01-19-2016 01:18 PM
Hello Everyone, I got 2851 router with on-board encryption module.
C2851#sho version
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1)
C2851#sho crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
FW Version: 01100200
Time running: 267280 seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0300
Maximum SA index: 0300
Maximum Flow index: 0600
Maximum RSA key size: 2048
Decided to test maximum speed via Site-to-Site IPSec tunnel. WAN link speed is 100 Mbits/s on both sites.
When I am trying to get a big iso image from a web server over ipsec tunnel, maximum speed is around 50 Mbits/s.
CPU usage is shown below:
C2851#sho processes cpu sorted 5sec
CPU utilization for five seconds: 68%/67%; one minute: 60%; five minutes: 25%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
3 2288 774 2956 0.40% 0.35% 0.16% 322 SSH Process
2 8904 53440 166 0.24% 0.19% 0.09% 0 Load Meter
68 25052 8344642 3 0.24% 0.18% 0.10% 0 EAP Framework
84 41852 249960 167 0.16% 0.13% 0.05% 0 IP Input
37 2364 209918 11 0.08% 0.01% 0.00% 0 Net Background
110 1332 267619 4 0.08% 0.00% 0.00% 0 Socket Timers
140 10936 2671154 4 0.08% 0.07% 0.03% 0 RBSCP Background
7 0 2 0 0.00% 0.00% 0.00% 0 Timers
C2851#sho processes cpu hist
100
90
80
70 **************************** ***************
60 ************************************************************
50 ************************************************************
40 ************************************************************
30 ************************************************************
20 ************************************************************
10 ************************************************************
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per second (last 60 seconds)
C2851#sho crypto engine accelerator statistic
Device: Onboard VPN
Location: Onboard: 0
:Statistics for encryption device since the last clear
of counters 267620 seconds ago
14135441 packets in 14135444 packets out
15232129666 bytes in 14818862406 bytes out
52 paks/sec in 52 paks/sec out
455 Kbits/sec in 442 Kbits/sec out
4097956 packets decrypted 10037485 packets encrypted
496703064 bytes before decrypt 14322163623 bytes encrypted
217394458 bytes decrypted 15014738200 bytes after encrypt
0 packets decompressed 0 packets compressed
0 bytes before decomp 0 bytes before comp
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass compres
0 bytes bypass decompres 0 bytes bypass compressi
0 packets not decompress 0 packets not compressed
0 bytes not decompressed 0 bytes not compressed
1.0:1 compression ratio 1.0:1 overall
Last 5 minutes:
2240094 packets in 2240070 packets out
7466 paks/sec in 7466 paks/sec out
63999789 bits/sec in 62351221 bits/sec out
36476760 bytes decrypted 2223948402 bytes encrypted
985858 Kbits/sec decrypted 60106713 Kbits/sec encrypted
1.0:1 compression ratio 1.0:1 overall
Then I tested download of the same iso file without IPSec using PAT(redirected to webserver). Speed was around 85 Mbits/s, CPU usage was around 40%. Please advise how to determine why speed over IPSec tunnel is only 50 Mbits/s and why encrypted traffic is using 70% of CPU.
Thank you
01-19-2016 04:04 PM
Look at this document (routerperformance.pdf). 2851 is slated for 112 Mbps. This value is expressed as one-way-traffic (send or receive) and no encryption.
Half the value and you'll get one-way-traffic plus encryption. Half this value further and you'll get two-way-traffic plus encryption.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide