
Only 5Mbps through 2821-2821 3DES

mmedwid
Level 3

My initial tests are showing throughput maxing out at 5Mbps when trying to transfer files using SCP via a tunnel run between two 2821s with the built-in hardware encryption. While I am tracking down all the other possible bottlenecks in the path - can someone confirm if anything special needs to be done to enable the hardware encryption to take over? My tunnel is encrypting and decrypting fine. No errors and good latency. But I am expecting to see far better than just 5Mbps. Thanks.

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxxx address x.x.x.x
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto map VPNs 10 ipsec-isakmp
 description vpn to boulder
 set peer 172.22.25.199
 set transform-set vpn
 match address 180

4 Replies

john-chapman
Level 1

This may be a TCP windowing issue. If you have about 40 ms latency each way on your link, 5 Mbps is all you will get with a 64 kb default TCP window. Increase the size to 400 kb and try again.

I don't think there's an option to change the TCP window within OpenSSH. The latency in the lab I'm working in is actually very low - like 12ms.

roluce
Level 1

I agree with the gentleman who brought up RTT throughput impact on TCP. Otherwise, I don't see anything that would impact throughput in the config snippet. We normally figure on 80mb one way between two 2821s using the Cisco VPN hardware; we normally get much higher rates than 80mb, though.

The one item I wanted to point out is that you're running DES56, not Triple DES. If you wanted to run Triple DES you should have "esp-3des" in the transform set instead of "esp-des".

Rob
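
The transform-set change described in the reply above, shown against the posted configuration as an added example (it is not part of any poster's message). It assumes the IOS behaviour that an ISAKMP policy with no `encryption` line falls back to 56-bit DES, so the `encryption 3des` line is an addition based on that assumption and is not something the thread mentions.

```cisco
! Added example, not from the original thread.
!
! Before (as posted): no "encryption" line under the ISAKMP policy
! (assumed default: 56-bit DES) and esp-des in the transform set.
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto ipsec transform-set vpn esp-des esp-md5-hmac
!
! After: 3DES for both IKE (phase 1) and ESP (phase 2).
! The hash and authentication settings are left as posted.
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
! Both peers must carry the same proposal. Existing SAs keep the old
! transform until they are rebuilt, so clear them and then check what
! was actually negotiated:
!   clear crypto sa
!   show crypto isakmp policy
!   show crypto ipsec sa
```

In the `show crypto ipsec sa` output, the transform listed for the inbound and outbound ESP SAs shows which cipher the tunnel is really using.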

Thanks for noticing that on the DES. This is a lab I inherited - honest!