Low Performance with IPSEC and GRE

wolfram.girg
Level 1

Hi guys,

We are facing slow performance with the following setup:

(Branch) Cisco801 with GRE --> Pix/encrypt GRE traffic with IPSEC -- Internet -- Cisco2621XM/terminates GRE and IPSEC (HQ)

The branch Cisco801 has an MTU of 1412 configured on its tunnel interface.

The HQ 2621 is configured with tcp-adjust mss 1412.

Using ADSL 1.5 MB at the branch site; 2 MB SDSL for the HQ.

With an FTP to the Internet (from the branch LAN, without GRE and IPSEC) we get a 1/3 faster connection (ca. 75 b/s) than the FTP to the HQ site (GRE+IPSEC) (ca. 48 b/s).

- bandwidth on the central site sufficient.

- router CPUs normal.

- ping times (to Internet and HQ) bad (replies range from 70 up to 800 ms!).

Is there a possibility to get it troubleshot the right way?

Thanks for feedback

W.

9 Replies

vimal1980
Level 1

Hi!

You can do the troubleshooting in the following ways.

1. First do the transfer with GRE alone.

2. Check the traceroute and find where you are getting high latency.

3. From that point you can do troubleshooting.

4. In IPSEC, are you using single DES or 3DES? If it is 3DES, change it to single.

HTH.

Rgds

Vimal

Hi.. thanks for the quick reply...

1. GRE alone is not possible because the connection is using the Internet as transport medium and the customer has only one IPSEC/GRE router (Cisco2621x) in the HQ and permits only encrypted traffic from the branches.

2. With a traceroute the latency is somewhere in the Internet (but FTP to a host in the Internet is fast enough; it seems the performance is lost in GRE or IPSEC. We are now running pure IPSEC (without GRE) as a test, but the performance is not better.)

3. For us the Internet connection is transparent.

4. We are using 3DES, as is requested in the customer's security policy. We can't change that.

..maybe some other advice.. debugging possibilities or tuning tips in GRE or IPSEC.. similar experience?

thanks a lot

W.

keithredfield
Level 1

Note that searches on "gre performance" show a large number of new forum questions... I think 12.3 has a problem. We are using GRE with 12.3(8T), no encryption, and seeing that performance with TCP is 1/3 of the performance with UDP (which is near rated speed). My suspicion is re-transmits/backoff since only TCP seems to be affected. Our config is as simple as you can make a GRE tunnel and only 6 hops, 20 ms between DSL routers (same ISP).

This performance impact is probably down to the process switching for GRE. I recall bringing this up with Cisco in a TAC case some time ago, and I'm sure that the explanation was that GRE is switched twice, going via process switching at least once. I'll try and look up the case details if it would be any help here.

Some platforms, probably higher-end routers, can do this in hardware.

Andy

Andy - Hi,

How are things? Just read this post and I'd be interested in that Cisco TAC case if you can find it, as I've come across this problem myself. Email it to me at jmia@ohgroup.co.uk when you locate it.

Thanks / Jay

Hi Jay,

I'll send you the details. I still don't get email updates when replies are posted though. Also I've got the go-ahead for CCIE Security, so am looking for problems to research.

Andy

That's a good lead. I guess a good test will be setting up a tunnel on fastethernet. If the tunnel performance is independent of the bandwidth, it's likely the switching path.

TX

The test I was trying was using a single FTP session between 2 Compaq servers, on a pair of 3725 routers connected together over 100 Meg FD links.

Using FTP to send a large file without GRE I got an excellent throughput rate. When GRE was running the rate halved, with a large increase in CPU loading.

The quote from the TAC engineer is given here:

"Note also that even with CEF, performance of a GRE headend router is somewhat slower than performance of just a forwarding router. The reason is that a GRE packet requires two passes thru routing (the first one to determine that it is a GRE packet and strip the header; the second one is to determine where the resulting packet should go). So at best you can expect the router's performance to be something closer to 50% of the numbers you read in marketing documents."

Quite how that fits in with a VPN application I suppose depends on the router architecture; on a low-end unit that probably equates to a lot of process switching.

Andy

The other point I should make is that GRE adds 24 bytes of header, so if the router starts to fragment packets, that will add even more load.
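The size arithmetic behind this thread (tunnel MTU 1412, the 24-byte GRE header, a full-MSS segment that no longer fits the tunnel and gets fragmented), as an added Python example that is not part of the original thread. It assumes a 1500-byte link, ESP tunnel mode with 3DES-CBC and a 96-bit HMAC ICV; the posts mention 3DES but not the hash or link MTU, so those are assumptions.

```python
"""Constructed GRE-over-IPsec size calculator. Overhead figures follow
RFC 2784 (GRE) and RFC 4303 (ESP); crypto parameters are assumptions."""

IP_HDR = 20
TCP_HDR = 20
GRE_HDR = 4   # plain GRE, no key or sequence fields


def gre_overhead() -> int:
    """Bytes added by GRE encapsulation: delivery IP header plus GRE header (24)."""
    return IP_HDR + GRE_HDR


def esp_overhead(payload_len: int, block: int = 8, iv_len: int = 8,
                 icv_len: int = 12, tunnel_mode: bool = True) -> int:
    """Bytes ESP wraps around payload_len bytes.
    Defaults assume 3DES-CBC (8-byte block and IV) with a 12-byte HMAC ICV."""
    pad = (-(payload_len + 2)) % block   # payload + pad + 2 trailer bytes fill whole blocks
    outer_ip = IP_HDR if tunnel_mode else 0
    return outer_ip + 8 + iv_len + pad + 2 + icv_len   # SPI+seq, IV, pad, trailer, ICV


def wire_size(inner_len: int, **esp) -> int:
    """Link-layer IP size of one inner packet after GRE and then ESP encapsulation."""
    gre_len = inner_len + gre_overhead()
    return gre_len + esp_overhead(gre_len, **esp)


def max_inner_mtu(link_mtu: int = 1500, **esp) -> int:
    """Largest inner packet that crosses link_mtu inside GRE+ESP without fragmenting."""
    return max(n for n in range(link_mtu) if wire_size(n, **esp) <= link_mtu)


def max_mss(tunnel_mtu: int) -> int:
    """TCP MSS that fits a tunnel MTU: strip the inner IP and TCP headers."""
    return tunnel_mtu - IP_HDR - TCP_HDR


def tcp_segment_fragments(mss: int, tunnel_mtu: int) -> bool:
    """True when a full-MSS segment exceeds the tunnel MTU and must be fragmented."""
    return mss + IP_HDR + TCP_HDR > tunnel_mtu


if __name__ == "__main__":
    print("max inner MTU on a 1500-byte link:", max_inner_mtu())
    print("MSS that fits tunnel MTU 1412:", max_mss(1412))
    print("MSS 1412 behind tunnel MTU 1412 fragments:", tcp_segment_fragments(1412, 1412))
```

With the thread's numbers, an MSS of 1412 produces 1452-byte inner packets that exceed the 1412-byte tunnel MTU, so every full segment is fragmented before GRE; an MSS of 1372 fits and leaves the outer packet at 1488 bytes.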