cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2613
Views
0
Helpful
7
Replies

VPN performance for 3725 router with AIM-VPN/EPII-PLUS IPSec accelerator

Hello

I am trying to determine what is the maximum VPN throughput achieved by a 3725 router with AIM-VPN/EPII-PLUS IPSec accelerator module.

I have two routers connected back-to-back using a cross-over cable. An IPSec VPN tunnel is established between routers, encrypting IP traffic between an FTP client and a FTP server. It is a very simple setup, specially built for testing.

The IPSec tunnel works well for low throughput transmissions. If I download a large file, the CPU on router is skyrocketing to 98%. Data is encrypted, and packets pass through the tunnel ? however, the router becomes unresponsive because of the high CPU utilization. Other flows through the router suffer too.

LAB-3725#show proc cpu sorted

CPU utilization for five seconds: 98%/78%; one minute: 27%; five minutes: 6%

PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process

2 2456 504 4873 19.05% 3.66% 0.80% 0 Load Meter

5 2264 254 8913 0.36% 0.07% 0.06% 0 Check heaps

117 8 367 21 0.07% 0.00% 0.00% 0 TCP Timer

188 928 1964 472 0.07% 0.35% 0.21% 98 Virtual Exec

41 40 2507 15 0.07% 0.01% 0.00% 0 Per-Second Jobs

What is the real IPSec performance of a 3725 router with AIM-VPN/EPII-PLUS hardware accelerator module? The AIM-VPN/EPII-PLUS accelerator is supposed to encrypt more than 100 Mbps of traffic, and should offload IPSec processing from CPU.

I attached the show runn, and some IPSec statistics.

Thank you,

Cristian

7 Replies 7

-

Files attaches

dgahm
Level 8
Level 8

Cristian,

Do you have CEF enabled?

ip cef

interface ethernet0/0

ip route-cache

! Ensure that you will not hit flow switching.

no ip route-cache flow

Please rate helpful posts.

Dave

Hello Dave,

Thank you for your suggestion. CEF was enabled globally (my mistake, I attached initially only the IPSec related commands). I enabled CEF also per interface, as you recommended.

Unfortunately enabling CEF did not make a difference.

I downloaded again a 700 Mbytes file via FTP, with similar results - the download works, I get throughputs around 60 Mbps. Sadly the CPU on router reaches almost 100%, making the whole setup unusable.

The busiest process is "Load Meter".

LAB-3725#show proc cpu sorted

CPU utilization for five seconds: 98%/83%; one minute: 62%; five minutes: 18%

PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process

2 12016 2767 4342 15.21% 3.90% 0.92% 0 Load Meter

1 0 3 0 0.00% 0.00% 0.00% 0 Chunk Manager

3 0 1 0 0.00% 0.00% 0.00% 0 chkpt message ha

4 0 1 0 0.00% 0.00% 0.00% 0 EDDRI_MAIN

5 10500 1406 7467 0.00% 0.07% 0.05% 0 Check heaps

6 0 2 0 0.00% 0.00% 0.00% 0 Pool Manager

7 0 2 0 0.00% 0.00% 0.00% 0 Timers

Load Meter "computes the load average for the different processes every five seconds, and the five minute exponentially-decayed busy time"

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1828/products_tech_note09186a00800a65d0.shtml

It seems that the router is hitting its limits - anybody experienced similar issues?

Thank you,

Cristian

I'm interested in the answer to this too. I my tests without the AIM, I got about 4mbit throughput, and 50% cpu usage.

We're looking at DMVPN for 50+ sites that have 2811s now. Current thinking is use 1811 security bundles as an add-on just for VPN. Cisco says the 2811 is fine alone... but what happens when 30 VOIP users are on SRST mode on a 2811 that is at 50% CPU or higher?

2811 Routers have a built-in VPN accelerator card, which is supposed to handle 55 Mbps of encrypted traffic.

http://www.cisco.com/en/US/partner/netsol/ns461/netbr09186a00801f0a72.html

The 55 Mbps performance seems to be just another marketing number...

Hi Cristian,

I don't have any experience with VPN acceleration on 3750, but what I'd like to note, is that you wouldn't expect to see as much as 100Mbps from a 100M interface. Depending on packet size you would get between 65-80Mbps. 100MB is only seen at L2. Obviously the high CPU report is indicative of the router working at its limits. It all depends on the ultimate intended use of the tunnel and router. If you are not that fast about the throughput on the tunnel, you could rate limit the FE interface, so that the other flows don't suffer.

Regards,

Anthony