Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Cisco 1841 ipsec performance

Hi all,

I'm experiencing problems with the newest IOS version, I will try to explain here exactly what happened.

I'm running a GRE tunnel with IPSEC AES protection. Both IOS versions running exactly the same configuration file. With these results:

c1841-advipservicesk9-mz.151-4.M6               : 1,7MByte/s (uni)                [99%/96% cpu]

                                                                    : 1,7MByte/s (uni-16mbit)     [96%/93% cpu]

c1841-advipservicesk9-mz.124-25g                 : 2,9MByte/s (uni)                [99%/97% cpu]

                                                                      2,0MByte/s (uni-16mbit)      [77%/74% cpu]

Obviously the router isn't capable of retreiving the line speed provided by my ISP, therefore I've set a service-policy to cap the bandwidth at 16mbit for this tunnel. For the 12.4 version it will be sufficient, but the 15.1 version will still be running above it's capability.

This is my tunnel configuration:

interface Tunnel16

bandwidth 16384

ip address 10.0.0.2 255.255.255.252

ip mtu 1400

ip tcp adjust-mss 1352

tunnel source Loopback16

tunnel destination 4.4.4.4

tunnel bandwidth transmit 16384

tunnel bandwidth receive 16384

service-policy input 16MBIT               (police cir 16777000 bc 375000 be 750000)

I've also tried rate-limit instead of service-policy giving me exactly the same results.

These are the related IPSEC configured settings:

crypto ipsec transform-set TRAN esp-aes 256 esp-sha-hmac

set transform-set TRAN

set pfs group2

The general information for this router:

Cisco 1841 (revision 7.0) with 352256K/40960K bytes of memory.

Processor board ID FCZ121210U5

2 FastEthernet interfaces

1 Virtual Private Network (VPN) Module

DRAM configuration is 64 bits wide with parity disabled.

191K bytes of NVRAM.

250880K bytes of ATA CompactFlash (Read/Write)

I will show you here some results, that were significantly different from the other IOS:

15.1:

dsc#sh buffers

Buffer elements:

     169 in free list (500 max allowed)

     11451 hits, 0 misses, 617 created

Public buffer pools:

Small buffers, 104 bytes (total 71, permanent 50, peak 71 @ 00:42:26):

     65 in free list (20 min, 150 max allowed)

     21927 hits, 32 misses, 0 trims, 21 created

    13 failures (0 no memory)

Middle buffers, 600 bytes (total 88, permanent 25, peak 88 @ 00:01:54):

     76 in free list (10 min, 150 max allowed)

     198539 hits, 196 misses, 0 trims, 63 created

     28 failures (0 no memory)

Big buffers, 1536 bytes (total 134, permanent 50, peak 134 @ 00:40:34):

     84 in free list (5 min, 150 max allowed)

     369375 hits, 1088 misses, 0 trims, 84 created

     593 failures (0 no memory)

VeryBig buffers, 4520 bytes (total 18, permanent 10, peak 18 @ 00:03:11):

     18 in free list (0 min, 100 max allowed)

     560 hits, 33 misses, 0 trims, 8 created

     33 failures (0 no memory)

Large buffers, 5024 bytes (total 5, permanent 0, peak 5 @ 00:03:11):

     5 in free list (0 min, 10 max allowed)

     15 hits, 18 misses, 0 trims, 5 created

     18 failures (0 no memory)

Huge buffers, 18024 bytes (total 1, permanent 0, peak 1 @ 00:43:04):

     1 in free list (0 min, 4 max allowed)

     5 hits, 13 misses, 0 trims, 1 created

    13 failures (0 no memory)

Interface buffer pools:

Syslog ED Pool buffers, 600 bytes (total 133, permanent 132, peak 133 @ 00:42:26):

12.4:

Buffer elements:

     1117 in free list (1119 max allowed)

     5928 hits, 0 misses, 619 created

Public buffer pools:

Small buffers, 104 bytes (total 54, permanent 50, peak 54 @ 00:33:36):

     51 in free list (20 min, 150 max allowed)

     692009 hits, 26 misses, 0 trims, 4 created

     0 failures (0 no memory)

Middle buffers, 600 bytes (total 52, permanent 25, peak 52 @ 00:20:09):

     51 in free list (10 min, 150 max allowed)

     713928 hits, 66 misses, 0 trims, 27 created

     43 failures (0 no memory)

Big buffers, 1536 bytes (total 56, permanent 50, peak 56 @ 00:20:09):

     56 in free list (5 min, 150 max allowed)

     1321119 hits, 111 misses, 0 trims, 6 created

     70 failures (0 no memory)

VeryBig buffers, 4520 bytes (total 11, permanent 10, peak 11 @ 00:24:12):

     11 in free list (0 min, 100 max allowed)

     53 hits, 17 misses, 0 trims, 1 created

     17 failures (0 no memory)

Large buffers, 5024 bytes (total 1, permanent 0, peak 1 @ 00:24:12):

     1 in free list (0 min, 10 max allowed)

     1 hits, 16 misses, 0 trims, 1 created

     16 failures (0 no memory)

Huge buffers, 18024 bytes (total 1, permanent 0, peak 1 @ 00:24:12):

     1 in free list (0 min, 4 max allowed)

     1 hits, 15 misses, 0 trims, 1 created

     15 failures (0 no memory)

Interface buffer pools:

Syslog ED Pool buffers, 600 bytes (total 150, permanent 150):

     118 in free list (150 min, 150 max allowed)

I noticed there are more big buffer failures in the 15.1 version, also there are less buffer elements allowed. Could this be the reason for the performance degradation? I've also checked the status of all interfaces, not displaying any errors.

I've also checked the AIM config on both versions, and they seem to be different:

15.1:

dsc#sh crypto engine conf

        crypto engine name:  Virtual Private Network (VPN) Module

        crypto engine type:  hardware

                     State:  Enabled

                  Location:  onboard 0

              Product Name:  Onboard-VPN

                HW Version:  1.0

               Compression:  Yes

                       DES:  Yes

                     3 DES:  Yes

                   AES CBC:  Yes (128,192,256)

                  AES CNTR:  No

     Maximum buffer length:  4096

          Maximum DH index:  0000

          Maximum SA index:  0000

        Maximum Flow index:  0300

      Maximum RSA key size:  0000

12.4:

        crypto engine name:  Virtual Private Network (VPN) Module

        crypto engine type:  hardware

                     State:  Enabled

                  Location:  onboard 0

              Product Name:  Onboard-VPN

                HW Version:  1.0

               Compression:  Yes

                       DES:  Yes

                     3 DES:  Yes

                   AES CBC:  Yes (128,192,256)

                  AES CNTR:  No

     Maximum buffer length:  4096

          Maximum DH index:  0150

          Maximum SA index:  0150

        Maximum Flow index:  0300

      Maximum RSA key size:  0000

As you can see the DH/SA index is 0000 with the 15.1 version compared to 0150 with the 12.4 version. Is this a driver bug, configuration error or unrelated to this issue?

What I'd like to know if this performance issue is related to a bug in IOS or a faulty-configuration even though they both run exactly the same config? Or are these results as expected since the IOS 15.1 performance is generally lower?

Regards,

475
Views
0
Helpful
0
Replies
CreatePlease to create content