
New Member

VPN Throughput

I just set up a point to point VPN tunnel between a central 3825 and two remote 2811's over a 100Mb link via Ethernet.

I'm using AES256 encryption for isakmp and ipsec. Speeds w/o the tunnel active between the remote and central site are 60-70Mb. Speeds WITH the tunnel are 28-32Mb.

Why such a large decrease in speed? And is this a good result or should I be able to increase speeds some how?

CPU utilization on the 2811's increases to around 75% when a large amount of traffic is being passed. I assume this has something to do with the speed decreases.

Accepted Solutions

Re: VPN Throughput

The encrypt/decrypt process for the packets is performed by the CPU. Just like on a PC, the busier the CPU, the slower everything performs. You are in luck though. Cisco has an AIM card which performs the encrypt/decrypt and allows the CPU to perform other duties. You will see a 'speed' gain when using the AIM card. Here's a link for more information.

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/data_sheet_vpn_aim_for_18128003800routers_ps5853_Products_Data_Sheet.html

A helpful guide once they are installed-

https://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htvpnssl.html

Hope it helps.

Silver

Re: VPN Throughput

An IPSec VPN between a Cisco 2811 running IOS 12.4(24)T Advanced Enterprise with on-board encryption can get you about 60Mbps throughput with AES-256/SHA/DH-5/PFS-group5.

I tested it from a C2811 with a Checkpoint SPLAT NGx R70 firewall. At 60Mbps throughput, the Cisco 2811 CPU is running about 98% Utilization.

Make sure you have these lines in your 2811 config:

crypto engine accelerator

crypto engine onboard 0

17 REPLIES

New Member

Re: VPN Throughput

Thanks for the link.

I'm going to try the same VPN scenario in the lab to see what kind of performance I get across two directly connected 2811 routers.

If the speeds are comparable, at least I know the problems don't lie elsewhere. Conversely, I then know the problems don't like elsewhere. ;)

Thanks.

New Member

Re: VPN Throughput

After checking, those settings were enabled. I believe they're defaults in my IOS release.

I got nearly identical speeds in a lab environment as I did in the production environment.

It appears our only chance to increase speeds is with the AIMs.

Thanks for the replies.

Silver

Re: VPN Throughput

Here is my 2c on this:

- With the on-board encryption and PFS disabled, I was able to push 64Mbps of AES-256 IPSec traffic on IOS 12.4T. I don't think you can get much more throughput on the 2811 than 64Mbps even with the AIM module. CPU will be your limiting factor.

- The ASA5510 can give you much more throughput than 2811 at a much lower cost

New Member

Re: VPN Throughput

Much lower cost if you didn't already own the 2811.

How do you disable PFS?

Silver

Re: VPN Throughput

When you define the crypto map, just do NOT do "set pfs group5". Example:

crypto map vpn 10 ipsec-isakmp

set peer x.x.x.x

set transform aes256

set security life sec 3600

match address 101

set pfs group5 (leave this line out)

That's it.

I think the advantage of ASA over IOS is that you can have DH group 7 which is a level higher than DH group 5

New Member

Re: VPN Throughput

That line was left out of the config already.

Re: VPN Throughput

Try a different IOS rev.

New Member

Re: VPN Throughput

I've tried this across two different revisions with identical results.

Silver

Re: VPN Throughput

What do you use to push traffic? I used Iperf to test throughput and I was able to get 64Mbps on the 2811 IPSec VPN.

Both of my Iperf systems (client/server) are very fast systems, capable of pushing 900Mbps.

New Member

Re: VPN Throughput

I use QCheck by Ixia, which is the only software I know of that does this.

If there's something better I'd love to use it. QCheck works, but it'd be nice to have a 2nd piece to compare it against.

New Member

Re: VPN Throughput

IPerf results are very close to the QCheck results:

C:\>iperf --server

------------------------------------------------------------

Server listening on TCP port 5001

TCP window size: 8.00 KByte (default)

------------------------------------------------------------

[1872] local 10.2.3.36 port 5001 connected with 10.4.1.11 port 2288

[ ID] Interval Transfer Bandwidth

[1872] 0.0-10.0 sec 34.4 MBytes 28.8 Mbits/sec

Silver

Re: VPN Throughput

On the server, do this: iperf -w 256k -s

On the client, do this: iperf -w 256k -c iperf-server-ip -t 120

That should increase the throughput on the endpoint. Not sure about windows but it works great for me in Linux.

New Member

Re: VPN Throughput

C:\>iperf -w 256k -c msdtech -t 120

------------------------------------------------------------

Client connecting to msdtech, TCP port 5001

TCP window size: 256 KByte

------------------------------------------------------------

[1872] local 10.4.1.11 port 1803 connected with 10.2.3.36 port 5001

[ ID] Interval Transfer Bandwidth

[1872] 0.0-120.0 sec 507 MBytes 35.4 Mbits/sec

A little better...
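
An added example, not part of any post in this thread: a Python sketch that parses the two iperf summaries quoted above and computes, for each run, the round-trip time at which the TCP window alone would cap a single stream at the measured rate. The function names are illustrative, the sample text is constructed from the thread's output, and the path RTT is not given on the page, so it has to be measured separately (for example with ping across the tunnel).

```python
import re

# Constructed sample input: the window and summary lines from the two
# iperf runs quoted in this thread (default window, then -w 256k).
RUN_DEFAULT = "TCP window size: 8.00 KByte (default)\n[1872] 0.0-10.0 sec 34.4 MBytes 28.8 Mbits/sec\n"
RUN_256K = "TCP window size: 256 KByte\n[1872] 0.0-120.0 sec 507 MBytes 35.4 Mbits/sec\n"

WINDOW_RE = re.compile(r"TCP window size:\s*([\d.]+)\s*([KM])Byte")
SUMMARY_RE = re.compile(
    r"\[\s*\d+\]\s+[\d.]+-\s*([\d.]+)\s+sec\s+([\d.]+)\s+([KMG])Bytes"
    r"\s+([\d.]+)\s+([KMG])bits/sec")
BYTES = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # iperf 2 byte units are binary
BITS = {"K": 1e3, "M": 1e6, "G": 1e9}                # its bit-rate units are decimal


def parse_run(text):
    """Extract window size, duration, bytes moved and reported rate."""
    win = WINDOW_RE.search(text)
    res = SUMMARY_RE.search(text)
    if not win or not res:
        raise ValueError("not an iperf 2 TCP summary")
    secs, xfer, xunit, rate, runit = res.groups()
    return {
        "window_bytes": float(win.group(1)) * BYTES[win.group(2)],
        "seconds": float(secs),
        "transfer_bytes": float(xfer) * BYTES[xunit],
        "reported_bps": float(rate) * BITS[runit],
    }


def recomputed_bps(run):
    """Rate implied by bytes/duration; should agree with the reported rate."""
    return run["transfer_bytes"] * 8 / run["seconds"]


def window_bound_rtt_ms(run):
    """RTT at which window/RTT equals the measured rate (single TCP stream)."""
    return run["window_bytes"] * 8 / run["reported_bps"] * 1000


def window_ceiling_bps(window_bytes, rtt_ms):
    """Upper bound on one TCP stream's rate for a given window and RTT."""
    return window_bytes * 8 / (rtt_ms / 1000)


if __name__ == "__main__":
    for name, text in (("default", RUN_DEFAULT), ("-w 256k", RUN_256K)):
        run = parse_run(text)
        print(f"{name}: window-bound RTT {window_bound_rtt_ms(run):.2f} ms, "
              f"recomputed {recomputed_bps(run) / 1e6:.1f} Mbit/s")
```

If the measured RTT across the tunnel is far below the value returned for the 256 KByte run, the TCP window is not what holds that run at 35.4 Mbits/sec.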

Silver

Re: VPN Throughput

I can NOT comment on Windows platforms but I can definitely tell you that Iperf performance is so much faster on the Linux platform. My Linux box, with an optimized Linux kernel, can push about 990Mbps on a 1Gig NIC. Maybe you should use Linux to get better performance. Either that or tweak the -w parameter.

New Member

Re: VPN Throughput

The network is all Windows, so I don't have any Linux clients to test with. It's also more indicative of what results they'll see, so I'm OK with testing on Windows boxes.

The link is only 100Mb across the link, not 1Gb. I'd be curious to test between a Linux box and Windows box. Might try that at home.

I just started running Debian.
