06-14-2012 07:52 AM - edited 03-04-2019 04:40 PM
We have multiple sites that have either fiber 20mb d/u or cable 50/10 d/u. Recently we upgraded our head end router to a 2921 security based router and noticed that, no matter if we are sending or receiving, the most we can push is 1.6Mb. I would expect this number to be at least 8Mb for uploading and at least 18mb for downloading from other sites.
I have included parts of my config and screen shots of bandwidth usage to help with the troubleshooting.
Head End - 2921
(config)
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 1440
!
crypto isakmp key secret address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec transform-set ERS-AES-SHA esp-aes 256 esp-sha-hmac
!
interface Tunnel0
bandwidth 10000
bandwidth receive 50000
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication ERS2Way
ip nhrp map multicast dynamic
ip nhrp network-id 990
ip nhrp holdtime 360
ip tcp adjust-mss 1360
delay 1000
cdp enable
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 4515
tunnel protection ipsec profile ersvpn
!
router eigrp 100
network 172.16.0.0
redistribute static
Remote End - 2811
(config)
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 1440
crypto isakmp key secret address 1.1.1.1
!
!
crypto ipsec transform-set ERS-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile ersvpn
set transform-set ERS-AES-SHA
!
interface Tunnel0
bandwidth 20000
bandwidth receive 20000
ip address 172.16.1.4 255.255.255.0
ip mtu 1400
ip nhrp authentication ERS2Way
ip nhrp map 172.16.1.1
ip nhrp network-id 990
ip nhrp holdtime 360
ip nhrp nhs 172.16.1.1
ip tcp adjust-mss 1360
no ip mroute-cache
delay 1000
qos pre-classify
cdp enable
tunnel source FastEthernet0/0
tunnel destination 1.1.1.1
tunnel key 4515
tunnel protection ipsec profile ersvpn
!
router eigrp 100
network 172.16.0.0
network 192.168.34.0
auto-summary
06-14-2012 08:22 AM
John,
You are most likely running into an issue with the remote router process switching the VPN tunnel packets.
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
The 2811 is only capable of 1.6 Mbps of throughput for process switched packets which matches the throughput you are getting.
06-14-2012 08:40 AM
Is there a way to use ip cef instead of process switching on the routers?
All of my remote offices are 2811 and my tower locations 881.
06-14-2012 08:43 AM
I guess I should verify stuff before I post.
I did a show ip cef and it shows all of my tunnel addresses. I then ran a sh cef int tun 0 and it shows the following.
Corresponding hwidb fast_if_number 8
Corresponding hwidb firstsw->if_number 8
Internet address is 172.16.1.4/24
ICMP redirects are always sent
Per packet load-sharing is disabled
IP unicast RPF check is disabled
Inbound access list is not set
Outbound access list is not set
Interface is marked as point to point interface
Interface is marked as tunnel interface
Hardware idb is Tunnel0
Fast switching type 14, interface type 0
IP CEF switching enabled
IP CEF Feature Fast switching turbo vector
Input fast flags 0x2000000, Input fast flags2 0x0, Output fast flags 0x208000, Output fast flags2 0x0
ifindex 5(5)
Slot -1 Slot unit -1 Unit 0 VC -1
Transmit limit accumulator 0x0 (0x0)
IP MTU 1400
Real output interface is FastEthernet0/0
So how would I disable the process switching so it will run on CEF only?
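One way to test the process-switching diagnosis given in the reply above, as an added example that is not part of the original thread: "IP CEF switching enabled" on the interface does not by itself show which path packets take, but the cumulative per-path counters from `show interfaces Tunnel0 stats` do. The sample output below is constructed for illustration (its counter values are invented), and the function names are this example's own.

```python
import re

# Constructed sample in the layout of IOS `show interfaces Tunnel0 stats`;
# the counter values are invented for illustration, not taken from the thread.
SAMPLE = """\
Tunnel0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor     481220  312793000     455310  295951500
             Route cache      12034    7822100      11987    7791550
                   Total     493254  320615100     467297  303743050
"""

ROW = re.compile(r"^\s*(Processor|Route cache|Distributed cache|Total)"
                 r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_switching_stats(text):
    """Return {path: (pkts_in, chars_in, pkts_out, chars_out)}."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            stats[m.group(1)] = tuple(int(g) for g in m.groups()[1:])
    if "Processor" not in stats:
        raise ValueError("no 'Processor' row; expected 'show interfaces ... stats' output")
    return stats

def process_switched_share(stats):
    """Fraction of packets (in + out) that went through the CPU process path."""
    proc = stats["Processor"][0] + stats["Processor"][2]
    # Sum the per-path rows instead of trusting 'Total', which may be missing.
    total = sum(v[0] + v[2] for k, v in stats.items() if k != "Total")
    return proc / total if total else 0.0

def delta(before, after):
    """Counters are cumulative, so subtract two snapshots taken around a test transfer."""
    return {k: tuple(a - b for a, b in zip(after[k], before.get(k, (0,) * 4)))
            for k in after}

if __name__ == "__main__":
    s = parse_switching_stats(SAMPLE)
    print(f"process-switched share: {process_switched_share(s):.1%}")
```

Taking one snapshot before and one after a test transfer and passing both to `delta()` isolates the tunnel traffic generated by the test from whatever the counters had already accumulated.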