Encryption problem

ambi
Level 1

I have IPsec encryption running between 2 directly connected routers over a FR multilink interface.

The moment we enable encryption, the link utilization seems to peak causing issues such as slowness etc.

The utilization seems to subside (around 60%) if I disable encryption.

What is the normal traffic overhead we can expect when we enable encryption? Is the symptom that is seen expected, or is it some sort of IOS bug?

Ambi

7 Replies

Leo Laohoo
Hall of Fame

Hi Subramanian,

What IOS are you using?

Do your routers have an AIM/VPN card?

Can you post the config for both?

Hi,

http://www.cisco.com/en/US/products/ps6635/products_white_paper09186a008022bde8.shtml#wp1002499

There will be an additional

IPsec Tunnel Mode

IPsec Tunnel Mode encapsulates and protects an entire IP packet. Because IPsec tunnel mode encapsulates or hides the IP header of the packet, a new IP header must be added for the packet to be successfully forwarded. The encrypting routers themselves own the IP addresses used in these new headers. Tunnel mode may be employed with Encapsulating Security Payload (ESP) and/or Authentication Header. Using tunnel mode results in additional packet expansion of approximately 20 bytes associated with the new IP header. Tunnel mode expansion of the IP packet.

IOS is 12.2(33)SRC and the platform is 7200 NPE-400

Attached are the configs. I have changed the IP addresses for obvious reasons.

Ambi

Based on the config you would at a minimum be adding about 52 bytes to each packet

You need to figure out the avg packet size for the traffic between the two routers. Add the above 52 bytes and figure out if the utilization matches to what you see

One thing you can do however is to refine the access-list for the IPsec

Instead of permit ip you can streamline it to some specific application protocols and check whether the utilization comes down

HTH

Narayan

"You need to figure out the avg packet size for the traffic between the two routers. Add the above 52 bytes and figure out if the utilization matches to what you see "

For the OP, the impact of what Narayan describes . . .

If 52 bytes overhead is being added per packet, and a) packets are small (e.g. perhaps 576 default MTU), and b) packets are being fragmented (i.e. 2x packet with additional overhead), that might add about 20% to traffic.

If lots of minimum size packets, e.g. ACKs, that would increase such traffic by about 80%.
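To make the arithmetic in Narayan's and Joseph's replies concrete, here is an added Python calculator (not code from any poster in this thread) that models ESP tunnel-mode expansion and the fragmentation that follows when the encapsulated packet no longer fits the MTU. It assumes a 3DES-CBC / HMAC-SHA1-96 transform set (8-byte IV and block, 12-byte ICV) and no IP options; with those defaults the per-packet overhead is 50 to 57 bytes depending on padding, which is where the thread's "about 52 bytes" comes from.

```python
import math

IP_HDR = 20        # IPv4 header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

def esp_tunnel_size(pkt_len, iv_len=8, block=8, icv_len=12):
    """Wire size of one IP packet after ESP tunnel-mode encapsulation.

    Defaults model 3DES-CBC (8-byte IV and block) with HMAC-SHA1-96
    (12-byte ICV); this transform set is an assumption, not from the thread.
    """
    # Inner packet + trailer is padded up to a multiple of the cipher block.
    pad = (-(pkt_len + ESP_TRAILER)) % block
    return IP_HDR + ESP_HDR + iv_len + pkt_len + pad + ESP_TRAILER + icv_len

def fragment_total(size, mtu=1500):
    """Bytes on the wire once a `size`-byte packet is fragmented to fit `mtu`.

    Every fragment repeats the 20-byte outer IP header; all but the last
    fragment carry a payload that is a multiple of 8 bytes.
    """
    if size <= mtu:
        return size
    payload = size - IP_HDR
    per_frag = (mtu - IP_HDR) // 8 * 8
    return payload + math.ceil(payload / per_frag) * IP_HDR

def overhead_pct(pkt_len, mtu=1500, **cipher):
    """Percent growth in link bytes for one packet of length pkt_len."""
    wire = fragment_total(esp_tunnel_size(pkt_len, **cipher), mtu)
    return 100.0 * (wire - pkt_len) / pkt_len

def mix_overhead_pct(mix, mtu=1500, **cipher):
    """Aggregate percent growth for a traffic mix given as [(pkt_len, count)]."""
    before = sum(n * l for l, n in mix)
    after = sum(n * fragment_total(esp_tunnel_size(l, **cipher), mtu) for l, n in mix)
    return 100.0 * (after - before) / before

if __name__ == "__main__":
    # Constructed sample sizes: TCP ACK, classic 576-byte datagram, full Ethernet MTU.
    for size in (64, 576, 1500):
        print(f"{size:5d} B -> {overhead_pct(size):5.1f}% more link bytes")
    # Same 576-byte packets across a 576-byte MTU: encapsulation forces fragmentation.
    print(f"576 B over MTU 576 -> {overhead_pct(576, mtu=576):5.1f}%")
    # A constructed 50/50 mix of ACKs and full-size packets.
    print(f"mixed -> {mix_overhead_pct([(64, 50), (1500, 50)]):5.1f}%")
```

Feed `mix_overhead_pct` the real size distribution from the router's interface counters or a capture, and compare the result with the utilization jump you see; a much larger jump than the calculator predicts points at something other than encapsulation overhead.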

Leo Laohoo
Hall of Fame

Hi Subramanian,

Do your routers have an AIM/VPN card?

Leo

Though it would be better to have an AIM/VPN card in the router, that would just offload the router CPU.

As per the post, though, the CPU is not the issue but the link utilization, which should be the same irrespective of whether running software or hardware encryption.

Let's get a confirmation whether it's the link utilization or CPU utilization.

Narayan
