[nsp] IPSEC throughput impact?

Raymond, Steven steven_raymond at eli.net
Tue Jul 6 15:33:57 EDT 2004



> -----Original Message-----
> From: Streiner, Justin [mailto:streiner at stargate.net]
> Sent: Tuesday, July 06, 2004 10:55 AM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] IPSEC throughput impact?
> 
> 
> I'm diagnosing a case where a customer who has a site-to-site VPN tunnel
> with us is complaining that their throughput degrades significantly when
> the site-to-site traffic is routed across 3 private T1s between them and
> us.  The 3 T1s are running CEF per-packet load-sharing on both sides and
> are short-haul only, so I feel pretty confident in ruling out RTT
> variance across the 3 circuits interfering with the load-sharing and
> eventual packet reassembly/decryption in this case.
> 
> The customer sees throughput of about 2.1 Mb/s across the T1s with the VPN
> traffic routed across them.

What hardware platforms are you using?  Have seen a 2620XM hit 99% CPU with
a single PTP ipsec VPN with ~250 packets per second at about 350,000 bits
per second.  This is using two T1s in an MLPPP bundle with GRE and NAT, plus
CBAC.  Removing only the crypto map from the MLPPP interfaces dropped CPU to
17%.  Apparently there is a hardware crypto accelerator available.


