I have an 877 with 12.4(24)T Advanced IP Services. It is a DSL gateway and is configured with NAT, IPS & inbound VPN services. I have noticed that recently the L2TP/IPSec VPN feature has been failing for clients. After a bit of debugging I can see a message saying the router couldn't process the IPSec request due to a lack of memory (or something along those lines). I also noticed that the CPU is maxed out when applying new IPS signatures (for some reason the latest one (S409) won't even apply - however I haven't looked into why yet).
If I disable IPS on the dialer interface then L2TP/IPSec VPN works fine. If I reenable IPS it fails again. If I reboot the router, then give it time to get back up (IPS process maxes the CPU out for a few minutes after boot) then L2TP/IPSec VPN will work for a period - usually a day or so. After that it fails again, I assume with the same memory issue.
The 877 has maximum DRAM (256Mb) & FLASH (52Mb) and I would rather keep IPS enabled if I can.
Your CPU and memory are telling you that you can't put 10 lbs of features in a 5 lb bag.
You didn't mention running firewall on your 877. It might use less resources (especially while compiling signatures) than your IPS feature. Aside from that, you're going to have to transition the least needed features of this router to keep it running. Move VPN to a different system, or stand up an external IPS sensor.
Yeh I already sort of thought that was the case. However disabling IPS releases an absolute load of resources. Even if I replaced it with an 1841 then with 256Mb of DRAM I am still going to be looking at similar issues?
Possibly looking at a non-cisco box to replace this now :o(