C871 Performance Issue with IPSec

Unanswered Question
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
spremkumar Fri, 08/03/2007 - 03:13


can you revert back on how and where you are measuring this performance out there with ipsec ?

do you have any other applications like web access/mail access being accessed from the internet except this vpn ?


I measured the throughput using the SHOW INTERFACE command on the WAN port with multiple file transfers going at the same time.

If I remove the C871 and go directly to the Internet router with no VPN I can get the 5 Mb/s I am alloted on the Interet link with the same multiple file transfers.

With the C871 and IPSec VPN the response is slower than my dedicated T-1 I am trying to replace.


zshadowcisco Sat, 08/04/2007 - 10:28

According to cisco :

Q. What are the performance characteristics of the Cisco 870 Series and Cisco 850 Series Integrated Services Routers?

A. Aggregate performance with IPsec 3DES for the Cisco 870 Series is up to 8 Mbps with IMIX packets, and up to 30 Mbps with 1400-byte packets.

As a 3DES string is more complex to encrypt than with AES, I think you can achieve a min throughput of 20Mbps with some access lists, nat enabled, CBAC and so on...

I have configured a 3DES tunnel with a router with a Conexant chip, and the throughput was already more than 1Mb/s with a 851 router (851 %cpu : about 30%, conexant %cpu : 100%).

When the tunnel is established, check the %cpu used on your 871 with the "show proc cpu hist" command.

And if you hit 100%, then "show proc cpu sorted" should tell you which process is wasting the router cpu cycles.


This Discussion