CPU overloaded on a 2611XM due to ipsec

Unanswered Question
May 25th, 2010
On my 2611XM (c2600-advsecurityk9-mz.123-11.T2.bin) with no vpn hardware module, my cpu is very overloaded due to the encrypt proc.

I know that the solution is to upgrade this box (or to purchase a VPN module). But I would like to know if there is any tuning to decrease the CPU load while waiting for this upgrade?

For the moment, it has three GRE/IPsec tunnels to reach other offices in my company. The transform set is esp-3des esp-sha-hmac.

Do you have any idea how I can decrease the CPU load, for example by changing the encryption algorithm?

spremkumar Tue, 05/25/2010 - 05:56


Instead of changing the encryption method, I would suggest checking whether you are encrypting only the required interesting traffic rather than all the traffic between the sites.

Using a particular encryption method may be an architecture decision, and changing it may not be compliant.


mathieuploton Tue, 05/25/2010 - 06:37

This vpn router is used only to encrypt the relevant traffic. The other traffic is going to a PIX.

I can change the remote location to match the encryption. I just need to know if there is an encryption algorithm that requires fewer resources. Any other tip will be helpful.

Thank you

Federico Coto F... Tue, 05/25/2010 - 06:47

The encryption mechanisms that you can choose from are DES/3DES or AES.

If the encryption is done in hardware you won't notice any difference.

If the encryption is done in software, then you might want to go with DES (not really recommended for security reasons), since 3DES or AES are more processor-demanding.


mathieuploton Tue, 05/25/2010 - 08:09

Hello Federico,

As I said, unfortunately, there is no hardware crypto card.

My transform set is esp-3des esp-sha-hmac.

The solution would be to go down to esp-des, right?


Federico Coto F... Tue, 05/25/2010 - 08:49


You can try going to DES and MD5.

Instead of:

esp-3des esp-sha-hmac

use:

esp-des esp-md5-hmac

As well, if you have the same settings for phase 1, you can change them too:

sh cry isa policy

Now, give this a try, but I don't think it is the right final solution.
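As an added illustration of the two suggestions in this thread (scope the crypto ACL to the GRE tunnel traffic only, and check the phase 1 and phase 2 settings with the show commands), here is a minimal IOS configuration. It is example configuration, not the original poster's, and the addresses, names and pre-shared key are hypothetical placeholders.

```cisco
! Added example, not from the thread. Hypothetical addresses:
! local public 192.0.2.1, remote public 198.51.100.1 (one of the three sites).
!
! Crypto ACL that matches only the GRE packets between the two tunnel
! endpoints, so the router encrypts the tunnel itself and not every
! flow it happens to forward (the first answer's point).
ip access-list extended GRE-TO-SITE-B
 permit gre host 192.0.2.1 host 198.51.100.1
!
! Phase 1 policy as the poster describes it; "show crypto isakmp policy"
! (abbreviated "sh cry isa policy" in the thread) displays what is active.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.1
!
! Phase 2 transform set exactly as the poster currently runs it.
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto map CM-SITE-B 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-3DES-SHA
 match address GRE-TO-SITE-B
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map CM-SITE-B
!
! Exec-mode checks (not configuration): confirm which process owns the
! CPU, and that the SA packet counters track tunnel traffic only.
! show processes cpu sorted
! show crypto ipsec sa
! show crypto isakmp policy
```

If the SA counters in "show crypto ipsec sa" grow far faster than the traffic that should cross the tunnels, the crypto ACL is matching more than the GRE flows and is worth tightening before any algorithm change.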
