Sloooow VPN

mattmacnish (Level 1)

VPN connection is only able to hit a max of 1.7 Mbps.

Using a 2811 with 512 MB RAM and an AIM-SSL module, connected to an 1841 with 256 MB RAM and an AIM-VPN module.

Both sites are able to transfer ~100 Mbps between the two, but through the VPN only ~1.7 Mbps.

1841:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key q###090909333 address 10.0.0.250 no-xauth
crypto isakmp peer address 10.0.0.250
!
!
crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
crypto ipsec transform-set clients esp-aes 256 esp-sha-hmac
crypto ipsec transform-set default-3des esp-3des esp-sha-hmac
crypto ipsec transform-set default-comp esp-aes 256 esp-sha-hmac comp-lzs
crypto ipsec transform-set null esp-null esp-sha-hmac
crypto ipsec transform-set default-alt ah-sha-hmac esp-aes 256
crypto ipsec df-bit clear
!
crypto map crypto-map local-address Loopback104
crypto map crypto-map 10 ipsec-isakmp
 set peer 10.0.0.250
 set transform-set default
 set pfs group5
 match address VPN-1000250
!
!
interface Loopback104
 ip address 10.0.0.250 255.255.255.255
 ip nat inside
 no ip virtual-reassembly
 crypto map crypto-map
!
ip access-list extended VPN-1000250
 permit ip 10.50.50.0 0.0.255.255 10.60.60.0 0.0.255.255

Is there any setting I can change to significantly increase the throughput? These devices are ONLY used for VPN; we have separate routers and firewalls.

11 Replies

andrew.prince (Level 10)

Post output of:

show crypto isakmp sa

and

show crypto ipsec sa


show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.0.0.250      10.250.250.250  QM_IDLE           2048    0 ACTIVE

IPv6 Crypto ISAKMP SA

show crypto ipsec sa

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.50.50.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.60.60.0/255.255.0.0/0/0)
   current_peer 10.0.0.250 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 54674464, #pkts encrypt: 54674464, #pkts digest: 54674464
    #pkts decaps: 129026472, #pkts decrypt: 129026472, #pkts verify: 129026472
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 1

     local crypto endpt.: 10.250.250.250, remote crypto endpt.: 10.0.0.250
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xFFC2592F(4290926895)

     inbound esp sas:
      spi: 0xD7D78B06(3621227270)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 167, flow_id: AIM-VPN/BPII-PLUS:167, crypto map: crypto-map
        sa timing: remaining key lifetime (k/sec): (4584891/1972)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFFC2592F(4290926895)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 168, flow_id: AIM-VPN/BPII-PLUS:168, crypto map: crypto-map
        sa timing: remaining key lifetime (k/sec): (4592040/1972)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

I'll try it, but I read the optimal was 1400, which we're using.

Verify it using extended ping with a high MTU + DF bit on, just to be sure.

Check for any asymmetrical routing going on, with packets using a different path for getting to the VPN devices, as you mentioned these are dedicated VPN devices.

Manish

Thanks, that improved it to 2.28 Mbps, but I'd prefer faster.

What config did Cisco use to test the 40 Mbps throughput they show it can handle at 1400?

Did you adjust the MSS for TCP on both ends of the tunnel?

Also, I just saw that what Cisco is saying is that the 1841 gives you 25-40 Mbps for 1400-byte packets + internet mix traffic, so traffic in production is not what the sales pitch normally is ;-).

Manish

Yes, both ends are 1300.

Sorry for being a noob, but:

Does IMIX really apply when these are only being used for a p2p tunnel for certain subnets?

Also, do I need to lower the MTU for the tunnel from 1500 to a lower number than the physical interface, currently 1300?

Thanks

IMIX = internet mix traffic. I think they mean the traffic with which the device was tested was a mix of TCP, UDP etc. protocols and not just one protocol, but in addition they say + 1400-byte packets, which I don't understand why, as general internet mix traffic is random in size as well.

You can try the following:

tunnel path-mtu-discovery on the tunnel interfaces.

Manish
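The three suggestions above (extended ping with the DF bit set, clamping the TCP MSS on both ends, and tunnel path-mtu-discovery) all come down to the same arithmetic: how much of a 1500-byte path is left for the inner packet once ESP tunnel mode wraps it. The script below is an added example for this thread, not code from the original post or from Cisco. It computes the wire size and the largest non-fragmenting inner MTU for the transform sets posted above (esp-aes 256, esp-3des and esp-null, each with esp-sha-hmac, i.e. HMAC-SHA1-96), derives the matching ip tcp adjust-mss value, and implements the DF-bit probe as a binary search over a pluggable probe function. The live probe assumes a Linux host with iputils ping, and the 10.60.60.1 address in the usage comment is assumed. Note that tunnel path-mtu-discovery is a command for interface Tunnel (GRE or VTI); the posted deployment applies a crypto map rather than a tunnel interface, so there is nowhere to put it, and the MSS clamp on the LAN-facing interfaces is the lever that remains.

```python
"""
IPsec ESP tunnel-mode overhead, TCP MSS and DF-bit path-MTU probing.

Added example for this thread; not the poster's configuration and not Cisco
code.  Assumes ESP tunnel mode with the posted transform sets (esp-aes 256,
esp-3des, esp-null, each with esp-sha-hmac) and, for the live probe, a Linux
host with iputils ping.  Host addresses in the usage comment are assumed.
"""
import subprocess
from typing import Callable

OUTER_IPV4 = 20     # new outer IPv4 header added by tunnel mode
ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
# cipher -> (IV bytes, padding block size).  esp-null has no IV and gives
# no confidentiality; its trailer must still end on a 4-byte boundary.
CIPHERS = {"aes": (16, 16), "3des": (8, 8), "null": (0, 4)}
ICV = {"sha": 12, "md5": 12}   # esp-sha-hmac / esp-md5-hmac both truncate to 96 bits


def esp_packet_size(inner_len: int, cipher: str = "aes", auth: str = "sha") -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    iv, block = CIPHERS[cipher]
    body = inner_len + ESP_TRAILER
    pad = (-body) % block                  # pad so the encrypted part is block-aligned
    return OUTER_IPV4 + ESP_HEADER + iv + body + pad + ICV[auth]


def max_inner_mtu(path_mtu: int = 1500, cipher: str = "aes", auth: str = "sha") -> int:
    """Largest inner IP packet whose ESP packet still fits in path_mtu without fragmentation."""
    inner = path_mtu
    while esp_packet_size(inner, cipher, auth) > path_mtu:
        inner -= 1
    return inner


def tcp_mss_for_mtu(ip_mtu: int) -> int:
    """MSS that keeps a full segment within ip_mtu (20-byte IPv4 + 20-byte TCP header, no options)."""
    return ip_mtu - 40


def find_max_df_payload(probe: Callable[[int], bool], lo: int = 28, hi: int = 1472) -> int:
    """Binary-search the largest ICMP payload that probe() delivers with DF set.

    probe(size) returns True when an echo reply came back for that payload size.
    Returns 0 if even the smallest probe fails.  Add 28 (IP + ICMP headers)
    to turn the payload into the IP MTU of the path.
    """
    if not probe(lo):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def linux_df_ping(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Build a probe() on iputils ping: -M do sets DF, -s is the ICMP payload size."""
    def probe(size: int) -> bool:
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(size), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
        return result.returncode == 0
    return probe


def summarize(path_mtu: int = 1500) -> dict:
    """Inner MTU and matching TCP MSS for each posted transform set at a given underlay MTU."""
    out = {}
    for cipher in CIPHERS:
        mtu = max_inner_mtu(path_mtu, cipher)
        out[cipher] = (mtu, tcp_mss_for_mtu(mtu))
    return out


if __name__ == "__main__":
    for cipher, (mtu, mss) in summarize().items():
        print(f"esp-{cipher} esp-sha-hmac: inner IP MTU {mtu}, ip tcp adjust-mss {mss}")
    # Live probe from a LAN host behind one router to a host behind the other
    # (10.60.60.1 is an assumed address; ping may need root or CAP_NET_RAW):
    # payload = find_max_df_payload(linux_df_ping("10.60.60.1"))
    # print("path IP MTU through the tunnel:", payload + 28)
```

Two practical notes. First, the posted config contains crypto ipsec df-bit clear, which clears DF on the outer header so that an oversized ESP packet is fragmented in transit and reassembled by the peer; a DF probe sent through the tunnel can therefore keep succeeding even where the underlay is smaller, so probe the underlay between the two crypto endpoints (10.250.250.250 and 10.0.0.250 in the output above) as well, and remember that reassembly on the receiving router costs CPU. Second, with esp-aes 256 esp-sha-hmac the arithmetic gives an inner MTU of 1438 at a 1500-byte underlay, so a 1400-byte inner packet and an MSS of 1360 leave about 40 bytes of slack; the 1300 already configured on both ends is more conservative still, which means MSS is unlikely to be what is holding the tunnel to a couple of Mbps.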

Anything else you see in my config that would limit the speed?

Not really, for what is being posted, but as I said, please check for any asymmetrical routing when traffic is being pushed through the tunnel. You can also change the transform set from AES-256 to 3DES, but that wouldn't make a big difference.

Manish
