VPN Throughput

b.gamble
Level 1
Level 1

I just set up a point-to-point VPN tunnel between a central 3825 and two remote 2811s over a 100Mb link via Ethernet.

I'm using AES256 encryption for isakmp and ipsec. Speeds w/o the tunnel active between the remote and central site are 60-70Mb. Speeds WITH the tunnel are 28-32Mb.

Why such a large decrease in speed? And is this a good result or should I be able to increase speeds some how?

CPU utilization on the 2811s increases to around 75% when a large amount of traffic is being passed. I assume this has something to do with the speed decreases.



Collin Clark
VIP Alumni
VIP Alumni

The encrypt/decrypt process for the packets is performed by the CPU. Just like on a PC, the busier the CPU, the slower everything performs. You are in luck though. Cisco has an AIM card which performs the encrypt/decrypt and allows the CPU to perform other duties. You will see a 'speed' gain when using the AIM card. Here's a link for more information.

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/data_sheet_vpn_aim_for_18128003800routers_ps5853_Products_Data_Sheet.html

A helpful guide once they are installed:

https://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htvpnssl.html

Hope it helps.

Thanks for the link.

I'm going to try the same VPN scenario in the lab to see what kind of performance I get across two directly connected 2811 routers.

If the speeds are comparable, at least I know the problems don't lie elsewhere. Conversely, I then know the problems don't lie elsewhere. ;)

Thanks.

An IPSec VPN between a Cisco 2811 running IOS 12.4(24)T Advanced Enterprise with on-board encryption can get you about 60Mbps throughput with AES-256/SHA/DH-5/PFS-group5.

I tested it from a C2811 with a Checkpoint SPLAT NGx R70 firewall. At 60Mbps throughput, the Cisco 2811 CPU is running at about 98% utilization.

Make sure you have these lines in your 2811 config:

crypto engine accelerator
crypto engine onboard 0

After checking, those settings were enabled. I believe they're defaults in my IOS release.

I got nearly identical speeds in a lab environment as I did in the production environment.

It appears our only chance to increase speeds is with the AIMs.

Thanks for the replies.

Here is my 2c on this:

- With the on-board encryption and PFS disabled, I was able to push 64Mbps of AES-256 IPSec traffic on IOS 12.4T. I don't think you can get much more throughput on the 2811 than 64Mbps even with the AIM module. CPU will be your limiting factor.

- The ASA5510 can give you much more throughput than the 2811 at a much lower cost.

Much lower cost if you didn't already own the 2811.

How do you disable PFS?

When you define the crypto map, just do NOT add "set pfs group5". Example:

crypto map vpn 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set aes256
 set security-association lifetime seconds 3600
 match address 101
 ! set pfs group5   <-- leave this line out

That's it.

I think the advantage of ASA over IOS is that you can have DH group 7, which is a level higher than DH group 5.

That line was left out of the config already.

Try a different IOS rev.

I've tried this across two different revisions with identical results.

What do you use to push traffic? I used Iperf to test throughput and I was able to get 64Mbps on the 2811 IPSec VPN.

Both of my Iperf systems (client/server) are very fast systems, capable of pushing 900Mbps.

I use QCheck by Ixia, which is the only software I know of that does this.

If there's something better I'd love to use it. QCheck works, but it'd be nice to have a 2nd piece to compare it against.

IPerf results are very close to the QCheck results:

C:\>iperf --server
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[1872] local 10.2.3.36 port 5001 connected with 10.4.1.11 port 2288
[ ID] Interval       Transfer     Bandwidth
[1872]  0.0-10.0 sec  34.4 MBytes  28.8 Mbits/sec

On the server, do this: iperf -w 256k -s

On the client, do this: iperf -w 256k -c iperf-server-ip -t 120

That should increase the throughput on the endpoint. Not sure about Windows, but it works great for me in Linux.
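The suggestion to raise the iperf window size hides a check worth doing before blaming the router's crypto engine: a single TCP stream can never move more than one receive window per round trip, so with the 8 KByte default window the test itself may be the ceiling, not the tunnel. The script below is an added example written for this thread, not code from any poster or from Cisco. It parses an iperf 2 summary line in the format shown above (a constructed copy of the posted line), recomputes the rate from the byte count as a sanity check (iperf 2 reports bytes in binary units and bits in decimal units), computes the window-limited ceiling for the default 8 KByte and the suggested 256 KByte windows at an assumed 2 ms RTT, and reports whether a measurement sits at the window ceiling or below it. The 2 ms RTT and the 15% slack are assumptions; measure your own RTT with ping before trusting the verdict.

```python
import re

# Constructed sample, in the format of the iperf 2 summary line posted in the thread.
SAMPLE_SUMMARY = "[1872] 0.0-10.0 sec 34.4 MBytes 28.8 Mbits/sec"

# iperf 2 convention: transfer in binary units (KBytes = 1024), bandwidth in decimal units.
BYTE_UNIT = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
BIT_UNIT = {"K": 1e3, "M": 1e6, "G": 1e9}

SUMMARY_RE = re.compile(
    r"\[\s*\d+\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG])Bytes\s+"
    r"(?P<bw>[\d.]+)\s+(?P<bunit>[KMG])bits/sec"
)


def parse_iperf_summary(line):
    """Return (seconds, bytes_transferred, reported_bps) from an iperf 2 summary line."""
    m = SUMMARY_RE.search(line)
    if m is None:
        raise ValueError("not an iperf summary line: %r" % line)
    seconds = float(m["end"]) - float(m["start"])
    nbytes = float(m["xfer"]) * BYTE_UNIT[m["xunit"]]
    reported_bps = float(m["bw"]) * BIT_UNIT[m["bunit"]]
    return seconds, nbytes, reported_bps


def derived_bps(line):
    """Recompute throughput from byte count and interval, to cross-check the reported figure."""
    seconds, nbytes, _ = parse_iperf_summary(line)
    return nbytes * 8 / seconds


def window_ceiling_bps(window_bytes, rtt_seconds):
    """Upper bound for one TCP stream: one receive window per round trip.
    This limit applies regardless of link speed or crypto load on the router."""
    return window_bytes * 8 / rtt_seconds


def tunnel_penalty(clear_bps, tunnel_bps):
    """Fraction of throughput lost when the tunnel is active."""
    return 1.0 - tunnel_bps / clear_bps


def classify_bottleneck(measured_bps, window_bytes, rtt_seconds, slack=0.15):
    """'window' when the measured rate sits within `slack` of the window ceiling
    (grow -w and re-test before blaming the router), else 'path-or-crypto'."""
    ceiling = window_ceiling_bps(window_bytes, rtt_seconds)
    if measured_bps >= ceiling * (1.0 - slack):
        return "window"
    return "path-or-crypto"


if __name__ == "__main__":
    _, _, reported = parse_iperf_summary(SAMPLE_SUMMARY)
    print("reported %.1f Mbit/s, recomputed %.1f Mbit/s"
          % (reported / 1e6, derived_bps(SAMPLE_SUMMARY) / 1e6))
    rtt = 0.002  # assumed 2 ms RTT on the Ethernet path; substitute a measured value
    for win in (8 * 1024, 256 * 1024):
        print("window %6d B at %.0f ms RTT -> ceiling %.1f Mbit/s, verdict: %s"
              % (win, rtt * 1e3, window_ceiling_bps(win, rtt) / 1e6,
                 classify_bottleneck(reported, win, rtt)))
    # Thread's own numbers: roughly 65 Mbit/s clear versus 30 Mbit/s through the tunnel.
    print("tunnel penalty: %.0f%%" % (100 * tunnel_penalty(65e6, 30e6)))
```

With the assumed 2 ms RTT the 8 KByte window caps a single stream at about 32.8 Mbit/s, which is close to the 28.8 Mbit/s shown above; a 256 KByte window moves the ceiling to roughly 1 Gbit/s, so any result that stays near 30 Mbit/s after the change points at the path or the router's crypto load rather than at the test tool.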
