02-11-2011 02:15 AM - edited 03-04-2019 11:23 AM
Hi All,
We have a 10 MB Internet link at one of our DMVPN spoke sites, which is connected to the hub site (20 MB link).
When I ran an "iperf" test, I found that we are getting 1.5 MB, which is not even close to the actual speed.
The router we have at spoke site is 1841.
IOS image "c1841-advsecurityk9-mz.124-24.T3.bin"
Routing protocol is EIGRP.
Can someone please help me find out what is causing this and how to fix it?
Thanks in advance.
Regards,
Naidu.
02-11-2011 08:47 AM
I get into this all the time. I look at link "speed" as a measure of capacity at a given moment in time, not "speed".
I would be curious about how you tested. There are some TCP parameters that govern how much data a given device tries to put on the wire.
02-11-2011 10:50 AM
A speed and duplex mismatch will result in performance similar to this (I have encountered this numerous times), which results in speeds around 1 Mbps.
02-11-2011 11:05 AM
Naidu
As indicated in the other post there are a number of things, including setting of TCP parameters, which can affect the throughput speed. If we knew more about your situation we might be able to provide better answers. But as a starting point I would list these as things to investigate:
- you tell us that it is a 10 Mb connection. But you do not tell us whether this connection is direct to the peer router, or is it (more likely) a connection to an ISP who then forwards the traffic to the peer router? If it is a connection to an ISP it might be closer to 10 Mb to that provider but only 1.5 getting through the Internet to the peer router.
- you tell us that it is DMVPN which tells us that there is encryption involved. How is the overhead of encryption being handled on the router? And how is it handled on the other router (since performance issues on the other router will impact how quickly your router traffic is handled and how quickly responses are generated for your router)?
- does your 1841 have the hardware to handle encryption in hardware rather than in the main CPU? And is the encryption hardware really working? I had an experience at a customer recently with an 1841 that does have the hardware module for encryption and the performance of the router was really bad. In troubleshooting the problem I found that performance actually improved when I disabled the hardware encryptor. (needless to say an RMA was arranged for that hardware).
- was there other traffic using the link at the same time that you were testing?
- how much distance is there between the peer routers? The longer the distance, the greater the impact on performance of the connection.
- is it possible that there were out of order packets? For TCP out of order is not a big problem and TCP has mechanisms to recognize and deal with out of order packets. But when using IPSec (for DMVPN) out of order packets cause errors in the IPSec processing.
HTH
Rick
02-13-2011 11:58 PM
Hi Rick and All,
Thanks for your response.
Below is the detailed information.
The WAN interface at my end, which is connected to the ISP router at the site, is set to duplex full and speed 100.
- you tell us that it is a 10 Mb connection. But you do not tell us whether this connection is direct to the peer router, or is it (more likely) a connection to an ISP who then forwards the traffic to the peer router? If it is a connection to an ISP it might be closer to 10 Mb to that provider but only 1.5 getting through the Internet to the peer router.
My 1841 router is connected to the ISP router at the site through FastEthernet0/0.
- you tell us that it is DMVPN which tells us that there is encryption involved. How is the overhead of encryption being handled on the router? And how is it handled on the other router (since performance issues on the other router will impact how quickly your router traffic is handled and how quickly responses are generated for your router)?
The encryption seems to be handled fine on the router, and there is only one router at the site. Is there any way to check how the encryption is being handled on the router?
- does your 1841 have the hardware to handle encryption in hardware rather than in the main CPU? And is the encryption hardware really working? I had an experience at a customer recently with an 1841 that does have the hardware module for encryption and the performance of the router was really bad. In troubleshooting the problem I found that performance actually improved when I disabled the hardware encryptor. (needless to say an RMA was arranged for that hardware).
Yes, it has an onboard AIM module on the router.
#sh hardwa
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 23-Mar-10 04:46 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
BremenRTR uptime is 6 weeks, 1 day, 19 hours, 26 minutes
System returned to ROM by reload at 14:20:35 utc Sat Jan 1 2011
System image file is "flash:c1841-advsecurityk9-mz.124-24.T3.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 1841 (revision 6.0) with 237568K/24576K bytes of memory.
Processor board ID FCZ1037221F
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
Is that information sufficient to know the AIM module status, or else can you please tell me how I can check the onboard VPN module status?
- was there other traffic using the link at the same time that you were testing?
No, I tested in off-peak hours.
- how much distance is there between the peer routers? The longer the distance, the greater the impact on performance of the connection.
Both my 1841 and the PE are in the same building, as the PE router is directly connected to Fa0/0 on my 1841.
- is it possible that there were out of order packets? For TCP out of order is not a big problem and TCP has mechanisms to recognize and deal with out of order packets. But when using IPSec (for DMVPN) out of order packets cause errors in the IPSec processing.
There are no TCP out-of-order packet parameters configured on my router.
vmiller,
I would be curious on how you tested. there are some tcp parameters that govern how much data a given device tries to
I have tested the speed using "iperf", a tool to test WAN link bandwidth.
Can you let me know what those parameters are that govern how much data a given device tries to?
Please advise.
Regards,
Naidu.
02-14-2011 04:16 AM
- Have you spoken to your ISP about your concerns? There may be a fault within their network.
- Have you tried measuring bandwidth consumption on your link using SNMP? There are several free SNMP network monitoring tools out there that you can use. Several providers also offer 30 day free trial versions.
- If you perform the iperf test at different times in the day do you get the same results?
- What is CPU and memory consumption like on the router?
- Do you have QoS enabled on your router?
Performing the iperf test after hours may not always be the best time. This is often the time the server guys are remotely backing up servers or distributing new virus updates to PCs etc.
02-14-2011 06:11 AM
Naidu
There is one part of your response that I would like to explore before we consider the other parts. You tell us that your router is set for 100 Mb and full duplex. Just to be clear - you are saying that your router interface is configured duplex full?
In this case I would suggest that you talk to the ISP and verify how their router is configured and how it is operating. In my experience most ISP equipment is set for auto negotiation of duplex. If your router is configured for full duplex and their router is configured for auto, then the result is that your router operates in full duplex and their router operates in half duplex. The duplex mismatch would certainly impact performance. So verify with the ISP how their router is configured and what its operating state is and let us know the results.
HTH
Rick
02-14-2011 01:06 AM
Hi naidu,
You could perform an FTP test behind the LAN port with a static IP on your PC/laptop. Alternatively, you can ask your SP to perform an RFC 2544 (throughput and BER test) onsite.
02-14-2011 04:40 AM
Hi Latchum,
Running iperf on defaults mostly delivers sub-optimal results.
Check what happens when you adjust the TCP window size (-w option).
This may provide better figures.
Second remark:
Be aware of MTU issues. A max size frame could become fragmented over the DMVPN.
This will slow things down. It is better to pick a lower MTU to prevent this from occurring.
regards,
Leo
02-15-2011 02:41 AM
Hi All,
Sorry for the delayed response, as I am in the IST zone.
Both my end's and the provider's interfaces are set to duplex full and speed 100.
The ISP is telling me that there are no problems in their network.
I measured the link utilization with SolarWinds and it is 30% avg.
CPU average utilization on the router is 50% for last 60 minutes and spikes up to 90% in rare times.
No QoS on the router.
Leo...
Regarding the MTU, I have specified "ip mtu 1400" on my DMVPN tunnel.
And when I tested ping to google.com from my WAN interface with size 55535, the packets were completely dropped, even with size 5535.
But when I tested with size 535 it is pinging with no packet drops. Please find the output below and tell me what I need to ask the provider.
#pi 74.125.79.99 size 55535 repe 100 source fastEthernet 0/0
Type escape sequence to abort.
Sending 100, 55535-byte ICMP Echos to 74.125.79.99, timeout is 2 seconds:
Packet sent with a source address of xxx.xx.xx.xxx
.............
Success rate is 0 percent (0/13)
BremenRTR#pi 74.125.79.99 size 35535 repe 100 source fastEthernet 0/0
Type escape sequence to abort.
Sending 100, 35535-byte ICMP Echos to 74.125.79.99, timeout is 2 seconds:
Packet sent with a source address of xxx.xx.xx.xxx
....................
Success rate is 0 percent (0/20)
BremenRTR#pi 74.125.79.99 size 5535 repe 100 source fastEthernet 0/0
Type escape sequence to abort.
Sending 100, 5535-byte ICMP Echos to 74.125.79.99, timeout is 2 seconds:
Packet sent with a source address of xxx.xx.xx.xxx
................
Success rate is 0 percent (0/16)
BremenRTR#pi 74.125.79.99 size 535 repe 100 source fastEthernet 0/0
Type escape sequence to abort.
Sending 100, 535-byte ICMP Echos to 74.125.79.99, timeout is 2 seconds:
Packet sent with a source address of xxx.xx.xx.xxx
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 40/59/104 ms
Please let me know if you need any more tests.
Regards,
Naidu.
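Added example (not part of any post in this thread): a small calculator for the two effects raised above, the TCP window limit behind the iperf "-w" suggestion and IPv4 fragmentation for the ping sizes and the "ip mtu 1400" tunnel setting. Assumptions: the 59 ms average RTT from the ping output stands in for the spoke-to-hub RTT, link rates are read as Mbit/s, the ping size is taken as the IP datagram length, the WAN interface MTU is 1500, and the window sizes are constructed sample values.

```python
import math

IP_HEADER = 20  # IPv4 header without options (assumption: no IP options)

def fragments_needed(datagram_len, mtu):
    """IPv4 fragments needed to carry a datagram of datagram_len bytes over this MTU."""
    if datagram_len <= mtu:
        return 1
    payload = datagram_len - IP_HEADER
    per_fragment = (mtu - IP_HEADER) // 8 * 8   # fragment offsets count 8-byte units
    return math.ceil(payload / per_fragment)

def window_limited_mbps(window_bytes, rtt_ms):
    """Ceiling for one TCP stream: at most one window in flight per round trip."""
    return window_bytes * 8 / (rtt_ms / 1000) / 1e6

def window_for_rate(rate_mbps, rtt_ms):
    """Bandwidth-delay product in bytes: window needed to keep the link full."""
    return math.ceil(rate_mbps * 1000 * rtt_ms / 8)

def report(rate_mbps=10, rtt_ms=59, if_mtu=1500, tunnel_mtu=1400):
    """Build the summary lines for the assumed link rate, RTT and MTUs."""
    lines = []
    for window in (8 * 1024, 16 * 1024, 64 * 1024):   # constructed window sizes
        ceiling = min(window_limited_mbps(window, rtt_ms), rate_mbps)
        lines.append(f"window {window:6d} B -> at most {ceiling:5.2f} Mbit/s")
    lines.append(f"window to fill {rate_mbps} Mbit/s at {rtt_ms} ms: "
                 f"{window_for_rate(rate_mbps, rtt_ms)} B")
    for size in (55535, 35535, 5535, 535):            # ping sizes from the thread
        lines.append(f"ping size {size:5d} -> {fragments_needed(size, if_mtu)} "
                     f"fragment(s) at MTU {if_mtu}")
    lines.append(f"1500-byte packet into tunnel (ip mtu {tunnel_mtu}) -> "
                 f"{fragments_needed(1500, tunnel_mtu)} fragments")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

The window figures are upper bounds for a single TCP stream only; router CPU load and encryption overhead, both discussed in the thread, are not modelled.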