Исходное сообщение
"Процесс Encrypt периодически съедает весь процессор 7206" Отправлено _RAW_, 01-Сен-10 17:38
Уважаемые коллеги. Помогите найти источник проблемы! Сломал всю голову за последние две недели, но не могу найти где порылась собака. Имеется c7206vxr NPE400 IOS (tm) 7200 Software (C7200-JK9S-M), Version 12.3(18), RELEASE SOFTWARE (fc3) На ней крутится три IPSec туннеля, наттинг локалки и DMZ в инет и IPSec коннект к Firebox оборудованию удаленного офиса. Периодически CPU на несколько секунд забивается процессом  Encrypt Proc. Забивается апериодично, но раз или два в час пики случаются. По ту сторону тунелей суммарно 400 автономных терминальных хостов. Нагрузка по трафику никакая. Возрастание нагрузки стало заметно при возрастании активности на Tunnel2. Но по тунелю работают всего 180 хостов. Неужели 7206 не может справиться с этой пустяковой нагрузкой? P.S. Tunnel1 и Tunnel2 смотрят на две разные аналогичные кошки с разными адресами, просто звездочками адреса забил, неочевидно стало что тунели в разные хосты. вот что говорит в секунды лагов sh proc cpu sor: CPU utilization for five seconds: 92%/22%; one minute: 48%; five minutes: 32% PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process 117      715368    436648       1638 53.95% 21.30% 11.44%   0 Encrypt Proc   52      626120   1936745        323 15.58% 11.36%  8.25%   0 IP Input 115        1964       768       2557  0.23%  0.48%  0.20%   2 SSH Process sh ip tra показывает что фрагментаций особо нету: IP statistics:   Rcvd:  77020097 total, 884405 local destination          0 format errors, 23 checksum errors, 222210 bad hop count          1754 unknown protocol, 46 not a gateway          0 security failures, 0 bad options, 0 with options   Opts:  0 end, 0 nop, 0 basic security, 0 loose source route          0 timestamp, 0 extended security, 0 record route          0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump          0 other   Frags: 88 reassembled, 0 timeouts, 0 couldn't reassemble          74 fragmented, 373 fragments, 1 couldn't fragment конфиг: crypto isakmp policy 2 encr 3des authentication pre-share group 2 lifetime 7200 crypto isakmp policy 3 encr 3des hash md5 authentication pre-share crypto isakmp policy 4 encr 3des authentication pre-share crypto isakmp key *** address 6*.14*.10*.24* no-xauth crypto isakmp key *** address 21*.87.1.16* no-xauth crypto isakmp key *** address 80.84.11*.21* crypto isakmp key *** address 21*.87.1.16* no-xauth crypto isakmp keepalive 10 ! crypto ipsec security-association idle-time 3600 ! crypto ipsec transform-set maks esp-3des esp-sha-hmac crypto ipsec transform-set mtsset esp-3des esp-md5-hmac crypto ipsec transform-set bankrs esp-3des esp-sha-hmac mode transport crypto ipsec transform-set mtsrzd esp-3des esp-md5-hmac ! crypto ipsec profile gre1 set transform-set maks ! crypto ipsec profile mts set transform-set mtsset ! crypto ipsec profile mtsrzd set transform-set mtsrzd ! ! crypto map bankrs 4 ipsec-isakmp set peer 80.84.11*.21* set security-association lifetime seconds 86400 set transform-set bankrs match address bankrs ! ! ! ! interface Tunnel0 description UCS ip address 10.3.2.9 255.255.255.192 no ip redirects ip mtu 1416 ip nat outside ip nhrp authentication ocsic ip nhrp map 10.3.2.1 62.14*.10*.24* ip nhrp map multicast 62.14*.10*.24* ip nhrp network-id 24 ip nhrp nhs 10.3.2.1 tunnel source 62.11*.87.* tunnel destination 62.14*.10*.24* tunnel key 54321 tunnel protection ipsec profile gre1 shared ! interface Tunnel1 description MTS bandwidth 2000 ip address 10.11.0.2 255.255.255.252 ip mtu 1420 ip nat outside ip tcp adjust-mss 1380 no ip mroute-cache ip policy route-map comcor-map tunnel source 62.11*.87.* tunnel destination 21*.87.1.16* tunnel protection ipsec profile mts shared ! interface Tunnel2 description MTSRZD bandwidth 2000 ip address 192.168.254.162 255.255.255.252 ip mtu 1420 ip nat outside ip tcp adjust-mss 1380 no ip mroute-cache ip policy route-map comcor-map tunnel source 62.11*.87.* tunnel destination 21*.87.1.16* tunnel protection ipsec profile mtsrzd shared ! interface FastEthernet0/0 description LAN ip address 192.168.0.1 255.255.255.0 secondary ip address 192.168.100.1 255.255.255.0 secondary ip address 192.168.101.1 255.255.255.0 secondary ip address 192.168.3.1 255.255.255.0 ip access-group lvsin in ip nat inside no ip mroute-cache ip policy route-map comcor-map duplex auto speed 100 ! interface FastEthernet0/1 description DMZ ip address 87.24*.13*.17 255.255.255.240 secondary ip address 77.10*.90.12* 255.255.255.192 secondary ip address 77.10*.72.1 255.255.255.240 ip access-group dmzin in ip nat inside no ip mroute-cache ip policy route-map comcor-map duplex auto speed 100 ! interface Serial1/0:0 no ip address shutdown ! interface Serial1/1:0 no ip address shutdown ! interface FastEthernet2/0 description COMCOR ip address 62.11*.87.* 255.255.255.252 ip access-group 128 in ip access-group comcorout out ip verify unicast reverse-path no ip redirects no ip unreachables ip nat outside duplex auto speed auto crypto map bankrs ! interface FastEthernet2/1 no ip address shutdown duplex auto speed auto ! ip nat log translations syslog ip nat pool comcor-space 62.11*.87.* 62.11*.87.* netmask 255.255.255.252 ip nat pool poolnat 77.10*.90.14* 77.10*.90.14* netmask 255.255.255.0 type rotary ip nat inside source list ucs interface Tunnel0 overload ip nat inside source route-map comcor-map pool comcor-space overload ip nat inside source static tcp 192.168.3.213 80 62.11*.87.* *** extendable no-alias ip nat inside source static tcp 192.168.3.212 80 62.11*.87.* *** extendable no-alias ip nat inside destination list portnat pool poolnat ip classless ip route 0.0.0.0 0.0.0.0 62.11*.87.* ip route 10.0.4.0 255.255.255.0 80.84.11*.21* ip route 10.10.0.0 255.255.240.0 Tunnel1 ip route 10.14.0.0 255.255.254.0 Tunnel2 ip route 77.10*.72.0 255.255.255.240 FastEthernet0/1 ip route 77.10*.90.12* 255.255.255.192 FastEthernet0/1 ip route 87.24*.13*.16 255.255.255.240 FastEthernet0/1 ip route 192.168.0.0 255.255.255.0 FastEthernet0/0 ip route 192.168.3.0 255.255.255.0 FastEthernet0/0 ip route 192.168.88.0 255.255.255.0 77.10*.90.13* ip route 192.168.100.0 255.255.255.0 FastEthernet0/0 ip route 192.168.101.0 255.255.255.0 FastEthernet0/0 ip http server ip http authentication local ip http secure-server ! ! ! ip access-list standard telacc permit 192.168.3.100 permit 93.81.25*.16* permit 77.10*.72.0 0.0.0.15 ! ip access-list extended bankrs permit ip 77.10*.72.0 0.0.0.15 10.0.4.0 0.0.0.255 permit ip 77.10*.90.12* 0.0.0.63 10.0.4.0 0.0.0.255 ip access-list extended comcorout permit ip any any ip access-list extended dmzin permit ip any any log ip access-list extended lvsin permit ip any any log ip access-list extended permitinternet permit ip host 192.168.3.100 any permit ip host 192.168.3.50 any permit ip host 192.168.0.4 any permit ip 10.10.0.0 0.0.15.255 any permit ip 10.14.0.0 0.0.1.255 any ip access-list extended portnat permit tcp any host 77.10*.72.6 eq *** permit tcp any host 77.10*.72.6 eq *** permit tcp any host 77.10*.72.6 eq *** permit tcp any host 77.10*.72.6 eq *** permit tcp any host 77.10*.72.6 eq *** permit tcp any host 77.10*.72.6 eq *** permit tcp any host 77.10*.72.6 eq *** ip access-list extended ucs permit ip host 87.24*.13*.27 172.16.0.0 0.0.255.255 permit ip host 87.24*.13*.25 172.16.0.0 0.0.255.255 permit ip host 87.24*.13*.20 172.16.0.0 0.0.255.255 permit ip host 77.10*.72.6 172.16.0.0 0.0.255.255 permit ip host 192.168.3.100 172.16.0.0 0.0.255.255 permit ip host 192.168.3.100 10.3.2.0 0.0.0.255 permit ip host 192.168.3.11 10.3.2.0 0.0.0.255 logging history size 500 logging history informational logging trap debugging logging source-interface FastEthernet0/1 logging 77.10*.90.13* access-list 128 permit ip any any (128 аксесслист весьма длинный. вырезал) ! route-map comcor-map permit 20 match ip address permitinternet match interface FastEthernet2/0 set default interface FastEthernet2/0