Cisco Support Community
New Member

IPsec Performance on 3945 with Crypto Engine


I recently configured an IPsec tunnel over a 1GE connection. As we need nearly 1 GBit, we decided to use two 3945 with Crypto Engine.

Now that we have configured the connection, the speed is unfortunately quite a bit slower than expected. We tried to copy a large file using Windows through this connection and we got approx. 30 MB/s. The same tests in internal networks lead to 80 to 100 MB/s (that's what I nearly expected). PRTG says something about 240 MBit/s.

So first of all two questions:

- Has anybody values to compare?

- Any ideas how to get this faster? Now I am using AES. The Crypto Engine is enabled (show crypto engine configuration tells me VPN Module onboard - disabled / ISM VPN Accelerator in Slot 0 - enabled)

The last idea I had was the line not being a real 1 GE, but that is a bit more difficult to check without interrupting traffic.

Any help is appreciated, thanks in advance,


Hall of Fame Super Silver


All other factors being negligible and assuming a 3945E with HSEC license, you should be able to get about 800 Mbps of IPsec throughput with IMIX traffic over a single tunnel IPSec VPN. Without the HSEC license you will be artificially limited.

If you add zone-based firewall and QoS features the performance will decrease.

That said, your provider contract or service portal should define the actual committed rate on the 1 Gbps physical interface. Here in the US at least, it is often less than the full 1 Gbps.

Cisco Employee

To add a bit, SMB is probably the worst protocol to measure performance with; use iperf at least. That being said, for single flow TCP performance we were dealing with recently: Check out the workaround. I'm not sure it applies to VPN ISM, but it's worth a try.
New Member


Hello,

thanks for the replies. There shouldn't be a licensing issue (we bought a security-bundle, so this is fine). Of course I know that SMB is nothing to do performance testing with, but this is the application the customer needs - and it is his baseline, so I have to cope with it. ;-(

The router only does static routing for this particular line and nothing else (no qos, acls ...). I thought about some bugs in the IOS, but I am not sure where to go to: 5.2 or 5.4. As routing even does not work properly, I have to upgrade either.

Thanks so far,

Regards, Andreas