although the 1760 can do 8.16mb traffic unencrypted, I believe (correct me if I'm wrong) it will have difficulty with 4Mb with software encryption.
Your 1760 router has a WIC-4ESW and PVDM but no VPN module.
11-27-2009 06:04 AM
Thanks for the reply, and you are correct: this is the replaced router. IBM made a mistake by swapping in a router without the hardware VPN module. But it was the same symptom with the VPN module, though. 4Mbps is a heavy load for a router like the 1760, isn't it? My judgement was to upgrade the router to 2821 or higher.
11-27-2009 11:14 AM
My judgement was to upgrade the router to 2821 or higher.
Please follow your judgement.
Regards
Edison
11-28-2009 01:11 AM
Thanks. What is the best way to limit IPSec traffic to 1Mbps (say) to keep the CPU down until we manage to get a good replacement? Soon IBM will reinstall the VPN module, but I want to play safe and limit the tunnel traffic. Could anyone give me a good example? Thanks
11-28-2009 01:33 AM
Enable traffic shaping.
Hey Edison,
Can you correct me in my opinion that even with a VPN module, a 1760 may still find difficulty pushing 4 mb of encrypted traffic?
12-02-2009 09:35 AM
leolaohoo wrote:
Enable traffic shaping.
Hey Edison,
Can you correct me in my opinion that even with a VPN module, a 1760 may still find difficulty pushing 4 mb of encrypted traffic?
Hi Leo,
The 1760 can certainly push 4Mbps of traffic on a LAN-LAN connection. We don't know the WAN connection the original poster has.
IIRC, the 1760 is positioned for dual T1 - anything over may be a problem.
Regards
Edison
12-02-2009 01:25 PM
Hi Edison,
Thanks for the clarification.
12-02-2009 07:16 PM
Hi All,
Appreciate all inputs on this matter. What do you think about an Ethernet WAN link traffic load on a router compared with a T1 WAN link? My feeling about this would be that routers should be able to handle larger Ethernet WAN link traffic compared to a T1 WAN link.
Any ideas?
12-03-2009 08:41 AM
Hi All,
Appreciate all inputs on this matter. What do you think about an Ethernet WAN link traffic load on a router compared with a T1 WAN link? My feeling about this would be that routers should be able to handle larger Ethernet WAN link traffic compared to a T1 WAN link.
Any ideas?
A router will be able to support higher throughput when the WAN link is Ethernet based as there isn't any serialization from Ethernet to Ethernet.
If your WAN link is Ethernet, your 1760 router should be able to support 4Mbps of traffic 'with' the VPN Module.
I don't have any numbers on the 1760 router 'without' a VPN module as all packets will be processed by the CPU.
My best guess estimate would be getting the process switched number from the following spreadsheet:
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
Which indicates the router can potentially support 1Mbps of process switched traffic.
With a VPN module, this router is supposed to support 15Mbps, according to this spreadsheet:
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn_performance_eng.pdf
Regards
Edison.
12-03-2009 01:38 PM
Hi Edison,
Any chance of getting this Portable Product sheet updated with the latest ISR2 and new switches?
Best Regards/Leo
12-03-2009 01:58 PM
leolaohoo wrote:
Hi Edison,
Any chance of getting this Portable Product sheet updated with the latest ISR2 and new switches?
Best Regards/Leo
Use the link at the bottom of this page http://www.cisco.com/web/partners/tools/quickreference/index.html and provide your suggestion.
12-03-2009 03:02 PM
Thanks.
12-03-2009 05:41 PM
Hi Edison, thanks for your valuable time on this. According to those tables my router should handle this 4Mbps Ethernet WAN link without any issues. But it hangs more than a couple of times a week. If you have a minute, please look at the tech-support I attached.
And the show crypto engine accelerator statistic output displays VPN module throughput. Can we assume that is the IPSec tunnel real-time throughput, or is there any other way to see tunnel throughput?
Regards
Asoka
12-03-2009 06:31 PM
I did find a problem but I'm not sure if this would cause any router to hang.
Your WAN facing interface is running at 100/Half Duplex.
It seems the device connected to you (PE device) is hardcoding its speed and duplex and you are using auto/auto.
This can degrade your internet connection and the collision count on the interface is quite high.
When the router hangs, do you have to reboot? Does traffic still flow through it? Can you SSH to it?
BTW, here is the output from your WAN interface:
FastEthernet0/1 is up, line protocol is up
Hardware is Fast Ethernet, address is 0017.e035.7398 (bia 0017.e035.7398)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:53, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 541000 bits/sec, 73 packets/sec
5 minute output rate 239000 bits/sec, 65 packets/sec
645542 packets input, 498529983 bytes, 0 no buffer
Received 1088 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
572894 packets output, 104513330 bytes, 0 underruns
0 output errors, 3357 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
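The duplex and collision check described in the post above, written as a small parser for `show interfaces` text. This is an added example, not part of the original thread; the 0.1% collision-to-output-packet threshold and the finding names are assumptions chosen for illustration.

```python
import re

# Lines taken from the FastEthernet0/1 output quoted in the thread (abridged).
SAMPLE = """\
FastEthernet0/1 is up, line protocol is up
  Half-duplex, 100Mb/s
  572894 packets output, 104513330 bytes, 0 underruns
  0 output errors, 3357 collisions, 1 interface resets
  0 babbles, 0 late collision, 0 deferred
"""

HEADER = re.compile(r"^(\S+) is (?:administratively )?(?:up|down), line protocol is", re.M)

def _count(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0

def parse_interfaces(output):
    """Split 'show interfaces' text into one record per interface."""
    starts = [(m.start(), m.group(1)) for m in HEADER.finditer(output)]
    records = []
    for i, (pos, name) in enumerate(starts):
        end = starts[i + 1][0] if i + 1 < len(starts) else len(output)
        block = output[pos:end]
        link = re.search(r"(Half|Full|Auto)-duplex, (\d+Mb/s)", block)
        records.append({
            "name": name,
            "duplex": link.group(1).lower() if link else None,
            "speed": link.group(2) if link else None,
            "packets_out": _count(r"(\d+) packets output", block),
            "collisions": _count(r"(\d+) collisions", block),
            "late_collisions": _count(r"(\d+) late collision", block),
        })
    return records

def duplex_findings(rec, max_ratio=0.001):
    """Return finding codes; max_ratio (0.1%) is an assumed rule-of-thumb threshold."""
    findings = []
    if rec["duplex"] == "half" and rec["speed"] != "10Mb/s":
        findings.append("half-duplex-on-fast-link")
    ratio = rec["collisions"] / rec["packets_out"] if rec["packets_out"] else 0.0
    if ratio > max_ratio:
        findings.append("collision-ratio-%.2f%%" % (ratio * 100))
    if rec["late_collisions"]:
        findings.append("late-collisions")
    return findings

if __name__ == "__main__":
    for rec in parse_interfaces(SAMPLE):
        print(rec["name"], duplex_findings(rec))
```

Run against saved `show interfaces` output from each VPN router, it lists the ports that negotiated half duplex or are accumulating collisions, which is worth ruling out before attributing a hang to crypto load alone.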