02-04-2014 04:01 AM - edited 02-21-2020 07:28 PM
Hi all,
After applying a gre over ipsec tunnel on one of our branch office, we get high cpu consumption (average 90%).
Tunnel is applied between Cisco 2851 (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T2, (fc2) and
Cisco CISCO2921/K9 Version 15.0(1)M3.
Config of the tunnet is as follow :
- authentication pre-share
- encryption aes 256
- hash : sha
- transform set : esp-aes esp-sha-hmac mode transport
Routing process is eigrp.
Could anyone please help me on solving this issue?
02-04-2014 05:46 AM
First of all you need to check what process (or IO) is causing CPU utilization.
show proc cpu sort
would be the way to start.
02-04-2014 05:58 AM
Hi,
these process consum the higher cpu time : Crypto support (21%) ; Pool Manager (14%) ; IP Input (9%)
Thanks
02-04-2014 12:13 PM
If I had to guess this would mean there's some fragmentation/reassambly going on.
Did you lower MTU and MSS on the tunnel interface? I would also suggest checking with tunnel PMTUD.
02-05-2014 02:33 AM
Hi,
yes, we substracted the mtu value and mms adjust by 40.
I will check this tunnel PMTDU.
Thanks,
02-05-2014 02:44 AM
Cool, good start.
Check "show ip traffic" on both sides, it would be interesting to see what's going on.
BTW the CPU usage of top process doesn't add up to 90%, there's a possibility it's traffic rate/pattern + features (IP input and pool manager would suggest that).
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: