10-15-2013 03:07 PM - edited 03-04-2019 09:19 PM
Hi all,
I have a router with high CPU usage due to:
Encrypt Proc
Router
cisco 1721 (MPC860P) processor (revision 0x300) with 57506K/8030K bytes of memory.
interface Serial0
 description #### TELCO
 bandwidth 128
 ip address 200.94.44.65 255.255.255.252
 no cdp enable
 crypto map MYCRYPO
end
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key myKey address 216.33.48.49
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set XX esp-3des esp-md5-hmac
 mode transport
!
crypto map MYCRYPO 10 ipsec-isakmp
 set peer 216.33.48.49
 set transform-set XX
 match address 102
router1#sh int s0
Serial0 is up, line protocol is up
Hardware is PowerQUICC Serial
Description: #### TELCO
Internet address is 200.94.44.65/30
MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
reliability 255/255, txload 176/255, rxload 3/255
Encapsulation HDLC, loopback not set
Keepalive set (10 sec)
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 28/75/158175/0 (size/max/drops/flushes); Total output drops: 497
Queueing strategy: weighted fair
Output queue: 0/1000/64/293 (size/max total/threshold/drops)
Conversations 0/9/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 96 kilobits/sec
5 minute input rate 892000 bits/sec, 140 packets/sec
5 minute output rate 226000 bits/sec, 106 packets/sec
42910203 packets input, 3602478677 bytes, 10 no buffer
Received 75479 broadcasts, 16 runts, 1 giants, 0 throttles
44323 input errors, 18116 CRC, 15616 frame, 0 overrun, 0 ignored, 10591 abort
33670083 packets output, 33720500 bytes, 0 underruns
0 output errors, 0 collisions, 328 interface resets
0 output buffer failures, 0 output buffers swapped out
34 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
router1#sh proc cpu sor
CPU utilization for five seconds: 99%/8%; one minute: 99%; five minutes: 97%
 PID Runtime(ms)   Invoked  uSecs    5Sec    1Min    5Min TTY Process
  80   283596832  26700772  10621  90.18%  89.03%  86.46%   0 Encrypt Proc
  35      498200    979207    508   0.24%   0.08%   0.07%   0 IP Input
  61      251432   1082701    232   0.16%   0.04%   0.03%   0 CEF process
   5      428608     83317   5144   0.16%   0.08%   0.06%   0 Check heaps
  78        5248      4008   1309   0.16%   0.30%   0.39%   6 Virtual Exec
  10      589400    649052    908   0.16%   0.07%   0.06%   0 ARP Input
  41      100488   2992151     33   0.08%   0.03%   0.01%   0 SSS Feature Time
  95      216732    417253    519   0.08%   0.01%   0.00%   0 IP SNMP
........ more
Let me know if more information needed.
Any advice?
10-15-2013 04:33 PM
Can you clear counters and repost "sh int s0"? I'm curious about the CRCs that you have on the interface. I'm not sure how long this router's been up, but the counters have never been cleared. If you're still incrementing, I'd talk to the provider about having your line checked.
Has this worked ok in the past?
HTH,
John
*** Please rate all useful posts ***
10-16-2013 05:29 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
If you don't have the optional encryption module, or if for some reason it's not being used, it doesn't take much 3DES to consume the main CPU.
10-16-2013 05:49 AM
Hi Omar,
Encryption can be done in software or hardware. You need to have a VAM module in the router which would do the hardware encryption. If software is not able to handle the encryption, you would see high CPU utilization due to the Encrypt process. A temporary fix is to remove the crypto map on the interface. You can use show version to see if a VAM module is there on the device.
Regards,
Sathvik
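Added example (not part of any post in this thread, and not Cisco tooling): a small Python check that reads pasted "show processes cpu sorted" and "show version" text and reports whether process-level CPU is dominated by Encrypt Proc while no crypto hardware is listed. The sample input is constructed from the outputs posted above; the function names, the 50% threshold and the "show version" inventory pattern are assumptions.

```python
import re

# Constructed sample input, abridged from the outputs posted in this thread.
SHOW_PROC_CPU = """\
CPU utilization for five seconds: 99%/8%; one minute: 99%; five minutes: 97%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
80 283596832 26700772 10621 90.18% 89.03% 86.46% 0 Encrypt Proc
35 498200 979207 508 0.24% 0.08% 0.07% 0 IP Input
"""
SHOW_VERSION = """\
cisco 1721 (MPC860P) processor (revision 0x300) with 57506K/8030K bytes of memory.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial(sync/async) network interface(s)
"""

HEADER = re.compile(r"five seconds: (\d+)%/(\d+)%")  # total% / interrupt-level%
# Columns: PID Runtime Invoked uSecs 5Sec 1Min 5Min TTY Process
ROW = re.compile(r"^[ \t]*(\d+)(?:[ \t]+\d+){3}[ \t]+([\d.]+)%[ \t]+([\d.]+)%"
                 r"[ \t]+([\d.]+)%[ \t]+\d+[ \t]+(\S.*?)[ \t]*$", re.M)
# Assumption: a crypto accelerator appears as a counted inventory line in
# "show version" that mentions VPN or encryption; adjust per platform.
CRYPTO_HW = re.compile(r"^[ \t]*\d+[ \t]+.*(?:VPN|encryption)", re.I | re.M)


def parse_cpu(text):
    """Parse 'show processes cpu sorted' into totals and per-process rows."""
    m = HEADER.search(text)
    if m is None:
        raise ValueError("CPU utilization header not found")
    total, interrupt = int(m.group(1)), int(m.group(2))
    procs = [{"pid": int(pid), "five_sec": float(s5), "five_min": float(m5),
              "name": name} for pid, s5, _m1, m5, name in ROW.findall(text)]
    return {"total": total, "interrupt": interrupt,
            "process_level": total - interrupt, "procs": procs}


def diagnose(cpu_text, version_text, threshold=50.0):
    """Flag the case from the thread: Encrypt Proc dominating process-level CPU."""
    cpu = parse_cpu(cpu_text)
    top = max(cpu["procs"], key=lambda p: p["five_min"], default=None)
    return {"top_process": top["name"] if top else None,
            "process_level_pct": cpu["process_level"],
            "crypto_hw_listed": bool(CRYPTO_HW.search(version_text)),
            "software_crypto_bound": bool(top) and top["name"] == "Encrypt Proc"
                                     and top["five_min"] >= threshold}


if __name__ == "__main__":
    print(diagnose(SHOW_PROC_CPU, SHOW_VERSION))
```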
10-16-2013 05:09 PM
This is the show ver, but I can't see the VAM module. Sathvik, do you recommend installing that module?
router1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9O3SY7-M), Version 12.3(20), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Tue 08-Aug-06 17:59 by kesnyder
Image text-base: 0x8000816C, data-base: 0x810A3620
ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-BK9NO3R2SY7-M), Version 12.3(9), RELEASE SOFTWARE (fc2)
router1 uptime is 1 week, 2 days, 22 hours, 50 minutes
System returned to ROM by power-on
System restarted at 20:31:41 Summer Tue Jun 25 2013
System image file is "flash:c1700-k9o3sy7-mz.123-20.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
cisco 1721 (MPC860P) processor (revision 0x300) with 57506K/8030K bytes of memory.
Processor board ID FOC08080QDN (3072600685), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
10-16-2013 11:23 PM
Hi Omar,
Yes, I would recommend installing a VPM module. I have taken some text from the URL mentioned below, which should help you understand.
The optional VPN hardware encryption module for the Cisco 1721 router further optimizes VPN encryption performance. By offloading encryption tasks to the VPN module, the router processor is freed to handle other operations. The VPN module accelerates the rate at which encryption occurs, speeding the process of transmitting secure data, a critical factor when using 3DES encryption.
http://www.cisco.com/en/US/products/hw/routers/ps221/products_data_sheet09186a00800920ec.html
Rate the post if it helps!!
Regards,
Sathvik K V
10-18-2013 12:19 PM
Hi Sathvik, this router is end of life so the customer would not want to buy a VPN module for it. What other router do you recommend?
10-18-2013 11:05 PM
Hi Omar,
Would recommend the Cisco 1921. Please note that if you are using IOS version universalk9, then you would have to purchase the license.
Show version should show you the below logs after installing a license.
Technology Package License Information for Module:'c1900'
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9
data          None          None           None
Regards,
Sathvik K V
10-19-2013 02:52 AM
The 1721 is rated at 12 Kpps, and doesn't have any hardware encryption, standard.
The current high end 800 series have a faster Kpps rating, and I believe, come with hardware encryption standard. (The hardware for encryption makes a huge difference). For example the 880 series is rated at 50 Kpps.
I've attached a Cisco white paper on ISR performance. Select a model for your expected bandwidth processing needs.