Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Max 3DES/DES IPSEC throughput of an 806 router.

I am creating and IPSEC tunnel between an 806 router and a Concentrator 3015. The 806 is connected to cable modem provider, and the concentrator sits on per-packet load balanced ds1's. Sending data across the tunnel (tunnel is across the Internet) The copy is a ms network file copy from an nt server behind the concentrator to the a Win98 client pc behind the 806. The max throughput I am seeing is 9-13k/s. File transfers that do not go across the tunnel easily peak over 100k/s. I have tried adjusting the MTU on the client pc, I have tried turning off PMTUD on the client pc as well. This yeilded no improvement in performance. I am trying to find out what the max througput of the 806 router is when doing 3des/des encryption tunnels. The 806 sits around 12-15 cpu utilization. Perhaps I should be setting a lower MTU elsewhere? Perhaps the concnetrator? (i don think thats an option, but im open to all ideas) The goal here is faster transfer speeds than 10k/s

-Chris

5 REPLIES
Cisco Employee

Re: Max 3DES/DES IPSEC throughput of an 806 router.

Just a thought that you might have to adjust the MTU on both the client and server to something like 1400 to allow for the extra header that IPSec adds. If this doesn't work, maybe a packet capture is necessary on both sides to see what is happening on the packet (ie is it being dropped, or is it too big with DF bit set or something similar).

Community Member

Re: Max 3DES/DES IPSEC throughput of an 806 router.

I just repeated the a smiliar test with a PIX520. The only difference is, the 806 is seen as a client by the concentrator, and the 520 is seen as a Lan-to-Lan setup. The PIX520 was able to reach a blazing 25k/s (sarcasim). The same exact file copy from my PC (on the same network as the 806 and the PIX 520) is able to achieve 120k/s Using the Cisco VPN client. The MTU's on the PC running the client are all default 1500. The CPU util on the 520 was 1%. I guess i'm down to packet capturing... feel free to chip in ideas...

Community Member

Re: Max 3DES/DES IPSEC throughput of an 806 router.

Please clarify:

First: Are you using DES or 3DES?

Second: Does 9-13k/s mean k-BYTES-per-second or k-BITS-per-second?

If it is k-BYTES-per-second then essentially you are getting 13KB/s x 8b/B = 104Kbps.

Believe it or not, as sad as that is, it may just be correct. Cisco has not released any throughput statistics for the 806. I've looked all over for them, but there seems to be little info in general for the 806. I just ordered one, and based on this I may have to cancel the order. I wish you could provide clearer test data to include the type of test files you are transferring.

Based on published throughput for the 3002 hardware VPN client that may be your best bet.

Community Member

Re: Max 3DES/DES IPSEC throughput of an 806 router.

The MAX 3DES throughput of a Cisco 806 is 384Kbps.

I just noticed you said you created the tunnel over the Internet. That would account for the decrease in speed as the Internet is a highly unreliable medium. You should repeat the same test in a lab setup.

Community Member

Re: Max 3DES/DES IPSEC throughput of an 806 router.

Thanks for the input everyone.. here are some answers to your suggestions.

The k/s i am refering to is KiloBytes/second

3DES and DES gave the same throughput speeds.

I would duplicate this in a lab, but, a pc using cisco vpn software client (going to the 3015 instead the 806) is able to achieve 120k/s. This drastic difference in speed between the 806 vs. a client pc lead me to the conclusion the internet is not the source of the issue. I agree the Internet is a horrible testing bed, but for this purpose, it works for me.

I am pretty sure the MTU on the client pc that was able to sustain 120kbytes/sec is the default 1500.

so I am still in the same position. I stepped away from testing for a bit, and I will be returning to it soon...feel free to offer ideas/suggestions. I saw another post saying an 806 usually gave .5-1mbit throughput (3des) I am seeing nowhere near that.

200
Views
0
Helpful
5
Replies
CreatePlease to create content