VPN Throughput

Answered Question
Sep 29th, 2009

I just set up a point-to-point VPN tunnel between a central 3825 and two remote 2811s over a 100Mb link via Ethernet.

I'm using AES256 encryption for isakmp and ipsec. Speeds w/o the tunnel active between the remote and central site are 60-70Mb. Speeds WITH the tunnel are 28-32Mb.

Why such a large decrease in speed? And is this a good result, or should I be able to increase speeds somehow?

CPU utilization on the 2811s increases to around 75% when a large amount of traffic is being passed. I assume this has something to do with the speed decreases.

Correct Answer
Collin Clark Wed, 09/30/2009 - 06:46

The encrypt/decrypt process for the packets is performed by the CPU. Just like on a PC, the busier the CPU, the slower everything performs. You are in luck though. Cisco has an AIM card which performs the encrypt/decrypt and allows the CPU to perform other duties. You will see a 'speed' gain when using the AIM card. Here's a link for more information.

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/data_sheet_vpn_aim_for_18128003800routers_ps5853_Products_Data_Sheet.html

A helpful guide once they are installed:

https://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htvpnssl.html

Hope it helps.

b.gamble Wed, 09/30/2009 - 07:18

Thanks for the link.

I'm going to try the same VPN scenario in the lab to see what kind of performance I get across two directly connected 2811 routers.

If the speeds are comparable, at least I know the problems don't lie elsewhere. Conversely, I then know the problems don't lie elsewhere. ;)

Thanks.

Correct Answer
cisco24x7 Wed, 09/30/2009 - 11:34

An IPSec VPN between a Cisco 2811 running IOS 12.4(24)T Advanced Enterprise with on-board encryption can get you about 60Mbps throughput with AES-256/SHA/DH-5/PFS-group5.

I tested it from a C2811 with a Checkpoint SPLAT NGx R70 firewall. At 60Mbps throughput, the Cisco 2811 CPU is running about 98% Utilization.

Make sure you have these lines in your 2811 config:

crypto engine accelerator

crypto engine onboard 0

b.gamble Thu, 10/01/2009 - 11:01

After checking, those settings were enabled. I believe they're defaults in my IOS release.

I got nearly identical speeds in a lab environment as I did in the production environment.

It appears our only chance to increase speeds is with the AIMs.

Thanks for the replies.

cisco24x7 Thu, 10/01/2009 - 15:53

Here is my 2c on this:

- With the on-board encryption and PFS disabled, I was able to push 64Mbps of AES-256 IPSec traffic on IOS 12.4T. I don't think you can get much more throughput on the 2811 than 64Mbps even with the AIM module. CPU will be your limiting factor.

- The ASA5510 can give you much more throughput than the 2811 at a much lower cost.

b.gamble Thu, 10/01/2009 - 17:07

Much lower cost if you didn't already own the 2811.

How do you disable PFS?

cisco24x7 Thu, 10/01/2009 - 18:37

When you define the crypto map, just do NOT include "set pfs group5". Example (the transform set named aes256 and access list 101 are assumed to be defined already):

crypto map vpn 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set aes256
 set security-association lifetime seconds 3600
 match address 101
 ! set pfs group5   <-- leave this line out

That's it.

I think the advantage of ASA over IOS is that you can have DH group 7 which is a level higher than DH group 5

b.gamble Thu, 10/01/2009 - 18:46

I've tried this across two different revisions with identical results.

cisco24x7 Fri, 10/02/2009 - 06:15

What do you use to push traffic? I used Iperf to test throughput and I was able to get 64Mbps on the 2811 IPSec VPN.

Both of my Iperf systems (client/server) are very fast systems, capable of pushing 900Mbps.

b.gamble Fri, 10/02/2009 - 06:18

I use QCheck by Ixia, which is the only software I know of that does this.

If there's something better I'd love to use it. QCheck works, but it'd be nice to have a 2nd piece to compare it against.

b.gamble Fri, 10/02/2009 - 06:26

IPerf results are very close to the QCheck results:

C:\>iperf --server
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[1872] local 10.2.3.36 port 5001 connected with 10.4.1.11 port 2288
[ ID] Interval Transfer Bandwidth
[1872] 0.0-10.0 sec 34.4 MBytes 28.8 Mbits/sec

cisco24x7 Fri, 10/02/2009 - 10:05

On the server, do this: iperf -w 256k -s

On the client, do this: iperf -w 256k -c iperf-server-ip -t 120

That should increase the throughput on the endpoint. Not sure about windows but it works great for me in Linux.
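As an added illustration of why the -w option matters (this is not code from the thread or from Cisco): a small parser for the iperf 2 result lines posted above, plus the bandwidth-delay product that bounds a single TCP stream when the receive window, not the tunnel, is the limit. The RTT values are assumptions for illustration; iperf 2 scales byte counts by 1024 and bit rates by 1000, which is why 34.4 MBytes in 10 s matches 28.8 Mbits/sec.

```python
import re

# Constructed sample, shaped like the iperf 2 server output posted in this thread
# (the figures are the thread's own; the text block itself is assembled here).
IPERF_OUTPUT = """\
[1872] local 10.2.3.36 port 5001 connected with 10.4.1.11 port 2288
[ ID] Interval Transfer Bandwidth
[1872] 0.0-10.0 sec 34.4 MBytes 28.8 Mbits/sec"""

# iperf 2 reports bytes in powers of 1024 and bits/sec in powers of 1000.
BYTE_SCALE = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
BIT_SCALE = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}

RESULT_RE = re.compile(
    r"^\[\s*\d+\]\s+([\d.]+)-([\d.]+)\s+sec\s+"
    r"([\d.]+)\s+([KMG]?)Bytes\s+([\d.]+)\s+([KMG]?)bits/sec\s*$"
)


def parse_iperf_results(text):
    """Return one dict per bandwidth line: interval seconds, bytes moved, reported bit/s."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue  # banner, header and "connected with" lines carry no bandwidth figure
        start, end, xfer, xunit, bw, bunit = m.groups()
        results.append({
            "seconds": float(end) - float(start),
            "bytes": float(xfer) * BYTE_SCALE[xunit],
            "bps": float(bw) * BIT_SCALE[bunit],
        })
    return results


def window_limited_bps(window_bytes, rtt_seconds):
    """Ceiling one TCP stream reaches when the receive window is the bottleneck (window / RTT)."""
    return window_bytes * 8 / rtt_seconds


def window_for_target(target_bps, rtt_seconds):
    """Smallest receive window (bytes) that lets one stream fill target_bps at this RTT."""
    return target_bps * rtt_seconds / 8


if __name__ == "__main__":
    for r in parse_iperf_results(IPERF_OUTPUT):
        print("reported %.1f Mbit/s over %.0f s" % (r["bps"] / 1e6, r["seconds"]))
    # Assumed 2 ms RTT: the 8 KByte Windows default window caps a stream near 32 Mbit/s,
    # so a 100 Mb link needs roughly 25 KBytes of window before the tunnel is the limit.
    print("8 KB window @ 2 ms RTT: %.1f Mbit/s" % (window_limited_bps(8192, 0.002) / 1e6))
    print("window for 100 Mb/s @ 2 ms RTT: %.0f bytes" % window_for_target(100e6, 0.002))
```

Measure the actual RTT between the two iperf hosts with a ping before trusting the ceiling; if the window-limited figure sits close to what iperf reports, the window, not the router CPU, is what the test is measuring.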

b.gamble Fri, 10/02/2009 - 10:17

C:\>iperf -w 256k -c msdtech -t 120
------------------------------------------------------------
Client connecting to msdtech, TCP port 5001
TCP window size: 256 KByte
------------------------------------------------------------
[1872] local 10.4.1.11 port 1803 connected with 10.2.3.36 port 5001
[ ID] Interval Transfer Bandwidth
[1872] 0.0-120.0 sec 507 MBytes 35.4 Mbits/sec

A little better...

cisco24x7 Fri, 10/02/2009 - 10:39

I can NOT comment on Windows platforms, but I can definitely tell you that Iperf performance is so much faster on the Linux platform. My Linux box, with an optimized Linux kernel, can push about 990Mbps on a 1Gig NIC. Maybe you should use Linux to get better performance. Either that or tweak the -w parameter.

b.gamble Fri, 10/02/2009 - 10:42

The network is all Windows, so I don't have any Linux clients to test with. It's also more indicative of what results they'll see, so I'm OK with testing on Windows boxes.

The link is only 100Mb, not 1Gb. I'd be curious to test between a Linux box and a Windows box. Might try that at home.

I just started running Debian.
