
IPSEC tunnel - CPU Utilization for static routes

Hi guys,

I have a scenario where trying to push a public IP subnet over an IPSEC tunnel brings my routers to their knees due to high CPU utilization!
A bit of background: 1841 router to 1841 router IPSEC tunnel, using a virtual tunnel interface and IPSEC encryption.

RouterA:

interface Tunnel100
 description **To VPN Hub**
 bandwidth 400000
 ip address 10.0.56.2 255.255.255.0 secondary
 ip address 10.0.70.2 255.255.255.0
 ip access-group VPNHub_ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1480
 ip tcp adjust-mss 1400
 load-interval 30
 keepalive 30 3
 tunnel source 220.x
 tunnel destination 203.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_Hub

sh interfaces tunnel 100
Tunnel100 is up, line protocol is up
  Hardware is Tunnel
  Description: **To VPN Hub**
  Internet address is 10.0.70.2/24
  MTU 1514 bytes, BW 400000 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (30 sec), retries 3
  Tunnel source 220.x, destination 203.x
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "VPN_Hub")
  Last input 00:32:16, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/58/0 (size/max/drops/flushes); Total output drops: 79
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     27756 packets input, 7316557 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     156521 packets output, 139753793 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

On the other side, RouterB:

interface Tunnel100
 description **Sydney Office**
 bandwidth 400000
 ip address 10.0.56.1 255.255.255.0 secondary
 ip address 10.0.70.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1480
 ip hello-interval eigrp 2 15
 ip hold-time eigrp 2 45
 load-interval 30
 keepalive 30 3
 tunnel source 203.x
 tunnel destination 220.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SYD_HO


sh interfaces tunnel 100
Tunnel100 is up, line protocol is up
  Hardware is Tunnel
  Description: **Sydney Office**
  Internet address is 10.0.70.1/24
  MTU 1514 bytes, BW 400000 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (30 sec), retries 3
  Tunnel source 203.x, destination 220.x
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "SYD_HO")
  Last input 00:38:28, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 21
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     530 packets input, 32379 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     184 packets output, 20590 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

Now when I do an ip route 203.x.x.192 0.0.0.31 tunnel 100 on Router A, the router becomes almost inaccessible and the following happens:


#sh processes cpu history

  12:17:37 AM Wednesday Mar 30 2011 UTC


      99999999999999999998888                   11111
    339999999999999999999333355551111111111     77777111111111
100   *******************
 90   *******************
 80   ***********************
 70   ***********************
 60   ***********************
 50   ***********************
 40   ***********************
 30   ***********************
 20   ***********************                   *****
 10   ***************************               *****
   0....5....1....1....2....2....3....3....4....4....5....5....
             0    5    0    5    0    5    0    5    0    5
               CPU% per second (last 60 seconds)


I can't see the reason why this happens. RouterA has learnt a lot of routes from IGPs running on RouterB over the tunnel. I can do big file transfers over this tunnel from servers behind each of these routers, but when I try to add a static route to a publicly routable IP over the IPSEC tunnel, the CPU utilization goes through the roof.

It shouldn't be the routers (I have tested this with an 877 and different 1841s), and it couldn't be that the router can't handle the encrypting/decrypting of 203.x traffic, as the routers seem to handle all other traffic perfectly fine.

Any ideas guys?
Asked by: demon777
1 Solution

Istvan Kalmar (Head of IT Security Division) commented:
Hi,

If you have configured a firewall or are using IPSEC with NAT, the 1841 is only able to handle a max of 10-12 Mbps. I've tested this at home, and afterwards I replaced it with a 5505, which has a stronger firewall and higher IPSEC performance!

I advise setting the outside leg to 10M full duplex to control the bandwidth; then the CPU never goes up to 100%.

Best regards,
Istvan

koudry commented:
Hello,

I am surprised to see the Cisco 1841 struggle with IPSEC because it has a hardware-based crypto engine as opposed to software-based crypto engine and therefore, should not suffer. I suspect there are other factors at work here.

Bandwidth could be one of the problems, because IPSEC is bandwidth hungry.

There is also something suspicious about your bandwidth configuration. This does look like 400,000 kb, which translates to 400 Mb. This must be wrong unless I am not reading this correctly. You may be right, but it does look odd.

What is the WAN interface, i.e. is this Ethernet (10M, 100M etc) or is it DSL etc?

Thanks.

Koudry


demon777 (Author) commented:
Found out the problem: the IP address of the destination tunnel was inside the static route I was specifying to go through the tunnel. A sh int confirmed my suspicion that the router was getting hit with high CPU due to a loop :) All good now; I specified the route to the VPN destination separately to go through the normal internet.
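As an added illustration (not code from the thread): a small Python model of the router's longest-prefix lookup that flags the loop demon777 describes, where a static route covering the tunnel's own outer destination sends the encrypted packets back into the tunnel. Addresses are constructed documentation-range values; the /27 for the static route and the interface names are assumptions.

```python
"""Recursive-route check for an IPSEC VTI, modelled on this thread's fix.
All addresses below are constructed (RFC 5737 ranges), not the poster's."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # egress interface name, e.g. "Tunnel100" (assumed)


def lookup(rib, dst):
    """Longest-prefix match over the table, as the FIB does."""
    best = None
    addr = ipaddress.IPv4Address(dst)
    for r in rib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress(rib, dst):
    """Interface a packet to dst would leave on, or None if unroutable."""
    r = lookup(rib, dst)
    return r.interface if r else None


def tunnel_is_recursive(rib, tunnel_if, tunnel_dest):
    """True when the tunnel's outer destination resolves back through the
    tunnel itself: every encapsulated packet is re-encapsulated, the router
    spins at 100% CPU, and IOS logs a recursive-routing condition."""
    return egress(rib, tunnel_dest) == tunnel_if


def net(s):
    return ipaddress.ip_network(s, strict=False)


TUNNEL_DEST = "203.0.113.200"  # constructed stand-in for RouterB's 203.x public IP
BROKEN_RIB = [
    Route(net("0.0.0.0/0"), "FastEthernet0/0"),    # default route towards the ISP
    Route(net("203.0.113.192/27"), "Tunnel100"),   # the static that covers TUNNEL_DEST
]
# demon777's fix: route the VPN endpoint itself via the normal internet path.
FIXED_RIB = BROKEN_RIB + [Route(net("203.0.113.200/32"), "FastEthernet0/0")]

if __name__ == "__main__":
    for name, rib in (("broken", BROKEN_RIB), ("fixed", FIXED_RIB)):
        print(name, "recursive:", tunnel_is_recursive(rib, "Tunnel100", TUNNEL_DEST))
```

The fixed table still sends the rest of the /27 through the tunnel; only the host route for the endpoint is pulled out, which is the same effect as the separate route demon777 added.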
 
demon777Author Commented:
It was a partial answer: the 1841 CAN definitely handle the load.

Istvan Kalmar (Head of IT Security Division) commented:
If you are configuring an L2L VPN and a firewall at the same time, the 1841 is not enough...