Solved

high cpu load on cisco 2811

Posted on 2009-12-24
Last Modified: 2013-12-10
Hi,
I'm facing a CPU load issue on a Cisco 2811.
Attached you can see the configuration; there is nothing extra exhausting for the CPU.
The VPN is configured but the tunnel is not up since it's a backup one only.
Each time the traffic starts to reach 8M, the CPU load increases to 80 or 90%, reaching 100% at 10M traffic.
In the sh process cpu sorted, it's showing that the ip input is mostly causing this behavior.
In the datasheet of the router, it's written that it must support up to 60M traffic and 120,000 pps.
Any idea how this issue can be resolved? Any hint what can be removed from the router configuration to fix this?

thank you
router.txt
Question by:Raymah
 

Author Comment

by:Raymah
ID: 26118403
Any feedback on this issue?
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26119042
Can you at least temporarily delete the overhead stuff like nbar, sla, etc and get down to just what you need for routing and see if that improves it?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 26119300
When the load is high:

sh proc cpu sorted
sh ip sockets
0
 

Author Comment

by:Raymah
ID: 26121131
I already tried removing nbar and packet flow but it didn't work and the same behavior remained.

Concerning sh proc cpu sorted, it shows ip input at the top, then the processes after it are very low in usage. Anyway, I'll make sure to send you the output of the above 2 commands by Monday.
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26122731
Can you maybe get a sniffer or wireshark packet capture of the data going through that router? It might give some clue as to what is driving the cpu so high. Generally speaking normal routing of packets shouldn't cause the cpu to max out if those performance numbers are accurate.

This isn't a case of the router's performance numbers being in bits per second and the load you are applying is using bytes per second is it? If that is the case then you are hitting above the spec already with 8 megabytes which is 64 megabits per second.
0
 

Author Comment

by:Raymah
ID: 26123044
Can you please explain your last idea more?
On the router interface, it's around 1200 pps.
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26124585
I am just saying that interface bandwidth numbers are usually quoted in bits per second while application performance numbers are usually in bytes per second. There are 8 bits in a byte so depending on which one is being used you have to calculate for the other.
0
 

Author Comment

by:Raymah
ID: 26126606
I'm working in Cisco IOS, and the interface monitoring is in bits per second.
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26127588
If those datasheet performance numbers quoted are accurate you should be able to do much better than you are seeing.

Could you try removing the netflow commands?
And what interfaces are you using? I see one with the bandwidth set to 5000.
0
 

Author Comment

by:Raymah
ID: 26129763
I did remove the netflow commands and nbar before submitting this question but still, same result!
The bandwidth 5000 on the interface is only for the routing metrics; anyway, it's not used anymore.
The interfaces used are tunnel 10 and f0/1; the traffic is on these 2 interfaces.
0
 

Author Comment

by:Raymah
ID: 26131340
The CPU load decreased when we removed the GRE tunnel with the same BW speed, 10Mbps.
I was able to reach 10M on the router interface with CPU load at 30%.
When I added the GRE back, the CPU became 100%.
Any idea what the reason behind this is? Is there any speed limitation for the tunnel?
Below is the show ver output.

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(18b), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Mon 19-May-08 15:43 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

gw-larn uptime is 5 days, 0 minutes
System returned to ROM by Reload Command at 16:33:50 GMT Wed Dec 23 2009
System restarted at 16:34:42 GMT Wed Dec 23 2009
System image file is "flash:c2800nm-advsecurityk9-mz.124-18b.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 53.51) with 249856K/12288K bytes of memory.
Processor board ID FCZ110473Q8
2 FastEthernet interfaces
3 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
0
 

Author Comment

by:Raymah
ID: 26131575
Note that the 10M traffic is passing through this tunnel when it's activated, thus causing the CPU load.
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26137928
GRE is one of those CPU intensive processes that can run on a router. I am not sure what the expected load would be for this model.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 800 total points
ID: 26142351
Based on information on Cisco's site the 2811 can do about 20 Mbps over IPSec tunnels with traffic that matches "Spirent IPSec IMIX".

Which is supposed to be "Internet type traffic".  However it also says that if you have 1400 byte MTU, then it can do 55 Mbps.

http://www.cisco.com/en/US/prod/collateral/routers/ps5854/prod_qas0900aecd80169bd6.html 

See table 12.
0
 

Accepted Solution

by:
Raymah earned 0 total points
ID: 26144003
I was thinking today of decreasing the MTU size on the GRE tunnel; it's now 1500 bytes.
It's a GRE tunnel, not IPsec, so do you have any similar info for GRE like for IPsec?
Anyway, I'll try to set it to 1476 bytes and see the result.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 26145190
Under the tunnel interface, "ip tcp adjust-mss 1436"
0
 
LVL 57

Expert Comment

by:giltjr
ID: 26146681
Actually I think it should be even smaller.

Since your normal MTU is probably 1500, the normal MSS would be 1460. The tunnel and all of its overhead needs to fit inside of this in order not to fragment. The IPSec overhead depends on a few things, but I would suggest to be on the safe side you set the MTU of the tunnel to 1400; this would yield an MSS of 1360.

You may want to read:

     http://www.iphelp.ru/doc/3/Cisco.Press.Comparing.Designing.and.Deploying.VPNs.Apr.2006/1587051796/ch07lev1sec4.html

To help figure out if you can make the tunnel MTU larger to help improve link utilization. But you are not going to get too much better if you use an MTU of 1400.

0
 
LVL 57

Expert Comment

by:giltjr
ID: 26153464
Sorry about that, but I guess I missed the tunnel mode ipip. However, I guess I got confused with the crypto map applied to your tunnel interface.
0
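The MTU and MSS figures quoted in the comments above (1500/1460, 1476/1436, 1400/1360) can be reproduced with the following added example, which is not code from any poster in the thread; it also shows what one full-size packet becomes on the wire when the tunnel MTU is left at 1500. It assumes IPv4 and TCP headers without options, a basic 4-byte GRE header, and that fragmentation is permitted (DF clear); all function names are hypothetical.

```python
# Added example, not from the thread. Header sizes assume no IP/TCP options
# and a basic GRE header (no key, sequence number or checksum).
IPV4_HDR, TCP_HDR, GRE_HDR = 20, 20, 4

# Bytes each tunnel mode puts in front of the inner IP packet.
OVERHEAD = {"gre": IPV4_HDR + GRE_HDR, "ipip": IPV4_HDR}


def mss_for(ip_mtu):
    """TCP MSS that keeps a full segment within ip_mtu."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def tunnel_ip_mtu(link_mtu, mode):
    """Largest inner packet whose encapsulated form still fits link_mtu."""
    return link_mtu - OVERHEAD[mode]


def fragment_sizes(packet_len, mtu):
    """Total lengths of the IPv4 fragments needed to carry packet_len bytes."""
    if packet_len <= mtu:
        return [packet_len]
    payload = packet_len - IPV4_HDR
    per_frag = (mtu - IPV4_HDR) // 8 * 8  # fragment offsets count 8-byte units
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(chunk + IPV4_HDR)
        payload -= chunk
    return sizes


def wire_packets(inner_len, tunnel_mtu, link_mtu, mode):
    """Packets leaving the physical interface for one inner packet (DF clear)."""
    out = []
    for frag in fragment_sizes(inner_len, tunnel_mtu):  # split before encapsulation
        out += fragment_sizes(frag + OVERHEAD[mode], link_mtu)  # split after it
    return out


if __name__ == "__main__":
    for mode in OVERHEAD:
        mtu = tunnel_ip_mtu(1500, mode)
        print(mode, "ip mtu", mtu, "adjust-mss", mss_for(mtu))
    print("tunnel MTU 1500:", wire_packets(1500, 1500, 1500, "gre"))
    print("tunnel MTU 1476:", wire_packets(1476, 1476, 1500, "gre"))
```

With the tunnel MTU at 1500, every full-size packet leaves as two packets (1500 and 44 bytes); with 1476 and an MSS of 1436, a full TCP segment leaves as a single 1500-byte packet.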
