Hi all,
I'm experiencing problems with the newest IOS version, I will try to explain here exactly what happened.
I'm running a GRE tunnel with IPSEC AES protection. Both IOS versions running exactly the same configuration file. With these results:
c1841-advipservicesk9-mz.151-4.M6 : 1,7MByte/s (uni) [99%/96% cpu]
: 1,7MByte/s (uni-16mbit) [96%/93% cpu]
c1841-advipservicesk9-mz.124-25g : 2,9MByte/s (uni) [99%/97% cpu]
2,0MByte/s (uni-16mbit) [77%/74% cpu]
Obviously the router isn't capable of retreiving the line speed provided by my ISP, therefore I've set a service-policy to cap the bandwidth at 16mbit for this tunnel. For the 12.4 version it will be sufficient, but the 15.1 version will still be running above it's capability.
This is my tunnel configuration:
interface Tunnel16
bandwidth 16384
ip address 10.0.0.2 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1352
tunnel source Loopback16
tunnel destination 4.4.4.4
tunnel bandwidth transmit 16384
tunnel bandwidth receive 16384
service-policy input 16MBIT (police cir 16777000 bc 375000 be 750000)
I've also tried rate-limit instead of service-policy giving me exactly the same results.
These are the related IPSEC configured settings:
crypto ipsec transform-set TRAN esp-aes 256 esp-sha-hmac
set transform-set TRAN
set pfs group2
The general information for this router:
Cisco 1841 (revision 7.0) with 352256K/40960K bytes of memory.
Processor board ID FCZ121210U5
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
250880K bytes of ATA CompactFlash (Read/Write)
I will show you here some results, that were significantly different from the other IOS:
15.1:
dsc#sh buffers
Buffer elements:
169 in free list (500 max allowed)
11451 hits, 0 misses, 617 created
Public buffer pools:
Small buffers, 104 bytes (total 71, permanent 50, peak 71 @ 00:42:26):
65 in free list (20 min, 150 max allowed)
21927 hits, 32 misses, 0 trims, 21 created
13 failures (0 no memory)
Middle buffers, 600 bytes (total 88, permanent 25, peak 88 @ 00:01:54):
76 in free list (10 min, 150 max allowed)
198539 hits, 196 misses, 0 trims, 63 created
28 failures (0 no memory)
Big buffers, 1536 bytes (total 134, permanent 50, peak 134 @ 00:40:34):
84 in free list (5 min, 150 max allowed)
369375 hits, 1088 misses, 0 trims, 84 created
593 failures (0 no memory)
VeryBig buffers, 4520 bytes (total 18, permanent 10, peak 18 @ 00:03:11):
18 in free list (0 min, 100 max allowed)
560 hits, 33 misses, 0 trims, 8 created
33 failures (0 no memory)
Large buffers, 5024 bytes (total 5, permanent 0, peak 5 @ 00:03:11):
5 in free list (0 min, 10 max allowed)
15 hits, 18 misses, 0 trims, 5 created
18 failures (0 no memory)
Huge buffers, 18024 bytes (total 1, permanent 0, peak 1 @ 00:43:04):
1 in free list (0 min, 4 max allowed)
5 hits, 13 misses, 0 trims, 1 created
13 failures (0 no memory)
Interface buffer pools:
Syslog ED Pool buffers, 600 bytes (total 133, permanent 132, peak 133 @ 00:42:26):
12.4:
Buffer elements:
1117 in free list (1119 max allowed)
5928 hits, 0 misses, 619 created
Public buffer pools:
Small buffers, 104 bytes (total 54, permanent 50, peak 54 @ 00:33:36):
51 in free list (20 min, 150 max allowed)
692009 hits, 26 misses, 0 trims, 4 created
0 failures (0 no memory)
Middle buffers, 600 bytes (total 52, permanent 25, peak 52 @ 00:20:09):
51 in free list (10 min, 150 max allowed)
713928 hits, 66 misses, 0 trims, 27 created
43 failures (0 no memory)
Big buffers, 1536 bytes (total 56, permanent 50, peak 56 @ 00:20:09):
56 in free list (5 min, 150 max allowed)
1321119 hits, 111 misses, 0 trims, 6 created
70 failures (0 no memory)
VeryBig buffers, 4520 bytes (total 11, permanent 10, peak 11 @ 00:24:12):
11 in free list (0 min, 100 max allowed)
53 hits, 17 misses, 0 trims, 1 created
17 failures (0 no memory)
Large buffers, 5024 bytes (total 1, permanent 0, peak 1 @ 00:24:12):
1 in free list (0 min, 10 max allowed)
1 hits, 16 misses, 0 trims, 1 created
16 failures (0 no memory)
Huge buffers, 18024 bytes (total 1, permanent 0, peak 1 @ 00:24:12):
1 in free list (0 min, 4 max allowed)
1 hits, 15 misses, 0 trims, 1 created
15 failures (0 no memory)
Interface buffer pools:
Syslog ED Pool buffers, 600 bytes (total 150, permanent 150):
118 in free list (150 min, 150 max allowed)
I noticed there are more big buffer failures in the 15.1 version, also there are less buffer elements allowed. Could this be the reason for the performance degradation? I've also checked the status of all interfaces, not displaying any errors.
I've also checked the AIM config on both versions, and they seem to be different:
15.1:
dsc#sh crypto engine conf
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
HW Version: 1.0
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0000
Maximum SA index: 0000
Maximum Flow index: 0300
Maximum RSA key size: 0000
12.4:
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
HW Version: 1.0
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0150
Maximum SA index: 0150
Maximum Flow index: 0300
Maximum RSA key size: 0000
As you can see the DH/SA index is 0000 with the 15.1 version compared to 0150 with the 12.4 version. Is this a driver bug, configuration error or unrelated to this issue?
What I'd like to know if this performance issue is related to a bug in IOS or a faulty-configuration even though they both run exactly the same config? Or are these results as expected since the IOS 15.1 performance is generally lower?
Regards,
