I am having problems with CPU load on a 2811 with AIM-VPN-II. There is a GRE+IPsec over E3 WAN link and the authentication is done using RSA, but even though there is around 10 Mb/s of traffic, I have 70 - 85% CPU.
I also have another WAN link with a 2811 router that doesn't have an AIM-VPN, and that one reaches 95% CPU once the traffic goes up to 5 Mb/s.
crypto isakmp policy 10
crypto isakmp keepalive 10
!
crypto ipsec transform-set TEST esp-aes esp-sha-hmac
!
crypto ipsec profile TEST
 set transform-set TEST
!
 description ***E3 WAN Link***
 ip address x.x.x.x x.x.x.x
 ip mtu 1376
 ip tcp adjust-mss 1336
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel protection ipsec profile TEST
Are there any recommendations that RSA authentication is not supported for hardware encryption? It worries me, because I have more situations like this.
Once the tunnel is authenticated, CPU usage should go back down (certificates are only used to authenticate phase 1). You're more likely to have an issue with the amount of packets you are sending through: the more packets sent, the more your throughput suffers.
You could probably help yourself by not using AES, but that's dependent on your security policy.
The 2811 router has quite lower IPsec performance than the 2821 or 2851 routers, even with the AIM module.
The RSA would indeed only affect the initial tunnel setup. I would rather check what other features you might have (QoS and NBAR, for example, are quite CPU intensive) and what the average packet size on your network is. Small packets would decrease the performance quite a lot, as we need more CPU cycles to process them.
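The two replies above make the same point from different angles: the per-packet cost of GRE+IPsec encapsulation, not the RSA authentication, is what drives CPU load, and the posted `ip mtu 1376` / `ip tcp adjust-mss 1336` values are there to keep the encapsulated packet under the link MTU. The following added example (written for this thread, not code from the poster or from Cisco) computes the ESP tunnel-mode overhead for the posted transform set, the largest inner packet that still fits a 1500-byte link, the packet rate the crypto engine must sustain at a given throughput and average packet size, and a consistency check of the MTU/MSS lines in the posted configuration. It assumes IPsec tunnel mode (the default for `tunnel protection`), AES-CBC with a 16-byte IV and block, SHA1-HMAC with a 12-byte truncated ICV, plain GRE without key or sequence options, and IPv4 throughout; those header sizes are the example's assumptions, not values stated on the page.

```python
"""Added worked example: GRE+IPsec (esp-aes esp-sha-hmac) overhead and
packet-rate estimates for the 2811 configuration posted in the thread.

Assumed header sizes (not stated on the page): IPsec tunnel mode, AES-CBC
(16-byte IV, 16-byte block), SHA1-HMAC (12-byte ICV), plain GRE, IPv4.
"""

OUTER_IP = 20       # new IPv4 header added by IPsec tunnel mode
GRE_IP = 20         # IPv4 header of the GRE tunnel packet
GRE_HDR = 4         # GRE header without key/sequence options
ESP_HDR = 8         # SPI + sequence number
AES_IV = 16         # esp-aes (CBC) initialisation vector
AES_BLOCK = 16      # CBC payload is padded to a multiple of this
ESP_TRAILER = 2     # pad length + next header
SHA_ICV = 12        # esp-sha-hmac truncated integrity check value
LINK_MTU = 1500     # physical interface MTU (assumed Ethernet-sized)


def esp_padding(plaintext_len):
    """Padding so (plaintext + ESP trailer) is a multiple of the cipher block."""
    return (-(plaintext_len + ESP_TRAILER)) % AES_BLOCK


def encapsulated_size(inner_len):
    """Wire size of an inner IPv4 packet after GRE and ESP tunnel-mode wrapping."""
    gre_pkt = GRE_IP + GRE_HDR + inner_len          # what ESP actually encrypts
    pad = esp_padding(gre_pkt)
    return OUTER_IP + ESP_HDR + AES_IV + gre_pkt + pad + ESP_TRAILER + SHA_ICV


def fits_link(inner_len, link_mtu=LINK_MTU):
    """True if the encapsulated packet leaves the box without fragmentation."""
    return encapsulated_size(inner_len) <= link_mtu


def max_inner_mtu(link_mtu=LINK_MTU):
    """Largest inner packet that does not fragment on the physical link."""
    n = link_mtu
    while not fits_link(n, link_mtu):
        n -= 1
    return n


def packets_per_second(bits_per_second, avg_packet_bytes):
    """Packet rate the crypto engine must process for a given throughput.

    The same 10 Mb/s is ~900 pps at 1376-byte packets but ~19500 pps at
    64-byte packets, which is why small packets cost so much more CPU.
    """
    return bits_per_second / (avg_packet_bytes * 8)


def mss_consistent(ip_mtu, adjust_mss):
    """ip tcp adjust-mss should be ip mtu minus 40 bytes (IPv4 + TCP headers)."""
    return adjust_mss == ip_mtu - 40


def check_config(config_text):
    """Pull ip mtu / adjust-mss out of an IOS tunnel config and sanity-check them."""
    mtu = mss = None
    for line in config_text.splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "mtu"]:
            mtu = int(parts[2])
        elif parts[:3] == ["ip", "tcp", "adjust-mss"]:
            mss = int(parts[3])
    return {
        "ip_mtu": mtu,
        "adjust_mss": mss,
        "mss_ok": mtu is not None and mss is not None and mss_consistent(mtu, mss),
        "fits_link": mtu is not None and fits_link(mtu),
        "wire_size": encapsulated_size(mtu) if mtu is not None else None,
    }


# Constructed sample: the tunnel lines from the thread's posted configuration.
SAMPLE_CONFIG = """\
 ip mtu 1376
 ip tcp adjust-mss 1336
 tunnel protection ipsec profile TEST
"""

if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG))
    print("largest non-fragmenting inner MTU:", max_inner_mtu())
    for size in (64, 512, 1376):
        print(f"10 Mb/s at {size}-byte packets: {packets_per_second(10_000_000, size):.0f} pps")
```

Running it shows that the posted `ip mtu 1376` encapsulates to 1464 bytes, comfortably under 1500, and that the MSS value matches the MTU; the packet-rate lines make the second reply's point concrete, since the same link load at small packet sizes means an order of magnitude more ESP operations per second for the AIM module and the CPU.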