I recently configured an IPsec tunnel over a 1GE connection. As we need nearly 1 GBit, we decided to use two 3945 with Crypto Engine.
Now that we have configured the connection, unfortunately the speed is quite a bit slower than expected. We tried to copy a large file using Windows through this connection and we got approx. 30 MB/s. The same tests in internal networks lead to 80 to 100 MB/s (that's nearly what I expected). PRTG says something about 240 MBit/s.
So first of all two questions:
- Has anybody values to compare?
- Any ideas how to get this faster? Now I am using AES. The Crypto Engine is enabled (show crypto engine configuration tells me VPN Module onboard - disabled / ISM VPN Accelerator in Slot 0 - enabled)
The last idea I had was the line not being a real 1 GE, but that is a bit more difficult to check without interrupting traffic.
All other factors being negligible and assuming a 3945E with HSEC license, you should be able to get about 800 Mbps of IPsec throughput with IMIX traffic over a single tunnel IPSec VPN. Without the HSEC license you will be artificially limited.
If you add zone-based firewall and QoS features the performance will decrease.
That said, your provider contract or service portal should define the actual committed rate on the 1 Gbps physical interface. Here in the US at least, it is often less than the full 1 Gbps.
Thanks for the replies. There shouldn't be a licensing issue (we bought a security bundle, so this is fine).
Of course I know that SMB is nothing to do performance testing with, but this is the application the customer needs - and it is his baseline, so I have to cope with it. ;-(
The router only does static routing for this particular line and nothing else (no qos, acls ...). I thought about some bugs in the IOS, but I am not sure where to go to: 5.2 or 5.4. As routing does not even work properly, I have to upgrade either way.
Thanks so far,