I would know how to see whether the router is busy on defragmentin/fragmenting of packets about wrong settings of MTU. I have IPsec traffic going through the router and when it is present the CPU blasts up to 100%. Every other traffic can reach peaks of 400-500 kbytes per second while the IPsec traffic only 30/40 kBytes per second. Using "cpu show proc" the sum of all processes is close to 1% while the percentage on the top of list reaches 95/100%.
Many thanks,
Alex.
Hi,
You can use 'show ip traffic' command to check for frags/defrags among the other things... 'debug ip traffic' is also valuable, but limit it with ACL or use it at low utilization day periods...
When 'sh proc cpu' indicates high cpu percentage, but sum of all processes does not reach that cpu percentage (in your case 95/100%) then this means that your cpu is busy because of high number of interrupts. Make sure that your router has CEF switching enabled: 'show ip int' and then look for the "IP CEF switching is enabled" or similar. Next, if you suspect IPSec traffic for this issue, check if your router is equipped with AIM-VPN card or it's on board variant and if so, type 'sh crypto engine accelerator statistic' to check if AIM-VPN card is making it's purpose. If all from the above is ok, then consult the following URL:
B.R. Igor
Is your IPSec traffic going through serial interfaces? If so, just crank the physical mtu to 1600 on both side. "sho ip traffic" will tell you how many packets you are fragmenting.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.