2811 IPSec Performance

michal.grzelak
Level 1

Hi Guys,

I am having problems with CPU load on a 2811 with AIM-VPN-II. There is GRE+IPSec over an E3 WAN link and the authentication is done using RSA, but even though there is around 10 Mb/s of traffic, I have 70 - 85%.

I also have another WAN link with a 2811 router that doesn't have an AIM-VPN, and that one reaches 95% CPU once the traffic goes up to 5 Mb/s.

crypto isakmp policy 10
 encr aes
 authentication rsa-encr
 group 5
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TEST esp-aes esp-sha-hmac
!
crypto ipsec profile TEST
 set transform-set TEST
interface Tunnel0
 description ***E3 WAN Link***
 bandwidth 32000
 ip address x.x.x.x x.x.x.x
 ip mtu 1376
 ip tcp adjust-mss 1336
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel protection ipsec profile TEST

Are there any recommendations that RSA authentication is not supported for hardware encryption? It worries me, because I have more situations like this.

Thanks

3 Replies

Jason Gervia
Cisco Employee

Once the tunnel is authenticated, CPU usage should go back down (certificates are only used to authenticate phase 1).  You're more likely to have an issue with the amount of packets you are sending through - the more packets sent the more your throughput suffers.


You could probably help yourself by not using AES, but that's dependent on your security policy.

--Jason

"You could probably help yourself by not using AES, but that's dependent on your security policy"

I am not sure where or how you came up with that conclusion.  It has been shown consistently that AES provides lower CPU load than 3DES. 

Rozsa Illes
Cisco Employee

Hi Michal,

The 2811 router has a quite lower ipsec performance than the 2821 or 2851 routers, even with the AIM module.

The RSA would indeed only affect the initial tunnel setup. I would rather check what other features you might have (QoS, NBAR for example are quite cpu intensive) and what is the average packet size you have on the network. Small packets would decrease the performance quite a lot as we need more CPU cycles to process them.

Warm Regards,

Rose
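
The packet-size point raised in the replies can be made concrete for the posted tunnel (GRE protected by esp-aes esp-sha-hmac, ip mtu 1376). The following is an added example, not part of the original thread: it computes the on-the-wire size of one encapsulated packet and the number of packets per second the router has to encrypt for a given traffic rate. The header sizes are assumptions: IPv4, ESP tunnel mode, a basic 4-byte GRE header, AES-CBC and HMAC-SHA1-96, no NAT-T; all function names are illustrative.

```python
# Added example: per-packet overhead and packet rate for GRE over IPsec.
# Assumed sizes (not stated in the thread): IPv4 without options, basic GRE,
# ESP tunnel mode, AES-CBC (16-byte IV/block), HMAC-SHA1-96 (12-byte ICV).
IP_HDR = 20        # IPv4 header
GRE_HDR = 4        # GRE header without key/sequence options
ESP_HDR = 8        # SPI + sequence number
AES_IV = 16
AES_BLOCK = 16
ESP_TRAILER = 2    # pad-length + next-header bytes
SHA1_ICV = 12      # HMAC-SHA1 truncated to 96 bits


def gre_packet_size(inner_len):
    """Size of the GRE/IP packet that carries an inner IP packet."""
    return inner_len + GRE_HDR + IP_HDR


def esp_tunnel_size(plain_len):
    """Size of the outer IP packet after ESP tunnel-mode encapsulation."""
    # Plaintext plus trailer is padded up to a whole number of AES blocks.
    padded = -(-(plain_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return IP_HDR + ESP_HDR + AES_IV + padded + SHA1_ICV


def wire_size(inner_len):
    """Inner packet -> GRE -> ESP: bytes that leave the WAN interface."""
    return esp_tunnel_size(gre_packet_size(inner_len))


def packets_per_second(mbps, avg_inner_len):
    """Packets to encrypt per second to carry mbps of inner traffic."""
    return round(mbps * 1_000_000 / (avg_inner_len * 8))


def report(mbps, sizes=(64, 256, 576, 1376)):
    """Rows of (inner size, wire size, overhead %, packets per second)."""
    rows = []
    for size in sizes:
        wire = wire_size(size)
        overhead_pct = 100 * (wire - size) / size
        rows.append((size, wire, overhead_pct, packets_per_second(mbps, size)))
    return rows


if __name__ == "__main__":
    for size, wire, pct, pps in report(10):
        print(f"inner {size:>4} B -> wire {wire:>4} B "
              f"(+{pct:.1f}%), {pps} pps at 10 Mb/s")
```

Under these assumptions a full 1376-byte packet stays below a 1500-byte path MTU after encapsulation, while the same 10 Mb/s carried in 64-byte packets means roughly twenty times as many packets for the router to process.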
