IPsec Tunnel Performance

ImanHg72
Level 1

Hi guys.

I ran a site-to-site VPN between 3845 and 2811 routers based on the Cisco "IOS VPN Config Guide" manual, and I'm using an L2 service with 30 Mb/s bandwidth from my ISP on one side (HQ) and 10 Mb/s on the other side.

Both routers use the onboard VPN accelerator. The routers don't show any packet drops or high CPU load, with or without IPsec encryption.

Without any IPsec encryption configured I get the full bandwidth, but as soon as I use IPsec the bandwidth drops below 2 Mb/s or even less, testing with an FTP file transfer or with the iPerf tool.

Many forums and manuals suggest changing the MTU and the TCP adjust-mss size. I tested them, changed the queue type to fair queue, and used QoS to guarantee minimum bandwidth, but it did not make any difference.

Here is my config:

crypto isakmp policy 11
encr aes
hash md5
authentication pre-share
group 5
crypto isakmp key ******** address *******
!
!
crypto ipsec transform-set VPN11.TRS esp-3des esp-md5-hmac
!
crypto map VPN11 1 ipsec-isakmp
set peer **********
set transform-set VPN11.TRS
match address 111

interface Tunnel11
bandwidth 100000

ip mtu 1400
ip pim sparse-dense-mode
keepalive 5 2
tunnel source GigabitEthernet0/0.11
tunnel destination *****************8

interface GigabitEthernet0/0

no ip address
duplex full
speed 1000

interface GigabitEthernet0/0.1
encapsulation dot1Q 1
ip directed-broadcast
ip accounting output-packets
ip pim neighbor-filter 1
ip pim sparse-dense-mode
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 2
ip directed-broadcast
ip accounting output-packets
ip pim neighbor-filter 1
ip pim sparse-dense-mode
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip accounting output-packets
!
interface GigabitEthernet0/0.11
encapsulation dot1Q 11
no keepalive
no cdp enable
crypto map VPN11

6 Replies

balaji.bandi
Hall of Fame

How are you testing? FTP or another method? I would suggest doing an iperf test with more sessions.

Sometimes on Windows you get less; if you run more sessions you may see more bandwidth (multiple sessions, as an example).

First, I would test without any QoS and tweak the TCP MTU and MSS: start lower and increase step by step, and see whether the performance improves anywhere (this should be done on both sides).

Do a Wireshark capture and look at the fragmentation, so you can tweak based on the capture.

A good reference for MTU:

https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html#t15

Good thread for reference:

https://community.cisco.com/t5/vpn/slow-traffic-on-cisco-ipsec-vpn-tunnels/td-p/2221371/page/2

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
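The reply above asks for MTU and MSS to be tuned on both sides and for a capture to be checked for fragmentation. The following calculator, added here as an example and not code from the thread or from Cisco, models the per-packet overhead of GRE carried inside ESP for the transform set used in the posted configs (esp-3des esp-md5-hmac), so the "ip mtu" and "ip tcp adjust-mss" values can be derived instead of guessed. It assumes a 4-byte GRE header (no key or sequence number), IPv4 headers without options, and ESP in tunnel mode, which is the IOS crypto map default; the AES entry shows that the safe inner MTU shrinks when the block size grows.

```python
# Added example, not from the thread: GRE-over-IPsec overhead calculator for
# the transform set in the posted configs (esp-3des esp-md5-hmac).
import math

IP_HDR = 20        # IPv4 header without options (assumption)
GRE_HDR = 4        # GRE header without key/sequence/checksum (assumption)
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header

# ESP transform -> (cipher block size, which is also the IV length; ICV length).
# The IOS HMAC transforms use a truncated 96-bit (12-byte) ICV.
TRANSFORMS = {
    "esp-3des esp-md5-hmac": (8, 12),
    "esp-3des esp-sha-hmac": (8, 12),
    "esp-aes esp-sha-hmac": (16, 12),
}

def esp_payload_size(plaintext_len, transform):
    """Bytes of ESP (header, IV, padded ciphertext, ICV) around plaintext_len bytes."""
    block, icv = TRANSFORMS[transform]
    padded = math.ceil((plaintext_len + ESP_TRAILER) / block) * block
    return ESP_HDR + block + padded + icv

def gre_ipsec_size(inner_len, transform, tunnel_mode=True):
    """On-the-wire size of an inner IP packet of inner_len bytes after GRE
    encapsulation and ESP protection. Tunnel mode (IOS crypto map default)
    adds a second outer IP header; transport mode keeps only the GRE delivery
    header outside ESP."""
    if tunnel_mode:
        return IP_HDR + esp_payload_size(IP_HDR + GRE_HDR + inner_len, transform)
    return IP_HDR + esp_payload_size(GRE_HDR + inner_len, transform)

def max_inner_mtu(transform, tunnel_mode=True, link_mtu=1500):
    """Largest tunnel 'ip mtu' that never needs fragmentation on a link_mtu link."""
    size = link_mtu
    while gre_ipsec_size(size, transform, tunnel_mode) > link_mtu:
        size -= 1
    return size

def recommended_mss(ip_mtu):
    """'ip tcp adjust-mss' value that lets a full TCP segment fit in ip_mtu."""
    return ip_mtu - IP_HDR - TCP_HDR

def will_fragment(inner_len, transform, tunnel_mode=True, link_mtu=1500):
    """True when a packet of inner_len bytes must be fragmented after encapsulation."""
    return gre_ipsec_size(inner_len, transform, tunnel_mode) > link_mtu

if __name__ == "__main__":
    ts = "esp-3des esp-md5-hmac"
    for mtu in (1500, 1420, 1400):
        print(f"inner {mtu:4d} -> on wire {gre_ipsec_size(mtu, ts):4d}"
              f"  fragments={will_fragment(mtu, ts)}")
    print("max safe ip mtu (3DES, tunnel mode):", max_inner_mtu(ts))
    print("max safe ip mtu (AES, tunnel mode):", max_inner_mtu("esp-aes esp-sha-hmac"))
    print("adjust-mss for ip mtu 1400:", recommended_mss(1400))
```

With this model an inner packet of 1400 bytes becomes 1480 bytes on the wire, a 1420-byte packet becomes 1496 bytes, and a 1500-byte packet (what an untuned host sends) becomes 1576 bytes and is fragmented by the router, which is the behaviour a capture on the physical interface would show as pairs of fragments per ESP packet. The 1360 that several of the posted tunnels use is simply 1400 minus the IP and TCP headers.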

In the partial config that is posted, the only attempt to manipulate MTU that we see is on the tunnel interface. If there have been attempts to use tcp adjust-mss, we do not see them. If there have been attempts to manipulate the interface mtu (rather than ip mtu), we do not see them.

We do not see any IP addresses on any interface, which makes it difficult to understand what is going on. We do not see access list 111, which also makes it difficult to understand what is going on.

HTH

Rick

These configs are currently running on each side.

///// HQ

!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key ******** address 172.16.215.0 255.255.255.248
!
!
crypto ipsec transform-set VPN11-TRS esp-3des esp-md5-hmac
!
crypto map VPN11-MAP 10 ipsec-isakmp
set peer 172.16.215.3
set transform-set VPN11-TRS
match address 107
crypto map VPN11-MAP 20 ipsec-isakmp
set peer 172.16.215.2
set transform-set VPN11-TRS
match address 115
crypto map VPN11-MAP 30 ipsec-isakmp
set peer 172.16.215.4
set transform-set VPN11-TRS
match address 109

!
!
interface Tunnel104
bandwidth 100000
ip address 10.3.104.1 255.255.255.252
ip mtu 1420
ip pim sparse-dense-mode
keepalive 5 2
tunnel source GigabitEthernet0/0.204
tunnel destination 192.168.220.2
!
!
interface Tunnel106
bandwidth 100000
ip address 10.3.106.1 255.255.255.0
ip mtu 1420
ip pim sparse-dense-mode
keepalive 5 2
tunnel source GigabitEthernet0/0.204
tunnel destination 192.168.220.6
!
!
interface Tunnel107
description IPsec To Site1
bandwidth 100000
ip address 172.16.107.1 255.255.255.252
ip mtu 1400
ip pim sparse-dense-mode
ip tcp adjust-mss 1340
keepalive 5 2
tunnel source GigabitEthernet0/0.115
tunnel destination 172.16.215.3
!
!
interface Tunnel108
bandwidth 100000
ip address 10.3.108.1 255.255.255.0
ip mtu 1420
ip pim sparse-dense-mode
keepalive 5 2
tunnel source GigabitEthernet0/0.204
tunnel destination 192.168.251.3
!
!
interface Tunnel109
description IPsec To Site3
bandwidth 100000
ip address 172.16.109.1 255.255.255.252
ip mtu 1400
ip pim sparse-dense-mode
ip tcp adjust-mss 1360
keepalive 5 2
tunnel source GigabitEthernet0/0.115
tunnel destination 172.16.215.4
!
!
interface Tunnel115
description IPsec To Site1
bandwidth 100000
ip address 172.16.115.1 255.255.255.252
ip directed-broadcast
ip mtu 1400
ip pim sparse-dense-mode
ip tcp adjust-mss 1340
keepalive 5 2
tunnel source GigabitEthernet0/0.115
tunnel destination 172.16.215.2
!
!
interface Tunnel209
bandwidth 100000
ip address 10.3.209.1 255.255.255.252
ip pim sparse-dense-mode
ip ospf cost 2
keepalive 5 2
tunnel source GigabitEthernet0/0.204
tunnel destination 192.168.220.9
!
!


!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
media-type rj45
fair-queue
no cdp enable
!
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 172.16.1.2 255.255.255.0
ip directed-broadcast
ip accounting output-packets
ip pim sparse-dense-mode
shutdown
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 2
ip address 172.16.2.2 255.255.255.0
ip accounting output-packets
ip pim sparse-dense-mode
!
interface GigabitEthernet0/0.115
description FOR-IPsec
encapsulation dot1Q 115
ip address 172.16.215.1 255.255.255.248
no keepalive
no cdp enable
crypto map VPN11-MAP
!
interface GigabitEthernet0/0.204
encapsulation dot1Q 204
ip address 192.168.220.1 255.255.255.248
!


!
!
access-list 107 permit gre host 172.16.215.1 host 172.16.215.3
access-list 109 permit gre host 172.16.215.1 host 172.16.215.4
access-list 115 permit gre host 172.16.215.1 host 172.16.215.2
!
////////////////////////////////////////////////////////////////
//////////// Site1
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key ************ address 172.16.215.1
!
!
crypto ipsec transform-set VPN11-TRS esp-3des esp-md5-hmac
!
crypto map VPN11-MAP 10 ipsec-isakmp
set peer 172.16.215.1
set transform-set VPN11-TRS
match address 115
!
!
!
interface Tunnel115
bandwidth 100000
ip address 172.16.115.2 255.255.255.252
ip mtu 1400
ip pim sparse-dense-mode
ip tcp adjust-mss 1360
keepalive 5 2
tunnel source FastEthernet0/1
tunnel destination 172.16.215.1
!

!
interface FastEthernet0/1
description TO HQ
ip address 172.16.215.2 255.255.255.248
duplex auto
speed auto
fair-queue
no cdp enable
crypto map VPN11-MAP

!
access-list 115 permit gre host 172.16.215.2 host 172.16.215.1
!
!

////////////////////////////////////////////////////////////////
//////////// Site2

!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key ********** address 172.16.215.1
!
!
crypto ipsec transform-set VPN11-TRS esp-3des esp-md5-hmac
!
crypto map VPN11-MAP 10 ipsec-isakmp
set peer 172.16.215.1
set transform-set VPN11-TRS
match address 115
!
!
interface Tunnel107
bandwidth 100000
ip address 172.16.107.2 255.255.255.252
ip mtu 1400
ip pim sparse-dense-mode
ip tcp adjust-mss 1360
keepalive 5 2
tunnel source FastEthernet0/1
tunnel destination 172.16.215.1
!
interface FastEthernet0/1
description TO HQ
ip address 172.16.215.3 255.255.255.248
duplex auto
speed auto
no cdp enable
crypto map VPN11-MAP
!
access-list 115 permit gre host 172.16.215.3 host 172.16.215.1
!
////////////////////////////////////////////////////////////////
//////////// Site3


!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key ************ address 172.16.215.1
!
!
crypto ipsec transform-set VPN11-TRS esp-3des esp-md5-hmac
!
crypto map VPN11-MAP 10 ipsec-isakmp
set peer 172.16.215.1
set transform-set VPN11-TRS
match address 115
!
!
interface Tunnel109
bandwidth 100000
ip address 172.16.109.2 255.255.255.252
ip mtu 1400
ip pim sparse-dense-mode
ip tcp adjust-mss 1360
keepalive 5 2
tunnel source FastEthernet0/1
tunnel destination 172.16.215.1
!
interface FastEthernet0/1
description TO HQ
ip address 172.16.215.4 255.255.255.248
duplex auto
speed auto
no cdp enable
crypto map VPN11-MAP
!
access-list 115 permit gre host 172.16.215.4 host 172.16.215.1
!

These configs are in use now without QoS.

I tested with FTP and iperf; the result was the same.

In Wireshark it sometimes shows some packets with the same SPI two times.
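Reading the four configs above side by side is error-prone, so here is a small consistency check, added as an example and not code from the thread: it parses the tunnel stanzas posted for HQ and the three sites, pairs each tunnel with its far end, and reports where the two ends differ in ip mtu or ip tcp adjust-mss. The sample input reproduces the relevant lines from the posted configs (Site1 to Site3 differ only in their Fa0/1 address and tunnel number, so they are generated from one template); the pairing rule, that one end's tunnel source address is the other end's tunnel destination and vice versa, is an assumption of this example. A mismatch found this way does not by itself explain the throughput drop, but it is worth normalizing before further MTU or MSS testing so that both directions are measured under the same settings.

```python
# Added example, not from the thread: pair GRE tunnel ends across the posted
# configs and flag differing ip mtu / ip tcp adjust-mss values.
import re

# Constructed sample input: excerpts of the HQ config posted in the thread.
HQ = """
interface Tunnel107
 ip mtu 1400
 ip tcp adjust-mss 1340
 tunnel source GigabitEthernet0/0.115
 tunnel destination 172.16.215.3
!
interface Tunnel109
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0.115
 tunnel destination 172.16.215.4
!
interface Tunnel115
 ip mtu 1400
 ip tcp adjust-mss 1340
 tunnel source GigabitEthernet0/0.115
 tunnel destination 172.16.215.2
!
interface GigabitEthernet0/0.115
 ip address 172.16.215.1 255.255.255.248
 crypto map VPN11-MAP
"""

# The three site configs share one shape, so they are generated from a template.
SITES = {"HQ": HQ}
for _site, _addr, _tun in (("Site1", "172.16.215.2", "Tunnel115"),
                           ("Site2", "172.16.215.3", "Tunnel107"),
                           ("Site3", "172.16.215.4", "Tunnel109")):
    SITES[_site] = f"""
interface {_tun}
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/1
 tunnel destination 172.16.215.1
!
interface FastEthernet0/1
 ip address {_addr} 255.255.255.248
 crypto map VPN11-MAP
"""

# Interface-level lines we care about; the first capture group is the value.
FIELDS = {
    "ip": re.compile(r"ip address (\S+) \S+"),
    "mtu": re.compile(r"ip mtu (\d+)"),
    "mss": re.compile(r"ip tcp adjust-mss (\d+)"),
    "src_if": re.compile(r"tunnel source (\S+)"),
    "dst": re.compile(r"tunnel destination (\S+)"),
}

def parse_interfaces(config):
    """Return {interface name: {field: value}} for every 'interface' stanza."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {}
        elif cur is not None:
            for key, rx in FIELDS.items():
                m = rx.match(line)
                if m:
                    val = m.group(1)
                    ifaces[cur][key] = int(val) if val.isdigit() else val
    return ifaces

def tunnel_ends(site, config):
    """List one router's GRE tunnels with the tunnel source resolved to an address."""
    ifaces = parse_interfaces(config)
    ends = []
    for name, f in ifaces.items():
        if name.startswith("Tunnel"):
            src = ifaces.get(f.get("src_if"), {}).get("ip")
            ends.append({"id": f"{site}/{name}", "src": src, "dst": f.get("dst"),
                         "mtu": f.get("mtu"), "mss": f.get("mss")})
    return ends

def compare_ends(sites):
    """Pair mirrored tunnel ends (A.src == B.dst and A.dst == B.src) and return
    (end_a, end_b, field, a_value, b_value) for every field that differs."""
    ends = [e for site, cfg in sites.items() for e in tunnel_ends(site, cfg)]
    findings = []
    for i, a in enumerate(ends):
        for b in ends[i + 1:]:          # each pair is examined once
            if a["src"] == b["dst"] and a["dst"] == b["src"]:
                for key in ("mtu", "mss"):
                    if a[key] != b[key]:
                        findings.append((a["id"], b["id"], key, a[key], b[key]))
    return sorted(findings)

if __name__ == "__main__":
    for a, b, key, va, vb in compare_ends(SITES):
        print(f"{key} differs: {a}={va} vs {b}={vb}")
```

Run against the posted configs it reports that HQ Tunnel107 and Tunnel115 clamp the MSS to 1340 while their far ends (Site2 and Site1) use 1360; all other paired settings agree.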

There may be duplication. Do you have that capture file to look at?

BB
