Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
972
Views
0
Helpful
4
Replies

DMVPN ipsec over GRE - throughput issue

J_Vansen_S
Level 3
Level 3

‎11-21-2011 07:03 PM - edited ‎02-21-2020 05:43 PM

Hi All,

We managed to deployed a Dual HUB and SPOKE dmvpn environment with Cisco ISR routers

We have received issues with regards to throughput issues.

Clients and Telco it making claims that it has to do with our VPN configurations.

Spokre(Remote) site is subscribing on a 5mb link.

Can anyone please advise, on how we can determine or baseline ourself from the allegation?

The most i can think of is; to do test "with and without" the IPSEC encryption.

but how can i determine the results?

Please advise

Labels:
0 Helpful
4 Replies 4

ajay chauhan
Level 7
Level 7

‎11-23-2011 02:52 AM

Do you have tunnel bandwidth configured ? Please it also depend upon the hardware you are using encryption consume lot of CPU ,I would also sugegst you to have a look on router health check. To check if you are getting proper bandwidth you can use extended ping with packet size .

Thanks

Ajay

0 Helpful

J_Vansen_S
Level 3
Level 3
In response to ajay chauhan

‎11-28-2011 08:52 PM

Hi, thanks for your reply.

I do have bandwidth 1000 configured in my tunnel as below

!

interface Tunnel0

bandwidth 1000

ip address x.x.x.x 255.255.252.0

ip mtu 1400

ip nhrp authentication abc

ip nhrp map multicast x.x.x.x

ip nhrp map x.x.x.x x.x.x.x

ip nhrp network-id 100000

ip nhrp holdtime 300

ip nhrp nhs x.x.x.x

delay 1000

tunnel source GigabitEthernet0/0

tunnel destination x.x.x.x

tunnel key 100000

tunnel protection ipsec profile dmvpn

!

According to this thread on Cisco Learning

https://learningnetwork.cisco.com/message/133625

"The bandwidth statement doesn't make data move faster or slower by itself, but it can be used by some technologies."

Ive checked on the router process cpu. Barely get 1% cpu utilization.

Below is my iperf throughput results.

Remote Site 1: 10MB(subscribed)

Iperf Results  (Bytes sent per 10 Seconds)

1.       0.0-10.0 sec  54.2 MBytes  45.4 Mbits/sec

2.       0.0-10.0 sec  60.0 MBytes  50.3 Mbits/sec

3.       0.0-10.0 sec  60.1 MBytes  50.3 Mbits/sec

Remote Site 2: 5MB(subscribed)

Iperf Results  (Bytes sent per 10 Seconds)

4.       0.0-10.0 sec  18.1 MBytes  15.2 Mbits/sec

5.       0.0-10.0 sec  21.0 MBytes  17.6 Mbits/sec

6.       0.0-10.0 sec  20.1 MBytes  16.8 Mbits/sec

For testing purpose, ISP has upgraded Remote Site 2 link to 20MB temporary just to see if there is any improvement. Unfortunately we are getting same results.

Please advise

0 Helpful

J_Vansen_S
Level 3
Level 3

‎11-28-2011 11:49 PM

Hi,

Did a quick test using TTCP on routers itself.

Apparently by removing the IPSEC encryption totally from the tunnel

I get double the throughput.

Can someone please advise, on whether if its the IPSEC that is causing the issue?

If so, how can i tweek it.

Below is my simple crypto config

crypto ipsec transform-set transet esp-aes 256 esp-md5-hmac

mode transport

!

crypto ipsec profile dmvpn

set transform-set transet

!

interface Tunnel0

bandwidth 1000

tunnel protection ipsec profile dmvpn

0 Helpful

ajay chauhan
Level 7
Level 7
In response to J_Vansen_S

‎11-29-2011 12:44 AM

Can you also monitor CPU while pushing data and post cpu history?

0 Helpful
Customers Also Viewed These Support Documents