Significant performance drop on a GRE tunnel after adding crypto protection

Hi all

I have two ISR G1 routers (an 1811 and an 1812) with a GRE tunnel between them.

Without any crypto protection I got about 3.6 MB/s on regular Windows SMB transfers. After adding crypto protection to the tunnel I now only get 2.7 MB/s on the same transfers.

No idea why this is?

My conclusions:
According to this http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn... the fixed AES crypto throughput of the 1800s is 40 MB/s.
The added overhead of crypto protection shouldn't be the problem: I tried the transfers over the unprotected tunnel with 'ip tcp adjust-mss 800' on the tunnel, and there was only a small performance drop, nowhere near as much as with crypto.
I tried several transform sets; they all give the same performance as long as they are done in hardware.
Is ISAKMP always done in software? I can't get it to show as done at the hardware level, regardless of the isakmp policy.

The IP MTU on both tunnel interfaces is 1434 with crypto protection.

My config:

crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 20
crypto isakmp key * address *
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile VPN
 set transform-set ESP-AES256-SHA
!
interface Tunnel10
 ip address 10.251.251.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 load-interval 30
 tunnel source FastEthernet0
 tunnel destination *
 tunnel path-mtu-discovery
 tunnel protection ipsec profile VPN
!

Output:

ISR1811#sh crypto ipsec sa

interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr *

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (*/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (*/255.255.255.255/47/0)
   current_peer * port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 683060, #pkts encrypt: 683060, #pkts digest: 683060
    #pkts decaps: 1227247, #pkts decrypt: 1227247, #pkts verify: 1227247
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *, remote crypto endpt.: ***
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x8D9A911E(2375717150)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD6F42959(3606325593)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 45, flow_id: Onboard VPN:45, sibling_flags 80000006, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4563208/1061)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8D9A911E(2375717150)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 46, flow_id: Onboard VPN:46, sibling_flags 80000006, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4563239/1061)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

ISR1811#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
2015  *               *                      ACTIVE aes  sha5   psk  20 12:42:50
       Engine-id:Conn-id =  SW:15
2016  *               *                      ACTIVE aes  sha5   psk  20 12:42:58
       Engine-id:Conn-id =  SW:16

IPv6 Crypto ISAKMP SA

CPU usage during the transfer with crypto:

ISR1811#sh proc cpu history

ISR1811   09:19:54 Tuesday Sep 2 2014 CET

544444555555555544444444445555544444555556666644444555555555
355555000001111133333888884444444444333333333377777666662222
100
90
80
70
60                                          *****     *****
50 ****************     **********     ************************
40 ************************************************************
30 ************************************************************
20 ************************************************************
10 ************************************************************
0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
0 5 0 5 0 5 0 5 0 5 0
Processor: % per second (last 60 seconds)

ISR1812#sh proc cpu history

ISR1812   09:19:24 Tuesday Sep 2 2014 CET

666666666666666666666666666666666666666666655555444445555544
777888883333344444555555555566666777770000055555777776666666
100
90
80
70 ********          ********************
60 ************************************************     *****
50 ************************************************************
40 ************************************************************
30 ************************************************************
20 ************************************************************
10 ************************************************************
0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
0 5 0 5 0 5 0 5 0 5 0
Processor: % per second (last 60 seconds)

I think that this performance is about what you should get with the legacy 18xx ISR G1. But the performance degradation is perhaps really a little too high.

As for ISAKMP, that is not a problem. The amount of data it protects is too small to have any influence.

As a first test, I would remove the GRE encapsulation by setting "tunnel mode ipsec ipv4" on the tunnel interface and compare whether the results improve.
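To show where the 1434-byte tunnel IP MTU in the question comes from, and what the suggested "tunnel mode ipsec ipv4" test changes, here is an added worked example (not code from the thread or from Cisco). It assumes a 1500-byte link MTU, a plain GRE header without key or sequence fields, and the ESP framing of the post's transform set (AES-256-CBC with a 16-byte IV and block, esp-sha-hmac with a 12-byte ICV); the function and constant names are this example's own.

```python
"""Tunnel MTU and MSS arithmetic for GRE with IPsec tunnel protection (added example).

Models ESP with AES-256-CBC and esp-sha-hmac on a 1500-byte link and shows why IOS
derives a 1434-byte 'ip mtu' for the protected GRE tunnel.
"""

IP_HDR = 20         # IPv4 header without options
GRE_HDR = 4         # basic GRE header (no key, sequence or checksum)
TCP_HDR = 20        # TCP header without options
ESP_HDR = 8         # SPI + sequence number, sent in clear
AES_IV = 16         # AES-CBC IV, sent in clear before the ciphertext
AES_BLOCK = 16      # ciphertext length is a multiple of the AES block size
ESP_TRAILER = 2     # pad length + next header, inside the encrypted region
SHA1_ICV = 12       # esp-sha-hmac truncated HMAC-SHA1 ICV


def _inside_overhead(gre, esp_tunnel_mode):
    """Bytes that share the encrypted, block-aligned region with the inner packet."""
    overhead = ESP_TRAILER
    if gre:
        overhead += GRE_HDR
        if esp_tunnel_mode:
            # ESP tunnel mode also encapsulates the GRE delivery IP header.
            overhead += IP_HDR
    return overhead


def max_inner_packet(link_mtu=1500, gre=True, esp_tunnel_mode=False):
    """Largest inner IP packet that fits link_mtu after encapsulation.

    gre=True, esp_tunnel_mode=False is the post's setup (GRE + ESP transport mode).
    gre=False models 'tunnel mode ipsec ipv4', i.e. ESP tunnel mode without GRE.
    """
    fixed = IP_HDR + ESP_HDR + AES_IV + SHA1_ICV                # outside the encrypted region
    encrypted = ((link_mtu - fixed) // AES_BLOCK) * AES_BLOCK  # largest block-aligned region
    return encrypted - _inside_overhead(gre, esp_tunnel_mode)


def wire_size(inner_len, gre=True, esp_tunnel_mode=False):
    """Bytes on the wire for an inner packet of inner_len bytes (padded to the AES block)."""
    inside = inner_len + _inside_overhead(gre, esp_tunnel_mode)
    padded = -(-inside // AES_BLOCK) * AES_BLOCK               # round up to block size
    return IP_HDR + ESP_HDR + AES_IV + padded + SHA1_ICV


def tcp_mss(inner_mtu):
    """MSS that avoids fragmentation: inner MTU minus IP and TCP headers."""
    return inner_mtu - IP_HDR - TCP_HDR


def payload_efficiency(mss, gre=True, esp_tunnel_mode=False):
    """Fraction of wire bytes carrying TCP payload for a full-sized segment of mss bytes."""
    return mss / wire_size(mss + IP_HDR + TCP_HDR, gre, esp_tunnel_mode)


if __name__ == "__main__":
    cases = [("GRE + ESP transport (the post)", {}),
             ("GRE + ESP tunnel mode", {"esp_tunnel_mode": True}),
             ("tunnel mode ipsec ipv4 (no GRE)", {"gre": False})]
    for label, kw in cases:
        mtu = max_inner_packet(**kw)
        print(f"{label:34s} ip mtu {mtu}  tcp mss {tcp_mss(mtu)}")
    print("1434-byte inner packet ->", wire_size(1434), "bytes on the wire")
    print("1435-byte inner packet ->", wire_size(1435), "bytes (needs fragmentation)")
    print("payload efficiency at mss 800 :", round(payload_efficiency(800), 3))
    print("payload efficiency at mss 1394:", round(payload_efficiency(1394), 3))
```

The arithmetic reproduces the 1434 figure exactly: 1500 minus the 56 bytes of cleartext framing leaves 1444, the largest 16-byte-aligned encrypted region is 1440, and after the 4-byte GRE header and 2-byte ESP trailer 1434 bytes remain for the inner packet. The efficiency comparison is why the poster's "adjust-mss 800" test is a fair control for per-packet overhead: smaller segments cost proportionally more headers whether or not crypto is on.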

Tags: Cisco Security

Similar Questions

  • The GRE tunnel goes down?

    So here's my setup:

    Internal router (2821) > internal DMZ ASA cluster > DMZ router (2821) > external DMZ Checkpoint cluster > branch office router (877)

    The internal ASA cluster has PAT configured for all the internal production VLANs.

    The DMZ router has an inside interface on the internal DMZ and an outside interface on the external DMZ. The DMZ router also has two loopback interfaces configured.

    The external Checkpoint is configured with NAT for incoming and outgoing traffic.

    The branch is a DSL router with a static IP address.

    The first requirement is to configure a GRE over IPSec tunnel between the DMZ router and the branch office router.

    The second requirement is to configure a GRE over IPSec tunnel between the internal router and the DMZ router.

    The third requirement is to allow routing between the internal router and the branch through the DMZ router, because this is ultimately the backup link between head office and the branch.

    I configured a GRE over IPSec tunnel between the DMZ router and the branch office router successfully.

    I can also bring up a GRE tunnel (without IPSec) between the internal router and the DMZ router.

    However, whenever the GRE tunnel comes up between the internal and DMZ routers and an EIGRP neighbour forms, the EIGRP neighbourship between the DMZ router and the branch drops! See the following DMZ router log:

    Tunnel1 = to branch

    Tunnel100 = to internal

    002885: Mar  3 22:32:57.013: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
    002886: Mar  3 22:33:06.029: %DUAL-5-NBRCHANGE: IPv4 EIGRP 1: Neighbor 172.17.205.61 (Tunnel1) is up: new adjacency
    002889: Mar  3 22:33:58.434: %LINK-3-UPDOWN: Interface Tunnel100, changed state to up
    002890: Mar  3 22:33:58.438: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
    002891: Mar  3 22:34:15.370: %DUAL-5-NBRCHANGE: IPv4 EIGRP 1: Neighbor 192.168.5.66 (Tunnel100) is up: new adjacency
    002892: Mar  3 22:34:30.551: %DUAL-5-NBRCHANGE: IPv4 EIGRP 1: Neighbor 172.17.205.61 (Tunnel1) is down: holding time expired
    002893: Mar  3 22:34:47.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down

    The IPSec tunnel to the branch stays up throughout.

    Can anyone help!?

    The problem was that whenever the GRE tunnel came up between the internal and DMZ routers and an EIGRP neighbour formed, the branch was learning the next hop to the tunnel destination from a different device.

    This is how the branch learned the route to the tunnel destination before:

    interface Tunnel1
     description VPN Tunnel to Tandragee Sub Station router
     bandwidth 64
     ip address 172.17.205.62 255.255.255.252
     no ip route-cache cef
     delay 20000
     keepalive 10 3
     tunnel source Loopback1
     tunnel destination 172.17.255.23

    be-idz-vpn-01#sh ip route 172.17.255.23
    Routing entry for 172.17.255.23/32
      Known via "static", distance 1, metric 0
      Routing Descriptor Blocks:
      * 172.17.252.129
          Route metric is 0, traffic share count is 1

    be-idz-vpn-01#sh ip route 172.17.252.129
    Routing entry for 172.17.252.128/25
      Known via "connected", distance 0, metric 0 (connected, via interface)
      Routing Descriptor Blocks:
      * directly connected, via GigabitEthernet0/1
          Route metric is 0, traffic share count is 1
    be-idz-vpn-01#

    This is how the next hop was learned once the GRE tunnel between the internal and DMZ routers came up:

    be-idz-vpn-01#sh ip route 172.17.252.129
    Routing entry for 172.17.252.128/27
      Known via "eigrp 1", distance 170, metric 40258816, type external
      Redistributing via eigrp 1
      Last update from 192.168.5.66 on Tunnel100, 00:07:25 ago
      Routing Descriptor Blocks:
      * 192.168.5.66, from 192.168.5.66, 00:07:25 ago, via Tunnel100
          Route metric is 40258816, traffic share count is 1
          Total delay is 10110 microseconds, minimum bandwidth is 64 Kbit
          Reliability 255/255, minimum MTU 1476 bytes
          Loading 1/255, Hops 2

    We can see how the next hop to the tunnel destination 172.17.255.23 changed from known via "connected" through GigabitEthernet0/1 to known via "eigrp 1" through Tunnel100.

    This is what causes Tunnel1 to drop.

    The reason for this behaviour is that the route to reach the next hop was learned with a longer match through the tunnel interface, so it won the race into the routing table.

    The solution we applied:

    Created a distribute-list on the branch office router to remove this specific route from the Tunnel100 updates.

    router eigrp 1
     distribute-list 1
     network 10.10.10.0 0.0.0.3
     network 172.17.203.56 0.0.0.3
     network 172.17.203.60 0.0.0.3
     network 172.17.205.60 0.0.0.3
     network 172.19.98.18 0.0.0.0
     network 192.168.5.64 0.0.0.3
     passive-interface Loopback1

    be-idz-vpn-01#sh access-list 1
    Standard IP access list 1
        10 deny   172.17.252.128, wildcard bits 0.0.0.127 (1 match)
        20 permit any (1230 matches)
    be-idz-vpn-01#

    Once this was applied, we could have the GRE tunnel established between the internal and DMZ routers alongside the GRE tunnel between the branch and the DMZ router.
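The longest-match behaviour described in this thread, and the effect of the distribute-list that fixed it, as an added example in Python (not code from the thread). The routing table is built from the outputs shown above (the /32 static via 172.17.252.129, the connected /25 on GigabitEthernet0/1, the EIGRP /27 via 192.168.5.66 on Tunnel100); the connected 192.168.5.64/30 on Tunnel100 is an assumption taken from the EIGRP network statement, and the function names are this example's own.

```python
"""Recursive next-hop resolution with longest-prefix match, and a standard ACL used as a
distribute-list, reproducing the route flap from the thread (added example)."""
import ipaddress

# (prefix, via, next_hop). next_hop None means directly connected and via is an interface.
BASE_TABLE = [
    ("172.17.255.23/32", "static", "172.17.252.129"),
    ("172.17.252.128/25", "GigabitEthernet0/1", None),
    ("192.168.5.64/30", "Tunnel100", None),      # assumed connected /30 on Tunnel100
]

# Prefix advertised by the internal router once Tunnel100 comes up.
EIGRP_UPDATES = [
    ("172.17.252.128/27", "eigrp 1", "192.168.5.66"),
]

# Standard ACL 1 from the thread: (action, address, wildcard bits).
ACL_1 = [
    ("deny", "172.17.252.128", "0.0.0.127"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]


def longest_match(table, dst):
    """Return the table entry with the longest prefix covering dst, or None."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for entry in table:
        net = ipaddress.ip_network(entry[0])
        if dst in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def egress_interface(table, dst, max_depth=8):
    """Resolve dst through recursive next hops until a connected route names an interface."""
    cur = dst
    for _ in range(max_depth):
        entry = longest_match(table, cur)
        if entry is None:
            return None
        _, via, next_hop = entry
        if next_hop is None:
            return via
        cur = next_hop
    return None  # recursion too deep


def acl_permits(acl, prefix):
    """Evaluate a standard ACL against a route's network address (implicit deny at the end)."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF   # wildcard 0 bits must match
        if (addr & care) == (int(ipaddress.ip_address(base)) & care):
            return action == "permit"
    return False


def install_updates(table, updates, distribute_list=None):
    """Add routing updates to a table, dropping those the distribute-list denies."""
    accepted = [u for u in updates
                if distribute_list is None or acl_permits(distribute_list, u[0])]
    return table + accepted


def scenario(tunnel_dest="172.17.255.23"):
    """Egress for the Tunnel1 destination: before Tunnel100, after EIGRP, with the filter."""
    before = egress_interface(BASE_TABLE, tunnel_dest)
    unfiltered = egress_interface(install_updates(BASE_TABLE, EIGRP_UPDATES), tunnel_dest)
    filtered = egress_interface(install_updates(BASE_TABLE, EIGRP_UPDATES, ACL_1), tunnel_dest)
    return before, unfiltered, filtered


if __name__ == "__main__":
    before, unfiltered, filtered = scenario()
    print("tunnel destination before Tunnel100 comes up :", before)
    print("after the EIGRP /27 via Tunnel100 is installed:", unfiltered)
    print("with distribute-list 1 filtering the /27      :", filtered)
```

The /27 wins over the connected /25 purely on prefix length, not on administrative distance, which is why the external EIGRP route (distance 170) still displaces a connected route (distance 0) for the next hop of the static /32. The ACL's wildcard 0.0.0.127 covers exactly the /25 and everything inside it, so the /27 is denied while the permit-any entry keeps every other update.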

  • Backup GRE tunnel using a secondary IP address

    Is it possible to configure a backup GRE tunnel using a secondary IP address on the WAN interface? The router is a Cisco 871. Any help would be greatly appreciated.

    Thank you.

    Nicholas

    I'm not sure it would work to use a secondary address on the WAN interface for a GRE tunnel. Maybe if you tell us more about what you're trying to do we could help find alternatives that would work.

    Two tunnels from the same interface (even if you could use a secondary address) to another router would not provide a backup, if they work at all. Two tunnels from the same router interface (both using the primary address) work fairly well if they go to different remote routers, and that is a common way to provide backup for GRE tunnels.

    HTH

    Rick


  • Using a GRE tunnel between devices on the same LAN

    Hello all

    When do we need to use a GRE tunnel on the same side, meaning between 2 devices on the same LAN?

    What is the advantage of using a GRE tunnel on a LAN?

    Thank you

    Mahesh

    In general, a GRE tunnel is not used on the same side/network.

    It serves to connect 2 networks and to pass traffic through.

    The advantage of GRE is that it can participate in routing protocols; it then becomes a single hop through the tunnel instead of several hops across different devices. As a result, GRE is also used to tunnel traffic that is not natively supported by the intermediate devices, where the unsupported traffic type could not otherwise pass through.
