Cisco Support Community
Community Member

7206 VXR


I am working for an ISP ,

I am using 7206 VXR series(NPE 300) as LNS , this 7206 is configured for VPDN in order to terminating L2TP tunnels coming from PSTN provider( Internet users dial into PSTN provider's LAC and then LAC initates L2TP tunnels to my LNS ) ,

This router is running c7200-jo3s-mz.122-15.T5.bin as IOS and equipped with 256 MB RAM .

When the number of users logged in reaches 550 users and above , the router CPU hits 80% 90 % , 95% and affects the whole performance ( slow browsing ...)

noting that ip cef is enabled ,and route cahe flow is also enabled ,

May i have to know how many L2TP tunnels a 7206 vxr could support or terminate ? is this an IOS problem or it s a hardware limitation?

it s urgent question

My thanks in advance

Best Regards,


VIP Purple

Re: 7206 VXR

Hello Ali,

you might want to try to disable cef and enable process switching instead. If that doesn´t help, can you post your config ?




Re: 7206 VXR

I think you're just hitting a processor limitation. Where is the processor being used? Start here:

Is the high utilization on the process side, or the interrupt side? If it's on the interrupt side, you should look at show align, and see if you're hitting alignement errors, or spurious accesses, etc. If you're not hitting any of these, and the processor utilization is on the interrupt side, then you are just hitting the limit of the box, I'd think (though it seems low to me, but I don't know much about how much processing for these tunnels).

If it's on the process side, then chase down the process, and see if it really looks abnormal. I'd bet the tunnels are being process switched anyway, or require at least some processing.

One thing you might be able to do is to ask your users to reduce their MTU's a bit, to 1350 or so, so the router isn't doing any reassembly across these tunnels. Fragmentation really really eats processor on a router.


Community Member

Re: 7206 VXR


i would like to thank you all for your useful replies ,

all users accessing Internet through my LNS are authenticated by a Radius Cisco ACS ; IP addresses and MTU and other parameters are assigned directly by Cisco radius , so if i impose MTU size on my RADIUS to 1350 or 1448 bytes , will solve this my problem ? or should i have to configure the mtu on LAC and LNS as described in the URLs above ? in fact LAC belongs to PSTN provider, i can't access it to customize a special config profile to my case and i am not sure even if they are using Cisco product

Thanks for your reply



Community Member

Re: 7206 VXR

Manually Configuring a Lower IP MTU

Configure a lower IP MTU on the virtual-template interface using the ip mtu command. Configuring a lower IP MTU forces the router to drop any IP packets which exceed the IP MTU and have the DF (Don't Fragment) bit set in the IP header. The router then generates an Internet Control Message Protocol (ICMP) type 3 Host Unreachable, code 4 fragmentation needed message towards the source of the packet (the original host). This message indicates the IP MTU of the interface, so that the source can reduce the packet size to fit through the interface. This process is also known as Path MTU Detection (PMTUD). For more information, refer to RFC 1191. The IP MTU should be configured to the largest IP packet size which will not exceed the PMTU between the LAC and the LNS when the full L2TP header is added. For a 1500 byte PMTU and a standard 40 byte L2TP header, set the IP MTU to 1460 (1500-40 byte header).

If the PMTU is unknown (or changes) between the LAC and LNS, you can configure the command ip pmtu under the vpdn-group. The ip pmtu command was added in Cisco IOS Software Release 12.2(4)T using Bug ID CSCds72714. For more details on this bug, refer to the Cisco Bug Toolkit. A link to Bug Toolkit can be found the TAC Tools for Access-Dial technologies page. The ip pmtu feature copies the DF bit from the inside packet to the outside L2TP header and turns on PMTUD between the router and its L2TP tunnel endpoint.

Adjusting PMTU on Windows PCs

Microsoft Windows has a registry setting which allows you to enable a backoff feature for their PMTU discovery. For information on Windows NT, see the following article on the Microsoft website: PMTU Black Hole Detection Algorithm Change for Windows NT 3.51 (Q136970).

For Windows 2000/XP, the Microsoft article How to Troubleshoot Black Hole Router Issues (Q314825) describes various methods in Windows for avoiding this issue. This article defines the term "black hole" router, describes a method of locating black hole routers, and suggests three ways to avoid the data loss that can occur because of a black hole router.

Automatically Adjusting the IP MTU

You can also enable automatic adjustment of the IP MTU. This feature allows the router to automatically adjust the IP MTU on the virtual-access interface to compensate for the size of L2TP header and the MTU of the egress interface. This feature was added in Cisco IOS Software Release 12.1(5)T using Bug ID CSCdr01713. For more details on this bug, refer to the Bug Toolkit on the TAC Tools for Access-Dial technologies page.

check the following link for more information

Asim Khan

Community Member

Re: 7206 VXR


Did anyone get to the root of this problem, I started to face the same problem here.

CreatePlease to create content