RE: Site-to-site IPSec + GRE Tunnel maxm throughput?

From: Tony Varriale <tvarriale_at_flamboyaninc.com>
Date: Wed, 26 Aug 2009 14:37:21 -0500

There really isn't any reason to set the ip mtu on the FE.

Here's a good article that explains most of the situations you will
encounter:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00
800d6979.shtml

Also, there are tons of bugs in latest 12.4T. I would recommend something
later in mainline or in a lower 12.4T (<20T) that's somewhat stable.

There are a few peeps on this list with extensive experience in IPSec and
related issues. If you don't feel you are getting anywhere feel free to
ping me or one of them offlist.

tv

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Joseph L. Brunner
Sent: Wednesday, August 26, 2009 12:02 PM
To: Vijayaram VR; Cisco certification
Subject: RE: Site-to-site IPSec + GRE Tunnel maxm throughput?

Yes more than stayed alive...

Are you sure you traffic is not stuck in the process path from fragment
re-assembly at the far end

You must prevent fragmented packets to avoid latency and issues even with
AIM cards installed as all fragmentation re-assembly is done in the SLOWEST
path.

I would also run 12.4T latest Adv IP svcs code

Try

Int f0/0
Description LAN facing
Ip mtu 1412
ip tcp adjust-mss 1360

Do that at both sides and reconfirm results

-Joe

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Vijayaram VR
Sent: Wednesday, August 26, 2009 11:42 AM
To: Cisco certification
Subject: Site-to-site IPSec + GRE Tunnel maxm throughput?

Hi All,

I've been trying to setup an site-to-site IPSec tunnel using C2851 on
one end and C3825 on the other with hardware encryption (AIM) installed.
Both routers also performing NAT and GRE.

My problem is whenever the traffic rate on the tunnel interfaces is more
than 20Mbps, router cpu hits 100% and it crashes. When I checked show
process cpu, 93% of the utilisation is due to interrupts, means it is
being CEF switched. My suspicion is on the GRE, as IPSec is offloaded to
AIM. I've gone through many Cisco docs and couldn't find convincing
answer on the maximum throughput supported by GRE tunnel.

Did any of you ever tried to pump more than 30Mbps over a GRE tunnel?
and did the router stayed alive?

Thanks.

Rgds, VJ

Blogs and organic groups at http://www.ccie.net
Received on Wed Aug 26 2009 - 14:37:21 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART