High CPU usage due to Encrypt Proc

OMAR CANDARAVE
Level 1

Hi all,

I have a router with high CPU usage due to:

Encrypt Proc

Router

cisco 1721 (MPC860P) processor (revision 0x300) with 57506K/8030K bytes of memory.

interface Serial0
 description #### TELCO
 bandwidth 128
 ip address 200.94.44.65 255.255.255.252
 no cdp enable
 crypto map MYCRYPO
end

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key myKey address 216.33.48.49
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set XX esp-3des esp-md5-hmac
 mode transport
!
crypto map MYCRYPO 10 ipsec-isakmp
 set peer 216.33.48.49
 set transform-set XX
 match address 102

router1#sh int s0
Serial0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Description: #### TELCO
  Internet address is 200.94.44.65/30
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 176/255, rxload 3/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 28/75/158175/0 (size/max/drops/flushes); Total output drops: 497
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/293 (size/max total/threshold/drops)
     Conversations  0/9/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 96 kilobits/sec
  5 minute input rate 892000 bits/sec, 140 packets/sec
  5 minute output rate 226000 bits/sec, 106 packets/sec
     42910203 packets input, 3602478677 bytes, 10 no buffer
     Received 75479 broadcasts, 16 runts, 1 giants, 0 throttles
     44323 input errors, 18116 CRC, 15616 frame, 0 overrun, 0 ignored, 10591 abort
     33670083 packets output, 33720500 bytes, 0 underruns
     0 output errors, 0 collisions, 328 interface resets
     0 output buffer failures, 0 output buffers swapped out
     34 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

router1#sh proc cpu sor
CPU utilization for five seconds: 99%/8%; one minute: 99%; five minutes: 97%
PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  80   283596832  26700772      10621 90.18% 89.03% 86.46%   0 Encrypt Proc
  35      498200    979207        508  0.24%  0.08%  0.07%   0 IP Input
  61      251432   1082701        232  0.16%  0.04%  0.03%   0 CEF process
   5      428608     83317       5144  0.16%  0.08%  0.06%   0 Check heaps
  78        5248      4008       1309  0.16%  0.30%  0.39%   6 Virtual Exec
  10      589400    649052        908  0.16%  0.07%  0.06%   0 ARP Input
  41      100488   2992151         33  0.08%  0.03%  0.01%   0 SSS Feature Time
  95      216732    417253        519  0.08%  0.01%  0.00%   0 IP SNMP
........ more

Let me know if more information needed.

Any advice?

8 Replies

John Blakley
VIP Alumni

Can you clear counters and repost "sh int s0"? I'm curious about the CRCs that you have on the interface. I'm not sure how long this router's been up, but the counters have never been cleared. If you're still incrementing, I'd talk to the provider about having your line checked.

Has this worked ok in the past?

HTH,
John

*** Please rate all useful posts ***

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

If you don't have the optional encryption module, or if for some reason it's not being used, it doesn't take much 3DES to consume the main CPU.

Hi Omar,

Encryption can be done in software or hardware. You need to have a VAM module in the router which would do the hardware encryption. If software is not able to handle the encryption, you would see high CPU utilization due to the Encrypt process. A temporary fix is to remove the crypto map on the interface. You can use show version to see if the VAM module is there on the device.

Regards,

Sathvik
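An added example, not part of the original thread or of any Cisco tooling: the check the replies above describe, written as a small parser for `show processes cpu sorted` output. It splits the `99%/8%` summary into interrupt and process-level load and flags the case where `Encrypt Proc` dominates the five-minute average. The sample text is the output quoted in this thread; the function names and the 50% threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample: the 'show processes cpu sorted' lines quoted in this thread.
SAMPLE = """\
CPU utilization for five seconds: 99%/8%; one minute: 99%; five minutes: 97%
PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  80   283596832  26700772      10621 90.18% 89.03% 86.46%   0 Encrypt Proc
  35      498200    979207        508  0.24%  0.08%  0.07%   0 IP Input
  61      251432   1082701        232  0.16%  0.04%  0.03%   0 CEF process
........ more
"""

SUMMARY = re.compile(r"five seconds: (\d+)%/(\d+)%; one minute: (\d+)%; five minutes: (\d+)%")
ROW = re.compile(r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+\d+\s+(.+?)\s*$")

def parse_cpu(text):
    """Return (summary, processes); header, blank and 'more' lines are skipped."""
    summary, procs = None, []
    for line in text.splitlines():
        m = SUMMARY.search(line)
        if m:
            total, intr, one_min, five_min = map(int, m.groups())
            # IOS prints total/interrupt; the difference is process-level load.
            summary = {"total": total, "interrupt": intr, "process": total - intr,
                       "one_min": one_min, "five_min": five_min}
            continue
        m = ROW.match(line)
        if m:
            procs.append({"pid": int(m[1]), "five_sec": float(m[2]), "one_min": float(m[3]),
                          "five_min": float(m[4]), "name": m[5]})
    return summary, procs

def diagnose(text, threshold=50.0):
    """Flag sustained software encryption load; threshold (percent) is an assumed cut-off."""
    summary, procs = parse_cpu(text)
    if summary is None or not procs:
        raise ValueError("no 'show processes cpu' data found")
    top = max(procs, key=lambda p: p["five_min"])
    suspected = top["name"] == "Encrypt Proc" and top["five_min"] >= threshold
    return {"process_level_5s": summary["process"], "interrupt_5s": summary["interrupt"],
            "top_process": top["name"], "top_five_min": top["five_min"],
            "software_crypto_suspected": suspected}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

On the thread's output, 91 of the 99 percentage points are process-level load rather than interrupt-level packet switching, and nearly all of that belongs to `Encrypt Proc`.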

This is the show ver, but I can't see the VAM module. Sathvik, do you recommend installing that module?

router1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9O3SY7-M), Version 12.3(20), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Tue 08-Aug-06 17:59 by kesnyder
Image text-base: 0x8000816C, data-base: 0x810A3620

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-BK9NO3R2SY7-M), Version 12.3(9), RELEASE SOFTWARE (fc2)

router1 uptime is 1 week, 2 days, 22 hours, 50 minutes
System returned to ROM by power-on
System restarted at 20:31:41 Summer Tue Jun 25 2013
System image file is "flash:c1700-k9o3sy7-mz.123-20.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco 1721 (MPC860P) processor (revision 0x300) with 57506K/8030K bytes of memory.
Processor board ID FOC08080QDN (3072600685), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Hi Omar,

Yes, would recommend installing a VPM module. Have taken some text from the URL mentioned below which would help you understand.

The optional VPN hardware encryption module for the Cisco 1721 router further optimizes VPN encryption performance. By offloading encryption tasks to the VPN module, the router processor is freed to handle other operations. The VPN module accelerates the rate at which encryption occurs, speeding the process of transmitting secure data, a critical factor when using 3DES encryption.

http://www.cisco.com/en/US/products/hw/routers/ps221/products_data_sheet09186a00800920ec.html

Rate the post if it helps!!

Regards,

Sathvik K V

Hi Sathvik, this router is end of life so the customer would not want to buy a VPN module for it. What other router do you recommend?

Hi Omar,

Would recommend Cisco 1921. Please note that if you are using IOS version universalk9, then you would have to purchase the license.

Show version should show you the below logs after installing a license.

Technology Package License Information for Module:'c1900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot 
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9
data          None          None           None

Regards,

Sathvik K V

Posting

The 1721 is rated at 12 Kpps, and doesn't have any hardware encryption, standard.

The current high end 800 series have a faster Kpps rating, and I believe, come with hardware encryption standard. (The hardware for encryption makes a huge difference). For example the 880 series is rated at 50 Kpps.

I've attached a Cisco white paper on ISR performance.  Select a model for your expected bandwidth processing needs.
