
New Member

CPU overloaded on a 2611XM due to ipsec

Hello,

On my 2611XM (c2600-advsecurityk9-mz.123-11.T2.bin) with no VPN hardware module, my CPU is very overloaded due to the encrypt proc.

I know that the solution is to upgrade this box (or to purchase a VPN module). But I would like to know if there is any tuning to decrease the CPU load while waiting for this upgrade?

For the moment, it has three GRE/IPsec tunnels to reach other offices in my company. The transform set is esp-3des esp-sha-hmac.

Do you have any idea how I can decrease the CPU load, such as by changing the encryption algorithm?

5 REPLIES

Re: CPU overloaded on a 2611XM due to ipsec

Hi

Instead of changing the encryption method, I would suggest checking whether you are allowing the required interesting traffic to be encrypted rather than all the traffic between the sites.

Using a particular encryption method may be an architecture decision and may not comply if you change the same.

regds

New Member

Re: CPU overloaded on a 2611XM due to ipsec

This VPN router is used only to encrypt the relevant traffic. The other traffic is going to a PIX.

I can change on the remote location to fit the encryption. I just need to know if there is an encryption algorithm that requires fewer resources. Any other tip will be helpful.

Thank you

Re: CPU overloaded on a 2611XM due to ipsec

The encryption mechanisms that you can choose from are DES/3DES or AES.

If the encryption is done in hardware you won't notice any difference.

If the encryption is done in software, then you might want to go with DES (not really recommended for security reasons) since 3DES or AES are more processor-demanding.

Federico.

New Member

Re: CPU overloaded on a 2611XM due to ipsec

Hello Federico,

As I said, unfortunately, there is no hardware crypto card.

My transform set is esp-3des esp-sha-hmac

The solution will be to go down to esp-des, right?

Thanks,

Re: CPU overloaded on a 2611XM due to ipsec

Yes,

You can try going to DES and MD5

Instead of:

esp-3des esp-sha-hmac

esp-des esp-md5-hmac

As well, if you have the same settings for phase 1, you can change them as well:

sh cry isa policy

Now, give this a try, but I don't think it is the right final solution.

Federico.
