10-16-2013 07:54 AM - edited 03-04-2019 09:20 PM
Recently I have configured a VTI interface between two 2921 routers. The link between the two routers is 100 Mb, but the tunnel doesn't seem to be able to pass that much traffic. I've noticed some differences between the MTU and bandwidth on the Tunnel interface versus the physical interface. Is this normal for a VTI?
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.193.127/31
MTU 17862 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 43/255, rxload 99/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 1**.***.***.1, destination 1**.***.***.2
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1422 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "RD_VTI")
Last input 4w2d, output 4w6d, output hang never
Last clearing of "show interface" counters 4w2d
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 176
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 123000 bits/sec, 157 packets/sec
30 second output rate 1994000 bits/sec, 233 packets/sec
836701737 packets input, 47577560492 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1506226971 packets output, 1926214877370 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
10-16-2013 08:37 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Cisco recommends the 2921 for up to 50 Mbps of WAN bandwidth, and also notes 207 Mbps throughput for IPSec. I.e. 100 Mbps (duplex) might be near the limits of a 2921's performance.
However, IPSec performance can be adversely impacted by fragmentation, something an optimal configuration avoids.
You may find this helpful: http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
10-16-2013 08:45 AM
Here is the tunnel config.
policy-map DR
 class class-default
  shape average percent 95
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key 6
crypto isakmp keepalive 10
crypto ipsec transform-set ESP-AES-ESP-SHA512-HMAC esp-aes esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile RD_VTI
 set transform-set ESP-AES-ESP-SHA512-HMAC
interface Tunnel2112
 ip address 192.168.193.127 255.255.255.254
 ip mtu 1418
 no ip route-cache
 ip tcp adjust-mss 1300
 load-interval 30
 tunnel source 1**.***.***.1
 tunnel mode ipsec ipv4
 tunnel destination 1**.***.***.2
 tunnel protection ipsec profile RD_VTI
 service-policy output DR
interface GigabitEthernet0/1
 ip address 1**.***.***.1 255.255.255.252
 no ip route-cache
 duplex full
 speed 100
!
10-16-2013 09:04 AM
Without deep analysis, your adjust-mss seems overly small; IP MTU less 40 is the common setting.
There are benefits to enabling PMTUD on the tunnel interface (see my earlier Cisco white paper reference).
So what does the shaper at 95% shape at? Why are you shaping?
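The arithmetic behind "IP MTU less 40" and the Tunnel transport MTU of 1422 in the show output above, as an added example that is not part of the thread or of any Cisco documentation. It assumes the posted transform set (esp-aes is AES-CBC with a 16-byte IV and block, esp-sha512-hmac carries the 32-byte truncated ICV of RFC 4868), an outer IPv4 header without options, no GRE (tunnel mode ipsec ipv4) and a 1500-byte physical MTU; the esp-sha-hmac entry with a 12-byte ICV is added for comparison. The check_tunnel helper and its field names are this example's own, not IOS output.

```python
# Added example (not from the thread): ESP tunnel-mode overhead arithmetic for
# an IPsec VTI, reproducing the "Tunnel transport MTU 1422" shown above and the
# "ip mtu less 40" MSS rule. Assumptions: esp-aes is AES-CBC (16-byte IV and
# block; key length does not change overhead), esp-sha512-hmac carries a
# 32-byte ICV (HMAC-SHA-512-256, RFC 4868), esp-sha-hmac a 12-byte ICV, the
# outer IPv4 header has no options, and the physical MTU is 1500 bytes.
# "tunnel mode ipsec ipv4" adds no GRE header.
from dataclasses import dataclass

OUTER_IPV4_HDR = 20   # outer IPv4 header prepended in tunnel mode
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
TCP_IP_HDRS = 40      # inner IPv4 (20) + TCP (20), no options


@dataclass(frozen=True)
class Transform:
    name: str
    iv_len: int     # IV bytes carried in clear in the ESP payload
    block_len: int  # cipher block size; inner packet + trailer is padded to it
    icv_len: int    # integrity check value bytes appended after the trailer


# Constructed table; the first entry is the transform set from the posted config.
TRANSFORMS = {
    "esp-aes esp-sha512-hmac": Transform("esp-aes esp-sha512-hmac", 16, 16, 32),
    "esp-aes esp-sha-hmac":    Transform("esp-aes esp-sha-hmac",    16, 16, 12),
}


def esp_wire_size(inner_len: int, t: Transform) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    body = inner_len + ESP_TRAILER                  # plaintext that gets padded
    padded = -(-body // t.block_len) * t.block_len  # round up to block boundary
    return OUTER_IPV4_HDR + ESP_HDR + t.iv_len + padded + t.icv_len


def max_inner_mtu(phys_mtu: int, t: Transform) -> int:
    """Largest inner packet that still fits phys_mtu after encapsulation.

    For the posted transform set this gives 1422, matching the
    "Tunnel transport MTU 1422 bytes" line in the show output.
    """
    room = phys_mtu - OUTER_IPV4_HDR - ESP_HDR - t.iv_len - t.icv_len - ESP_TRAILER
    # Round down so that inner packet + trailer lands exactly on a block boundary.
    return (room + ESP_TRAILER) // t.block_len * t.block_len - ESP_TRAILER


def recommended_mss(ip_mtu: int) -> int:
    """'IP MTU less 40': the largest TCP payload that fits one inner packet."""
    return ip_mtu - TCP_IP_HDRS


def check_tunnel(phys_mtu: int, t: Transform, ip_mtu: int, mss: int) -> dict:
    """Grade a configured ip mtu / ip tcp adjust-mss pair against the transform set.

    Hypothetical helper for this example; the field names are not IOS output.
    """
    transport_mtu = max_inner_mtu(phys_mtu, t)
    full_segment_wire = esp_wire_size(mss + TCP_IP_HDRS, t)
    return {
        "transport_mtu": transport_mtu,
        "mtu_fragments": ip_mtu > transport_mtu,           # VTI must fragment full-size packets
        "mss_exceeds_mtu": mss > recommended_mss(ip_mtu),  # segments larger than ip mtu
        "recommended_mss": recommended_mss(transport_mtu),
        # physical-MTU bytes left unused by every full-size TCP segment
        "wasted_per_segment": phys_mtu - full_segment_wire,
    }


if __name__ == "__main__":
    t = TRANSFORMS["esp-aes esp-sha512-hmac"]
    print("transport MTU:", max_inner_mtu(1500, t))
    print("as posted    :", check_tunnel(1500, t, ip_mtu=1418, mss=1300))
    print("as finalised :", check_tunnel(1500, t, ip_mtu=1422, mss=1382))
```

With the posted values (ip mtu 1418, adjust-mss 1300) nothing fragments, but every full TCP segment is padded up to the same 16-byte boundary and still leaves 80 bytes of the 1500-byte frame unused; ip mtu 1422 with adjust-mss 1382 fills the frame exactly. Any inner packet of 1423 bytes or more pushes the ESP packet past 1500 and forces fragmentation before or after encryption, which is the case PMTUD or a correct ip mtu is there to prevent.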
10-16-2013 10:16 AM
Thanks for the white paper, it's been helpful.
Shaping at 95% shapes based on the interface bandwidth. When I configured that, I was under the impression that it would use the physical interface bandwidth, but now I do not believe that is the case.
I used the following white paper as a guide for the configuration, and it is where the idea of the service policy came from:
10-16-2013 11:46 AM
You would normally only need to shape if there was a lower logical cap. For example, your hand-off was gig but with a 100 Mbps logical cap.
If you have full 100 Mbps, and your interface is also 100 Mbps, no need to shape.
10-18-2013 08:51 PM
I have changed the MTU size to 1422 and the MSS to 1382 with great success. I configured PMTUD for a bit, but some of our Oracle servers seemed to have some problems with it, so I had to remove that command.
Thanks for the help.
10-19-2013 02:52 AM
Thanks for letting us know.