ISR G2 IPSec strange behavior

akorolyov2
Level 1

Greetings everyone, 

I have a 2911-SEC/K9 router with IOS 151-4.M7. I'm using IPSec + DMVPN. The settings are the following:

crypto isakmp policy 20
 encr aes 256
 group 24
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10

crypto ipsec transform-set *set-name* esp-aes 256 esp-sha512-hmac

crypto ipsec profile *profile-name*
 set transform-set *set-name*

int tunnelXXX
 *dmvpn settings*
 tunnel protection ipsec profile *profile-name* shared

With these settings I was able to load my 100mb/s channel only to 15mb/s, and CPU went to 99%.

Some strange outputs:

#sh crypto eli
Hardware Encryption : ACTIVE
 Number of hardware crypto engines = 1

 CryptoEngine Onboard VPN details: state = Active
 Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA

 IPSec-Session :     0 active,  3200 max, 0 failed

#sh crypto isakmp sa count
Active ISAKMP SA's: 5

#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.*.*.*     10.*.*.*       QM_IDLE           1044 ACTIVE
10.*.*.*     10.*.*.*       QM_IDLE           1045 ACTIVE

#sh plat cer

 IPSEC           D               D                3         N/A

 Failed encrypt pkts: 0
 Failed decrypt pkts: 0
 Failed encrypt pkt bytes: 0
 Failed decrypt pkt bytes: 0
 Passed encrypt pkts: 5747239
 Passed decrypt pkts: 5750789
 Passed encrypt pkt bytes: 2974407264
 Passed decrypt pkt bytes: 4220119968

So IPSec is working, but why doesn't sh crypto eli show it? Why only 15mb/s?

UPD: Same thing with 881-SEC/K9 and 871

#sh cry eli
Hardware Encryption : ACTIVE
 Number of hardware crypto engines = 1

 CryptoEngine Onboard VPN details: state = Active
 Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE

 IPSec-Session :     0 active,   100 max, 0 failed

3945E (central hub) shows fine:

sh crypto eli
Hardware Encryption : ACTIVE
 Number of hardware crypto engines = 1

 CryptoEngine Onboard VPN details: state = Active
 Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA

 IPSec-Session :    66 active,  6399 max, 0 failed

All devices using 151-4.M7 

Accepted Solution

Marcin Latosiewicz
Cisco Employee
You can check by doing show crypto ipsec sa | i flow to see whether a particular IPsec flow is handled by the software/hardware/external engine. My *guess* is that sha512 is causing the IPsec flow to be handled by software, which is causing the high CPU and bad performance. There are LOTS of questions I have here; discussing performance problems via forums is always tricky... you might want to check with TAC if you want fast and solid answers.

4 Replies

Thanks Marcin, seems you are right:

3945E (using different profiles)

conn id: 5235, flow_id: Onboard VPN:3235, sibling_flags 80000046, crypto map: map-name-1

conn id: 629, flow_id: SW:629, sibling_flags 80000046, crypto map: crypto map: map-name-2

2911, 881, 871 use only the profile that I provided, and the output is

   conn id: 450, flow_id: SW:450, sibling_flags 80000046, crypto map:map-name-2

So I have another question now: why doesn't the onboard VPN module support my profile? Should I lower SHA to 256? And why is 512 not supported? And where can I find the maximum capabilities of this module?

The most reliable answer is to use feature navigator. I had a quick look for hardware support for suite-B. You need at least 15.2(4)M.

Some more information on this topic:

IOS 151-4.M7, ISR G2 routers

crypto ipsec transform-set *set-name* esp-aes 256 esp-sha256-hmac still uses software encryption

crypto ipsec transform-set *set-name* esp-aes 256 esp-sha-hmac uses the Onboard VPN module
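The check Marcin suggested (show crypto ipsec sa | i flow) and the transform-set findings above can be turned into a quick offline audit. The following Python is an added example written for this page; it is not Cisco code and not from any poster in the thread. It parses flow lines in the exact format quoted here, classifies each flow as hardware (flow_id with an engine name such as Onboard VPN) or software (flow_id starting with SW:), and flags transform sets whose hash transform this thread observed being pushed to software on ISR G2 with 15.1(4)M7. The sample output and config, the transform-set names, and the crypto map names are constructed for the example; the sha256/sha512 rule is this thread's observation for that release, not a general statement about other IOS versions.

```python
import re

# Constructed sample, modelled on the "show crypto ipsec sa | include flow"
# lines quoted in this thread: one Onboard VPN flow on the hub, one software
# flow on the hub, and the spoke flow from the 2911/881/871.
SAMPLE_FLOW_OUTPUT = """\
     conn id: 5235, flow_id: Onboard VPN:3235, sibling_flags 80000046, crypto map: map-name-1
     conn id: 629, flow_id: SW:629, sibling_flags 80000046, crypto map: crypto map: map-name-2
     conn id: 450, flow_id: SW:450, sibling_flags 80000046, crypto map:map-name-2
"""

# Constructed sample config with two transform sets (names are hypothetical).
SAMPLE_CONFIG = """\
crypto ipsec transform-set set-sha512 esp-aes 256 esp-sha512-hmac
crypto ipsec transform-set set-sha1 esp-aes 256 esp-sha-hmac
"""

# flow_id is "<engine>:<number>"; engine is "SW" for software or the
# hardware engine name (e.g. "Onboard VPN"). The greedy ".*" before the
# final "crypto map:" copes with the doubled "crypto map: crypto map:"
# seen in the hub output, and "\s*" with the missing space in "crypto map:map".
FLOW_RE = re.compile(
    r"conn id:\s*(?P<conn>\d+),\s*flow_id:\s*(?P<engine>[^:]+):(?P<flow>\d+)"
    r".*crypto map:\s*(?P<map>\S+)"
)


def parse_flows(output):
    """Parse each flow line into a dict; 'hardware' is False when flow_id starts with SW:."""
    flows = []
    for line in output.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        engine = m.group("engine").strip()
        flows.append({
            "conn_id": int(m.group("conn")),
            "engine": engine,
            "flow_id": int(m.group("flow")),
            "crypto_map": m.group("map"),
            "hardware": engine != "SW",
        })
    return flows


def software_flows(output):
    """Return only the flows the router is encrypting in software."""
    return [f for f in parse_flows(output) if not f["hardware"]]


# Hash transforms this thread observed being handled in software on ISR G2
# with 15.1(4)M7; esp-sha-hmac was offloaded to the Onboard VPN engine.
# This is the thread's observation for that release, not a general rule.
SOFTWARE_HASHES_151_4_M7 = {"esp-sha256-hmac", "esp-sha512-hmac"}

TRANSFORM_RE = re.compile(r"^\s*crypto ipsec transform-set\s+(\S+)\s+(.+?)\s*$")


def check_transform_sets(config):
    """Map each transform-set name to the transforms expected to force software processing."""
    findings = {}
    for line in config.splitlines():
        m = TRANSFORM_RE.match(line)
        if not m:
            continue
        name, transforms = m.group(1), m.group(2).split()
        findings[name] = [t for t in transforms if t in SOFTWARE_HASHES_151_4_M7]
    return findings


if __name__ == "__main__":
    for f in software_flows(SAMPLE_FLOW_OUTPUT):
        print("software flow: conn id %d on crypto map %s" % (f["conn_id"], f["crypto_map"]))
    for name, bad in check_transform_sets(SAMPLE_CONFIG).items():
        status = "software-only hash " + ", ".join(bad) if bad else "offload-capable hash"
        print("%s: %s" % (name, status))
```

Run it against a saved copy of the router's show crypto ipsec sa output and running-config instead of the samples; a non-empty software_flows() result on a box whose show crypto eli reports 0 active IPSec-Sessions is the symptom the original post describes, and check_transform_sets() points at the transform set to revisit.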
