DMVPN Performance 1800/2800 - Spec vs. Reality

aronjsmith
Level 1

We're considering deployment of about 50 1800s across the branch infrastructure with 3mb/768k DSL as the VPN port (DS3 head-end). DMVPN topology.

Problem is that performance doesn't seem to meet spec in the lab. Spec says a 2800 should get about 50mbit stock. I'm seeing 1/50th of that. See below, this is MSS 1400, FTP of a 36mb file.

aes 256 ftp: 36232088 bytes received in 36.73Seconds 986.34Kbytes/sec.

aes 192 ftp: 36232088 bytes received in 36.47Seconds 993.50Kbytes/sec.

aes 128 ftp: 36232088 bytes received in 36.47Seconds 993.50Kbytes/sec.

3des cr ftp: 36232088 bytes received in 36.16Seconds 1002.10Kbytes/sec.

null cryp ftp: 36232088 bytes received in 3.23Seconds 11203.49Kbytes/sec.

Any thoughts or suggestions?

15 Replies

5220
Level 4

Hi,

Check that the 2800 has a hardware IPSEC encryption module, and make sure it is active. Check the documentation for that.

http://cisco.com/en/US/products/ps5853/products_data_sheet0900aecd804ff58a.html

Please rate if this helped.

Regards,

Daniel

Our Cisco rep sent us a doc stating that the 2800 has a built-in hardware encryptor capable of 50mbit of IPSEC throughput.

I am aware of the AIM-upgrade potential, and am currently determining the need for it. Cisco has thus far claimed it is not necessary.

How did you make out with your testing? I am seeing the same thing, regardless of the crypto used, I am seeing about 10mbps, rather than the 50mbps promised.

Please post the show tech from the device that is only getting 10Mbps and I can determine why that is.

I have been using DMVPN since the day the IOS was released :*)

There are many reasons why throughput can be reduced.

Thanks,

Joe

This is simply straight site to site vpn with a tunnel, not multipoint. The OP was using DMVPN and seeing the same issue I was, which was sub 10mbps performance with ipsec. I am seeing about 6mbps; when I remove the crypto map from tun102 and fa0/2, my throughput jumps to 94mbps. The performance does not change significantly with changes in the encryption scheme.

You don't have the correct hardware configuration for high speed ipsec throughput.

You need to purchase and install part number.

AIM-VPN-EPII-Plus

You are only using the default on-board vpn accelerator; I'm surprised you are getting as much vpn throughput as you are...

Please refer to the following document

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72.html

While it does say you can achieve "50 Mbps" with the onboard, I have never seen more than 5 to 6 Mbps with the 2801 without the AIM EP II.

So I don't know why Cisco puts the 50Mbps number out there; it simply is not what the product delivers in production with 1 or 20 tunnels.

Thanks,

Joe

Please show the output of:

"sh proc cpu hist"

"sh proc cpu sort 1min"

"sh ip traffic"

Start your test, wait 1 min, and show the output again:

"sh proc cpu hist"

"sh proc cpu sort 1min"

"sh ip traffic"

By the way, you will never get 50Mb/s with encryption on a 2801.

Two more things I found in your configuration;

-You only need the crypto map on the outside (not the tunnel interfaces)

-You are causing fragments the receiving router will have to reassemble.

please add

ip tcp adjust-mss 1380

ip mtu 1412

To ALL of your tunnel interfaces.

You want to prevent the IPSEC process from causing fragments. This was a TAC case I had with the 2801 and ipsec vpn's in general back in 2005.

You don't need these commands on any interface except the tunnel interface.

-Joe

Sorry, but

1412-40=1372

and with such a configuration you will never get what you want.

should be

ip tcp adjust-mss 1360

ip mtu 1400

and just FYI

In releases before Cisco IOS Release 12.2(13)T, the crypto maps must be applied to both the physical interface and the logical interfaces, such as the p2p GRE tunnel interfaces. As of Cisco IOS Release 12.2(13)T (assumed in the example below), the crypto map is applied only to the physical interface, not to the logical interface.

thanks alekseev;

could you explain why you choose the lower numbers...

i have been using my number for 3 years :)

I understand the gre / outgoing interface part.

thanks,

Joe

I mean that the difference between ip mtu and mss size must be more than or equal to 40 bytes (TCP header - 40 bytes).

As for the "ip mtu" it depends on IPSec overhead.

And IPSec overhead depends on the transform set.

GRE overhead 24bytes or 28bytes if you use "tunnel key"

IPSec overhead for

esp esp-3des transport 30-37bytes

esp esp-3des tunnel 50-57bytes

esp-aes 256 esp-md5-hmac tunnel 58-73 bytes

esp-aes 256 esp-md5-hmac transport 38-53 bytes
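A small checker for the ip mtu / adjust-mss arithmetic in this exchange, added here as an example (not code from any poster or from Cisco). It uses the GRE and ESP overhead figures quoted above; the 1500-byte outside MTU and the 40-byte IP+TCP header allowance are assumptions, and `recommend()` generalizes the "mtu minus 40" rule to each listed transform set.

```python
PHYSICAL_MTU = 1500   # assumed MTU of the outside (crypto map) interface
IP_TCP_HEADERS = 40   # 20-byte IPv4 + 20-byte TCP header, no options

# Worst-case ESP overhead (bytes) per transform set and mode, as quoted above.
IPSEC_OVERHEAD_MAX = {
    ("esp-3des", "transport"): 37,
    ("esp-3des", "tunnel"): 57,
    ("esp-aes 256 esp-md5-hmac", "transport"): 53,
    ("esp-aes 256 esp-md5-hmac", "tunnel"): 73,
}


def gre_overhead(tunnel_key=False):
    """GRE adds 24 bytes (outer IP + GRE header), 28 with 'tunnel key'."""
    return 28 if tunnel_key else 24


def max_tunnel_ip_mtu(transform, mode, tunnel_key=False, physical_mtu=PHYSICAL_MTU):
    """Largest tunnel 'ip mtu' that keeps the encrypted GRE packet within the
    physical MTU, so the IPsec process never has to fragment."""
    return physical_mtu - gre_overhead(tunnel_key) - IPSEC_OVERHEAD_MAX[(transform, mode)]


def recommend(transform, mode, tunnel_key=False):
    """Return (ip_mtu, adjust_mss) leaving the full 40-byte IP+TCP gap."""
    mtu = max_tunnel_ip_mtu(transform, mode, tunnel_key)
    return mtu, mtu - IP_TCP_HEADERS


def check_tunnel_settings(ip_mtu, adjust_mss, transform, mode, tunnel_key=False):
    """Return a list of problems with a proposed pair; an empty list means OK."""
    problems = []
    limit = max_tunnel_ip_mtu(transform, mode, tunnel_key)
    if ip_mtu > limit:
        problems.append(f"ip mtu {ip_mtu} > {limit}: encrypted packets will be fragmented")
    gap = ip_mtu - adjust_mss
    if gap < IP_TCP_HEADERS:
        problems.append(f"mss {adjust_mss} leaves {gap} bytes for IP+TCP headers, need {IP_TCP_HEADERS}")
    return problems


if __name__ == "__main__":
    # The two pairs proposed in the thread, checked against AES-256 tunnel mode.
    for mtu, mss in ((1412, 1380), (1400, 1360)):
        print(mtu, mss, check_tunnel_settings(mtu, mss, "esp-aes 256 esp-md5-hmac", "tunnel") or "OK")
    print(recommend("esp-3des", "tunnel"))
```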

Wow, I just applied that mtu and tcp adjust-mss config and the throughput jumped to 25mbps. I'm happy with that.

Jeremy,

what encryption and decryption rate have you achieved?

Seeing 28mbps TCP throughput according to IxChariot

Counters from the tunnel interface:

5 minute input rate 18078000 bits/sec, 1673 packets/sec

5 minute output rate 1010000 bits/sec, 399 packets/sec

And from the crypto engine:

Onboard crypto engine:

ds: 0x64A474A0 idb:0x64A463D8

Statistics for Virtual Private Network (VPN) Module:

3438358 packets in 3438358 packets out

494 paks/sec in 494 paks/sec out

3938 Kbits/sec in 4058 Kbits/sec out

1641713 packets decrypted 1796645 packets encrypted

It is strange that the packet count is different.
