Cisco Support Community

New Member

2811 IPSec Performance

Hi Guys,

I am having problems with CPU load on a 2811 with AIM-VPN-II. There is a GRE+IPSec tunnel over an E3 WAN link and the authentication is done using RSA, but even though there is around 10 Mb/s of traffic, I have 70 - 85%.

I also have another WAN link with a 2811 router that doesn't have an AIM-VPN, and that one reaches 95% CPU once the traffic goes up to 5 Mb/s.

crypto isakmp policy 10
 encr aes
 authentication rsa-encr
 group 5
crypto isakmp keepalive 10

crypto ipsec transform-set TEST esp-aes esp-sha-hmac

crypto ipsec profile TEST
 set transform-set TEST

interface Tunnel0
 description ***E3 WAN Link***
 bandwidth 32000
 ip address x.x.x.x x.x.x.x
 ip mtu 1376
 ip tcp adjust-mss 1336
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel protection ipsec profile TEST

Are there any recommendations that RSA authentication is not supported for hardware encryption? It worries me, because I have more situations like this.


Cisco Employee

2811 IPSec Performance

Once the tunnel is authenticated, CPU usage should go back down (certificates are only used to authenticate phase 1).  You're more likely to have an issue with the amount of packets you are sending through - the more packets sent the more your throughput suffers.

You could probably help yourself by not using AES, but that's dependent on your security policy.


New Member

2811 IPSec Performance

"You could probably help yourself by not using AES, but that's dependent on your security policy"

I am not sure where or how you came up with that conclusion.  It has been shown consistently that AES provides lower CPU load than 3DES. 

Cisco Employee

2811 IPSec Performance

Hi Michal,

The 2811 router has quite a bit lower IPsec performance than the 2821 or 2851 routers, even with the AIM module.

The RSA would indeed only affect the initial tunnel setup. I would rather check what other features you might have (QoS and NBAR, for example, are quite CPU intensive) and what the average packet size on the network is. Small packets would decrease the performance quite a lot as we need more CPU cycles to process them.

Warm Regards,
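
The packet-size point raised in the replies, worked through for the transform set in the question. This is an added example, not part of the thread or Cisco's own tooling. It assumes IPv4, ESP tunnel mode (the default when the transform set names no mode), AES-CBC with HMAC-SHA1-96, basic 4-byte GRE with no NAT-T, and that the 10 Mb/s figure is inner traffic; the packet sizes are constructed samples.

```python
# Added example: per-packet cost of GRE over IPsec for
# "esp-aes esp-sha-hmac" (assumed AES-CBC + HMAC-SHA1-96, IPv4, tunnel mode).
OUTER_IP = 20      # new IPv4 header added by ESP tunnel mode
ESP_HDR = 8        # SPI + sequence number
AES_IV = 16        # AES-CBC initialisation vector
AES_BLOCK = 16     # ciphertext is padded to this block size
ESP_TRAILER = 2    # pad-length + next-header bytes
ICV = 12           # truncated HMAC-SHA1 integrity value
GRE_IP = 20        # GRE delivery IPv4 header
GRE_HDR = 4        # basic GRE header, no key/sequence options


def encapsulated_size(inner_len):
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    gre_packet = inner_len + GRE_IP + GRE_HDR
    to_encrypt = gre_packet + ESP_TRAILER
    padded = -(-to_encrypt // AES_BLOCK) * AES_BLOCK  # round up to a block
    return OUTER_IP + ESP_HDR + AES_IV + padded + ICV


def packets_per_second(rate_bps, inner_len):
    """Packets the crypto path must process each second at rate_bps."""
    return rate_bps / (inner_len * 8)


def report(rate_bps=10_000_000, sizes=(64, 256, 576, 1376)):
    """Rows of (inner bytes, wire bytes, packets/s, overhead %)."""
    rows = []
    for size in sizes:
        wire = encapsulated_size(size)
        pps = round(packets_per_second(rate_bps, size))
        overhead = round(100 * (wire - size) / size, 1)
        rows.append((size, wire, pps, overhead))
    return rows


if __name__ == "__main__":
    for size, wire, pps, overhead in report():
        print(f"inner={size:5d}B wire={wire:5d}B "
              f"pps={pps:6d} overhead={overhead:5.1f}%")
    # The tunnel's "ip mtu 1376" must still fit a 1500-byte path after
    # GRE and ESP are added.
    print("1376-byte packet fits in 1500:", encapsulated_size(1376) <= 1500)
```

At the same 10 Mb/s, 64-byte packets mean roughly twenty times as many encrypt-and-forward operations per second as full-size 1376-byte packets, which is why average packet size matters more than the bit rate when reading the CPU figures.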