Do I need a new router?

Jun 6th, 2007


I've a new LMDS 4mbps symmetric connection.

I have a VPN with 2 Cisco 1721

First (full of memory, VPN module and 3DES encryption): this router is connected directly to the LMDS device with a 4-port WIC

Second (full of memory, without VPN module 3DES encryption): this router has an ADSL 3mbps/512Kb.

I do not know, but the transfer rate is only 60-70-80KB..

This is the stat:

vpn1#show crypto engine accelerator statistic


ds: 0x82A94354 idb:0x82A908B8

Statistics for Virtual Private Network (VPN) Module:

914035 packets in 914035 packets out

27 paks/sec in 27 paks/sec out

112 Kbits/sec in 116 Kbits/sec out

0 packets decompressed 0 packets compressed

0 compressed bytes in 0 uncompressed bytes in

0 compressed bytes out 0 decompressed bytes out

0 packets bypass compression 0 packets abort compression

rx_no_endp: 0 rx_hi_discards: 0 fw_failure: 0

invalid_sa: 0 invalid_flow: 0 cgx_errors 0

fw_qs_filled: 0 fw_resource_lock:0 lotx_full_err: 0

null_ip_error: 0 pad_size_error: 0 out_bound_dh_acc: 0

esp_auth_fail: 0 ah_auth_failure: 0 crypto_pad_error: 0

ah_prot_absent: 0 ah_seq_failure: 0 ah_spi_failure: 0

esp_prot_absent:0 esp_seq_fail: 0 esp_spi_failure: 0

obound_sa_acc: 0 invalid_sa: 0 out_bound_sa_flow: 0

invalid_dh: 0 bad_keygroup: 0 out_of_memory: 0

no_sh_secret: 0 no_skeys: 0 invalid_cmd: 0

dsp_coproc_err: 0 comp_unsupported:0 pak_too_big: 0

pak_mp_length_spec_fault: 0

tx_lo_queue_size_max 2 cmd_unimplemented: 0

32853 seconds since last clear of counters

Interrupts: Notify = 533255, Reflected = 521840, Spurious = 0

cgx_cmd_pending:0 packet_loop_max: 240 packet_loop_limit: 512


Is the sender not potent enough?
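
As an added example (not part of the original thread and not a Cisco tool), the Python below parses an excerpt of the counters posted above, flags any non-zero error counter, and recomputes the packet rate from the totals. The `NOT_ERRORS` set is an assumption about which fields are queue depths or limits rather than errors.

```python
import re

# Excerpt of the `show crypto engine accelerator statistic` output from the post.
SAMPLE = """\
914035 packets in 914035 packets out
27 paks/sec in 27 paks/sec out
112 Kbits/sec in 116 Kbits/sec out
rx_no_endp: 0 rx_hi_discards: 0 fw_failure: 0
invalid_sa: 0 invalid_flow: 0 cgx_errors 0
fw_qs_filled: 0 fw_resource_lock:0 lotx_full_err: 0
esp_auth_fail: 0 ah_auth_failure: 0 crypto_pad_error: 0
dsp_coproc_err: 0 comp_unsupported:0 pak_too_big: 0
tx_lo_queue_size_max 2 cmd_unimplemented: 0
32853 seconds since last clear of counters
cgx_cmd_pending:0 packet_loop_max: 240 packet_loop_limit: 512
"""

# Assumption: these names are queue depths or limits, not error counters.
NOT_ERRORS = {"tx_lo_queue_size_max", "cgx_cmd_pending",
              "packet_loop_max", "packet_loop_limit"}

# Counter names contain underscores; the colon and the space are both optional.
COUNTER = re.compile(r"\b([a-z]+(?:_[a-z]+)+):?\s*(\d+)")
RATE = re.compile(r"(\d+)\s+(packets|paks/sec|Kbits/sec)\s+(in|out)\b")
CLEARED = re.compile(r"(\d+) seconds since last clear")

def parse(text):
    """Return (counters, rates, seconds_since_clear) from the command output."""
    counters = {}
    for name, value in COUNTER.findall(text):
        # invalid_sa is printed twice in the full output; keep the larger value.
        counters[name] = max(counters.get(name, 0), int(value))
    rates = {f"{unit} {way}": int(v) for v, unit, way in RATE.findall(text)}
    m = CLEARED.search(text)
    return counters, rates, int(m.group(1)) if m else None

def summarize(text):
    """Flag non-zero error counters and recompute the average packet rate."""
    counters, rates, seconds = parse(text)
    errors = {k: v for k, v in counters.items() if v and k not in NOT_ERRORS}
    avg_pps = rates["packets in"] // seconds if seconds else None
    return {"errors": errors,
            "avg_pps_in": avg_pps,  # total packets / seconds since clear
            "shown_pps_in": rates.get("paks/sec in"),
            "kbytes_per_sec_in": rates["Kbits/sec in"] / 8}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the posted output no error counter is non-zero, and 914035 packets over 32853 seconds gives 27 per second, the same figure the module prints. That suggests the rate lines are averages over the whole counter interval, so they are not directly comparable with the rate seen during a single transfer.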

Richard Burts Tue, 06/12/2007 - 11:00


There might be a couple of things that are impacting the throughput. I would take a look at the link capacity of the second router. I wonder if the mismatch between its capacity (3mbps/512Kb) is part of the issue. But I suspect that the major issue is that the second router does not have the VPN acceleration module. This means that all of the processing for encryption and decryption must be done in software. The 1721 is not a particularly strong router and doing the encryption and decryption in software would tend to bog it down.



Richard Burts Tue, 06/12/2007 - 11:50


If both routers now have the VPN module then I would expect performance to improve. Please let us know what happens.



edgar-quintana Tue, 06/12/2007 - 14:33


This is our scenario:

-Headquarters with a 1721 (64mb memory module, VPN module, WIC 1ADSL and WIC 4 port LAN) running IOS c1700-k9o3sy7-mz.124-8a.bin

Office A with the same 1721, same hardware (only WIC 1ADSL installed), same IOS version

Office B 837 nothing improved and IOS c837-k9o3sy6-mz.124-10a.bin

Between Headquarters and A, and Headquarters and B, a VPN 3DES IPsec is established; nothing between A-B.

A and B have 3mbps ADSL and Headquarters a 4mbps LMDS connection.

From this, LMDS makes 430KB/s and ADSL 3mbps 310-320KB/s.

In headquarters, an FTP server under Linux is configured and connected from A and B ... B gives 130KB/s--160KB/s

If this FTP server is configured under Windows 2003 R2 at headquarters, this rate goes down to 60KB/s or 70KB/s

I don't know if the slow problem is the router, which cannot send as quickly as LMDS, or the config, or an incorrect IOS version... I do not know

Richard Burts Tue, 06/12/2007 - 18:31


Maybe I am not understanding something correctly. But it sounds to me like you are saying that at headquarters if you use a linux server for FTP then A and B get 130 to 160 KBs. But if you use a Windows server at headquarters for FTP then A and B get only 60 or 70 KBs. If that is the correct understanding then the issue is not anything in the router. The issue is that the performance of the Windows server is worse than the performance of the linux server.



edgar-quintana Tue, 06/12/2007 - 23:41

This is the first thing...

If both are power servers, I do not know why this occurs.

Second one is... using a Linux FTP server I do not know why the rate is only 150-160Kb/s when it would be at least 200..250KB/s or more, the middle of an LMDS connection


edgar-quintana Fri, 06/15/2007 - 04:41


I've been doing probes with/without encryption and with/without integrity

There is the same velocity (140-150KB/s) using esp_3des-md5-hmac or des-nothing or esp_null-md5-hmac

Then... where is the problem? Is the 1721 not strong enough?


