Not enough TCP throughput through tunnel with ipsec protection

Tunnel established between Cat6509 with VPNSM and 7206VXR with VAM2+, and tunnel protection by IPSEC is used.

When I send traffic in one session between Windows 2000 servers (located on the 6509 and 7206 sites respectively) through this tunnel, I get 110 Mbit/s NetBIOS TCP throughput (3 parallel sessions - up to 185 Mbit/s). When both servers are located in one site, TCP throughput between them may reach up to 320 Mbit/s. I think the problem is in the 7206 with VAM2+ (but CPU load on the 7206 is 26%/26%). In the datasheets the VAM2+ has a maximum throughput of 270 Mbit/s. Why don't I get this for one TCP session? I've tried changing the MTU, enabling PMTUD, and changing server pairs, but I've got nothing. How can I get more adequate throughput for my


In the IPSec virtual tunnel interface encryption occurs in the tunnel. Traffic is encrypted when it is forwarded to the tunnel interface. Traffic forwarding is handled by the IP routing table, and dynamic or static IP routing can be used to route the traffic to the virtual tunnel interface.

Question was not enough throughput through tunnel for one session. You are trying to teach me how to build tunnels? :-)

The VAM2+ spec of 260Mbits/sec will be for full size (1500 byte) frames, the performance will fall off for smaller frame sizes, so that may be part of your issue.

You could enable Netflow on an unencrypted interface, then the stats would indicate the average packet sizes in the flow, this may give you some useful data.

Also, to see if the router is performing fragmentation, use `show ip traffic` to view the stats. If the receiving router is having to do the reassembly then that may impact on throughput.

Have you tried running the same server to server test across the router and switch without encryption?
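An added example, not part of the thread: a small Python script that pulls the fragmentation and reassembly counters out of `show ip traffic` output, so the check suggested in this reply can be scripted across several routers. The sample output is constructed; the counter names follow the IOS "Frags:" lines, the values are invented.

```python
import re

# Constructed sample of `show ip traffic` output (only the IP statistics
# section matters here). The "Frags:" counter names follow the IOS layout;
# the values are invented for this example.
SAMPLE_SHOW_IP_TRAFFIC = """\
IP statistics:
  Rcvd:  1842931 total, 1842931 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
  Frags: 5120 reassembled, 3 timeouts, 0 couldn't reassemble
         87420 fragmented, 174840 fragments, 12 couldn't fragment
  Bcast: 120 received, 0 sent
"""

FRAG_KEYS = ("reassembled", "timeouts", "couldn't reassemble",
             "fragmented", "fragments", "couldn't fragment")
_COUNTER_RE = re.compile(r"(\d+)\s+(" + "|".join(re.escape(k) for k in FRAG_KEYS) + r")")


def parse_frag_counters(show_output):
    """Extract the fragmentation/reassembly counters from show ip traffic text."""
    counters = {key: 0 for key in FRAG_KEYS}
    in_frags = False
    for line in show_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Frags:"):
            in_frags = True
        elif in_frags and re.match(r"[A-Z][a-z]+:", stripped):
            break  # the next labelled section (e.g. "Bcast:") ends the Frags block
        if in_frags:
            for value, key in _COUNTER_RE.findall(stripped):
                counters[key] = int(value)
    return counters


def fragmentation_findings(counters):
    """Return the conditions from the counters that this reply says cost throughput."""
    findings = []
    if counters["fragmented"]:
        findings.append("router is fragmenting: %d packets split into %d fragments"
                        % (counters["fragmented"], counters["fragments"]))
    if counters["reassembled"] or counters["timeouts"]:
        findings.append("router is reassembling: %d reassembled, %d reassembly timeouts"
                        % (counters["reassembled"], counters["timeouts"]))
    if counters["couldn't fragment"]:
        # DF-set packets that were too big are dropped; PMTUD on the hosts only
        # works if the resulting ICMP errors reach the sender.
        findings.append("%d DF-set packets could not be fragmented (check PMTUD path)"
                        % counters["couldn't fragment"])
    return findings
```

Run it against a captured `show ip traffic` on the 7206 and on the 6509 side; a non-empty result on the receiving router is the reassembly case the reply describes.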


Packet size in my case is 1400 bytes, PMTUD is enabled on servers, and ip mtu on tunnels is 1400 bytes.

Fragmentation of packets affects only CPU load in my case, not throughput. With or without fragmentation on 7206 I have 110 Mbit.

I couldn't test performance without encryption because I use VPNSM. I've tried to use null transform set, but performance the same.

Performance between servers in a routed/switched environment is 300 Mbit/s.

