RE: Site-to-site IPSec + GRE Tunnel maxm throughput?

From: Vijayaram VR <vj2106_at_gmail.com>
Date: Mon, 31 Aug 2009 22:30:21 +0530

Hi,

I didn't try an MTU size below 1300. However, I used a different image,
12.4(15)T9, which is an MD release, but no luck.

Yes, the router is also performing NAT.

Today, on one side the Cisco router was released from IPSec and GRE duty,
which was transferred to a Juniper SSG550. Only NAT is turned on in the Cisco
router. Combined bandwidth on the tunnel is about 10Mbps with avg cpu of
25%. It was another team which did this and I didn't have much say in
continuing with Cisco troubleshooting.

I will extract relevant configs from Cisco gear for analysis.

Rgds, VJ

On Wed, 2009-08-26 at 14:37 -0500, Tony Varriale wrote:
> There really isn't any reason to set the ip mtu on the FE.
>
> Here's a good article that explains most of the situations you will
> encounter:
>
> http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
>
> Also, there are tons of bugs in latest 12.4T. I would recommend something
> later in mainline or in a lower 12.4T (<20T) that's somewhat stable.
>
> There are a few peeps on this list with extensive experience in IPSec and
> related issues. If you don't feel you are getting anywhere feel free to
> ping me or one of them offlist.
>
> tv
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Joseph L. Brunner
> Sent: Wednesday, August 26, 2009 12:02 PM
> To: Vijayaram VR; Cisco certification
> Subject: RE: Site-to-site IPSec + GRE Tunnel maxm throughput?
>
> Yes more than stayed alive...
>
> Are you sure your traffic is not stuck in the process path from fragment
> re-assembly at the far end?
>
> You must prevent fragmented packets to avoid latency and issues even with
> AIM cards installed as all fragmentation re-assembly is done in the SLOWEST
> path.
>
> I would also run 12.4T latest Adv IP svcs code
>
> Try
>
> int f0/0
>  description LAN facing
>  ip mtu 1412
>  ip tcp adjust-mss 1360
>
> Do that at both sides and reconfirm results
>
> -Joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Vijayaram VR
> Sent: Wednesday, August 26, 2009 11:42 AM
> To: Cisco certification
> Subject: Site-to-site IPSec + GRE Tunnel maxm throughput?
>
> Hi All,
>
> I've been trying to set up a site-to-site IPSec tunnel using C2851 on
> one end and C3825 on the other with hardware encryption (AIM) installed.
> Both routers are also performing NAT and GRE.
>
> My problem is whenever the traffic rate on the tunnel interfaces is more
> than 20Mbps, router cpu hits 100% and it crashes. When I checked show
> process cpu, 93% of the utilisation is due to interrupts, which means it is
> being CEF switched. My suspicion is on the GRE, as IPSec is offloaded to
> AIM. I've gone through many Cisco docs and couldn't find a convincing
> answer on the maximum throughput supported by a GRE tunnel.
>
> Did any of you ever try to pump more than 30Mbps over a GRE tunnel,
> and did the router stay alive?
>
> Thanks.
>
> Rgds, VJ
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Rgds, VJ
Received on Mon Aug 31 2009 - 22:30:21 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART
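
The overhead arithmetic behind the `ip mtu` / `ip tcp adjust-mss` advice quoted above, as an added example that is not part of any message in this thread. The transform sets, the 1500-byte path MTU and the absence of IP options are assumptions; the thread never states which IPsec transforms the routers use.

```python
# Added example. Header sizes are the standard ones; the transform choices
# below are assumptions, not taken from the thread.
from dataclasses import dataclass

IP_HDR, TCP_HDR, GRE_HDR, ESP_HDR, NAT_T_UDP = 20, 20, 4, 8, 8

@dataclass(frozen=True)
class Transform:
    block: int  # cipher block size in bytes (ESP pads to a multiple of this)
    iv: int     # per-packet IV in bytes
    icv: int    # truncated integrity check value in bytes

AES_CBC_SHA1 = Transform(block=16, iv=16, icv=12)  # assumed: AES-CBC + HMAC-SHA1-96
TDES_SHA1 = Transform(block=8, iv=8, icv=12)       # assumed: 3DES-CBC + HMAC-SHA1-96

def _pad(n, block):
    """Round n up to the next multiple of block."""
    return -(-n // block) * block

def wire_size(pkt_len, t, tunnel_mode=True, nat_t=False):
    """On-the-wire size of a pkt_len-byte IP packet after GRE, then ESP."""
    gre_pkt = IP_HDR + GRE_HDR + pkt_len  # GRE delivery header + GRE + passenger
    # Tunnel mode encrypts the whole GRE packet behind a new IP header;
    # transport mode leaves the GRE packet's own IP header in the clear.
    protected = gre_pkt if tunnel_mode else gre_pkt - IP_HDR
    ciphertext = _pad(protected + 2, t.block)  # +2: pad-length and next-header bytes
    return IP_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + t.iv + ciphertext + t.icv

def max_tunnel_ip_mtu(path_mtu, t, **kw):
    """Largest passenger packet that still fits path_mtu once encapsulated."""
    for size in range(path_mtu, 0, -1):
        if wire_size(size, t, **kw) <= path_mtu:
            return size
    raise ValueError("path MTU too small for this encapsulation")

def mss_for(ip_mtu):
    """TCP MSS that keeps a full segment within ip_mtu (no IP/TCP options)."""
    return ip_mtu - IP_HDR - TCP_HDR

if __name__ == "__main__":
    for name, t in (("aes-cbc/sha1", AES_CBC_SHA1), ("3des/sha1", TDES_SHA1)):
        for kw in ({}, {"nat_t": True}, {"tunnel_mode": False}):
            mtu = max_tunnel_ip_mtu(1500, t, **kw)
            print(f"{name:13} {str(kw):24} ip mtu <= {mtu}  mss <= {mss_for(mtu)}")
    # The 1412 quoted in the thread fits in 1500; an unadjusted 1500 does not.
    print(wire_size(1412, AES_CBC_SHA1), wire_size(1500, AES_CBC_SHA1))
```

Any passenger packet whose `wire_size` exceeds the path MTU is fragmented after encryption, which is the far-end reassembly load the quoted reply warns about.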