Cisco 2911 SEC/K9 IPSec VPN throughput issue

timur.huseynov
Level 1

Hi. I have an IPSec site-to-site VPN between 2 Cisco 2911 SEC/K9 (C2900-UNIVERSALK9-M, Version 15.3(3)M2). They are connected via a leased FO channel, so I can ping each side using ordinary routing too. The throughput without encryption is 92-94 Mbps, but when I enable the VPN tunnel it decreases to 50-60 Mbps. (I'm using jperf to measure bandwidth.) According to the official Cisco datasheet, the maximum throughput for IPSec encryption for the 2911 SEC/K9 is 85 Mbps. At my previous workplace the same routers provided a real 80 Mbps, but now something is going wrong.

Here is a piece of the config:

crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
!
crypto ipsec transform-set VPN_TRANSFORM esp-aes 256 esp-sha256-hmac
 mode tunnel

I used various types of encryption and hashing too, but got the same 50-60 Mbps. What could be the reason for this problem? Should I use GRE over IPSec instead of ordinary IPSec VPN?

Thank you in advance

Marcin Latosiewicz
Cisco Employee

The most common causes for performance problems in IPv4 are: 

- packet loss 

- latency

- fragmentation

Are you seeing packet loss? Is the latency as it was with the other setup? Is there any fragmentation on either the encrypted or the plaintext side?

Are the IPsec flows handled in software or hardware (onboard chip I'd assume?).

M.

Hi. There is no packet loss and latency is OK (1-2 ms). Fragmentation isn't used.

I think the IPsec flows are handled in hardware, based on the sh inv output: "C2911 Mother board 3GE, integrated VPN and 4W on Slot 0"
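
An added example, not part of the thread or of Cisco's documentation, for checking the fragmentation question raised above against the quoted transform set (esp-aes 256 with esp-sha256-hmac, tunnel mode). It computes the on-wire size of an encrypted packet and the largest inner packet that stays unfragmented. Assumptions not stated in the thread: IPv4 outer header without options, no NAT-T, and a 1500-byte MTU on the leased link.

```python
"""ESP tunnel-mode size arithmetic for esp-aes 256 + esp-sha256-hmac.
Assumed (not from the thread): IPv4 outer header, no NAT-T, MTU 1500."""
import math

OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
AES_CBC_IV = 16    # one AES block, sent in clear before the ciphertext
AES_BLOCK = 16     # ciphertext is padded to a multiple of this
ESP_TRAILER = 2    # pad-length byte + next-header byte (encrypted)
ICV = 16           # HMAC-SHA-256 truncated to 128 bits (RFC 4868)


def esp_tunnel_size(inner_len: int) -> int:
    """Size on the wire of one inner IP packet after ESP tunnel encapsulation."""
    pad = -(inner_len + ESP_TRAILER) % AES_BLOCK
    ciphertext = inner_len + pad + ESP_TRAILER
    return OUTER_IP + ESP_HDR + AES_CBC_IV + ciphertext + ICV


def max_inner_without_fragmentation(mtu: int = 1500) -> int:
    """Largest inner packet whose encrypted form still fits in one MTU."""
    room = mtu - OUTER_IP - ESP_HDR - AES_CBC_IV - ICV
    return room // AES_BLOCK * AES_BLOCK - ESP_TRAILER


def fragments(inner_len: int, mtu: int = 1500) -> int:
    """Outer IPv4 packets needed if fragmentation happens after encryption."""
    outer = esp_tunnel_size(inner_len)
    if outer <= mtu:
        return 1
    per_fragment = (mtu - OUTER_IP) // 8 * 8   # fragment payloads are 8-byte aligned
    return math.ceil((outer - OUTER_IP) / per_fragment)


if __name__ == "__main__":
    for size in (64, 512, 1400, 1438, 1439, 1500):   # constructed sample sizes
        wire = esp_tunnel_size(size)
        print(f"inner {size:4d} -> outer {wire:4d}  overhead {wire - size:2d}  "
              f"fragments {fragments(size)}")
    limit = max_inner_without_fragmentation()
    # 40 = inner IPv4 header (20) + TCP header without options (20)
    print(f"largest unfragmented inner packet: {limit} (TCP MSS {limit - 40})")
```

Under these assumptions a full-size 1500-byte inner packet becomes 1564 bytes after encryption, so it cannot cross a 1500-byte MTU in one piece unless the inner packet size or TCP MSS is lowered.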