Dear colleagues, please help me find the source of a problem! I have been racking my brain for the last two weeks but cannot figure out where the catch is. I have a c7206vxr NPE400
IOS (tm) 7200 Software (C7200-JK9S-M), Version 12.3(18), RELEASE SOFTWARE (fc3)
It runs three IPSec tunnels, NAT of the LAN and DMZ to the Internet, and an IPSec connection to the Firebox equipment at a remote office.
Periodically the CPU is saturated for a few seconds by the Encrypt Proc process.
It happens at irregular intervals, but the peaks occur once or twice an hour.
On the far side of the tunnels there are 400 standalone terminal hosts in total. The traffic load is negligible.
The increase in load became noticeable as activity on Tunnel2 increased. But only 180 hosts work over that tunnel.
Can a 7206 really not cope with this trivial load?
P.S. Tunnel1 and Tunnel2 point to two different but similar Cisco routers with different addresses; I just masked the addresses with asterisks, so it is no longer obvious that the tunnels go to different hosts.
Here is what sh proc cpu sor shows during the seconds of lag:
CPU utilization for five seconds: 92%/22%; one minute: 48%; five minutes: 32%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 117      715368    436648       1638 53.95% 21.30% 11.44%   0 Encrypt Proc
  52      626120   1936745        323 15.58% 11.36%  8.25%   0 IP Input
 115        1964       768       2557  0.23%  0.48%  0.20%   2 SSH Process
sh ip tra shows that there is hardly any fragmentation:
IP statistics:
  Rcvd:  77020097 total, 884405 local destination
         0 format errors, 23 checksum errors, 222210 bad hop count
         1754 unknown protocol, 46 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 88 reassembled, 0 timeouts, 0 couldn't reassemble
         74 fragmented, 373 fragments, 1 couldn't fragment
Config:
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp policy 4
 encr 3des
 authentication pre-share
crypto isakmp key *** address 6*.14*.10*.24* no-xauth
crypto isakmp key *** address 21*.87.1.16* no-xauth
crypto isakmp key *** address 80.84.11*.21*
crypto isakmp key *** address 21*.87.1.16* no-xauth
crypto isakmp keepalive 10
!
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set maks esp-3des esp-sha-hmac
crypto ipsec transform-set mtsset esp-3des esp-md5-hmac
crypto ipsec transform-set bankrs esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set mtsrzd esp-3des esp-md5-hmac
!
crypto ipsec profile gre1
 set transform-set maks
!
crypto ipsec profile mts
 set transform-set mtsset
!
crypto ipsec profile mtsrzd
 set transform-set mtsrzd
!
!
crypto map bankrs 4 ipsec-isakmp
 set peer 80.84.11*.21*
 set security-association lifetime seconds 86400
 set transform-set bankrs
 match address bankrs
!
!
!
!
interface Tunnel0
 description UCS
 ip address 10.3.2.9 255.255.255.192
 no ip redirects
 ip mtu 1416
 ip nat outside
 ip nhrp authentication ocsic
 ip nhrp map 10.3.2.1 62.14*.10*.24*
 ip nhrp map multicast 62.14*.10*.24*
 ip nhrp network-id 24
 ip nhrp nhs 10.3.2.1
 tunnel source 62.11*.87.*
 tunnel destination 62.14*.10*.24*
 tunnel key 54321
 tunnel protection ipsec profile gre1 shared
!
interface Tunnel1
 description MTS
 bandwidth 2000
 ip address 10.11.0.2 255.255.255.252
 ip mtu 1420
 ip nat outside
 ip tcp adjust-mss 1380
 no ip mroute-cache
 ip policy route-map comcor-map
 tunnel source 62.11*.87.*
 tunnel destination 21*.87.1.16*
 tunnel protection ipsec profile mts shared
!
interface Tunnel2
 description MTSRZD
 bandwidth 2000
 ip address 192.168.254.162 255.255.255.252
 ip mtu 1420
 ip nat outside
 ip tcp adjust-mss 1380
 no ip mroute-cache
 ip policy route-map comcor-map
 tunnel source 62.11*.87.*
 tunnel destination 21*.87.1.16*
 tunnel protection ipsec profile mtsrzd shared
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.0.1 255.255.255.0 secondary
 ip address 192.168.100.1 255.255.255.0 secondary
 ip address 192.168.101.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.255.0
 ip access-group lvsin in
 ip nat inside
 no ip mroute-cache
 ip policy route-map comcor-map
 duplex auto
 speed 100
!
interface FastEthernet0/1
 description DMZ
 ip address 87.24*.13*.17 255.255.255.240 secondary
 ip address 77.10*.90.12* 255.255.255.192 secondary
 ip address 77.10*.72.1 255.255.255.240
 ip access-group dmzin in
 ip nat inside
 no ip mroute-cache
 ip policy route-map comcor-map
 duplex auto
 speed 100
!
interface Serial1/0:0
 no ip address
 shutdown
!
interface Serial1/1:0
 no ip address
 shutdown
!
interface FastEthernet2/0
 description COMCOR
 ip address 62.11*.87.* 255.255.255.252
 ip access-group 128 in
 ip access-group comcorout out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip nat outside
 duplex auto
 speed auto
 crypto map bankrs
!
interface FastEthernet2/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip nat log translations syslog
ip nat pool comcor-space 62.11*.87.* 62.11*.87.* netmask 255.255.255.252
ip nat pool poolnat 77.10*.90.14* 77.10*.90.14* netmask 255.255.255.0 type rotary
ip nat inside source list ucs interface Tunnel0 overload
ip nat inside source route-map comcor-map pool comcor-space overload
ip nat inside source static tcp 192.168.3.213 80 62.11*.87.* *** extendable no-alias
ip nat inside source static tcp 192.168.3.212 80 62.11*.87.* *** extendable no-alias
ip nat inside destination list portnat pool poolnat
ip classless
ip route 0.0.0.0 0.0.0.0 62.11*.87.*
ip route 10.0.4.0 255.255.255.0 80.84.11*.21*
ip route 10.10.0.0 255.255.240.0 Tunnel1
ip route 10.14.0.0 255.255.254.0 Tunnel2
ip route 77.10*.72.0 255.255.255.240 FastEthernet0/1
ip route 77.10*.90.12* 255.255.255.192 FastEthernet0/1
ip route 87.24*.13*.16 255.255.255.240 FastEthernet0/1
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0
ip route 192.168.3.0 255.255.255.0 FastEthernet0/0
ip route 192.168.88.0 255.255.255.0 77.10*.90.13*
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0
ip route 192.168.101.0 255.255.255.0 FastEthernet0/0
ip http server
ip http authentication local
ip http secure-server
!
!
!
ip access-list standard telacc
 permit 192.168.3.100
 permit 93.81.25*.16*
 permit 77.10*.72.0 0.0.0.15
!
ip access-list extended bankrs
 permit ip 77.10*.72.0 0.0.0.15 10.0.4.0 0.0.0.255
 permit ip 77.10*.90.12* 0.0.0.63 10.0.4.0 0.0.0.255
ip access-list extended comcorout
 permit ip any any
ip access-list extended dmzin
 permit ip any any log
ip access-list extended lvsin
 permit ip any any log
ip access-list extended permitinternet
 permit ip host 192.168.3.100 any
 permit ip host 192.168.3.50 any
 permit ip host 192.168.0.4 any
 permit ip 10.10.0.0 0.0.15.255 any
 permit ip 10.14.0.0 0.0.1.255 any
ip access-list extended portnat
 permit tcp any host 77.10*.72.6 eq ***
 permit tcp any host 77.10*.72.6 eq ***
 permit tcp any host 77.10*.72.6 eq ***
 permit tcp any host 77.10*.72.6 eq ***
 permit tcp any host 77.10*.72.6 eq ***
 permit tcp any host 77.10*.72.6 eq ***
 permit tcp any host 77.10*.72.6 eq ***
ip access-list extended ucs
 permit ip host 87.24*.13*.27 172.16.0.0 0.0.255.255
 permit ip host 87.24*.13*.25 172.16.0.0 0.0.255.255
 permit ip host 87.24*.13*.20 172.16.0.0 0.0.255.255
 permit ip host 77.10*.72.6 172.16.0.0 0.0.255.255
 permit ip host 192.168.3.100 172.16.0.0 0.0.255.255
 permit ip host 192.168.3.100 10.3.2.0 0.0.0.255
 permit ip host 192.168.3.11 10.3.2.0 0.0.0.255
logging history size 500
logging history informational
logging trap debugging
logging source-interface FastEthernet0/1
logging 77.10*.90.13*
access-list 128 permit ip any any (access list 128 is quite long; I cut it out)
!
route-map comcor-map permit 20
 match ip address permitinternet
 match interface FastEthernet2/0
 set default interface FastEthernet2/0