01-16-2007 07:33 AM - edited 02-21-2020 02:49 PM
We're considering deployment of about 50 1800s across the branch infrastructure with 3mb/768k DSL as the VPN port (DS3 head-end). DMVPN topology.
Problem is that performance doesn't seem to meet spec in the lab. Spec says a 2800 should get about 50mbit stock. I'm seeing 1/50th of that. See below, this is MSS 1400, FTP of a 36mb file.
aes 256 ftp: 36232088 bytes received in 36.73Seconds 986.34Kbytes/sec.
aes 192 ftp: 36232088 bytes received in 36.47Seconds 993.50Kbytes/sec.
aes 128 ftp: 36232088 bytes received in 36.47Seconds 993.50Kbytes/sec.
3des cr ftp: 36232088 bytes received in 36.16Seconds 1002.10Kbytes/sec.
null cryp ftp: 36232088 bytes received in 3.23Seconds 11203.49Kbytes/sec.
Any thoughts or suggestions?
01-16-2007 10:42 AM
Hi,
Check that the 2800 has a hardware IPSEC encryption module, and make sure it is active. Check the documentation for that.
http://cisco.com/en/US/products/ps5853/products_data_sheet0900aecd804ff58a.html
Please rate if this helped.
Regards,
Daniel
01-16-2007 10:56 AM
Our Cisco rep sent us a doc stating that the 2800 has a built-in hardware encryptor capable of 50mbit of IPSEC throughput.
I am aware of the AIM-upgrade potential, and am currently determining the need for it. Cisco has thus far claimed it is not necessary.
07-31-2008 06:55 AM
How did you make out with your testing? I am seeing the same thing: regardless of the crypto used, I am seeing about 10 Mbps, rather than the 50 Mbps promised.
07-31-2008 09:07 AM
Please post the show tech from the device that is only getting 10 Mbps and I can determine why that is.
I have been using DMVPN since the day the IOS was released :*)
There are many reasons why throughput can be reduced.
Thanks,
Joe
07-31-2008 10:39 AM
This is simply a straight site-to-site VPN with a tunnel, not multipoint. The OP was using DMVPN and seeing the same issue I was, which was sub-10 Mbps performance with IPsec. I am seeing about 6 Mbps; when I remove the crypto map from tun102 and fa0/2, my throughput jumps to 94 Mbps. The performance does not change significantly with changes in the encryption scheme.
07-31-2008 11:12 AM
You don't have the correct hardware configuration for high-speed IPsec throughput.
You need to purchase and install part number AIM-VPN-EPII-Plus.
You are only using the default on-board VPN accelerator; I'm surprised you are getting as much VPN throughput as you are...
Please refer to the following document
While it does say you can achieve "50 Mbps" with the onboard, I have never seen more than 5 to 6 Mbps with the 2801 without the AIM EP II.
So I don't know why Cisco puts the 50 Mbps number out there; it simply is not what the product delivers in production with 1 or 20 tunnels.
Thanks,
Joe
07-31-2008 11:12 AM
Please show the output of:
"sh proc cpu hist"
"sh proc cpu sort 1min"
"sh ip traffic"
Then start your test, wait 1 min, and show the output again:
"sh proc cpu hist"
"sh proc cpu sort 1min"
"sh ip traffic"
By the way, you will never get 50 Mb/s with encryption on a 2801.
07-31-2008 11:21 AM
Two more things I found in your configuration:
-You only need the crypto map on the outside (not the tunnel interfaces)
-You are causing fragments the receiving router will have to reassemble.
Please add
ip tcp adjust-mss 1380
ip mtu 1412
To ALL of your tunnel interfaces.
You want to prevent the IPSEC process from causing fragments. This was a TAC case I had with the 2801 and IPsec VPNs in general back in 2005.
You don't need these commands on any interface except the tunnel interface.
-Joe
07-31-2008 11:36 AM
Sorry, but
1412-40=1372
and with such a configuration you will never get what you want.
It should be
ip tcp adjust-mss 1360
ip mtu 1400
And just FYI:
In releases before Cisco IOS Release 12.2(13)T, the crypto maps must be applied to both the physical interface and the logical interfaces, such as the p2p GRE tunnel interfaces. As of Cisco IOS Release 12.2(13)T (assumed in the example below), the crypto map is applied only to the physical interface, not to the logical interface.
07-31-2008 02:04 PM
Thanks alekseev;
could you explain why you chose the lower numbers...
I have been using my numbers for 3 years :)
I understand the GRE / outgoing interface part.
thanks,
Joe
07-31-2008 09:27 PM
I mean that the difference between ip mtu and MSS size must be greater than or equal to 40 bytes (TCP header - 40 bytes).
As for the "ip mtu", it depends on IPSec overhead.
And IPSec overhead depends on the transform set.
GRE overhead: 24 bytes, or 28 bytes if you use "tunnel key".
IPSec overhead for:
esp esp-3des transport: 30-37 bytes
esp esp-3des tunnel: 50-57 bytes
esp-aes 256 esp-md5-hmac tunnel: 58-73 bytes
esp-aes 256 esp-md5-hmac transport: 38-53 bytes
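The arithmetic behind those two commands, worked through as an added example (not code from anyone's post): it assumes a 1500-byte outside MTU, takes the worst case of each overhead range quoted above, and checks a proposed ip mtu / adjust-mss pair the way alekseev did (the gap must be at least 40 bytes, and the tunnel MTU plus GRE and IPsec overhead must still fit the outside link).

```python
# Added worked example, not from the thread: derive an "ip mtu" / "ip tcp adjust-mss"
# pair for GRE over IPsec from the per-layer overheads quoted above, and check a
# proposed pair the way alekseev did (ip mtu minus mss must be at least 40 bytes).
PHYS_MTU = 1500        # assumed: Ethernet MTU of the outside (physical) interface
TCP_IP_HEADERS = 40    # 20-byte IPv4 header + 20-byte TCP header, no options
GRE_OVERHEAD = {"plain": 24, "tunnel key": 28}
# Worst case of each IPsec overhead range quoted in the thread, in bytes.
IPSEC_OVERHEAD_MAX = {
    ("esp-3des", "transport"): 37,
    ("esp-3des", "tunnel"): 57,
    ("esp-aes256 esp-md5-hmac", "transport"): 53,
    ("esp-aes256 esp-md5-hmac", "tunnel"): 73,
}

def max_tunnel_mtu(transform, mode, gre="plain", phys_mtu=PHYS_MTU):
    """Largest inner packet that still fits the outside MTU after GRE + IPsec
    encapsulation, so the router never has to fragment encrypted packets."""
    return phys_mtu - GRE_OVERHEAD[gre] - IPSEC_OVERHEAD_MAX[(transform, mode)]

def mss_for_mtu(ip_mtu):
    """Largest TCP payload that fits in one packet of size ip_mtu."""
    return ip_mtu - TCP_IP_HEADERS

def check_pair(ip_mtu, adjust_mss, transform, mode, gre="plain"):
    """Problems with a proposed (ip mtu, adjust-mss) pair; [] means it is safe."""
    problems = []
    gap = ip_mtu - adjust_mss
    if gap < TCP_IP_HEADERS:
        problems.append(f"ip mtu - mss = {gap} < {TCP_IP_HEADERS}: "
                        "full-size segments will not fit in one tunnel packet")
    limit = max_tunnel_mtu(transform, mode, gre)
    if ip_mtu > limit:
        problems.append(f"ip mtu {ip_mtu} > {limit}: encrypted packets "
                        "will be fragmented on the outside interface")
    return problems

def ios_lines(transform, mode, gre="plain"):
    """Tunnel-interface commands sized for this transform set and GRE header."""
    ip_mtu = max_tunnel_mtu(transform, mode, gre)
    return [f"ip mtu {ip_mtu}", f"ip tcp adjust-mss {mss_for_mtu(ip_mtu)}"]

if __name__ == "__main__":
    print(check_pair(1412, 1380, "esp-3des", "tunnel"))   # Joe's pair: gap is only 32
    print(check_pair(1400, 1360, "esp-3des", "tunnel"))   # alekseev's pair: []
    print(ios_lines("esp-aes256 esp-md5-hmac", "tunnel", "tunnel key"))
```

With AES-256, tunnel mode and a tunnel key the worst case lands one byte below 1400, which is why the transform set matters when picking the number.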
07-31-2008 11:37 AM
Wow, I just applied that MTU and tcp adjust-mss config and the throughput jumped to 25 Mbps. I'm happy with that.
07-31-2008 11:49 AM
Jeremy,
what encryption and decryption rate have you achieved?
07-31-2008 11:58 AM
Seeing 28 Mbps TCP throughput according to IxChariot.
Counters from the tunnel interface:
5 minute input rate 18078000 bits/sec, 1673 packets/sec
5 minute output rate 1010000 bits/sec, 399 packets/sec
And from the crypto engine:
Onboard crypto engine:
ds: 0x64A474A0 idb:0x64A463D8
Statistics for Virtual Private Network (VPN) Module:
3438358 packets in 3438358 packets out
494 paks/sec in 494 paks/sec out
3938 Kbits/sec in 4058 Kbits/sec out
1641713 packets decrypted 1796645 packets encrypted
It is strange that the packet count is different.