Solved: Re: ASR1000-X Encryption Throughput

hotpackets · ‎03-12-2020

I'm looking at an ASR1K-X with an ESP40. Datasheets shows up to 12Gbps encrypted aggregate throughput.

If I exceed those numbers, is there a command that would show drops that occurred due to hitting encryption/decryption limits?

Is it QOS aware? With encryption happening before queuing and scheduling, would it still encrypt/decrypt PQ1 and PQ2 packets first?

Cristian Matei · ‎03-13-2020

Hi,

This is the command you're looking for, as you're looking for data-plane drops: "show platform hardware qfp statistics drop". Take look at this document for further reference:

https://community.cisco.com/t5/security-documents/troubleshooting-vpn-issues-on-asr-where-to-start/ta-p/3113897

Regards,
Cristian Matei.

View solution in original post

Joseph W. Doherty · ‎03-12-2020

"With encryption happening before queuing and scheduling, would it still encrypt/decrypt PQ1 and PQ2 packets first?"

I don't know for sure, but doubt it would. I suspect encryption/decryption is FIFO.

hotpackets · ‎03-12-2020

That's my suspicion, but I wanted to see if anyone knew for sure.

hotpackets · ‎04-07-2020

I received confirmation from a Cisco engineer that the crypto module will indiscriminately drop traffic when its capacity is exceeded.

Cristian Matei · ‎03-13-2020

Hi,

This is the command you're looking for, as you're looking for data-plane drops: "show platform hardware qfp statistics drop". Take look at this document for further reference:

https://community.cisco.com/t5/security-documents/troubleshooting-vpn-issues-on-asr-where-to-start/ta-p/3113897

Regards,
Cristian Matei.

hotpackets · ‎03-13-2020

Thanks! That document appears to have what I'm looking for.