2800s, AIM-VPN-SSL2, vrf aware IPSEC, high CPU low throughput
We have a couple of new 2821s deployed across a fibre link and they were originally running 12.4 (non T) versions using software encryption. We would get around 8Mb/s throughput. Upgrading to T to use the installed AIM cards we now see the AIM cards in use (show cry isakmp sa det shows then engine as aim vpn), but we still get the same throughput and high CPU. allowing CEF on the interface doubles throughput but with the same high CPU. The only process I can see going high is IP Input. Is this because of vrf aware ipsec - or any other suggestions?
Re: 2800s, AIM-VPN-SSL2, vrf aware IPSEC, high CPU low throughpu
I am having the same issue. We have a 2851 as a IPSEC VPN headend with an AIM VPN module but we are seeing high CPU usage(80%) with just 4-5mbps worth of traffic. I have an idea that I might have a NAT issue.
We are currently running, NAT, ZFW, and IPSEC site 2 site VPN on the router.
When I look at my ZONE firewall policy-map output it is showing all of my VPN traffic as process switched.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...