VPN Encryption Cards and CPU performance

 
 
Nick Bailey
10-18-2003
Hi

We are using the Cisco AIM-VPN/BP on our 2600 routers and the NM-VPN
on our 3600 routers to encrypt our WAN links - but under load we are
seeing the CPU usage go so high that we are seeing dropped packets.

Has anyone else seen this problem / solved this problem, or been using
the cards with no problems?

Any help or suggestions would be appreciated.
 
Terry Baranski
10-18-2003
On 18 Oct 2003 11:54:06 -0700, (E-Mail Removed) (Nick Bailey) wrote:

>Hi
>
>We are using the Cisco AIM-VPN/BP on our 2600 routers and the NM-VPN
>on our 3600 routers to encrypt our wan links - but under load we are
>seeing the CPU usage go so high that we are seeing dropped packets


How much load? Are the encryption modules recognized by the IOS
versions in use?

-Terry
 
Jonathan Wilson
10-19-2003
"Nick Bailey" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Hi
>
> We are using the Cisco AIM-VPN/BP on our 2600 routers and the NM-VPN
> on our 3600 routers to encrypt our wan links - but under load we are
> seeing the CPU usage go so high that we are seeing dropped packets



What is the load on the routers - how many T1s, or whatever, and what else
are they doing?

Are you attempting to use the new AES encryption? While it's supported on
recent IOS, it's only in software (or on the new series of AIMs - thanks,
Cisco), so that would definitely cause a problem.

We use AIM-VPN/BPs on full T1 VPN links with 2610 routers with 3DES
encryption and a dozen tunnels; CPU usage is typically around 10% under
load - and these routers are also doing lots of filtering/firewalling.

Regards,
Jonathan Wilson


 
One Step Beyond
10-19-2003
Hi,
You need to ensure that your IOS has recognised the modules. This was at
12.2.13T on the 3660 - you'll have to check on the 2600 series. If you do a
show ver then it should be listed in there if the IOS has seen the module.
If it is not listed you need to upgrade your IOS to a version that will
support the accelerator.

How much aggregate bandwidth have you coming from this router? If the WAN
links are modest, they will be the cause of the congestion and not the
accelerator. If you have 100 meg ethernet WAN links then you will drive the
CPU very high since it cannot possibly encrypt that amount of data (you'd
need something like the CAT 65xx with VPN module to do that). What is the
utilisation of the WAN links? Check that before condemning the encryption
system. If the WAN links are congested then traffic will be dropped,
irrespective of encryption.

What form of encryption are you using? 3DES? IPsec tunnel mode? or IPsec
transport mode? Using GRE as well? If so, you could be fragmenting the
packets that will need to be put back together at the remote end by process
switching - effectively rendering the accelerator useless. If this is the
case, put a "tcp mss 1402" command against the tunnels. That should sort
it. Post the configs here.

OSB
CCIE #11330

Nick Bailey
10-20-2003
Aggregate bandwidth on the router is 3 x T1s (of which 2 are
encrypted)

The cards are recognised and I see them working.

Utilisation is pretty high - but always has been - it's only when we
turn on encryption and see the CPU hit 90-100 that we see packet loss
that hurts us.

Using 3DES encryption, not using GRE.

I'm not supposed to post configs (security) but I am going to try and
make them harmless and OK it with my manager.

Nick

Rob
10-20-2003
My experience has been that the specs listed for 3DES performance on
Cisco VPN cards are overblown. They use 1400 byte packets in their
marketing material. I would cut it 20-25% of the listed performance
and use that as the real number for mixed packets.

i.e. If an AIM-VPN/BP on Router 26XX is supposed to give 10Mbps 3DES
performance, it will be around 2.5Mbps before CPU or throughput hits a
ceiling.

I have several Cisco VPNs where I work. While my numbers may be a
bit off, if I use that as a rule-of-thumb, I am never disappointed in
the router I choose.

On a side note, how are you aggregating the three T1s? Some methods
such as MLPPP take more CPU horsepower than IP CEF per-packet.
However, you would want to stay with MLPPP if it's doing IPSEC anyway
as it preserves packet order. I'm trying both methods now and am
getting better throughput with MLPPP.

Also, make sure "no ip route-cache" doesn't appear anywhere in your
configs. If it does, ask why.

-Robert

One Step Beyond
10-21-2003
Fair enough. What type of 3DES are you using? Tunnel mode or transport
mode? Remember that fragmentation will occur in transport mode if the MTU
maxes the WAN links' MTU. If this is happening, you need to drop the tcp
mss size. The Cisco crypto pre-fragment feature only works in tunnel mode
so that will not help you if you are using transport mode. It is difficult
to suggest further without seeing your configs. 3 Megabits worth of
encryption would be at the high end of the capabilities of a 2600, as
another poster suggested. Also, remember that this figure will be the full
duplex figure so you can halve that immediately.
Steve
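As an added example (not code from the thread or from Cisco), here is the ESP overhead arithmetic behind OSB's fragmentation advice in the two replies above: it computes the on-wire size of a full TCP segment with and without GRE, in tunnel and transport mode, and the largest MSS that keeps the encrypted packet under a 1500-byte WAN MTU. The header sizes, the 3DES-CBC IV/block size and the 96-bit HMAC ICV are assumptions of this example, not figures taken from the thread.

```python
# Added example (not from the thread): on-the-wire size of one TCP segment
# after GRE and IPsec ESP encapsulation, so you can see which MSS keeps the
# encrypted packet under the WAN MTU in transport vs tunnel mode.
# Assumptions: IPv4 and TCP headers without options, basic 4-byte GRE header,
# ESP with 3DES-CBC (8-byte IV, 8-byte block) and a 96-bit HMAC ICV.
IP_HDR = 20
TCP_HDR = 20
GRE_HDR = 4
ESP_HDR = 8        # SPI + sequence number
DES3_IV = 8
DES3_BLOCK = 8
ESP_TRAILER = 2    # pad length + next header
HMAC_ICV = 12      # HMAC-MD5-96 or HMAC-SHA1-96


def wire_size(mss: int, gre: bool, tunnel: bool) -> int:
    """Bytes on the WAN link for a full-size TCP segment with the given MSS."""
    ip_payload = TCP_HDR + mss
    if gre:
        # GRE carries the whole host packet behind a GRE header and a new
        # delivery IP header.
        ip_payload = GRE_HDR + IP_HDR + ip_payload
    # Tunnel mode encrypts the entire IP packet and adds an outer IP header;
    # transport mode encrypts only the payload behind the existing IP header.
    plaintext = IP_HDR + ip_payload if tunnel else ip_payload
    body = plaintext + ESP_TRAILER
    pad = (-body) % DES3_BLOCK        # CBC needs a whole number of blocks
    return IP_HDR + ESP_HDR + DES3_IV + body + pad + HMAC_ICV


def fragments(mss: int, gre: bool, tunnel: bool, mtu: int = 1500) -> bool:
    """True if the encrypted packet exceeds the MTU, so the router must
    fragment it and the far end must reassemble (the cost OSB describes)."""
    return wire_size(mss, gre, tunnel) > mtu


def max_mss(gre: bool, tunnel: bool, mtu: int = 1500) -> int:
    """Largest MSS whose encrypted packet still fits the MTU."""
    mss = mtu
    while wire_size(mss, gre, tunnel) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for gre in (False, True):
        for tunnel in (False, True):
            mode = ("GRE+" if gre else "") + ("tunnel" if tunnel else "transport")
            print(f"{mode:14} MSS 1460 -> {wire_size(1460, gre, tunnel)} bytes,"
                  f" fragments={fragments(1460, gre, tunnel)},"
                  f" max MSS {max_mss(gre, tunnel)}")
```

Under these assumptions a 1402-byte MSS is exactly the largest that fits GRE over IPsec transport mode, while the same MSS in GRE over tunnel mode produces a 1520-byte packet that the router has to fragment.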
Nick Bailey
10-21-2003
We are not aggregating the T1s - they go to different destinations.


