cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1850
Views
0
Helpful
6
Replies

Getting Latency over DMVPN TUNNEL

md.irfan.khans
Level 1
Level 1

Hey Everyone , 

I am getting some latency over DMVPN tunnel from SPOKE router to reach to HUB router Tunnel interface Ip address . 

Latency for public ip address of HUB router which is used to DMVPN is fine . Only getting latancy for tunnel Ip address 

Had checked all the interface and crypto Ipsec sa status now error found in any where . 

What can be the issue for Latancy issue 

6 Replies 6

Philip D'Ath
VIP Alumni
VIP Alumni

What model spoke router are you using and what software version is it?

What model hub router are you using and what software version is it?

How are you measuring the latency?

How much extra latency are you getting over the tunnel compared to between the public IP addresses?

Is the problem intermittent or permanent?

The Model of HUB router and spoke is 

Spoke : C2951  Software version : C2951 Software (C2951-UNIVERSALK9-M), Version 15.1(4)M8, RELEASE SOFTWARE (fc2

HUB :  C3900 Software (C3900-UNIVERSALK9-M), Version 15.1(4)M8, RELEASE SOFTWARE (fc2)

I am measuring the Latency By Ping response , As i am getting latency 50 ms from spoke router to reach to HUB Public ip address of HUB router . 

And from the same Spoke router i am getting 90 Ms to reach(NHS) tunnel ip address for HUB router . 

This problem is permanent 

Since the test you are doing is through a ping from router to router, then the problem is most likely related to the fact that you are forcing the CPU to handle all the operations required for this communication.

When you ping between public addresses, the CPU of the spoke will generate the ICMP packet and send it through the best path to the Hub, then the Hub's CPU receives the packet, processes it, creates a response and sends it back. When the DMPVN tunnel is involved, then the Spoke has to create the packet, send it through the best path (tunnel), realize it must be encapsulated (GRE) and encrypted (IPSEC) and do the operations by software, even if you have a hardware encryption module or chip in your router. The same thing will happen on the Hub site which adds to the time it takes for the round-trip of the communication. Also depending on the level of encryption you are using it will take more or less time (DES against 3DES or AES). So by testing with a stream of packets generated and handled by the CPU itself you are not using the advantage of hardware encryption and forcing the CPU to work a little more when the DMVPN connection is used.

Also bear in mind that if at some point the routers have a higher CPU utilization due to something else happening on the network, this same test will show an even bigger delay because the CPU is already busy handling some more important operations than encapsulating and encrypting an ICMP packet.

A better test might be to send a ping from a device behind the Spoke to a device behind the Hub, so that the hardware encryption and CEF takes place to deal with the packets in a faster way.

HI Ricardo , 

We have multiple spoke sites , Its seems to be issue with only one site . 

Have already checked the memory and CPU utilization on HUB and SPOKE router its seems to be fine not going more then 5 % . 

And we are not using any module for Crypto 

Have also checked by pinging behind the HUB and Spoke the latency is same as i am getting from ROUTER to ROUTER 

Are you able to upgrade both devices to a gold star release like 15.4.3M5?

I've used 15.4.3M5 for what you are doing a lot and it has been rock solid reliable.

Carlos Villagran
Cisco Employee
Cisco Employee

Hi!

This behavior could be caused because of High CPU in Spoke Router can you check it using the show process cpu sorted?

This behavior can be caused for high throughput in the tunnel interface since tunnel traffic is software processed.

Best regards!

JC

Review Cisco Networking for a $25 gift card