Try removing the ACLs and NetFlow one at a time, see if any of those help. The NAT you probably can't get rid of, I'm guessing. Is this an older IOS version? Older ones couldn't do NAT in the CEF path, from what I remember. An upgrade might help. Although newer ones might complain about the NPE-225 in there. If you really need VPN, a 2851 or 3825 would do this with ease.

Chuck

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Spencer Barnes
Sent: Wednesday, December 17, 2008 11:53 AM
To: E. Versaevel
Cc: [email protected]
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization

I included several replies in this that didn't make the list because I thought the information might be helpful.

"You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)"

Pure routing. I set up a server on our external network with a big file and uploaded it to the remote network outside of the VPN, verified by a traceroute.

"What type of VPN is it and what type of encryption are you using?"

Here is the VPN config.

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address xxx
crypto ipsec transform-set abc esp-des esp-md5-hmac
crypto map myvpn 5 ipsec-isakmp
 description === 192 to xxx ===
 set peer xxx
 set transform-set abc
 match address 153
crypto map myvpn 6 ipsec-isakmp
 description === 172 to xxx ===
 set peer xxx
 set transform-set abc
 match address 154

"...is it possible that without a IPSec accelerator card that your experiences is not unsurprising?"

That is what it is beginning to look like, but the fact that IP input is high even without the VPN is confusing to me. Based on the CPU utilization graphs and the correlating bandwidth graphs, I could upload at half the T3's capacity and more than likely crash the router.

Configuration change since first post: Removed outbound ACL on Serial1/0. No effect on CPU utilization.

--------------------------------------
Spencer

-----Original Message-----
From: E. Versaevel [mailto:[email protected]]
Sent: Wednesday, December 17, 2008 12:22 AM
To: Spencer Barnes
Cc: [email protected]
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization

Hi Spencer,

All encryption is done in software on the CPU (no dedicated encryption hardware) unless you have a special module for that. Your config isn't exactly minimal (i.e., gathering flow statistics & NAT also eats CPU). Also notice that you are referring to 5 minute averages on the bandwidth; try setting load-interval 30 on the fast Ethernet interface to gather some more realistic values.

I've managed to get a 7206 VXR on its knees while doing IP fragmentation on a 6 mbit tunnel :) so take a look at `show ip traffic`.

You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)

Kind regards,
Erik

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
