Cisco Support Community
New Member

DMVPN Performance 1800/2800 - Spec vs. Reality

We're considering deployment of about 50 1800s across the branch infrastructure with 3mb/768k DSL as the VPN port (DS3 head-end). DMVPN topology.

Problem is that performance doesn't seem to meet spec in the lab. Spec says a 2800 should get about 50mbit stock. I'm seeing 1/50th of that. See below, this is MSS 1400, FTP of a 36mb file.

aes 256 ftp: 36232088 bytes received in 36.73Seconds 986.34Kbytes/sec.

aes 192 ftp: 36232088 bytes received in 36.47Seconds 993.50Kbytes/sec.

aes 128 ftp: 36232088 bytes received in 36.47Seconds 993.50Kbytes/sec.

3des cr ftp: 36232088 bytes received in 36.16Seconds 1002.10Kbytes/sec.

null cryp ftp: 36232088 bytes received in 3.23Seconds 11203.49Kbytes/sec.

Any thoughts or suggestions?

15 REPLIES

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

Hi,

Check that the 2800 has a hardware IPsec encryption module, and make sure it is active. Check the documentation for that.

http://cisco.com/en/US/products/ps5853/products_data_sheet0900aecd804ff58a.html

Please rate if this helped.

Regards,

Daniel

New Member

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

Our Cisco rep sent us a doc stating that the 2800 has a built-in hardware encryptor capable of 50mbit of IPSEC throughput.

I am aware of the AIM-upgrade potential, and am currently determining the need for it. Cisco has thus-far claimed it is not necessary.

New Member

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

How did you make out with your testing? I am seeing the same thing, regardless of the crypto used, I am seeing about 10mbps, rather than the 50mbps promised.

joe Bronze

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

Please post the show tech from the device that is only getting 10Mbps and I can determine why that is.

I have been using DMVPN since the day the IOS was released :*)

There are many reasons why throughput can be reduced.

Thanks,

Joe

New Member

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

This is simply straight site to site vpn with a tunnel, not multipoint. The OP was using DMVPN and seeing the same issue I was, which was sub 10mbps performance with ipsec. I am seeing about 6mbps; when I remove the crypto map from tun102 and fa0/2, my throughput jumps to 94mbps. The performance does not change significantly with changes in the encryption scheme.

joe Bronze

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

You don't have the correct hardware configuration for high speed ipsec throughput.

You need to purchase and install part number AIM-VPN-EPII-Plus.

You are only using the default on-board vpn accelerator; I'm surprised you are getting as much vpn throughput as you are...

Please refer to the following document:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72.html

While it does say you can achieve "50 Mbps" with the onboard, I have never seen more than 5 to 6 Mbps with the 2801 without the AIM EP II.

So I don't know why Cisco puts the 50Mbps number out there; it simply is not what the product delivers in production with 1 or 20 tunnels.

Thanks,

Joe

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

Please show the output of

"sh proc cpu hist"

"sh proc cpu sort 1min"

"sh ip traffic"

Start your test and wait 1 min.

Show the output of

"sh proc cpu hist"

"sh proc cpu sort 1min"

"sh ip traffic"

By the way, you will never get 50Mb/s with encryption on the 2801.

joe Bronze

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

Two more things I found in your configuration;

-You only need the crypto map on the outside (not the tunnel interfaces)

-You are causing fragments the receiving router will have to reassemble.

please add

ip tcp adjust-mss 1380

ip mtu 1412

To ALL of your tunnel interfaces.

You want to prevent the IPSEC process from causing fragments. This was a TAC case I had with the 2801 and ipsec vpn's in general back in 2005.

You don't need these commands on any interface except the tunnel interface.

-Joe

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

sorry, but

1412-40=1372

and with such a configuration you will never get what you want.

should be

ip tcp adjust-mss 1360

ip mtu 1400

and just FYI

In releases before Cisco IOS Release 12.2(13)T, the crypto maps must be applied to both the physical interface and the logical interfaces, such as the p2p GRE tunnel interfaces. As of Cisco IOS Release 12.2(13)T (assumed in the example below), the crypto map is applied only to the physical interface, not to the logical interface.

joe Bronze

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

thanks alekseev;

Could you explain why you choose the lower numbers...

I have been using my number for 3 years :)

I understand the gre / outgoing interface part.

thanks,

Joe

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

I mean that the difference between ip mtu and mss size must be more than or equal to 40 bytes (TCP header - 40 bytes).

As for the "ip mtu", it depends on IPSec overhead.

And IPSec overhead depends on the transform set.

GRE overhead 24bytes or 28bytes if you use "tunnel key"

IPSec overhead for

esp esp-3des transport 30-37bytes

esp esp-3des tunnel 50-57bytes

esp-aes 256 esp-md5-hmac tunnel 58-73-bytes

esp-aes 256 esp-md5-hmac transport 38-53-bytes
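
The sizing argument in the reply above, as an added example that is not part of the original thread: it checks a tunnel stanza against the 40-byte MTU/MSS gap and the worst-case GRE and IPsec overheads quoted in that reply. The 1500-byte link MTU, the sample stanzas and the function names are assumptions made for the illustration.

```python
import re

# Worst-case overhead in bytes: upper ends of the ranges quoted in the reply above.
GRE_OVERHEAD = {False: 24, True: 28}   # True = "tunnel key" is configured
IPSEC_OVERHEAD = {
    "esp-3des transport": 37,
    "esp-3des tunnel": 57,
    "esp-aes 256 esp-md5-hmac transport": 53,
    "esp-aes 256 esp-md5-hmac tunnel": 73,
}
HEADER_GAP = 40    # minimum difference between ip mtu and MSS, per the reply
LINK_MTU = 1500    # assumption: Ethernet-sized path between the tunnel endpoints

def parse_tunnel(stanza):
    """Return (ip mtu, adjust-mss, tunnel-key-present) from an interface stanza."""
    def num(pattern):
        m = re.search(pattern, stanza, re.M)
        return int(m.group(1)) if m else None
    keyed = re.search(r"^\s*tunnel key \d+", stanza, re.M) is not None
    return num(r"^\s*ip mtu (\d+)"), num(r"^\s*ip tcp adjust-mss (\d+)"), keyed

def recommend(transform, keyed=False, link_mtu=LINK_MTU):
    """Largest ip mtu that fits after GRE + IPsec, and the matching MSS."""
    mtu = link_mtu - GRE_OVERHEAD[keyed] - IPSEC_OVERHEAD[transform]
    return mtu, mtu - HEADER_GAP

def audit(stanza, transform, link_mtu=LINK_MTU):
    """List the reasons a tunnel stanza can still produce fragments."""
    mtu, mss, keyed = parse_tunnel(stanza)
    best_mtu, _ = recommend(transform, keyed, link_mtu)
    findings = []
    if mtu is None or mss is None:
        findings.append("ip mtu / ip tcp adjust-mss not both set on the tunnel")
        return findings
    if mtu > best_mtu:
        findings.append(f"ip mtu {mtu} exceeds {best_mtu}: packet can exceed {link_mtu}")
    if mtu - mss < HEADER_GAP:
        findings.append(f"adjust-mss {mss} leaves {mtu - mss} bytes, need {HEADER_GAP}")
    return findings

# Constructed stanzas using the two value pairs proposed in the thread.
FIRST = "interface Tunnel102\n ip mtu 1412\n ip tcp adjust-mss 1380\n"
SECOND = "interface Tunnel102\n ip mtu 1400\n ip tcp adjust-mss 1360\n"

if __name__ == "__main__":
    for name, stanza in (("1412/1380", FIRST), ("1400/1360", SECOND)):
        print(name, audit(stanza, "esp-aes 256 esp-md5-hmac tunnel") or "ok")
```

With the AES-256/MD5 tunnel-mode figure, the 1400/1360 pair passes on a 1500-byte link only while no tunnel key is configured; adding one costs 4 more bytes and the check flags it.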

New Member

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

Wow, I just applied that mtu and tcp adjust-mss config and the throughput jumped to 25mbps. I'm happy with that.

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

Jeremy,

what encryption and decryption rate have you achieved?

New Member

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

Seeing 28mbps TCP throughput according to IxChariot

Counters from the tunnel interface:

5 minute input rate 18078000 bits/sec, 1673 packets/sec

5 minute output rate 1010000 bits/sec, 399 packets/sec

And from the crypto engine:

Onboard crypto engine:

ds: 0x64A474A0 idb:0x64A463D8

Statistics for Virtual Private Network (VPN) Module:

3438358 packets in 3438358 packets out

494 paks/sec in 494 paks/sec out

3938 Kbits/sec in 4058 Kbits/sec out

1641713 packets decrypted 1796645 packets encrypted

It is strange that the packet count is different.

New Member

Re: DMVPN Performance 1800/2800 - Spec vs. Reality

I rebooted both the routers to clear all counters, and the packet counts match up.

cil-2801-02#sh crypto engine accelerator statistic

Device: FPGA

Location: Onboard: 0

Onboard crypto engine:

ds: 0x649511E0 idb:0x64950118

Statistics for Virtual Private Network (VPN) Module:

845829 packets in 845829 packets out

2255 paks/sec in 2255 paks/sec out

22174 Kbits/sec in 22795 Kbits/sec out

109799 packets decrypted 736030 packets encrypted

packet overruns: 0 output packets dropped: 0

tx_hi_drops: 13 fw_failure: 0

invalid_sa: 0 invalid_flow: 0

null_ip_error: 0 pad_size_error: 0 out_bound_dh_acc: 0

esp_auth_fail: 0 ah_auth_failure: 0 crypto_pad_error: 0

ah_prot_absent: 0 ah_seq_failure: 0 ah_spi_failure: 0

esp_prot_absent:0 esp_seq_fail: 0 esp_spi_failure: 0

obound_sa_acc: 0 invalid_sa: 0 out_bound_sa_flow: 0

invalid_dh: 0 bad_keygroup: 0 out_of_memory: 0

no_sh_secret: 0 no_skeys: 0 invalid_cmd: 0

pak_too_big: 0

tx_lo_queue_size_max 0 cmd_unimplemented: 0

flow_cfg_mismatch 0 flow_ip_add_mismatch: 0

unknown_protocol 0 bad_particle_align: 0

375 seconds since last clear of counters

Interrupts: Notify = 88538

cil-2801-02#sh int tun102

Tunnel102 is up, line protocol is up

Hardware is Tunnel

Internet address is 172.16.2.13/30

MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,

reliability 255/255, txload 35/255, rxload 213/255

Encapsulation TUNNEL, loopback not set

Keepalive set (10 sec), retries 3

Tunnel source 172.16.2.9 (FastEthernet0/1), destination 172.16.2.10

Tunnel protocol/transport GRE/IP

Key disabled, sequencing disabled

Checksumming of packets disabled

Tunnel TTL 255

Fast tunneling enabled

Tunnel transmit bandwidth 8000 (kbps)

Tunnel receive bandwidth 8000 (kbps)

Last input 00:00:03, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1

Queueing strategy: fifo

Output queue: 0/0 (size/max)

5 minute input rate 125000 bits/sec, 235 packets/sec

5 minute output rate 16834000 bits/sec, 1490 packets/sec

109767 packets input, 7032341 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

736010 packets output, 1047159276 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 unknown protocol drops

0 output buffer failures, 0 output buffers swapped out

cil-2801-02#
