02-11-2014 06:32 AM - edited 03-11-2019 08:44 PM
After reading some info on Julio's website, I have come to think my VPN configs are a bit too fat and not very streamlined. My configs are starting to hammer CPU on the routers now, especially as the remote offices are now starting to use VDSL speeds. What are your thoughts?
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 104
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any PING_ACCESS
 match access-group name PING_ACCESS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any SNMP_ACCESS
 match access-group name SNMP_ACCESS
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
 match class-map SNMP_ACCESS
 match class-map PING_ACCESS
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_VPN_PT
 match access-group 103
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 102
!
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class type inspect sdm-access
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key m0n5t3r address ***.***.***.***
!
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto map ipsec-TEST 10 ipsec-isakmp
 set peer ***.***.***.***
 set transform-set aes-sha
 set pfs group2
 match address 101
02-18-2014 06:02 AM
What routers are you using?
--
Please remember to rate and select a correct answer
03-21-2014 10:22 AM
Hi Marius,
The routers we are using are CISCO 887VA
Thanks.
03-25-2014 08:02 AM
Sorry for the late reply. I have not been getting any email notifications since the new support website was launched.
If that is all the ZBF config you have, it is not much configured... relatively speaking. So that leads me to believe that if you are experiencing performance issues it could be related to the amount of traffic that is traversing the 887 router, and its ability to handle that traffic.
You do have some redundant config in there but that should not affect performance in any significant way...just to point out an example:
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
This could have been done using just the ccp-cls-icmp-access class map. But as I said it should not affect performance.
Have you checked memory usage on the router and not just the CPU?
How many users are connecting through the router on a daily basis?
It could very well be that the amount of traffic passing through the router is becoming more than it can handle, and an upgrade to a more robust router is needed.
--
Please remember to rate and select a correct answer
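The redundancy the reply points out (a match-all class-map whose only match line wraps one other class-map, so the policy-map could reference the inner class directly) is easy to miss by eye in a CCP/SDM-generated config. The script below is an added example, not code from the thread or from Cisco: it parses `class-map type inspect` and `policy-map type inspect` stanzas, flags single-child wrapper class-maps, and flattens nested references to the leaf `match protocol` / `match access-group` lines so the effective match set of each policy class is visible. The sample config is constructed from the snippet quoted in the reply plus the SDM_VPN_PT chain from the original post (a wrapper that is not redundant, because it adds `match access-group 103`). Run over the full config from the first post, it would also flag ccp-insp-traffic as a wrapper around ccp-cls-insp-traffic.

```python
"""Flag redundant class-map nesting in a Cisco IOS zone-based firewall config.

Added example, not from the thread: parses class-map / policy-map stanzas,
reports class-maps that are only a wrapper around one nested class-map, and
flattens nested references to their leaf match lines.
"""
import re
from collections import OrderedDict

# Constructed sample based on the config quoted in the thread.
SAMPLE_CONFIG = """\
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 103
 match class-map SDM_VPN_TRAFFIC
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop
!
"""

CLASS_RE = re.compile(r"^class-map type inspect (match-any|match-all) (\S+)\s*$")
POLICY_RE = re.compile(r"^policy-map type inspect (\S+)\s*$")
PCLASS_RE = re.compile(r"^\s+class type inspect (\S+)\s*$")


def parse_config(text):
    """Return ({class_name: (mode, [match lines])}, {policy_name: [class names]})."""
    class_maps, policies = OrderedDict(), OrderedDict()
    current = None  # ("class", name) or ("policy", name) while inside a stanza
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # "!" or a blank line ends the current stanza
            continue
        m = CLASS_RE.match(line)
        if m:
            class_maps[m.group(2)] = (m.group(1), [])
            current = ("class", m.group(2))
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = []
            current = ("policy", m.group(1))
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "class" and line.startswith(" match "):
            class_maps[name][1].append(line.strip())
        elif kind == "policy":
            m = PCLASS_RE.match(line)
            if m:  # class-default and action lines (inspect/pass/drop) are skipped
                policies[name].append(m.group(1))
    return class_maps, policies


def redundant_wrappers(class_maps):
    """Class-maps whose only match line is `match class-map X`: they match
    exactly what X matches, so a policy-map could reference X directly.
    Wrappers with extra match lines (like SDM_VPN_PT) are intentional."""
    out = {}
    for name, (_mode, matches) in class_maps.items():
        if len(matches) == 1 and matches[0].startswith("match class-map "):
            out[name] = matches[0].split()[-1]
    return out


def effective_matches(class_maps, name, _seen=None):
    """Flatten nested class-map references down to leaf protocol/ACL matches."""
    if _seen is None:
        _seen = set()
    if name in _seen or name not in class_maps:
        return []  # undefined (e.g. SDM_AH in the sample) or cyclic reference
    _seen.add(name)
    leaves = []
    for m in class_maps[name][1]:
        if m.startswith("match class-map "):
            leaves.extend(effective_matches(class_maps, m.split()[-1], _seen))
        else:
            leaves.append(m)
    return leaves


def report(text):
    """For each (policy, class): (inner class it could use directly or None, leaf matches)."""
    class_maps, policies = parse_config(text)
    wrappers = redundant_wrappers(class_maps)
    return {(pol, cls): (wrappers.get(cls), effective_matches(class_maps, cls))
            for pol, classes in policies.items() for cls in classes}


if __name__ == "__main__":
    for (pol, cls), (direct, leaves) in report(SAMPLE_CONFIG).items():
        note = f"could reference {direct} directly" if direct else "ok"
        print(f"{pol} / {cls}: {note}; leaf matches = {leaves}")
```

The flattened leaf list is also the quick answer to the "is this config fat?" question: it shows how many protocol and ACL checks each policy class actually applies, independent of how many class-map layers CCP generated.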