2811 IPSec Performance

Jul 26th, 2011

Hi Guys,

I am having problems with CPU load on a 2811 with AIM-VPN-II. There is a GRE+IPSec tunnel over an E3 WAN link and the authentication is done using RSA, but even though there is around 10Mb/s of traffic, I have 70 - 85%.

I also have another WAN link with a 2811 router that doesn't have an AIM-VPN, and that one reaches 95% CPU once the traffic goes up to 5 Mb/s.

crypto isakmp policy 10
 encr aes
 authentication rsa-encr
 group 5
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TEST esp-aes esp-sha-hmac
!
crypto ipsec profile TEST
 set transform-set TEST
interface Tunnel0
 description ***E3 WAN Link***
 bandwidth 32000
 ip address x.x.x.x x.x.x.x
 ip mtu 1376
 ip tcp adjust-mss 1336
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel protection ipsec profile TEST

Are there any recommendations that RSA authentication is not supported for hardware encryption? It worries me, because I have more situations like this.

Thanks

Jason Gervia Tue, 07/26/2011 - 12:27

Once the tunnel is authenticated, CPU usage should go back down (certificates are only used to authenticate phase 1).  You're more likely to have an issue with the amount of packets you are sending through - the more packets sent the more your throughput suffers.


You could probably help yourself by not using AES, but that's dependent on your security policy.

--Jason

cciesec2011 Tue, 07/26/2011 - 18:09

"You could probably help yourself by not using AES, but that's dependent on your security policy"

I am not sure where or how you came up with that conclusion.  It has been shown consistently that AES provides lower CPU load than 3DES. 

Rozsa Illes Wed, 07/27/2011 - 05:22

Hi Michal,

The 2811 router has quite lower IPsec performance than the 2821 or 2851 routers, even with the AIM module.

The RSA would indeed only affect the initial tunnel setup. I would rather check what other features you might have (QoS and NBAR, for example, are quite CPU intensive) and what the average packet size is on your network. Small packets would decrease the performance quite a lot as we need more CPU cycles to process them.

Warm Regards,

Rose
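
The packet-size point raised in the replies, worked through as an added example (not posted by anyone in this thread): it computes the on-wire size of one packet through the tunnel in the posted config and the packet rate needed to carry 10 Mb/s at several packet sizes. The header sizes are assumptions: IPv4 without options, basic 4-byte GRE, ESP in tunnel mode with AES-CBC and HMAC-SHA1-96; the function names are hypothetical.

```python
import math

# Assumed encapsulation for the posted config: GRE tunnel protected by an
# IPsec profile, transform-set "esp-aes esp-sha-hmac", default tunnel mode.
IP_HDR = 20       # IPv4 header without options
GRE_HDR = 4       # basic GRE header, no key or sequence options
ESP_HDR = 8       # SPI + sequence number
AES_BLOCK = 16    # AES-CBC block size, also the IV length
ESP_TRAILER = 2   # pad-length byte + next-header byte
ICV = 12          # HMAC-SHA1-96 truncated authentication tag


def wire_size(inner_ip_len: int) -> int:
    """Bytes sent on the WAN link for one inner IP packet."""
    gre_packet = IP_HDR + GRE_HDR + inner_ip_len
    # ESP pads payload + trailer up to a whole number of cipher blocks.
    padded = math.ceil((gre_packet + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    return IP_HDR + ESP_HDR + AES_BLOCK + padded + ICV


def packets_per_second(payload_bps: float, inner_ip_len: int) -> int:
    """Packets the router must encrypt each second to carry payload_bps."""
    return round(payload_bps / (inner_ip_len * 8))


def report(payload_bps: float, sizes):
    """Rows of (inner size, wire size, overhead bytes, packets per second)."""
    return [
        (s, wire_size(s), wire_size(s) - s, packets_per_second(payload_bps, s))
        for s in sizes
    ]


if __name__ == "__main__":
    # Constructed sample sizes; 1376 is the "ip mtu" from the posted config.
    print(f"{'inner':>6} {'wire':>6} {'overhead':>9} {'pps @10Mb/s':>12}")
    for inner, wire, overhead, pps in report(10_000_000, [64, 256, 576, 1376]):
        print(f"{inner:>6} {wire:>6} {overhead:>9} {pps:>12}")
```

At the same 10 Mb/s, 64-byte packets require roughly twenty times as many per-packet encrypt operations as packets at the tunnel's 1376-byte IP MTU, which also stays under a 1500-byte link MTU after encapsulation.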

Posted July 26, 2011 at 1:33 AM