10-22-2013 07:22 PM - edited 03-04-2019 09:23 PM
I am troubleshooting a performance issue on a GRE over IPSEC tunnel between two sites.
After a lot of research, I ended up lowering the MTU size and configuring an mss value and this has reduced 99% of the fragmentation I was experiencing. The issue now is that the throughput is only a portion of the WAN link. Both sites are connected by a 100 Mbps metro e but when doing testing on it I can't seem to get any higher than 25-30 Mbps. I figured I would lose some due to the tunnel but not as much as I am.
See the configuration of the tunnel interface below:
Router 1
interface Tunnel0
bandwidth 100000
ip address X.X.X.X X.X.X.X
ip mtu 1400
ip tcp adjust-mss 1360
delay 1
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0
tunnel destination X.X.X.X
and the physical interface:
interface GigabitEthernet0/0
description BlahBlah
ip address X.X.X.X X.X.X.X
duplex auto
speed auto
crypto map CM
Router 2
interface Tunnel0
bandwidth 100000
ip address X.X.X.X X.X.X.X
ip mtu 1400
ip tcp adjust-mss 1360
delay 2970
keepalive 10 3
tunnel source GigabitEthernet0/0
tunnel destination X.X.X.X
Physical interface:
interface GigabitEthernet0/0
ip address X.X.X.X X.X.X.X
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map CM
Also EIGRP is being used.
Any ideas as to how to address this problem?
Thanks
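Added example, not from the original thread: it works through the MTU/MSS arithmetic behind the `ip mtu 1400` / `ip tcp adjust-mss 1360` pair above and shows why that pair keeps a full-size GRE packet under 1500 bytes once ESP is added. It assumes ESP tunnel mode with AES-CBC and HMAC-SHA1-96 (the thread does not show the transform set, so the overhead figures are an assumption).

```python
# Added example (not from the original thread). Assumes ESP tunnel mode with
# AES-CBC + HMAC-SHA1-96 on the crypto map; adjust the constants for other
# transform sets.

IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
GRE_HDR = 4          # GRE header without key/sequence fields
ESP_HDR = 8          # SPI + sequence number
AES_IV = 16          # CBC IV for AES
AES_BLOCK = 16       # payload + padding + trailer must align to this
ESP_TRAILER = 2      # pad length + next header
SHA1_ICV = 12        # HMAC-SHA1-96 integrity check value
LINK_MTU = 1500      # physical Ethernet MTU on Gi0/0


def mss_for_mtu(ip_mtu: int) -> int:
    """Largest TCP segment that fits in one packet of ip_mtu bytes."""
    return ip_mtu - IP_HDR - TCP_HDR


def esp_tunnel_size(inner_len: int) -> int:
    """Size on the wire of an inner_len-byte packet after ESP tunnel mode."""
    unpadded = inner_len + ESP_TRAILER
    padded = -(-unpadded // AES_BLOCK) * AES_BLOCK  # round up to block size
    return IP_HDR + ESP_HDR + AES_IV + padded + SHA1_ICV


def gre_ipsec_wire_size(ip_mtu: int) -> int:
    """Largest tunnel packet (ip_mtu bytes) after GRE, then ESP, encapsulation."""
    gre_packet = ip_mtu + IP_HDR + GRE_HDR
    return esp_tunnel_size(gre_packet)


def check_tunnel(ip_mtu: int, adjust_mss: int) -> dict:
    """Reports whether an ip mtu / adjust-mss pair avoids fragmentation on the link."""
    wire = gre_ipsec_wire_size(ip_mtu)
    return {
        "mss_matches_mtu": adjust_mss == mss_for_mtu(ip_mtu),
        "wire_size": wire,
        "fragments": wire > LINK_MTU,
    }


if __name__ == "__main__":
    # 1400/1360 is the posted pair; the other two show where fragmentation returns
    for mtu, mss in ((1400, 1360), (1420, 1380), (1500, 1460)):
        print(mtu, mss, check_tunnel(mtu, mss))
```

With these overheads a 1400-byte tunnel packet leaves the router as 1496 bytes, while 1420 would already exceed 1500 and fragment.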
10-22-2013 07:54 PM
2 questions. What model router? Have you tried a speed test or file transfer without the IPSec tunnel to see if you're truly getting 100Mbps on the link?
10-23-2013 07:59 AM
Jeff
The router models are 2951 and 2921.
I have not tested just GRE without IPSEC. I have been testing with an application called iperf which sends files between a server and a client and reports the file sizes and transfer rate.
10-22-2013 08:12 PM
The issue now is that the throughput is only a portion of the WAN link. Both sites are connected by a 100 Mbps metro e but when doing testing on it I can't seem to get any higher than 25-30 Mbps.
Hmmmm ... I'm suspecting you are using a 2900 router.
Can you please post the following commands:
1. sh version; and
2. sh crypto engine brief
10-23-2013 07:58 AM
Leo
The hardware is
2951 on one end and 2921 on the other
10-23-2013 08:11 AM
Leo
See below the Output of the requested commands.
Thanks
R1#sh ver
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.3(2)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 28-Mar-13 13:17 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M13, RELEASE SOFTWARE (fc1)
R1 uptime is 26 weeks, 3 days, 21 hours, 1 minute
System returned to ROM by reload at 17:52:23 UTC Sat Apr 20 2013
System image file is "flash:c2951-universalk9-mz.SPA.153-2.T.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco CISCO2951/K9 (revision 1.1) with 487424K/36864K bytes of memory.
Processor board ID FTX1628AL00
3 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 72 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO2951/K9 FTX1628AL00
Technology Package License Information for Module:'c2951'
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
uc None None None
data None None None
Configuration register is 0x2102
R1#sh crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
FW Version: 1
Time running: 4294967 seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0000
Maximum SA index: 0000
Maximum Flow index: 8000
Maximum RSA key size: 0000
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: 10EEF1A5
crypto engine state: installed
crypto engine in slot: N/A
RTR02#sh ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 07-Nov-12 14:08 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
RTR02 uptime is 26 weeks, 5 days, 22 hours, 55 minutes
System returned to ROM by reload
System restarted at 12:08:45 Eastern Thu Apr 18 2013
System image file is "flash0:c2900-universalk9-mz.SPA.152-4.M2.bin"
Last reload type: Normal Reload
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco CISCO2921/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FTX1711ALHK
3 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO2921/K9 FTX1711ALHK
Technology Package License Information for Module:'c2900'
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
uc None None None
data None None None
Configuration register is 0x2102
RTR02#sh crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
HW Version: 1.0
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 0000
Maximum DH index: 0000
Maximum SA index: 0000
Maximum Flow index: 3600
Maximum RSA key size: 0000
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: 2172EDC3
crypto engine state: installed
crypto engine in slot: N/A
10-23-2013 08:36 AM
I keep seeing this in the logs:
Oct 22 19:52:44.250: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Could this be related? I have read that the SEC-K9 license limits encrypted throughput to less than or equal to 85-Mbps unidirectional traffic.
I just expected to see higher numbers than 30.
Thanks
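Added example, not from the original thread: a small log check that picks out the `%CERM-4-RX_BW_LIMIT` message quoted above (and its Tx counterpart) and compares the licensed crypto rate with the `bandwidth 100000` configured on Tunnel0. The sample log is constructed; only its first line mirrors the message in the thread.

```python
# Added example (not from the original thread): detects CERM crypto
# bandwidth-limit messages in syslog and compares the licence cap with the
# configured tunnel bandwidth.
import re
from collections import Counter

CERM_RE = re.compile(
    r"%CERM-4-(?P<dir>RX|TX)_BW_LIMIT: Maximum (?:Rx|Tx) Bandwidth limit of "
    r"(?P<kbps>\d+) Kbps reached"
)

# Constructed sample: first line copied from the thread, the rest made up.
SAMPLE_LOG = """\
Oct 22 19:52:44.250: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Oct 22 19:53:10.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Oct 22 19:55:01.118: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
"""


def parse_cerm_events(log_text: str) -> list:
    """Returns (direction, limit_kbps) for every CERM bandwidth-limit message."""
    events = []
    for line in log_text.splitlines():
        m = CERM_RE.search(line)
        if m:
            events.append((m.group("dir"), int(m.group("kbps"))))
    return events


def crypto_cap_report(log_text: str, tunnel_bandwidth_kbps: int) -> dict:
    """Counts hits per direction and flags a licence cap below the tunnel bandwidth."""
    events = parse_cerm_events(log_text)
    hits = Counter(direction for direction, _ in events)
    limits = {kbps for _, kbps in events}
    lowest = min(limits) if limits else None
    return {
        "rx_hits": hits["RX"],
        "tx_hits": hits["TX"],
        "licensed_kbps": lowest,
        "cap_below_link": lowest is not None and lowest < tunnel_bandwidth_kbps,
    }


if __name__ == "__main__":
    # 100000 Kbps is the "bandwidth 100000" on Tunnel0 in the posted config
    print(crypto_cap_report(SAMPLE_LOG, 100000))
```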
10-23-2013 09:16 AM
Hi Raul,
The very first thing that comes to mind is that the Gig interfaces have been set to auto negotiate the speed. Can you check what speeds the interfaces have negotiated to? If it is 1000 Mbps, the line speed is more than the carrier-contracted BW of 100 Mbps, which means anything above 100 Mbps sent over that will be discarded by the carrier. You can limit the interface capacity by hard coding the speed to 100 Mbps, which is the best option, and if that's not possible, try traffic shaping the BW down to 100 Mbps.
HTH
Regards
Umesh Shetty
10-23-2013 10:48 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I keep seeing this in the logs:
Oct 22 19:52:44.250: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
Could this be related? I have read that the SEC-K9 license limits encrypted throughput to less than or equal to 85-Mbps unidirectional traffic.
I just expected to see higher numbers than 30.
Yes, I would see that as an impediment. It also would imply you're bursting above 85 Mbps. Moreover, if going above this limit drops packets, and/or packets are being dropped because you're able to burst above your MetroE limits (as also noted by Umesh), either can be very adverse to TCP transfer performance.
10-24-2013 02:34 PM
Raul,
A 2900 router does not have the "oomph" to push 100 Mbps.
10-24-2013 05:50 PM
Actually Cisco documents a 2921's maximum IPSec performance at 207 Mbps and a 2951's maximum at 282 Mbps, so in theory either could push (but barely) 100 Mbps (duplex), but their recommendation bandwidths, still for IPSec, are 72 and 103 Mbps, respectively. (Note: bandwidths are aggregates.)
In attachment, see tables 2 and 7.