RE: Site-to-site IPSec + GRE Tunnel maxm throughput?

Small packet sizes and high packet rates are what kill the AIM cards.

tv

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Luan
Nguyen
Sent: Wednesday, August 26, 2009 12:53 PM
To: 'Joseph L. Brunner'; vj2106_at_gmail.com
Cc: 'Cisco certification'
Subject: RE: Site-to-site IPSec + GRE Tunnel maxm throughput?

If you get 20M throughput for GRE/IPSEC with NAT on a 2851 platform with
AIM-VPN/EPII-PLUS, you should be happy even the CPU roams around 100% and
crashes your router :)
Under ideal packet size, you could get that. Try smaller packet size like
512 for example and see the result.

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net

-----------------------------------

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Joseph L. Brunner
Sent: Wednesday, August 26, 2009 1:19 PM
To: vj2106_at_gmail.com
Cc: Cisco certification
Subject: RE: Site-to-site IPSec + GRE Tunnel maxm throughput?

Can you please post your sanitized configurations and the output of

Show ip traffic
Show interfaces switching

We'll get to the bottom of this for you friend.

-Joe

-----Original Message-----
From: Vijayaram VR [mailto:vj2106_at_gmail.com]
Sent: Wednesday, August 26, 2009 1:17 PM
To: Joseph L. Brunner
Cc: Cisco certification
Subject: RE: Site-to-site IPSec + GRE Tunnel maxm throughput?

Hi,

I've tested lowering the MTU & MSS values earlier but didn't make any
difference. Both routers are reporting high cpu.

Rgds, VJ
On Wed, 2009-08-26 at 13:02 -0400, Joseph L. Brunner wrote:
> Yes more than stayed alive...
>
> Are you sure you traffic is not stuck in the process path from fragment
re-assembly at the far end
>
> You must prevent fragmented packets to avoid latency and issues even with
AIM cards installed as all fragmentation re-assembly is done in the SLOWEST
path.
>
> I would also run 12.4T latest Adv IP svcs code
>
> Try
>
> Int f0/0
> Description LAN facing
> Ip mtu 1412
> ip tcp adjust-mss 1360
>
> Do that at both sides and reconfirm results
>
> -Joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Vijayaram VR
> Sent: Wednesday, August 26, 2009 11:42 AM
> To: Cisco certification
> Subject: Site-to-site IPSec + GRE Tunnel maxm throughput?
>
> Hi All,
>
> I've been trying to setup an site-to-site IPSec tunnel using C2851 on
> one end and C3825 on the other with hardware encryption (AIM) installed.
> Both routers also performing NAT and GRE.
>
> My problem is whenever the traffic rate on the tunnel interfaces is more
> than 20Mbps, router cpu hits 100% and it crashes. When I checked show
> process cpu, 93% of the utilisation is due to interrupts, means it is
> being CEF switched. My suspicion is on the GRE, as IPSec is offloaded to
> AIM. I've gone through many Cisco docs and couldn't find convincing
> answer on the maximum throughput supported by GRE tunnel.
>
> Did any of you ever tried to pump more than 30Mbps over a GRE tunnel?
> and did the router stayed alive?
>
> Thanks.
>
> Rgds, VJ
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Wed Aug 26 2009 - 14:38:33 ART