
DMVPN ipsec transform-set and slowness

Selectabilty
Level 1

Could the following ipsec transform-set config be set too high and thus creating a bottleneck? Currently the config works but traffic is really, really slow over the DMVPN. I thought it may have been due to fragmentation and have adjusted the MTU settings, and all that did was stop packet loss but did not help with speed issues. I should mention the hub router internet connection is 100 mb down and 40 mb up fiber. The spoke routers vary from ADSL2+ to 100/40 mb fiber. Any help would be greatly appreciated.

crypto isakmp policy 1
 encr aes 256
 hash sha512
 authentication pre-share
 group 14

crypto ipsec transform-set IPSEC-T-SET esp-aes 256 esp-sha512-hmac
 mode tunnel

Hi,
I don't necessarily consider the algorithms in use to be too high. For sure using IKEv2 is faster than IKEv1, which you are using; also Group 19 is faster than Group 14.

What MTU/MSS values have you configured?
What hardware are you using for the Hub and spokes?
What license do you have on the Hub? Perhaps you could be hitting the 85Mb crypto limit, you'd need the HSEC license.

HTH

Thanks RJI, the MTU and MSS settings are different across the sites based on the results I got from doing ping tests with the df flag set. On the hub router the WAN interface mtu is set to the default of 1500, the gre tunnel mtu is set to 1360 and the inside interfaces have the adjust-mss set to 1320.

 

The hub router is an ISR4331 and the spoke routers are ISR4321s. I probably should mention that these routers are also running ISR-WAAS which does not seem to do much other than create extra overheads.

Index 1 Feature: appxk9
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 2 Feature: uck9
        Period left: Not Activated
        Period Used: 0  minute  0  second
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 3 Feature: securityk9
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 4 Feature: ipbasek9
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 5 Feature: FoundationSuiteK9
        Period left: Not Activated
        Period Used: 0  minute  0  second
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 6 Feature: AdvUCSuiteK9
        Period left: Not Activated
        Period Used: 0  minute  0  second
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 7 Feature: cme-srst
        Period left: Not Activated
        Period Used: 0  minute  0  second
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA not accepted
        License Count: 0/0  (In-use/Violation)
        License Priority: None
Index 8 Feature: hseck9
Index 9 Feature: throughput
        Period left: Not Activated
        Period Used: 0  minute  0  second
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 10 Feature: internal_service
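
The MTU and MSS values quoted in the reply above can be checked against the per-packet overhead of the thread's transform set (esp-aes 256 esp-sha512-hmac, mode tunnel) carrying GRE. This is an added example, not part of the original thread or Cisco tooling; it assumes IPv4 without options, treats the GRE tunnel key and NAT-T as parameters because the thread does not state them, and uses 1492 as a constructed WAN MTU for a smaller-MTU spoke.

```python
# Added example: on-the-wire size of GRE-over-IPsec for the thread's transform set.
IP_HDR = 20       # IPv4 header, no options (assumption)
TCP_HDR = 20      # TCP header, no options (assumption)
ESP_HDR = 8       # SPI + sequence number
AES_CBC_IV = 16   # esp-aes 256 (CBC mode) carries a 16-byte IV per packet
AES_BLOCK = 16    # plaintext is padded up to the cipher block size
ESP_TRAILER = 2   # pad-length + next-header bytes, encrypted with the payload
SHA512_ICV = 32   # esp-sha512-hmac: HMAC-SHA-512 truncated to 256 bits (RFC 4868)
NAT_T_UDP = 8     # UDP encapsulation, only when NAT traversal is in use


def wire_size(inner_len, mode="tunnel", gre_key=False, nat_t=False):
    """Bytes sent on the WAN for one inner IP packet of inner_len bytes."""
    gre = 8 if gre_key else 4             # tunnel key adds 4 bytes to GRE
    if mode == "tunnel":
        protected = inner_len + gre + IP_HDR   # whole GRE/IP packet is encrypted
    elif mode == "transport":
        protected = inner_len + gre            # GRE delivery header stays outside
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    # Round payload + trailer up to a whole number of AES blocks.
    padded = -(-(protected + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    esp = ESP_HDR + AES_CBC_IV + padded + SHA512_ICV
    return IP_HDR + (NAT_T_UDP if nat_t else 0) + esp


def max_inner_mtu(path_mtu, **opts):
    """Largest tunnel MTU whose encrypted packet still fits in path_mtu."""
    inner = path_mtu
    while inner > 0 and wire_size(inner, **opts) > path_mtu:
        inner -= 1
    return inner


def mss_for(tunnel_mtu):
    """TCP MSS that keeps a full segment within the tunnel MTU."""
    return tunnel_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    # Values from the thread: WAN 1500, tunnel MTU 1360, adjust-mss 1320.
    print("wire size at tunnel MTU 1360:", wire_size(1360))
    print("with NAT-T:", wire_size(1360, nat_t=True))
    print("max tunnel MTU on a 1500-byte path:", max_inner_mtu(1500))
    print("max tunnel MTU on a 1492-byte path:", max_inner_mtu(1492))
    print("MSS matching tunnel MTU 1360:", mss_for(1360))
```

Under these assumptions the posted 1360/1320 pair fits a 1500-byte WAN without fragmentation, which is consistent with the report that the MTU changes stopped packet loss without changing throughput.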