750G r2 100% CPU

Hello,

I just bought a RouterBOARD 750G r2.

I have a VPN with a Cisco router (871). Both routers have dynamic IPs from the ISP. The MikroTik has 100% CPU utilization. The ipsec process is using 90% of the CPU and it won't go down even with no traffic.

Usually the router has a load of 2Mbps of upload and 2Mbps of download.

I am using two scripts to reconfigure the vpn and DDNS.

The DDNS script runs every 4 minutes; if it detects the same name it doesn't update the value. The VPN script runs every 5 minutes, and in this case it writes a change every 5 minutes.

The router behaves well for approximately 8 hours; past this time the CPU goes to 100% and it needs a reboot.

Here is the VPN script:

*Note: I'm using the values "site0" and "site1" so as not to give the names of the sites.

:global newr1 [:resolve "site0"]
:global newr2 [:resolve "site1"]
/ip ipsec policy set src-address=192.168.1.0/24 dst-address=192.168.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=$newr2 sa-dst-address=$newr1 proposal=MyProposal numbers=1
/ip ipsec peer set address=$newr1 port=500 auth-method=pre-shared-key secret=central2017 exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 generate-policy=no 0
:log info "SetIPsecscript:Changing IP"

Router info:

Model RouterBOARD 750G r2
Factory Firmware 3.31
Current Firmware 3.31
Upgrade Firmware 3.30
Voltage 11.8 V
Temperature 44 C
Software ID L2S8-K2FT
Level 4

What could be causing this? I think that the script might be the problem but I don't know how to write it better. Maybe someone can help me with this?

Thanks!
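
Added example, not part of the original post: one way to give the VPN script the same "only write when the value changed" behaviour the post describes for the DDNS script, so the peer and policy are not rewritten every 5 minutes. It assumes RouterOS 6.x and that the peer and policy carry the hypothetical comment "vpn-site0"; because it touches only the addresses, the pre-shared key and algorithm settings no longer have to appear in the script.

```routeros
# Added example (RouterOS 6.x scripting). "site0"/"site1" are the poster's
# placeholders; the comment "vpn-site0" is a hypothetical label that must be
# set once on the existing peer and policy so they can be found from a script.

# If a name does not resolve, :resolve raises an error and the script stops
# here, leaving the working configuration untouched.
:local remote [:tostr [:resolve "site0"]]
:local own [:tostr [:resolve "site1"]]

:local peerId [/ip ipsec peer find comment="vpn-site0"]
:local polId [/ip ipsec policy find comment="vpn-site0"]
:if (([:len $peerId] != 1) || ([:len $polId] != 1)) do={
    :error "SetIPsecscript: expected exactly one peer and one policy"
}

# The peer address may read back as a prefix (a.b.c.d/32): strip any mask.
:local curPeer [:tostr [/ip ipsec peer get $peerId address]]
:local slash [:find $curPeer "/"]
:if ([:typeof $slash] != "nil") do={
    :set curPeer [:pick $curPeer 0 $slash]
}
:local curSrc [:tostr [/ip ipsec policy get $polId sa-src-address]]
:local curDst [:tostr [/ip ipsec policy get $polId sa-dst-address]]

# Write to the peer only when the remote address really changed.
:if ($curPeer != $remote) do={
    /ip ipsec peer set $peerId address=$remote
    :log info "SetIPsecscript: peer address changed to $remote"
}

# Write to the policy only when one of the tunnel endpoints changed.
:if (($curSrc != $own) || ($curDst != $remote)) do={
    /ip ipsec policy set $polId sa-src-address=$own sa-dst-address=$remote
    :log info "SetIPsecscript: policy endpoints changed to $own -> $remote"
}
```

With this version a log entry appears only on a real address change, which makes it easy to check whether the CPU spikes line up with script writes or with something else.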

I probably have the same problem on a CCR1016. It worked for a month without any problem, but in the last few days the load sometimes rises to 88-96% without any reason (on 16 CPU cores!!).
In the profiler I have no IPsec; I see the networking profile making the high load, but all local traffic and routing works, only the IPsec tunnels stop.
The load can't be lowered even if I temporarily disable the IPsec peers, or the networking (eth ports) itself. Only a restart helps - for a while.

[Edited]
The normal load is only 1-3%
Software updated to the latest 6.39.2 (was 6.39.1 before)
Firmware is the latest too (3.33)

Second hand, I presume? The current model is 750Gr3 and it has MUCH better performance, especially for IPSEC.
You should have bought that one.
Anyway, the spec you give for software version is a bit strange. Has it been downgraded? Maybe by the previous owner?
Start by upgrading it to the current RouterOS version 6.39.2 and then perform a Firmware upgrade and reboot again.
See if that fixes it.
8 hours of uptime probably means there is some issue when re-negotiating the IPsec keys after they reach the end of their 8 hour lifetime.
Is the software on the Cisco up to date?

Problem would be there.

You really want the r3 as the VPN performance on them is phenomenal.