From: Paul Cosgrove (paul.cosgrove@heanet.ie)
Date: Mon Feb 11 2008 - 18:30:13 ARST
Jian Gu wrote:
> hi, all,
>
> I have a real world problem that I am scratching my head to find the root
> cause of. We have a local data center at site A and a remote backup server at
> site B; site A and site B each have their own service provider, the connection
> bandwidth is well above 50M at either site, and traffic traverses a
> GRE/IPsec tunnel which is configured between two 2800 routers. Both routers
> have a hardware accelerated IPSec encryption/decryption module installed.
>
> It is interesting that traffic from site A to site B is extremely slow,
> performance is only around 10s packets/second, but FTP transferring data
> from site B to site A is reasonably fast, which is around 8Mb/sec. I am
> pretty sure the service provider of site A is not rate limiting incoming traffic
> (even if it does, no way would they rate limit to 10s packets/sec). What could be
> the root cause of such poor performance? Can any server experts here give me
> a clue?
>
> Thanks,
> Jian
>
Hi Jian Gu,
Perhaps you do not notice delay or drops with FTP transfer because you
do not see the individual packets being dropped/retransmitted? With
pings this will be more readily apparent. How are you testing the link?
Which direction does most of the traffic flow in?
The number of packets per second is very important for encryption, more
so than the throughput in terms of Kbps. Sending lots of small packets
will normally have more of an impact than sending a few large ones (such
as FTP).
Other than pps, also watch for fragmentation. Check what GRE IP MTU you
are using, as unless your GRE IP MTU allows for the encryption header
being added later your GRE packets will be fragmented.
GRE adds 24 bytes, IPSEC is variable because of the padding but (I
think) is about 80 bytes.
Also keep in mind that the router will also have to perform
fragmentation if the incoming IP packet is larger than the GRE IP MTU,
and setting the TCP MSS lower using "ip tcp adjust-mss" can help with
that (but only for TCP). Path MTU discovery on end hosts/servers is
also a good way to reduce fragmentation, and thereby reduce load on the
device.
According to the following link the 2811 is capable of 55 Mbps with AES
or 3DES, but you often have to be quite cautious when shown encryption
stats without pps or packet size.
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn_performance_eng.pdf
Paul.
--
Paul Cosgrove
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301
tel: +353-1-660 9040   fax: +353-1-660 3666
web: http://www.heanet.ie/
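The overhead and MTU arithmetic behind Paul's advice, worked through as an added example (this is not code from the original thread). It uses the standard IPv4, GRE and ESP field sizes; the 24-byte GRE figure matches the thread, while the IPsec overhead is derived per packet for ESP tunnel mode with AES-CBC or 3DES-CBC and an assumed HMAC-SHA1-96 authenticator, which is why it comes out "variable" rather than a flat 80 bytes. The function names and the 1500-byte physical MTU are constructed for the example; the resulting numbers are what you would put into `ip mtu` and `ip tcp adjust-mss` on the tunnel interface.

```python
"""Constructed example: GRE-over-IPsec overhead, tunnel IP MTU and pps arithmetic.

Not code from the original post. Header sizes are the standard IPv4/GRE/ESP
field sizes; HMAC-SHA1-96 is assumed for the ESP authenticator.
"""

IPV4_HEADER = 20
GRE_HEADER = 4                            # basic GRE header (no key, sequence or checksum)
GRE_OVERHEAD = IPV4_HEADER + GRE_HEADER   # the 24 bytes quoted in the thread

ESP_SPI_SEQ = 8                           # SPI + sequence number
ESP_TRAILER = 2                           # pad length + next header
ESP_ICV = 12                              # HMAC-SHA1-96 authenticator (assumption)

# cipher name -> (IV length, block size) in bytes
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}


def esp_overhead(plaintext_len, cipher="aes-cbc"):
    """Bytes ESP tunnel mode adds to a plaintext IP packet of plaintext_len bytes.
    The padding depends on the plaintext length, so the overhead is variable."""
    iv_len, block = CIPHERS[cipher]
    # payload + pad-length + next-header must fill a whole number of cipher blocks
    pad = (-(plaintext_len + ESP_TRAILER)) % block
    return IPV4_HEADER + ESP_SPI_SEQ + iv_len + pad + ESP_TRAILER + ESP_ICV


def encrypted_size(inner_len, cipher="aes-cbc"):
    """On-the-wire size of an inner packet after GRE encapsulation and ESP."""
    gre_len = inner_len + GRE_OVERHEAD
    return gre_len + esp_overhead(gre_len, cipher)


def max_tunnel_ip_mtu(physical_mtu=1500, cipher="aes-cbc"):
    """Largest inner packet (the tunnel's 'ip mtu') whose GRE+ESP form still
    fits the outbound interface MTU, so the router never fragments after
    encryption."""
    for inner in range(physical_mtu - GRE_OVERHEAD, 0, -1):
        if encrypted_size(inner, cipher) <= physical_mtu:
            return inner
    raise ValueError("physical MTU too small for GRE over IPsec")


def tcp_mss_for(tunnel_ip_mtu):
    """MSS to clamp with 'ip tcp adjust-mss' so a full TCP segment fits the
    tunnel IP MTU (20-byte IP header + 20-byte TCP header, no options)."""
    return tunnel_ip_mtu - 40


def fragmentation_stages(inner_len, tunnel_ip_mtu, physical_mtu=1500, cipher="aes-cbc"):
    """Report where a packet of inner_len bytes gets fragmented on the router:
    'before-encapsulation' if it exceeds the tunnel IP MTU (dropped instead if
    DF is set), 'after-encryption' if the encrypted packet exceeds the
    physical MTU. An empty list means no fragmentation on this router."""
    stages = []
    if inner_len > tunnel_ip_mtu:
        stages.append("before-encapsulation")
        inner_len = tunnel_ip_mtu        # largest fragment that continues into the tunnel
    if encrypted_size(inner_len, cipher) > physical_mtu:
        stages.append("after-encryption")
    return stages


def packets_per_second(bits_per_second, packet_bytes):
    """Packet rate a given throughput implies; the crypto engine is bounded by
    this figure rather than by Mb/s, which is why small packets hurt more."""
    return bits_per_second / (packet_bytes * 8)


if __name__ == "__main__":
    for name in CIPHERS:
        mtu = max_tunnel_ip_mtu(1500, name)
        print(f"{name}: ip mtu {mtu}, ip tcp adjust-mss {tcp_mss_for(mtu)}")
    print("1500-byte packet with tunnel ip mtu left at 1500:",
          fragmentation_stages(1500, 1500))
    print("8 Mb/s as 1500-byte packets:", round(packets_per_second(8e6, 1500)), "pps")
    print("8 Mb/s as 64-byte packets:  ", round(packets_per_second(8e6, 64)), "pps")
```

With a 1500-byte outbound interface, AES-CBC gives a tunnel IP MTU of 1414 (MSS 1374) and 3DES-CBC gives 1422 (MSS 1382); leaving the tunnel at 1500 means every full-size packet is fragmented after encryption, which is the worst case for the crypto engine since the far end must reassemble before it can decrypt. The pps figures show why the 8 Mb/s FTP result says little on its own: the same bandwidth is 667 pps at full-size frames but over 15,000 pps at 64 bytes.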
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:48 ARST