[c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC

Mark Kent mark at noc.mainstreet.net
Tue Jan 6 21:45:04 EST 2009


I'm experimenting with a pair of cisco 2811 with the AIM-VPN/SSL-2
running C2800NM-ADVIPSERVICESK9-M, 12.4(9)T7.  I've got them
back-to-back, configured as shown below.

With a single file transfer (tcp) through the boxes I am able to jam
the processor at 99%/96%, which tells me I must be missing something.

I checked and the "ip tcp adjust-mss 1360" is working, so it is not
fragmentation that is the culprit.  I do get about 35Mbs throughput,
but I'm bugged that the main cpu is jammed.  I did check "sh cry eng
acc stat" and see that the HW module is being used, but I would have
thought that the actual 2811 cpu would be only modestly busy.

Am I missing anything here?

Thanks,
-mark

---

 crypto isakmp policy 10
  encr aes
  authentication pre-share
  group 5
  lifetime 300
 !
 crypto isakmp key foo address 10.10.10.2 no-xauth
 !
 crypto ipsec transform-set GREVPN esp-aes esp-sha-hmac
 !
 crypto map GREVPN local-address FastEthernet0/0
 !
 ip access-list extended TUNNEL
  permit gre host 10.10.10.1 host 10.10.10.2
 !
 crypto map GREVPN 20 ipsec-isakmp
  set peer 10.10.10.2
  set transform-set GREVPN
  match address TUNNEL
 !
 interface Tunnel0
  ip address 192.0.2.1 255.255.255.252
  ip mtu 1476
  ip tcp adjust-mss 1360
  tunnel source FastEthernet0/0
  tunnel destination 10.10.10.2
 !
 interface FastEthernet0/0
  description x-conn to other 2811
  ip address 10.10.10.1 255.255.255.252
  crypto map GREVPN
  crypto ipsec fragmentation before-encryption
 !
 interface FastEthernet0/1
  ip address <test1 network, test2 is on other 2811>
 !
 ip route <test2 network> 192.0.2.2

---

 2811-expt-TWO#sh cry engine acc stat

 Device:   AIM-VPN/SSL-2
 Location: AIM Slot: 0
 Virtual Private Network (VPN) Module in slot : 0
	 Statistics for Hardware VPN Module since the last clear
	  of counters 42 seconds ago
	  126270 packets in                      126270 packets out           
       127941213 bytes in                     124977694 bytes out             
	    3006 paks/sec in                       3006 paks/sec out          
	   23865 Kbits/sec in                     23312 Kbits/sec out         
	   42555 packets decrypted                83715 packets encrypted     
	 5854456 bytes before decrypt         119123238 bytes encrypted       
	 2790517 bytes decrypted              125150696 bytes after encrypt   
	       0 packets decompressed                 0 packets compressed    
	       0 bytes before decomp                  0 bytes before comp     
	       0 bytes after decomp                   0 bytes after comp      
	       0 packets bypass decompr               0 packets bypass compres
	       0 bytes bypass decompres               0 bytes bypass compressi
	       0 packets not decompress               0 packets not compressed
	       0 bytes not decompressed               0 bytes not compressed  
	   1.0:1 compression ratio                1.0:1 overall
	       4 commands out                         4 commands acknowledged 
	 Last 5 minutes: 
	   53276 packets in                       53276 packets out           
	    1268 paks/sec in                       1268 paks/sec out          
	10792372 bits/sec in                   10542446 bits/sec out          
	 1178581 bytes decrypted               50240550 bytes encrypted       
	  235716 Kbits/sec decrypted           10048110 Kbits/sec encrypted   
	   1.0:1 compression ratio                1.0:1 overall

 Errors:
    ppq full errors         :        0   ppq rx errors           :        0
    cmdq full errors        :        0   cmdq rx errors          :        0
    ppq down errors         :        0   cmdq down errors        :        0
    no buffer               :        0   replay errors           :        0
    dest overflow           :        0   authentication errors   :        0
    Other error             :        0   Raw Input Underrun      :        0
    IPSEC Unsupported Option:        0   IPV4 Header Length      :        0
    ESP Pad Length          :        0   IPSEC Decompression     :        0
    AH ESP seq mismatch     :        0   AH Header Length        :        0
    AH ICV Incorrect        :        0   IPCOMP CPI Mismatch     :        0
    IPSEC ESP Modulo        :        0   Unexpected IPV6 Extensio:        0
    Unexpected Protocol     :        0   Dest Buf overflow       :        0
    IPSEC Pkt is fragment   :        0   IPSEC Pkt src count     :        0
    Invalid IP Version      :        0   Unwrappable             :        0
    SSL Output overrun      :        0   SSL Decompress failure  :        0
    SSL BAD Decomp History  :        0   SSL Version Mismatch    :        0
    SSL Input overrun       :        0   SSL Conn Modulo         :        0
    SSL Input Underrun      :        0   SSL Connection closed   :        0
    SSL Unrecognised content:        0   SSL record header length:        0
    PPTP Duplicate packet   :        0   PPTP Exceed max missed p:        0
    RNG self test fail      :        0   DF Bit set              :        0
    Hash Miscompare         :        0   Unwrappable object      :        0
    Missing attribute       :        0   Invalid attrribute value:        0
    Bad Attribute           :        0   Verification Fail       :        0
    Decrypt Failure         :        0   Invalid Packet          :        0
    Invalid Key             :        0   Input Overrun           :        0
    Input Underrun          :        0   Output buffer overrun   :        0
    Bad handle value        :        0   Invalid parameter       :        0
    Bad function code       :        0   Out of handles          :        0
    Access denied           :        0   Out of memory           :        0
    NR overflow             :        0   pkts dropped            :        0

 Warnings:
    sessions_expired        :        0   packets_fragmented      :        0
	    general:                :        0

 HSP details:
    hsp_operations          :    35231   hsp_sessions            :        3
