05-19-2020 05:14 AM
Hi
We have a 4431 running as a VPN head end and have roughly 700x users connecting concurrently.
I'm having difficulty understanding what the IPSEC throughput should be and how to measure it?
The router has the HSEC and throughput licences and shows 1000Mbps for the throughput command. In the diagram below you can see that clients terminate on the 'outside' interface and then access internal resources and the internet (via proxy) via the 'inside' interface. These are physical Gig ints with a VRF for the inside and outside.
I understand that, as we are effectively tromboning the traffic, there is really only 500Mbps for user bandwidth, but with 700x users connected it hits around 200Mbps max when I run 'sh plat hard qfp act datapath util'.
I can see that the hsec and throughput licences are installed and enabled with 'sh lic feat'.
Q1 - I understand real world throughput on a 4431 is about 900Mbps but should I be seeing more than 200Mbps going through?
Q2 - is there an accurate way of displaying the ipsec throughput on the router?
05-19-2020 09:17 AM
05-19-2020 09:23 AM - edited 05-19-2020 09:24 AM
CPU never goes above 20%
It's certainly not the nature of the users, as they are constantly complaining about performance. There is no split tunnel, so all traffic goes over the VPN tunnel.
05-19-2020 02:32 PM
05-19-2020 09:37 AM
Hello,
Post the full running configuration of your 4331, maybe we can spot something...
05-20-2020 01:32 AM
I'll have to edit the config to hide data as it's a govt customer, so I need to be careful around disclosing info.
I'm more concerned that a new Windows RRAS solution is being put in using SSTP on the basis this will solve all the issues, and I'm worried that the issue isn't with the 4431 so it won't be resolved.
Q - Is there a way of displaying the IPSEC throughput or bandwidth usage? Even if it's just a real time display / command.
Q - Am I correct in thinking that this router with these licences should be capable of 1Gbps IPSEC throughput, and if so is that shared across the interfaces so that the inside and outside interfaces will effectively handle 500Mbps each, or have 1Gbps each?
05-20-2020 02:07 AM - edited 05-20-2020 03:22 AM
05-20-2020 09:58 AM