Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
524
Views
0
Helpful
4
Replies

Thoughput issue on DMVPN with IPSec

matthewthw
Level 1
Level 1

‎03-27-2019 05:36 PM

I have setup a DMVPN network over a ISP MPLS network.

 

And I have conduct file transfer test from one end to the other end though the DMVPN network, and find that the thoughput is 80% of the link bandwidth (e.g the link bandwidth is 10Mbps but the actual thoughput is arpund 8Mbps)

 

My setup on the IPSec is ESP-AES with ESP-SHA-Hmac and on the tunnel,

Mtu size 1400 and ip tcp adjust mss is 1360 according to thw best pratice from Cisco.

 

Is there any way to fine tune my parameter to enhance the thoughput to reach 10Mbps?

Labels:
0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎03-27-2019 05:39 PM - edited ‎03-27-2019 05:42 PM

what kind of device in the network, what is the IOS Code you running on them

show can you provide show version, and show running config .

 

Important check the CEF config on tunnel interface.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni

‎03-27-2019 08:18 PM

Hi,

Can you share some more information as Hardware details, IOS details, Both end Internet connection Bandwidth, Delay between your ISP (Check online) and other Internet uses and CEF status?

 

Second, As you are getting 80% throughout of your total bandwidth so I am not looking any issue with configuration or etc. Of course, you will not  100% throughput over the VPN because of VPN is also an overlay communication. Somehow it will depend on the underlying network.

 

Regards,

Deepak Kumar

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

Georg Pauwen
VIP
VIP

‎03-28-2019 12:02 AM

Hello,

 

on a side note, you could try and configure tunnel path mtu discovery on your tunnel interfaces:

 

interface Tunnel0
tunnel path-mtu-discovery

 

Also, depending on your tunnel configuration, if you use mode transport, that will slightly decrease the MSS payload (not sure if that makes much of a difference when it comes to throughput in your case):

 

crypto ipsec transform-set TS esp-aes 192 esp-sha-hmac
mode transport

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎03-28-2019 06:21 AM

How/what are you measuring for 8 Mbps throughput? Is this a the data transfer measurement? If so, besides the "lost" bandwidth to the tunnel and IPSec, don't forget the "lost" bandwidth due to L4 (TCP), L3 (IP) and L2 (frame) overhead as often 10 Mbps of link bandwidth is often noted for the physical bandwidth.

Also keep in mind, unless you've tuned the hosts for exactly the right number of buffers for the BDP, protocols like TCP will either under perform (i.e. they self limit their bandwidth usage due to insufficient buffers) or will exceed available physical bandwidth and back-off their transmission rate (due to too many buffers). The latter will generally average less than the maximum available bandwidth (the transmission rate graph tends to look saw tooth).
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card