CPU 100% upon Isakmp key re-initialization ..

Status
Not open for further replies.
Jul 12, 2001
38
US
Can anyone out there tell me if it is a normal operation for a 2600 or 3600 router to reach 100% utilization at the exact time it gets a new crypto key? It only happens for a millisecond; however, our customer has a very TCP-sensitive Oracle connection over the WAN and it cuts them off when this key gets its new setting from the PIX. We have set the lifetime on the key to a much higher time limit, but I would like to know if anyone else has come across this?

thanks - jason "No hacker is worth missing a Dead concert for" - c.s.
 
No router should ever theoretically reach 100% utilization. What percent is it through general use, i.e. when it is not receiving the key?

You should really be seeing about 5-10% max.

Dan,
 
Dan, that's what we're seeing. Usually 10% is the max, but every key reinitialization we get this 100% spike?? "No hacker is worth missing a Dead concert for" - c.s.
 
Couple of quick questions

1. Where does this key come in from, i.e. where does it enter the router?
2. Do you have any policy routing configured, i.e. access-lists?
 
1. key comes from PIX which is across frame relay connection over serial interface
2. I have priority based routing for an Oracle Server and a few more access-lists configured - but how could this have any effect on the CPU util? Oracle traffic is very light and BW is 128

it should be noted that we have a star topology w/ this customer w/ 3 2600's and a PIX. IE, all routers have VPN to each other.

any ideas? "No hacker is worth missing a Dead concert for" - c.s.
 
Access-Lists are one of the most processor intensive tasks you can put on a router.

show processes CPU will give you the breakdown of all interrupts the router is performing, not traffic. The best thing to do is configure IP accounting on the interface that receives the key, then view the results once the CPU has hit 100%. This way, you can see if it is the key or whether anything else is being triggered. Also, if it is the key, the interface that receives it will record a throttle. This is where the traffic is too high for the interface to process, so it shuts itself down until it clears its buffers.

Try this, then let me know how you get on
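
An added example, not part of the thread and not Cisco's code: a small Python parser for the `show processes cpu` output mentioned above, which splits the five-second figure into interrupt-level and process-level load and names the busiest process at the moment of the spike. The sample output, its numbers, the process rows and the thresholds are all constructed for illustration.

```python
import re

# Constructed sample in the layout of IOS "show processes cpu".
# The numbers and process rows are invented; they are not from the thread.
SAMPLE = """\
CPU utilization for five seconds: 100%/3%; one minute: 14%; five minutes: 10%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1          12       410         29  0.00%  0.00%  0.00%   0 Load Meter
  23        9120     15110        603  1.20%  0.90%  0.85%   0 IP Input
  71       48210      3302      14600 94.60% 11.40%  7.90%   0 Crypto IKMP
  72        1105      2210        500  1.10%  0.30%  0.20%   0 IPSEC key engine
"""

# In the header "A%/B%", A is total CPU and B is the share spent at interrupt level.
HEADER = re.compile(r"five seconds:\s*(\d+)%/(\d+)%")
ROW = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+[\d.]+%\s+[\d.]+%\s+\d+\s+(.+?)\s*$"
)

def parse_show_proc_cpu(text):
    """Return total/interrupt/process load and processes sorted by 5-second CPU."""
    m = HEADER.search(text)
    if not m:
        raise ValueError("no 'CPU utilization for five seconds' header found")
    total, interrupt = int(m.group(1)), int(m.group(2))
    procs = []
    for line in text.splitlines():
        r = ROW.match(line)
        if r:  # the column-title line has no leading PID, so it is skipped
            procs.append((r.group(3), float(r.group(2))))
    procs.sort(key=lambda p: p[1], reverse=True)
    return {"total": total, "interrupt": interrupt,
            "process": total - interrupt, "procs": procs}

def classify(text, busy=80, interrupt_share=0.5):
    """Label a snapshot: 'not-busy', 'interrupt' (packet switching) or 'process'."""
    s = parse_show_proc_cpu(text)
    if s["total"] < busy:
        return ("not-busy", None)
    if s["interrupt"] >= s["total"] * interrupt_share:
        return ("interrupt", None)
    top = s["procs"][0][0] if s["procs"] else None
    return ("process", top)

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A snapshot labelled `process` with a crypto process on top points at the key exchange itself, while `interrupt` points at traffic being switched through the router.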
 
OK, thanks a lot Dan. I'll take a look at the accounting/throttle. I'm positive though that it is the key reinitialization b/c the CPU spike happens at the exact minute and second the router gets its new SA :). I compared the "sho proc cpu hist" with the current clock and the "sh crypto key mypubkey rsa"

what i can't understand is why the key is causing this to happen? maybe a hole/error in my config is what I was thinking?? "No hacker is worth missing a Dead concert for" - c.s.
 