Encryption problem

Unanswered Question

I have an IPsec encryption running between 2 directly connected routers over a FR multilink interface.

The moment we enable encryption, the link utilization seems to peak, causing issues such as slowness etc.

The utilization seems to subside (around 60%) if I disable encryption.


What is the normal traffic overhead we can expect when we enable encryption? Is the symptom that is seen expected, or is it some sort of IOS bug?


Ambi

Leo Laohoo Tue, 04/07/2009 - 21:57

Hi Subramanian,

What IOS are you using?

Do your routers have an AIM/VPN card?

Can you post the config for both?

srinivas_816 Tue, 04/07/2009 - 22:09

Hi,


http://www.cisco.com/en/US/products/ps6635/products_white_paper09186a008022bde8.shtml#wp1002499


There will be an additional


IPsec Tunnel Mode

IPsec Tunnel Mode encapsulates and protects an entire IP packet. Because IPsec tunnel mode encapsulates or hides the IP header of the packet, a new IP header must be added for the packet to be successfully forwarded. The encrypting routers themselves own the IP addresses used in these new headers. Tunnel mode may be employed with Encapsulating Security Payload (ESP) and/or Authentication Header. Using tunnel mode results in additional packet expansion of approximately 20 bytes associated with the new IP header. Tunnel mode expansion of the IP packet.



royalblues Tue, 04/07/2009 - 22:54

Based on the config you would at a minimum be adding about 52 bytes to each packet


You need to figure out the avg packet size for the traffic between the two routers. Add the above 52 bytes and figure out if the utilization matches to what you see


One thing you can do however is to refine the access-list for the IPsec

Instead of permit ip you can streamline it to some specific application protocols and check whether the utilization comes down


HTH

Narayan

Joseph W. Doherty Wed, 04/08/2009 - 03:22

"You need to figure out the avg packet size for the traffic between the two routers. Add the above 52 bytes and figure out if the utilization matches to what you see "


For the OP, the impact of what Narayan describes . . .


If 52 bytes overhead is being added per packet, and a) packets are small (e.g. perhaps 576 default MTU), and b) packets are being fragmented (i.e. 2x packet with additional overhead), that might add about 20% to traffic.


If lots of minimum size packets, e.g. ACKs, that would increase such traffic by about 80%.
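The arithmetic Narayan and Joseph describe (per-packet expansion, worse for small packets, worse again when the encrypted packet no longer fits the MTU and fragments) can be worked through for any packet mix. This is an added example, not code from the thread; it assumes ESP tunnel mode with an 8-byte-block cipher and 8-byte IV (e.g. 3DES), a 96-bit HMAC, and a 1500-byte IPv4 link MTU, none of which the original post states.

```python
# Added example: estimate ESP tunnel-mode expansion and the resulting increase
# in link bytes for a list of cleartext packet sizes, including fragmentation.
# Assumed parameters (not from the thread): block=8 / iv=8 (3DES), icv=12
# (HMAC-SHA1-96 or HMAC-MD5-96), IPv4 MTU 1500. Frame Relay framing is ignored.

IP_HDR = 20          # outer IPv4 header added in tunnel mode
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header


def esp_tunnel_size(pkt_len, block=8, iv=8, icv=12):
    """Size of a pkt_len-byte IPv4 packet after ESP tunnel-mode encapsulation.

    The original packet plus the 2-byte ESP trailer is padded up to the
    cipher block size, then wrapped in outer IP + ESP header + IV, with the
    integrity check value (ICV) appended.
    """
    body = pkt_len + ESP_TRAILER
    pad = (-body) % block            # bytes needed to reach a block boundary
    return IP_HDR + ESP_HDR + iv + body + pad + icv


def wire_bytes(pkt_len, mtu=1500, **cipher):
    """Return (bytes on the link, fragment count) for one cleartext packet.

    If the encrypted packet exceeds the MTU the outer packet is fragmented;
    every fragment carries its own IPv4 header, so each extra fragment costs
    a further 20 bytes. IPv4 fragment payloads are multiples of 8 bytes.
    """
    size = esp_tunnel_size(pkt_len, **cipher)
    if size <= mtu:
        return size, 1
    chunk = (mtu - IP_HDR) // 8 * 8   # max payload per fragment
    payload = size - IP_HDR
    nfrag = -(-payload // chunk)      # ceiling division
    return payload + nfrag * IP_HDR, nfrag


def overhead_pct(sizes, mtu=1500, **cipher):
    """Percentage increase in link bytes for a list of cleartext packet sizes."""
    before = sum(sizes)
    after = sum(wire_bytes(s, mtu, **cipher)[0] for s in sizes)
    return 100.0 * (after - before) / before


if __name__ == "__main__":
    # Constructed sample mix: 40-byte ACKs, 576-byte packets, full 1500-byte packets
    for s in (40, 576, 1500):
        print(s, "->", wire_bytes(s))
    print("overhead for the mix: %.1f%%" % overhead_pct([40, 40, 576, 1500]))
```

Small packets dominate the result: a 40-byte ACK more than doubles on the wire, while a full-size packet pays a modest percentage but turns into two fragments.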

Leo Laohoo Wed, 04/08/2009 - 01:44

Hi Subramanian,

Do your routers have an AIM/VPN card?


royalblues Wed, 04/08/2009 - 02:17

Leo


Though it would be better to have an AIM/VPN card in the router, that would just offload the router CPU.


As per the post, though, the CPU is not the issue but the link utilization, which should be the same irrespective of whether running software or hardware encryption.


Let's get a confirmation whether it's the link utilization or CPU utilization.


Narayan
