Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Encryption probem

I have an ipsec encryption running between 2 directly connected routed over a FR multilink interface.

The moment we enable encryption, the link utilization seems to peak causing issues such as slowness etc.

The utilization seems to subside (around 60%) if i disable encryption.

What is the normal traffic overhead we can expect when we enable encryption? Is the sympton that is seen is expected or is it some sort of IOS bug

Ambi

7 REPLIES
Hall of Fame Super Gold

Re: Encryption probem

Hi Subramanian,

What IOS are you using?

Does your routers have AIM/VPN card?

Can you post the config for both?

Community Member

Re: Encryption probem

Hi,

http://www.cisco.com/en/US/products/ps6635/products_white_paper09186a008022bde8.shtml#wp1002499

Their will be an additional

IPsec Tunnel Mode

IPsec Tunnel Mode encapsulates and protects an entire IP packet. Because IPsec tunnel mode encapsulates or hides the IP header of the packet, a new IP header must be added for the packet to be successfully forwarded. The encrypting routers themselves own the IP addresses used in these new headers. Tunnel mode may be employed with Encapsulating Security Payload (ESP) and/or Authentication Header. Using tunnel mode results in additional packet expansion of approximately 20 bytes associated with the new IP header. Tunnel mode expansion of the IP packet.

Community Member

Re: Encryption probem

IOS is 12.2(33)SRC and the platform is 7200 NPE-400

Attached are the configs.. i have changed the ip addresses for obvious reasons

Ambi

Re: Encryption probem

Based on the config you would at a minimum be adding about 52 bytes to each packet

You need to figure out the avg packet size for the traffic between the two routers. Add the above 52 bytes and figure out if the utilization matches to what you see

One thing you can do however is to refine the access-list for the Ipsec

Instead of permit ip you can streamline it to some specific application protocols and check whether the utilization comes down

HTH

Narayan

Super Bronze

Re: Encryption probem

"You need to figure out the avg packet size for the traffic between the two routers. Add the above 52 bytes and figure out if the utilization matches to what you see "

For the OP, the impact of what Narayan describes . . .

If 52 bytes overhead is being added per packet, and a) packets are small (e.g. perhaps 576 default MTU), and b) packets are being fragmented (i.e. 2x packet with additional overhead), that might add about 20% to traffic.

If lots of minimum size packets, e.g. ACKs, that would increase such traffic by about 80%.

Hall of Fame Super Gold

Re: Encryption probem

Hi Subramanian,

Does your routers have AIM/VPN card?

Re: Encryption probem

Leo

Though it be better to have a AIM/VPN card in the router but that would just offload the router CPU

As per the post though the CPU is not the issue but the link utilization which should be the same irrespective of the whether running software or hardware encyption

Lets get a confirmation whether its the link utilization or CPU utilization

Narayan

114
Views
10
Helpful
7
Replies
CreatePlease to create content