James G- What do you see when you do: sh ip tra -- Regards, Ge Moua Network Design Engineer
University of Minnesota | OIT - NTS -- On 10/7/10 1:45 PM, Lasher, Donn wrote:
In my experience, two things hammer the CPU for IPSEC tunnels: 1. mGRE is not accelerated by the hardware. 2. Fragmenting Packets, lower MTU/MSS, CPU driven. Pretty common to see 2811's out of CPU with 10-11M of IPSEC payload in a tunnel, in my experience. -----Original Message----- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James Graebner [VPNtranet] Sent: Thursday, October 07, 2010 10:32 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] High CPU util on a 2811 with two ipsec tunnels I have a 2811 w/ AIM module terminating two 10m ipsec tunnels that is nearly always above 80% and often above 95% cpu util during the day. Buffers show no significant number of misses. sh int switching shows that 100% of the outbound encrypted packets are being process switched. IOS C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1. Why would this traffic not be fast switched?
_______________________________________________ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/