RE: Site-to-site IPSec + GRE Tunnel maxm throughput? from Joseph L. Brunner on 2009-08-26 (Ccielab archives 08/2009)

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Wed, 26 Aug 2009 13:19:17 -0400

Can you please post your sanitized configurations and the output of

Show ip traffic
Show interfaces switching

We'll get to the bottom of this for you friend.

-Joe

-----Original Message-----
From: Vijayaram VR [mailto:vj2106_at_gmail.com]
Sent: Wednesday, August 26, 2009 1:17 PM
To: Joseph L. Brunner
Cc: Cisco certification
Subject: RE: Site-to-site IPSec + GRE Tunnel maxm throughput?

Hi,

I've tested lowering the MTU & MSS values earlier but didn't make any
difference. Both routers are reporting high cpu.

Rgds, VJ
On Wed, 2009-08-26 at 13:02 -0400, Joseph L. Brunner wrote:
> Yes more than stayed alive...
>
> Are you sure you traffic is not stuck in the process path from fragment re-assembly at the far end
>
> You must prevent fragmented packets to avoid latency and issues even with AIM cards installed as all fragmentation re-assembly is done in the SLOWEST path.
>
> I would also run 12.4T latest Adv IP svcs code
>
> Try
>
> Int f0/0
> Description LAN facing
> Ip mtu 1412
> ip tcp adjust-mss 1360
>
> Do that at both sides and reconfirm results
>
> -Joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Vijayaram VR
> Sent: Wednesday, August 26, 2009 11:42 AM
> To: Cisco certification
> Subject: Site-to-site IPSec + GRE Tunnel maxm throughput?
>
> Hi All,
>
> I've been trying to setup an site-to-site IPSec tunnel using C2851 on
> one end and C3825 on the other with hardware encryption (AIM) installed.
> Both routers also performing NAT and GRE.
>
> My problem is whenever the traffic rate on the tunnel interfaces is more
> than 20Mbps, router cpu hits 100% and it crashes. When I checked show
> process cpu, 93% of the utilisation is due to interrupts, means it is
> being CEF switched. My suspicion is on the GRE, as IPSec is offloaded to
> AIM. I've gone through many Cisco docs and couldn't find convincing
> answer on the maximum throughput supported by GRE tunnel.
>
> Did any of you ever tried to pump more than 30Mbps over a GRE tunnel?
> and did the router stayed alive?
>
> Thanks.
>
> Rgds, VJ
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Wed Aug 26 2009 - 13:19:17 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART