07-29-2011 02:06 PM
VPN connection only able to hit a max of 1.7 Mbps
Using a 2811 with 512MB RAM and an AIM-SSL module connected to a 1841 with 256MB RAM and an AIM-VPN module.
Both sites are able to transfer ~100 Mbps between the two, but through the VPN only ~1.7 Mbps.
1841:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 5
crypto isakmp key q###090909333 address 10.0.0.250 no-xauth
crypto isakmp peer address 10.0.0.250
!
!
crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
crypto ipsec transform-set clients esp-aes 256 esp-sha-hmac
crypto ipsec transform-set default-3des esp-3des esp-sha-hmac
crypto ipsec transform-set default-comp esp-aes 256 esp-sha-hmac comp-lzs
crypto ipsec transform-set null esp-null esp-sha-hmac
crypto ipsec transform-set default-alt ah-sha-hmac esp-aes 256
crypto ipsec df-bit clear
!
crypto map crypto-map local-address Loopback104
crypto map crypto-map 10 ipsec-isakmp
set peer 10.0.0.250
set transform-set default
set pfs group5
match address VPN-1000250
!
!
interface Loopback104
ip address 10.0.0.250 255.255.255.255
ip nat inside
no ip virtual-reassembly
crypto map crypto-map
!
ip access-list extended VPN-1000250
permit ip 10.50.50.0 0.0.255.255 10.60.60.0 0.0.255.255
Is there any setting I can change to significantly increase the throughput? These devices are ONLY used for VPN; we have separate routers and firewalls.
07-29-2011 02:12 PM
Post the output of:
show crypto isakmp sa
and
show crypto ipsec sa
Sent from Cisco Technical Support iPad App
07-29-2011 02:24 PM
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.0.0.250      10.250.250.250  QM_IDLE           2048    0 ACTIVE

IPv6 Crypto ISAKMP SA

show crypto ipsec sa
protected vrf: (none)
local ident (addr/mask/prot/port): (10.50.50.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.60.60.0/255.255.0.0/0/0)
current_peer 10.0.0.250 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 54674464, #pkts encrypt: 54674464, #pkts digest: 54674464
#pkts decaps: 129026472, #pkts decrypt: 129026472, #pkts verify: 129026472
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 12, #recv errors 1
local crypto endpt.: 10.250.250.250, remote crypto endpt.: 10.0.0.250
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xFFC2592F(4290926895)
inbound esp sas:
spi: 0xD7D78B06(3621227270)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 167, flow_id: AIM-VPN/BPII-PLUS:167, crypto map: crypto-map
sa timing: remaining key lifetime (k/sec): (4584891/1972)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFFC2592F(4290926895)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 168, flow_id: AIM-VPN/BPII-PLUS:168, crypto map: crypto-map
sa timing: remaining key lifetime (k/sec): (4592040/1972)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
07-29-2011 03:03 PM
07-29-2011 03:06 PM
I'll try it, but I read that the optimal was 1400, which we're using.
07-29-2011 03:18 PM
Verify it using an extended ping with a high MTU and the DF bit set, just to be sure.
Check for any asymmetrical routing going on, with packets using a different path to get to the VPN devices, as you mentioned these are dedicated VPN devices.
Manish
07-29-2011 03:23 PM
Thanks, that improved it to 2.28 Mbps, but I'd prefer faster.
What config did Cisco use to test the 40 Mbps throughput they show it can handle at 1400?
07-29-2011 03:42 PM
Did you adjust the TCP MSS on both ends of the tunnel?
Also, I just saw that what Cisco is saying is that the 1841 gives you 25-40 Mbps for 1400-byte packets + Internet mix traffic, so traffic in production is not what the sales pitch is normally ;-).
Manish
07-29-2011 03:49 PM
Yes, both ends are 1300.
Sorry for being a noob, but:
Does IMIX really apply when these are only being used for a p2p tunnel for certain subnets?
Also, do I need to lower the MTU for the tunnel from 1500 to a lower number than the physical interface, currently 1300?
Thanks
07-29-2011 04:03 PM
IMIX = Internet mix traffic. I think they mean the traffic with which the device was tested was a mix of TCP, UDP, etc. protocols and not just one protocol, but in addition they say + 1400-byte packets, which I don't understand, as general Internet mix traffic is random size as well.
You can try:
tunnel path-mtu-discovery on the tunnel interfaces.
Manish
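An added example, not part of the thread or of any Cisco tool: a Python calculator for the ESP tunnel-mode overhead behind the MTU and MSS numbers discussed in the posts above. It models the thread's "esp-aes 256 esp-sha-hmac" transform set (16-byte AES-CBC IV, as the "IV size: 16 bytes" line in the show output confirms, and a 12-byte HMAC-SHA-1-96 ICV), derives the largest cleartext packet that still fits a 1500-byte outer MTU and the TCP MSS to clamp with ip tcp adjust-mss, and counts how many wire packets a full-size inner packet becomes when the ESP packet is fragmented after encryption, which is what "crypto ipsec df-bit clear" in the posted config permits. Header and ICV sizes follow RFC 4303 and RFC 3948 (NAT-T); the NAT-T and 3DES variants are assumptions about how the same tunnel could be configured, not settings from the thread.

```python
"""ESP tunnel-mode overhead calculator (added example, not from the original thread).

Computes how large an IPsec ESP tunnel-mode packet becomes for a given
cleartext IPv4 packet, the largest inner packet that fits an outer MTU
without fragmentation, the TCP MSS to clamp so full-size segments never
get fragmented after encryption, and how many IPv4 fragments an oversized
ESP packet turns into when the router clears the DF bit on it.
"""
from dataclasses import dataclass
import math

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8          # NAT-T (RFC 3948) adds one UDP header in front of ESP
ESP_HDR = 8          # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2      # pad length (1) + next header (1), encrypted with the payload

# (IV length, padding alignment) for ESP ciphers named in the thread's transform sets
CIPHERS = {
    "esp-aes 256": (16, 16),   # AES-CBC: 16-byte IV, 16-byte block
    "esp-3des":    (8, 8),     # 3DES-CBC: 8-byte IV, 8-byte block
    "esp-null":    (0, 4),     # no IV; RFC 4303 still requires 4-byte trailer alignment
}
# Truncated ICV lengths for ESP integrity algorithms
AUTHS = {
    "esp-sha-hmac": 12,        # HMAC-SHA-1-96
    "esp-md5-hmac": 12,        # HMAC-MD5-96
}


def _pad_to(n: int, block: int) -> int:
    """Round n up to the next multiple of block."""
    return math.ceil(n / block) * block


@dataclass(frozen=True)
class Transform:
    cipher: str = "esp-aes 256"   # the thread's "default" transform set
    auth: str = "esp-sha-hmac"
    nat_t: bool = False           # assumption: the thread's tunnel has no NAT-T

    def fixed_overhead(self) -> int:
        """Bytes added around the encrypted payload, excluding cipher padding."""
        iv, _ = CIPHERS[self.cipher]
        udp = UDP_HDR if self.nat_t else 0
        return IPV4_HDR + udp + ESP_HDR + iv + AUTHS[self.auth]

    def outer_size(self, inner_len: int) -> int:
        """Size of the ESP packet carrying an inner IPv4 packet of inner_len bytes."""
        _, block = CIPHERS[self.cipher]
        # Inner packet plus the 2-byte ESP trailer is padded to the cipher alignment.
        encrypted = _pad_to(inner_len + ESP_TRAILER, block)
        return self.fixed_overhead() + encrypted

    def max_inner(self, outer_mtu: int = 1500) -> int:
        """Largest inner IPv4 packet whose ESP encapsulation still fits outer_mtu."""
        _, block = CIPHERS[self.cipher]
        budget = outer_mtu - self.fixed_overhead()   # room for the padded payload
        encrypted = budget - budget % block          # round down to whole blocks
        return encrypted - ESP_TRAILER

    def tcp_mss(self, inner_mtu: int) -> int:
        """MSS to clamp (ip tcp adjust-mss) so a full TCP segment fits inner_mtu."""
        return inner_mtu - IPV4_HDR - TCP_HDR


def fragments_after_encryption(inner_len: int, tf: Transform, outer_mtu: int = 1500) -> int:
    """Outer IPv4 packets produced by one inner packet when the ESP packet exceeds
    the egress MTU and is fragmented (DF cleared). Each fragment carries a
    payload that is a multiple of 8 bytes, so the first one carries less than
    outer_mtu - 20 bytes if that is not 8-aligned."""
    outer = tf.outer_size(inner_len)
    if outer <= outer_mtu:
        return 1
    payload = outer - IPV4_HDR
    per_fragment = (outer_mtu - IPV4_HDR) // 8 * 8
    return math.ceil(payload / per_fragment)


if __name__ == "__main__":
    tf = Transform()
    biggest = tf.max_inner()
    print(f"largest inner packet for a 1500-byte outer MTU: {biggest} bytes; "
          f"TCP MSS to clamp: {tf.tcp_mss(biggest)}")
    for inner in (1500, biggest, 1400):
        print(f"inner {inner:>4} -> ESP {tf.outer_size(inner):>4} bytes, "
              f"{fragments_after_encryption(inner, tf)} packet(s) on the wire")
```

The fragment count is the number that matters for a hardware crypto module: a 1500-byte inner packet becomes a 1560-byte ESP packet, which the egress interface splits in two, so the crypto engine and the far end's reassembly path handle twice the packets for the same payload. Clamping the MSS below what max_inner() reports for the actual path keeps every encrypted TCP segment in a single outer packet.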
07-29-2011 04:27 PM
Anything else you see in my config that would limit the speed?
07-29-2011 04:33 PM
Not really for what has been posted, but as I said, please check for any asymmetrical routing when traffic is being pushed through the tunnel. You can also change the transform set from AES-256 to 3DES, but that wouldn't make a big difference.
Manish