GRE with IPSec performance question

bhsuzuki
Level 1

We are currently testing this in the lab:

Two C3745's with a PC connected to each and a 100MB switch in the middle. This is to simulate the eventual Internet VPN solution that it will become a part of. Both C3745's have AIM-VPN/HPII modules (hardware encryption).

The problem is that when we have encryption (3DES) enabled and the line speed set at 100Mbps the throughput is terrible (~20Mbps). With the default MTU (1514) the performance is worse (~11Mbps) but setting it lower (anywhere from 1000-1440) yields around ~20Mbps. This seems to be the best we are able to get out of it.

I realize that there is overhead to be had with encryption but does this not seem rather heavy?

The interesting thing is that when the line speed is set to 10Mbps the throughput with encryption is roughly 8Mbps. Looking at the dramatic performance drop with the line speed at 100Mbps I would have expected it to be much worse at 10Mbps.

Just for reference without encryption we were getting ~70Mbps throughput. We were expecting to see around 40-45Mbps with encryption.

Just wondering if anyone has been in this situation and found a work around. Any advice would be greatly appreciated. Many thanks.

3 Replies

rwcrowe
Level 1

Hardware acceleration is on by default but I would do this just to make sure.

1) make sure that "crypto engine accelerator" command is entered in global config for both routers

2) issue "clear crypto accelerator engine counter" on both routers to reset the hardware encryption statistics. Then send some traffic over the VPN connection. Run "show crypto accelerator engine statistic" on both routers and make sure that the hardware is doing the encryption, instead of IOS.

3) issue "show crypto engine connections" to see if the transfer you are sending is listed as active hardware session.

4) open a TAC case, you should be getting well over 100Mbps throughput (rated at 180)

Thanks for the response, much appreciated!

Went through all of the above and they all checked out but still have the same results.

If anyone can offer some further pointers/advice I'm all ears. Thx.

bhsuzuki
Level 1

Just wanted to update for any others who may come across a similar issue, we have resolved the issue and found the answer.

Once the command "ip cef" was enabled in the config we began seeing throughput of around ~70Mbps. Things are good.

By default "ip cef" was disabled on our routers. Done.
