VPN Encryption Cards and CPU performance

Discussion in 'Cisco' started by Nick Bailey, Oct 18, 2003.

  1. Nick Bailey

    Nick Bailey Guest

    Hi

    We are using the Cisco AIM-VPN/BP on our 2600 routers and the NM-VPN
    on our 3600 routers to encrypt our wan links - but under load we are
    seeing the CPU usage go so high that we are seeing dropped packets

    Has anyone else seen this problem / solved this problem or been using
    the cards with no problems?

    Any help or suggestion would be appreciated
     
    Nick Bailey, Oct 18, 2003
    #1

  2. On 18 Oct 2003 11:54:06 -0700, (Nick Bailey) wrote:

    >Hi
    >
    >We are using the Cisco AIM-VPN/BP on our 2600 routers and the NM-VPN
    >on our 3600 routers to encrypt our wan links - but under load we are
    >seeing the CPU usage go so high that we are seeing dropped packets


    How much load? Are the encryption modules recognized by the IOS
    versions in use?

    -Terry
     
    Terry Baranski, Oct 18, 2003
    #2

  3. "Nick Bailey" <> wrote in message
    news:...
    > Hi
    >
    > We are using the Cisco AIM-VPN/BP on our 2600 routers and the NM-VPN
    > on our 3600 routers to encrypt our wan links - but under load we are
    > seeing the CPU usage go so high that we are seeing dropped packets



    What is the load on the routers - how many T1s, or whatever, and what else
    are they doing?

    Are you attempting to use the new AES encryption? While it's supported on
    recent IOS, it's only in software (or on the new series of AIMs - thanks,
    Cisco), so that would definitely cause a problem.

    We use AIM-VPN/BPs on full T1 VPN links with 2610 routers with 3DES
    encryption and a dozen tunnels; CPU usage is typically around 10% under
    load - and these routers are also doing lots of filtering/firewalling.

    Regards,
    Jonathan Wilson
     
    Jonathan Wilson, Oct 19, 2003
    #3
  4. Hi,
    You need to ensure that your IOS has recognised the modules. This was at
    12.2.13T on the 3660 - you'll have to check on the 2600 series. If you do a
    show ver then it should be listed in there if the IOS has seen the module.
    If it is not listed you need to upgrade your IOS to a version that will
    support the accelerator.

    How much aggregate bandwidth have you coming from this router? If the WAN
    links are modest, they will be the cause of the congestion and not the
    accelerator. If you have 100 meg ethernet WAN links then you will drive the
    CPU very high since it cannot possibly encrypt that amount of data (you'd
    need something like the CAT 65xx with VPN module to do that). What is the
    utilisation of the WAN links? Check that before condemning the encryption
    system. If the WAN links are congested then traffic will be dropped,
    irrespective of encryption.

    What form of encryption are you using? 3DES? IPsec tunnel mode? or IPSec
    transport mode? Using GRE as well? If so, you could be fragmenting the
    packets that will need to be put back together at the remote end by process
    switching - effectively rendering the accelerator useless. If this is the
    case, put a "tcp mss 1402" command against the tunnels. That should sort
    it. Post the configs here.

    OSB
    CCIE #11330




    "Nick Bailey" <> wrote in message
    news:...
    > Hi
    >
    > We are using the Cisco AIM-VPN/BP on our 2600 routers and the NM-VPN
    > on our 3600 routers to encrypt our wan links - but under load we are
    > seeing the CPU usage go so high that we are seeing dropped packets
    >
    > Has anyone else seen this problem / solved this problem or been using
    > the cards with no problems?
    >
    > Any help or suggestion would be appreciated
     
    One Step Beyond, Oct 19, 2003
    #4
  5. Nick Bailey

    Nick Bailey Guest

    Aggregate bandwidth on the router is 3 x T1s (of which 2 are
    encrypted)

    The cards are recognised and I see them working.

    Utilisation is pretty high - but always has been - it's only when we
    turn on encryption and see the CPU hit 90-100 that we see packet loss
    that hurts us

    Using 3DES encryption, not using GRE.

    I'm not supposed to post configs (security) but I am going to try and
    make them harmless and OK it with my manager.

    Nick



    "One Step Beyond" <> wrote in message news:<bmue22$q471l$-berlin.de>...
    > Hi,
    > You need to ensure that your IOS has recognised the modules. This was at
    > 12.2.13T on the 3660 - you'll have to check on the 2600 series. If you do a
    > show ver then it should be listed in there if the IOS has seen the module.
    > If it is not listed you need to upgrade your IOS to a version that will
    > support the accelerator.
    >
    > How much aggregate bandwidth have you coming from this router? If the WAN
    > links are modest, they will be the cause of the congestion and not the
    > accelerator. If you have 100 meg ethernet WAN links then you will drive the
    > CPU very high since it cannot possibly encrypt that amount of data (you'd
    > need something like the CAT 65xx with VPN module to do that). What is the
    > utilisation of the WAN links? Check that before condemning the encryption
    > system. If the WAN links are congested then traffic will be dropped,
    > irrespective of encryption.
    >
    > What form of encryption are you using? 3DES? IPsec tunnel mode? or IPSec
    > transport mode? Using GRE as well? If so, you could be fragmenting the
    > packets that will need to be put back together at the remote end by process
    > switching - effectively rendering the accelerator useless. If this is the
    > case, put a "tcp mss 1402" command against the tunnels. That should sort
    > it. Post the configs here.
    >
    > OSB
    > CCIE #11330
    >
    >
    >
    >
    > "Nick Bailey" <> wrote in message
    > news:...
    > > Hi
    > >
    > > We are using the Cisco AIM-VPN/BP on our 2600 routers and the NM-VPN
    > > on our 3600 routers to encrypt our wan links - but under load we are
    > > seeing the CPU usage go so high that we are seeing dropped packets
    > >
    > > Has anyone else seen this problem / solved this problem or been using
    > > the cards with no problems?
    > >
    > > Any help or suggestion would be appreciated
     
    Nick Bailey, Oct 20, 2003
    #5
  6. Rob

    Rob Guest

    My experience has been that the specs listed for 3DES performance on
    Cisco VPN cards are overblown. They use 1400 byte packets in their
    marketing material. I would cut it to 20-25% of the listed performance
    and use that as the real number for mixed packets.

    i.e. If an AIM-VPN/BP on Router 26XX is supposed to give 10Mbps 3DES
    performance, it will be around 2.5Mbps before CPU or throughput hits a
    ceiling.

    I have several Cisco VPNs where I work. While my numbers may be a
    bit off, if I use that as a rule-of-thumb, I am never disappointed in
    the router I choose.

    On a side note, how are you aggregating the three T1's? Some methods
    such as MLPPP take more CPU horsepower than IP CEF per-packet.
    However, you would want to stay with MLPPP if it's doing IPSEC anyway
    as it preserves packet order. I'm trying both methods now and am
    getting better throughput with MLPPP.

    Also, make sure "no ip route-cache" doesn't appear anywhere in your
    configs. If it does, ask why.

    -Robert



    On 20 Oct 2003 08:00:12 -0700, (Nick Bailey) wrote:

    >Aggregate bandwidth on the router is 3 x T1s (of which 2 are
    >encrypted)
    >
    >The cards are recognised and I see them working.
    >
    >Utilisation is pretty high - but always has been - it's only when we
    >turn on encryption and see the CPU hit 90-100 that we see packet loss
    >that hurts us
    >
    >Using 3DES encryption, not using GRE.
    >
    >I'm not supposed to post configs (security) but I am going to try and
    >make them harmless and OK it with my manager.
    >
    >Nick
     
    Rob, Oct 20, 2003
    #6
  7. Fair enough. What type of 3DES are you using? Tunnel mode or transport
    mode? Remember that fragmentation will occur on transport mode if the MTU
    maxes the WAN links' MTU. If this is happening, you need to drop the tcp
    mss size. The Cisco crypto pre-fragment feature only works in tunnel mode
    so that will not help you if you are using transport mode. It is difficult
    to suggest further without seeing your configs. 3 megabits worth of
    encryption would be at the high end of the capabilities of a 2600, as
    another poster suggested. Also, remember that this figure will be the full
    duplex figure so you can halve that immediately.
    Steve

    "Nick Bailey" <> wrote in message
    news:...
    > Aggregate bandwidth on the router is 3 x T1s (of which 2 are
    > encrypted)
    >
    > The cards are recognised and I see them working.
    >
    > Utilisation is pretty high - but always has been - it's only when we
    > turn on encryption and see the CPU hit 90-100 that we see packet loss
    > that hurts us
    >
    > Using 3DES encryption, not using GRE.
    >
    > I'm not supposed to post configs (security) but I am going to try and
    > make them harmless and OK it with my manager.
    >
    > Nick
    >
    >
    >
    > "One Step Beyond" <> wrote in message news:<bmue22$q471l$-berlin.de>...
    > > Hi,
    > > You need to ensure that your IOS has recognised the modules. This was at
    > > 12.2.13T on the 3660 - you'll have to check on the 2600 series. If you do a
    > > show ver then it should be listed in there if the IOS has seen the module.
    > > If it is not listed you need to upgrade your IOS to a version that will
    > > support the accelerator.
    > >
    > > How much aggregate bandwidth have you coming from this router? If the WAN
    > > links are modest, they will be the cause of the congestion and not the
    > > accelerator. If you have 100 meg ethernet WAN links then you will drive the
    > > CPU very high since it cannot possibly encrypt that amount of data (you'd
    > > need something like the CAT 65xx with VPN module to do that). What is the
    > > utilisation of the WAN links? Check that before condemning the encryption
    > > system. If the WAN links are congested then traffic will be dropped,
    > > irrespective of encryption.
    > >
    > > What form of encryption are you using? 3DES? IPsec tunnel mode? or IPSec
    > > transport mode? Using GRE as well? If so, you could be fragmenting the
    > > packets that will need to be put back together at the remote end by process
    > > switching - effectively rendering the accelerator useless. If this is the
    > > case, put a "tcp mss 1402" command against the tunnels. That should sort
    > > it. Post the configs here.
    > >
    > > OSB
    > > CCIE #11330
    > >
    > >
    > >
    > >
    > > "Nick Bailey" <> wrote in message
    > > news:...
    > > > Hi
    > > >
    > > > We are using the Cisco AIM-VPN/BP on our 2600 routers and the NM-VPN
    > > > on our 3600 routers to encrypt our wan links - but under load we are
    > > > seeing the CPU usage go so high that we are seeing dropped packets
    > > >
    > > > Has anyone else seen this problem / solved this problem or been using
    > > > the cards with no problems?
    > > >
    > > > Any help or suggestion would be appreciated
     
    One Step Beyond, Oct 21, 2003
    #7
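OSB (#4) and Steve (#7) are describing the same failure mode: once ESP overhead is added, a full-size TCP segment no longer fits in the link MTU, the router fragments it, and the far end has to reassemble the pieces in process switching, which is where the CPU goes. The following is an added example, written for this page and not taken from any poster or from Cisco, that models that arithmetic for ESP with 3DES (8-byte block and IV) and a 96-bit HMAC ICV on a 1500-byte link. The header sizes, the absence of IP options, the 1500-byte MTU and all function names are assumptions of the example. It shows the default MSS of 1460 fragmenting in both transport and tunnel mode, shows that the 1402 value quoted in the thread fits in both, and computes the largest non-fragmenting MSS for each mode (and for segments that also carry a 12-byte TCP timestamp option).

```python
"""ESP overhead model for the IPsec fragmentation question in this thread.

Added example, not from any poster. Assumptions: IPv4 and TCP headers
without options (20 bytes each), ESP with 3DES (8-byte block, 8-byte IV)
and HMAC-MD5-96 or HMAC-SHA1-96 (12-byte ICV), 1500-byte link MTU.
"""

IP_HDR = 20       # IPv4 header, no options
TCP_HDR = 20      # TCP header, no options
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
LINK_MTU = 1500   # assumed WAN/Ethernet MTU


def esp_packet_size(plaintext_len, block=8, iv=8, icv=12):
    """Bytes on the wire for one ESP packet carrying plaintext_len bytes.

    The encrypted region (plaintext + trailer) is padded up to a multiple of
    the cipher block size. Exactly one outer IPv4 header precedes ESP in
    both modes: the original header in transport mode, a new one in tunnel
    mode; the difference between the modes is what counts as plaintext.
    """
    to_encrypt = plaintext_len + ESP_TRAILER
    padded = -(-to_encrypt // block) * block      # round up to block multiple
    return IP_HDR + ESP_HDR + iv + padded + icv


def plaintext_len_for_mss(mss, mode, tcp_options=0):
    """Bytes handed to ESP for a full-size segment with the given MSS."""
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    segment = TCP_HDR + tcp_options + mss         # TCP header + data
    # Tunnel mode encrypts the whole inner IP packet, transport mode only
    # the transport segment.
    return segment if mode == "transport" else IP_HDR + segment


def fragments(mss, mode, link_mtu=LINK_MTU, tcp_options=0):
    """True if a full-MSS segment exceeds the link MTU after encapsulation."""
    size = esp_packet_size(plaintext_len_for_mss(mss, mode, tcp_options))
    return size > link_mtu


def max_mss(mode, link_mtu=LINK_MTU, tcp_options=0):
    """Largest MSS whose full-size segments never fragment after ESP."""
    mss = link_mtu - IP_HDR - TCP_HDR             # plain-link default (1460)
    while mss > 0 and fragments(mss, mode, link_mtu, tcp_options):
        mss -= 1
    return mss


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s} default MSS 1460 fragments: {fragments(1460, mode)}; "
              f"MSS 1402 fragments: {fragments(1402, mode)}; "
              f"largest safe MSS: {max_mss(mode)} "
              f"(with 12-byte TCP timestamps: {max_mss(mode, tcp_options=12)})")
```

Under these assumptions the largest safe MSS is 1426 in transport mode and 1406 in tunnel mode, so the thread's 1402 leaves a few bytes of margin in either mode but not enough to absorb TCP options such as timestamps in tunnel mode. On a real link the effective MTU should be confirmed with don't-fragment pings of the candidate size before the value is fixed in the configuration, since any extra encapsulation (GRE, VLAN tags, a smaller carrier MTU) shifts the numbers.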
  8. Nick Bailey

    Nick Bailey Guest

    We are not aggregating the T1s - they go to diff destinations.



    Rob <> wrote in message news:<>...
    > My experience has been that the specs listed for 3DES performance on
    > Cisco VPN cards are overblown. They use 1400 byte packets in their
    > marketing material. I would cut it 20-25% of the listed performance
    > and use that as the real number for mixed packets.
    >
    > i.e. If an AIM-VPN/BP on Router 26XX is supposed to give 10Mbps 3DES
    > performance, it will be around 2.5Mbps before CPU or throughput hits a
    > ceiling.
    >
    > I have several Cisco VPNs where I work. While my numbers may be a
    > bit off, if I use that as a rule-of-thumb, I am never disappointed in
    > the router I choose.
    >
    > On a side note, how are you aggregating the three T1's? Some methods
    > such as MLPPP take more CPU horsepower than IP CEF per-packet.
    > However, you would want to stay with MLPPP if it's doing IPSEC anyway
    > as it preserves packet order. I'm trying both methods now and am
    > getting better throughput with MLPPP.
    >
    > Also, make sure "no ip route-cache" doesn't appear anywhere in your
    > configs. If it does, ask why.
    >
    > -Robert
    >
    >
    >
    > On 20 Oct 2003 08:00:12 -0700, (Nick Bailey) wrote:
    >
    > >Aggregate bandwidth on the router is 3 x T1s (of which 2 are
    > >encrypted)
    > >
    > >The cards are recognised and I see them working.
    > >
    > >Utilisation is pretty high - but always has been - it's only when we
    > >turn on encryption and see the CPU hit 90-100 that we see packet loss
    > >that hurts us
    > >
    > >Using 3DES encryption, not using GRE.
    > >
    > >I'm not supposed to post configs (security) but I am going to try and
    > >make them harmless and OK it with my manager.
    > >
    > >Nick
     
    Nick Bailey, Oct 21, 2003
    #8
