
IPsec Performance on 3945 with Crypto Engine

kurti
Level 4

Hello,

I recently configured an IPsec tunnel over a 1GE connection. As we need nearly 1 GBit, we decided to use two 3945 with Crypto Engine.

Now that we configured the connection, unfortunately the speed is quite a bit slower than expected. We tried to copy a large file using Windows through this connection and we got approx. 30 MB/s. The same tests in internal networks lead to 80 to 100 MB/s (that's what I nearly expected). PRTG says something about 240 MBit/s.

So first of all two questions:

- Has anybody values to compare?

- Any ideas how to get this faster? Now I am using AES. The Crypto Engine is enabled (show crypto engine configuration tells me VPN Module onboard - disabled / ISM VPN Accelerator in Slot 0 - enabled)

Last idea I had was the line not being real 1 GE, but that is a bit more difficult to check without interrupting traffic.

Any help is appreciated, thanks in advance,

Andreas

3 Replies

Marvin Rhoads
Hall of Fame

All other factors being negligible and assuming a 3945E with HSEC license, you should be able to get about 800 Mbps of IPsec throughput with IMIX traffic over a single tunnel IPSec VPN. Without the HSEC license you will be artificially limited.

If you add zone-based firewall and QoS features the performance will decrease.

That said, your provider contract or service portal should define the actual committed rate on the 1 Gbps physical interface. Here in the US at least, it is often less than the full 1 Gbps.

To add a bit, SMB is probably the worst protocol to measure performance with; use iperf at least. That being said, for single flow TCP performance we were dealing with this recently: https://tools.cisco.com/bugsearch/bug/CSCui60221/?reffering_site=dumpcr Check out the workaround. I'm not sure it applies to VPN ISM, but it's worth a try.

Hello,

thanks for the replies. There shouldn't be a licensing issue (we bought a security bundle, so this is fine). Of course I know that SMB is nothing to do performance testing, but this is the application the customer needs - and it is his baseline, so I have to cope with it. ;-(

The router only does static routing for this particular line and nothing else (no qos, acls ...). I thought about some bugs in the IOS, but I am not sure where to go to: 5.2 or 5.4. As routing does not even work properly, I have to upgrade either way.

Thanks so far,

Regards,

Andreas