Raymah

High CPU load on Cisco 2811

Hi,
I'm facing a CPU load issue on a Cisco 2811.
Attached you can see the configuration; there is nothing extra exhausting for the CPU.
The VPN is configured but the tunnel is not up since it's a backup one only.
Each time the traffic starts to reach 8M, the CPU load increases to 80 or 90%, reaching 100% at 10M traffic.
In the sh process cpu sorted output, it's showing that IP Input is mostly causing this behavior.
In the datasheet of the router, it's written that it must support up to 60M traffic and 120,000 pps.
Any idea how this issue can be resolved? Any hint what can be removed from the router configuration to fix this?

Thank you
router.txt
Raymah

ASKER

Any feedback on this issue?
Can you at least temporarily delete the overhead stuff like nbar, sla, etc and get down to just what you need for routing and see if that improves it?
Jan Bacher
When the load is high:

sh proc cpu sorted
sh ip sockets
Raymah

ASKER

I already tried removing nbar and packet flow but it didn't work and the same behavior remained.

Concerning sh proc cpu sorted, it shows IP Input at the top, then the processes after it are very low in usage. Anyway, I'll make sure to send you the output of the above 2 commands by Monday.
Can you maybe get a sniffer or wireshark packet capture of the data going through that router? It might give some clue as to what is driving the cpu so high. Generally speaking normal routing of packets shouldn't cause the cpu to max out if those performance numbers are accurate.

This isn't a case of the router's performance numbers being in bits per second and the load you are applying is using bytes per second is it? If that is the case then you are hitting above the spec already with 8 megabytes which is 64 megabits per second.
Raymah

ASKER

Can you please explain your last idea more?
On the router interface, it's around 1200 pps.
I am just saying that interface bandwidth numbers are usually quoted in bits per second while application performance numbers are usually in bytes per second. There are 8 bits in a byte so depending on which one is being used you have to calculate for the other.
Raymah

ASKER

I'm working in Cisco IOS, and the interface monitoring is in bits per second.
If those datasheet performance numbers quoted are accurate you should be able to do much better than you are seeing.

Could you try removing the netflow commands?
And what interfaces are you using? I see one with the bandwidth set to 5000.
Raymah

ASKER

I did remove the netflow commands and nbar before submitting this question but still, same result!
The bandwidth 5000 on the interface is only for the routing metrics; anyway, it's not used anymore.
The interfaces used are tunnel 10 and f0/1; the traffic is on these 2 interfaces.
Raymah

ASKER

The CPU load decreased when we removed the GRE tunnel, with the same BW speed of 10 Mbps.
I was able to reach 10M on the router interface with CPU load at 30%.
When I added the GRE back, the CPU became 100%.
Any idea what the reason behind this is? Is there any speed limitation for the tunnel?
Below is the show ver output.

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(18b), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Mon 19-May-08 15:43 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

gw-larn uptime is 5 days, 0 minutes
System returned to ROM by Reload Command at 16:33:50 GMT Wed Dec 23 2009
System restarted at 16:34:42 GMT Wed Dec 23 2009
System image file is "flash:c2800nm-advsecurityk9-mz.124-18b.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 53.51) with 249856K/12288K bytes of memory.
Processor board ID FCZ110473Q8
2 FastEthernet interfaces
3 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Raymah

ASKER

Note that the 10M traffic is passing through this tunnel when it's activated, thus causing the CPU load.
GRE is one of those CPU intensive processes that can run on a router. I am not sure what the expected load would be for this model.
Under the tunnel interface, "ip tcp adjust-mss 1436"
Actually I think it should be even smaller.

Since your normal MTU is probably 1500, the normal MSS would be 1460. The tunnel and all of its overhead needs to fit inside of this in order not to fragment. The IPSec overhead depends on a few things, but I would suggest that, to be on the safe side, you set the MTU of the tunnel to 1400; this would yield an MSS of 1360.

You may want to read:

     http://www.iphelp.ru/doc/3/Cisco.Press.Comparing.Designing.and.Deploying.VPNs.Apr.2006/1587051796/ch07lev1sec4.html

To help figure out if you can make the tunnel MTU larger to help improve link utilization. But you are not going to get too much better if you use an MTU of 1400.

Sorry about that, but I guess I missed the tunnel mode ipip. However, I guess I got confused with the crypto map applied to your tunnel interface.
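
The MTU and MSS arithmetic from the replies above, as an added example that is not part of any participant's post: it computes the largest tunnel MTU and TCP MSS that avoid fragmentation for a given encapsulation stack on a 1500-byte link. The ESP parameters (tunnel mode, AES-CBC, HMAC-SHA1-96) and all function names are assumptions, since the router's transform set is not shown on the page.

```python
# Added example. Header sizes are standard; the ESP transform is an assumption.
IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4
ESP_HDR = 8          # SPI + sequence number

def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12):
    """On-wire size of an ESP tunnel-mode packet wrapping inner_len bytes.
    Defaults model AES-CBC (16-byte IV/block) with HMAC-SHA1-96 (12-byte ICV)."""
    plaintext = inner_len + 2                  # + pad-length and next-header bytes
    padded = -(-plaintext // block) * block    # round up to the cipher block size
    return IP_HDR + ESP_HDR + iv_len + padded + icv_len

def wire_size(inner_len, encaps):
    """Apply encapsulations innermost-first; return the final IP packet size."""
    size = inner_len
    for encap in encaps:
        if encap == "gre":
            size += IP_HDR + GRE_HDR
        elif encap == "ipip":
            size += IP_HDR
        elif encap == "esp":
            size = esp_tunnel_size(size)
        else:
            raise ValueError(f"unknown encapsulation: {encap}")
    return size

def max_tunnel_mtu(link_mtu, encaps):
    """Largest inner IP packet that still fits link_mtu after encapsulation."""
    for inner in range(link_mtu, IP_HDR + TCP_HDR, -1):
        if wire_size(inner, encaps) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for this encapsulation stack")

def mss_for(link_mtu, encaps):
    """TCP MSS that keeps full-size segments unfragmented through the tunnel."""
    return max_tunnel_mtu(link_mtu, encaps) - IP_HDR - TCP_HDR

def fragments(packet_len, link_mtu, encaps):
    """True if a packet of packet_len bytes would exceed link_mtu once wrapped."""
    return wire_size(packet_len, encaps) > link_mtu

if __name__ == "__main__":
    for stack in ([], ["gre"], ["ipip"], ["ipip", "esp"], ["gre", "esp"]):
        print(stack, max_tunnel_mtu(1500, stack), mss_for(1500, stack))
```

Plain GRE gives the 1436 quoted in the thread, and under the assumed transform a 1400-byte tunnel MTU stays below the 1500-byte link for both IPIP and GRE combined with ESP.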