[c-nsp] SA-VAM2+ usage problem?

Jens S Andersen jsa at aua.auc.dk
Tue Sep 30 14:11:21 EDT 2008 

Hi

It could be related to MTU size.

If the sending router has to fragment the encrypted packet the receiving
router must reassemble the packet before decrypting can take place.
Defragmentation is done at process-level.

show ip traffic will show this.

On my GRE/IPSEC tunnels i have

 ip mtu 1418
 ip tcp adjust-mss 1300


-Jens

>Hello,

>I have two 7201 (c7200p-advipservicesk9-mz.124-15.T3.bin) routers with
>SA-VAM2+ modules.

>I have a tunnel interface between this routers. If I make a ~24Mbit/sec
>traffic into this tunnel, the routers CPU's goes to 90%. It was the
>performance without VAM2+ too. So the VAM2+ modul doesn't use?

>Our routers config same, only the IP addresses different. The Tunnel
>interface very important, because i run an OSPF protokoll into them.

>vpn0# sh pas vam interface
>VPN Acceleration Module Version II+ in slot : 1
>	Statistics for Hardware VPN Module since the last clear
>	of counters 4294967 seconds ago
>    988980327 packets in                   988980327 packets out
>302199518411 bytes in                  318057273220 bytes out
>          230 paks/sec in                        230 paks/sec out
>          562 Kbits/sec in                       592 Kbits/sec out
>            0 pkts compressed                      0 pkts not compressed
>            0 bytes before compress                0 bytes after compress
>        1.0:1 compression ratio                1.0:1 overall
>       526096 commands out                    526096 commands acknowledged
>	Last 5 minutes:
>         2854900 packets in                     2854900 packets out

>            9516 paks/sec in                       9516 paks/sec out

>        24058078 bits/sec in                   25240088 bits/sec out


>In this last line the 24058078 bit/s traffic is normal, it is the
>aggregated traffic on my tunnel0 interface. But the "562 Kbit/sec in"
>and "592 Kbits/sec out" is to small, i think it should ~24000 Kbit/sec.

>Config:

>crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>crypto isakmp key abcabc address 192.168.1.1
>!
>crypto ipsec security-association replay window-size 1024
>!
>crypto ipsec transform-set vpn-standard esp-3des esp-sha-hmac
>!
>crypto map vpnmap 20 ipsec-isakmp
>  set peer 192.168.1.1
>  set transform-set vpn-standard
>  match address VPN
>!
>interface Tunnel0
>  description VPN0-VPN1
>  ip address 10.0.0.1 255.255.255.252
>  ip ospf cost 100
>  load-interval 30
>  keepalive 2 2
>  tunnel source 192.168.0.1
>  tunnel destination 192.168.1.1
>!
>interface GigabitEthernet0/1.2
>  description VPN1
>  encapsulation dot1Q 2
>  ip address 192.168.0.1
>  no ip redirects
>  no ip proxy-arp
>  ip nat outside
>  no ip virtual-reassembly
>  crypto map vpnmap
>!
>ip access-list extended VPN
>  permit gre host 192.168.0.1 host 192.168.1.1


>Any idea?

>Thanks!

>Regards,
>Laszlo
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/


Jens S Andersen                 Email:  jsa at adm.aau.dk
Aalborg University              Telf:   9940 9464
Selma Lagerlöfs Vej 300, 4.1.03 Fax:    9940 7593
9220 Aalborg
Denmark

More information about the cisco-nsp mailing list