
IPsec speed limitation on Cisco 3925

Hello,

 

I've just been facing a strange behavior.

 

I've an IPsec tunnel VPN between a Cisco 2911 and 3925. Both have the SEC license, and the tunnel is UP. Routing is working, traffic goes through the tunnel.

I've set up a GRE tunnel to go through this IPsec tunnel, with OSPFv3, and all is good. Routes are exchanged, all is working fine. I paid special attention to all the MTU sizes because my 3925 is connected via a Dialer interface (1492 MTU) and my 2911 via Ethernet (1500).

CE router (2911) has a 100/20 Mbps line (down/up) and PE router (3295) has a 100/30 Mbps line (down/up). 

 

When trying to get a NAS synchronisation, I see that my 3925 router caps the traffic at 10.5 Mbps in upload through the VPN tunnel. If I use the internet I have 30~32 Mbps. It's like there is a limitation somewhere with the VPN, but I don't know what it is and I can't get my hands on this issue.

I performed an iPerf3 test to validate; the VPN is clearly saturated at 10.5 Mbps from 3925 to 2911. But from 2911 to 3925 I can get 20 Mbps (max upload of the line) through the VPN. I'm just stuck for now.

 

Maybe someone has an idea?

 

 

 


Hello,

 

It is hard to figure out from your description what the actual problem is. Post a diagram showing your topology, and indicate what connection is slower than expected. Also, post the full configurations of both routers...

Cristian Matei

Hi,

 

I would look in two places:

- ensure your MTU is properly configured on both sides (so the routers don't end up fragmenting both before GRE and before IPsec); here's an amazing document to really understand the challenges: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

- upgrade to a more stable IOS version, maybe you hit a bug

 

Regards,

Cristian Matei.

Hi,

Thank you for responding.

@Cristian Matei I've set up my network following the document you provided. It's a really good reference. This is mainly why I'm stuck: even with all the recommendations, I have this limitation only in transmit on the 3925.

I'm on IOS 15.7(3)M3, on both ends. I'll follow your advice to upgrade to another version.

 

@Georg Pauwen 

Scenario 1 : Upload measure with direct internet

Site A 20 Mbps ISP Upload, Cisco 2911

Site B 36 Mbps ISP Upload, Cisco 3925

 

PC1 ==== Router A ===== [Internet] ===== Router B ==== PC2

 

When I Upload from PC1 with iPerf3 in TCP, I receive 20Mbps at PC2

When I Upload from PC2 with iPerf3 in TCP, I receive 34Mbps at PC1

This test proves that my upload at both sides is honored by both ISPs and both routers are capable of handling it.

 

 

Scenario 2 : Upload measure with direct internet

Site A 20 Mbps ISP Upload, Cisco 2911

Site B 36 Mbps ISP Upload, Cisco 3925

 

PC1 ==== Router A ===== [vpn tunnel through internet] ===== Router B ==== PC2

 

When I Upload from PC1 with iPerf3 in TCP, I receive 20Mbps at PC2

When I Upload from PC2 with iPerf3 in TCP, I receive 10.5Mbps at PC1

This test shows the upload from the 3925 through the VPN doesn't go higher than 10.5Mbps.
The VPN, tunnel and routing are the same on both ends. MTUs are good, and the Cisco 2911 goes higher than the 3925 with the same config.

 

Thanks for your time guys.

 

Regards

Jim

Hello,

 

Post the full running configurations, maybe we can spot something...
