cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6437
Views
0
Helpful
10
Replies

GRE over IPSec performance issues

Spaniard141
Level 1
Level 1

I am troubleshooting a performance issue on a GRE over IPSEC tunnel between two sites.
After a lot of research, I ended up lowering the MTU size and configuring an mss value and this has reduced 99% of the fragmentation I was experiencing. The issue now is that the throughput is only a portion of the WAN link. Both sites are connected by a 100 Mbps metro e but when doing testing on it I can't seem to get any higher than 25-30 Mbps. I figured I would lose some due to the tunnel but not as much as I am.

See the configuration of the tunnel interface below:

Router 1
interface Tunnel0
bandwidth 100000
ip address X.X.X.X X.X.X.X
ip mtu 1400
ip tcp adjust-mss 1360
delay 1
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0
tunnel destination X.X.X.X X.X.X.X

and the physical interface:

interface GigabitEthernet0/0
description BlahBlah
ip address interface GigabitEthernet0/0
ip address X.X.X.X X.X.X.X
duplex auto
speed auto
crypto map CM


Router 2

interface Tunnel0
bandwidth 100000
ip address X.X.X.X X.X.X.X
ip mtu 1400
ip tcp adjust-mss 1360
delay 2970
keepalive 10 3
tunnel source GigabitEthernet0/0
tunnel destination X.X.X.X

Physical interface:

interface GigabitEthernet0/0
ip address X.X.X.X X.X.X.X
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map CM

Also eigrp is being used

Any ideas as to how to address this problem?

Thanks

2 Accepted Solutions

Accepted Solutions

Hi Raul,

The very first thing that comes to mind is that the Gig interfaces have been set to auto negotiate the speed. Can you check what speeds have the interfaces negotiated to? If it is 1000 Mbps the line speed is more that the carrier contracted BW of 100 Mbps which means anything above 100 mbps sent over that will be discarded by the carrier. You can limit the interface capacity by hard coding the speed to 100 mbps which is the best option and if thats not possible try traffic shaping the BW down to 100 mbps.

HTH

Regards

Umesh Shetty

View solution in original post

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

Actually Cisco documents a 2921's maximum IPSec performance at 207 Mbps and a 2951's maximum at 282 Mbps, so in theory either could push (but barely) 100 Mbps (duplex), but their recommendation bandwidths, still for IPSec, are 72 and 103 Mbps, respectively.  (Note: bandwidths are aggregates.)

In attachment, see tables 2 and 7.

View solution in original post

10 Replies 10

Jeff Van Houten
Level 5
Level 5

2 questions. What model router? Have you tried a speed test or file transfer without the IPSec tunnel to see if you're truly getting 100Mbps on the link?

Sent from Cisco Technical Support iPad App

Jeff

The router models are 2951 and 2921.

I have not tested just GRE without IPSEC. I have been testing with an application called iperf which sends files between a server and a client and reports the file sizes and transfer rate.

Leo Laohoo
Hall of Fame
Hall of Fame
The issue now is that the throughput is only a portion of the WAN link. Both sites are connected by a 100 Mbps metro e but when doing testing on it I can't seem to get any higher than 25-30 Mbps.

Hmmmm ... I'm suspecting you are using a 2900 router.

Can you please post the following commands:

1.  sh version; and

2.  sh crypto engine brief

Spaniard141
Level 1
Level 1

Leo

The hardware is

2951 on one end and 2921 on the other

Spaniard141
Level 1
Level 1

Leo

See below the Output of the requested commands.

Thanks

R1#sh ver

Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.3(2)T, RELE                                                                             ASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2013 by Cisco Systems, Inc.

Compiled Thu 28-Mar-13 13:17 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M13, RELEASE SOFTWARE (fc1)

R1 uptime is 26 weeks, 3 days, 21 hours, 1 minute

System returned to ROM by reload at 17:52:23 UTC Sat Apr 20 2013

System image file is "flash:c2951-universalk9-mz.SPA.153-2.T.bin"

Last reload type: Normal Reload

Last reload reason: Reload Command

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

Cisco CISCO2951/K9 (revision 1.1) with 487424K/36864K bytes of memory.

Processor board ID FTX1628AL00

3 Gigabit Ethernet interfaces

1 terminal line

1 Virtual Private Network (VPN) Module

DRAM configuration is 72 bits wide with parity enabled.

255K bytes of non-volatile configuration memory.

250880K bytes of ATA System CompactFlash 0 (Read/Write)

License Info:

License UDI:

-------------------------------------------------

Device#   PID                   SN

-------------------------------------------------

*0       CISCO2951/K9         FTX1628AL00

Technology Package License Information for Module:'c2951'

-----------------------------------------------------------------

Technology   Technology-package           Technology-package

             Current       Type           Next reboot

------------------------------------------------------------------

ipbase       ipbasek9     Permanent     ipbasek9

security     securityk9   Permanent     securityk9

uc           None         None           None

data         None         None           None

Configuration register is 0x2102

R1#sh crypto engine brief

       crypto engine name: Virtual Private Network (VPN) Module

       crypto engine type: hardware

                     State: Enabled

               Location: onboard 0

             Product Name: Onboard-VPN

               FW Version: 1

             Time running: 4294967 seconds

               Compression: Yes

                       DES: Yes

                     3 DES: Yes

                  AES CBC: Yes (128,192,256)

                 AES CNTR: No

     Maximum buffer length: 4096

         Maximum DH index: 0000

         Maximum SA index: 0000

       Maximum Flow index: 8000

     Maximum RSA key size: 0000

       crypto engine name: Cisco VPN Software Implementation

       crypto engine type: software

             serial number: 10EEF1A5

       crypto engine state: installed

     crypto engine in slot: N/A

RTR02#sh ver

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Compiled Wed 07-Nov-12 14:08 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

RTR02 uptime is 26 weeks, 5 days, 22 hours, 55 minutes

System returned to ROM by reload

System restarted at 12:08:45 Eastern Thu Apr 18 2013

System image file is "flash0:c2900-universalk9-mz.SPA.152-4.M2.bin"

Last reload type: Normal Reload

Last reload reason: power-on

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

Cisco CISCO2921/K9 (revision 1.0) with 487424K/36864K bytes of memory.

Processor board ID FTX1711ALHK

3 Gigabit Ethernet interfaces

1 terminal line

1 Virtual Private Network (VPN) Module

DRAM configuration is 64 bits wide with parity enabled.

255K bytes of non-volatile configuration memory.

250880K bytes of ATA System CompactFlash 0 (Read/Write)

License Info:

License UDI:

-------------------------------------------------

Device#   PID                   SN

-------------------------------------------------

*0       CISCO2921/K9         FTX1711ALHK

Technology Package License Information for Module:'c2900'

-----------------------------------------------------------------

Technology   Technology-package           Technology-package

             Current       Type           Next reboot

------------------------------------------------------------------

ipbase       ipbasek9     Permanent     ipbasek9

security     securityk9   Permanent     securityk9

uc           None         None           None

data         None         None           None

Configuration register is 0x2102

RTR02#sh crypto engine brief

       crypto engine name: Virtual Private Network (VPN) Module

       crypto engine type: hardware

                     State: Enabled

                 Location: onboard 0

             Product Name: Onboard-VPN

               HW Version: 1.0

               Compression: Yes

                      DES: Yes

                     3 DES: Yes

                   AES CBC: Yes (128,192,256)

                 AES CNTR: No

     Maximum buffer length: 0000

         Maximum DH index: 0000

         Maximum SA index: 0000

       Maximum Flow index: 3600

     Maximum RSA key size: 0000

       crypto engine name: Cisco VPN Software Implementation

       crypto engine type: software

             serial number: 2172EDC3

       crypto engine state: installed

     crypto engine in slot: N/A

Spaniard141
Level 1
Level 1

I keep seeing this in the logs:

Oct 22 19:52:44.250: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

Could this be related? I have read that the SEC-K9 license limits encrypted throughput to less than or equal to 85-Mbps unidirectional traffic.

I just expected to see higher numbers than 30.

Thanks

Hi Raul,

The very first thing that comes to mind is that the Gig interfaces have been set to auto negotiate the speed. Can you check what speeds have the interfaces negotiated to? If it is 1000 Mbps the line speed is more that the carrier contracted BW of 100 Mbps which means anything above 100 mbps sent over that will be discarded by the carrier. You can limit the interface capacity by hard coding the speed to 100 mbps which is the best option and if thats not possible try traffic shaping the BW down to 100 mbps.

HTH

Regards

Umesh Shetty

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I keep seeing this in the logs:

Oct 22 19:52:44.250: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.

Could this be related? I have read that the SEC-K9 license limits encrypted throughput to less than or equal to 85-Mbps unidirectional traffic.

I just expected to see higher numbers than 30.

Yes, I would see that as an impediment.  It also would imply you're bursting above 85 Mbps.  More over, if going above this limit drop packets, and/or packets are being dropped if you're able to burst above your MetroE limits (as also noted by Umesh), either can be very adverse to TCP transfer performance.

Raul,

A 2900 router does not have the "oomph" to push 100 Mbps. 

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

Actually Cisco documents a 2921's maximum IPSec performance at 207 Mbps and a 2951's maximum at 282 Mbps, so in theory either could push (but barely) 100 Mbps (duplex), but their recommendation bandwidths, still for IPSec, are 72 and 103 Mbps, respectively.  (Note: bandwidths are aggregates.)

In attachment, see tables 2 and 7.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco