Titanium_Sniper

asked on

Increase VPN performance

I have a 7200 with an NPE-200. How do I increase my remote-access VPN performance? It is currently at 6-7 Mbit.

Will an npe-225 help much?
Will an NSE-1 help much?
Will an SA-VAM help more?
Mysidia

How much performance do you want it to have, and is the unit dedicated to the VPN, or does it have other load?

Cisco 7200?  http://www.cisco.com/en/US/products/hw/routers/ps341/ps348/
The npe-225 has about 30% more CPU power than a npe-200.

I'd be concerned that the npe-200 is end of life at this point, and not officially supported;  for that reason it may be best to upgrade the NPE first.
The SA-VAM requires a version of IOS software that supports it. If you have a version already working that does, then you may be fortunate. Getting just the right software upgrade from the manufacturer may be painful if you need one, and if for some reason recent versions have instability or other issues with the old NPE.


A  SA-VAM may be best, actually, if you can make one work.  If you don't have a VPN accelerator card, then your routing engine has to perform all encryption operations.

These are done in software, and modern encryption algorithms like 3DES are CPU intensive.  It is best to offload these to specialized hardware crypto engines that a VPN accelerator card contains,  OR to get a NPE with a lot of CPU power.

But the NPE-225 doesn't have a whole lot more CPU power than the 200.
It might be good enough, if you only need 10 megabits of VPN encrypted traffic.

I would not recommend  NSE-1.  

NPE-300 or 400 do have much more CPU power, more than twice as much as an NPE-225, but unfortunately those are only usable with a VXR midplane.
And I believe the NSE-1 is even the same.
Titanium_Sniper

ASKER

What IOS images support the VAM, or how do I make it work for PPTP VPN? I plugged it in and it didn't do anything besides turn on. Currently I have an NPE-200 (which is not supported) but I will try on an NPE-225 (which is supported) and see if it works.

I was looking for near T3 performance, and I will upgrade to SA-VAM since it looks like it is what I need to get over 90 Mbit, assuming it works.

If the NPE-225 is not enough, is there much difference between the NSE-1 and the NPE-300?
VAM support was integrated with the stable IOS at 12.3(1) mainline
There are some images in the experimental/technology series that supported the feature in 12.2 and 12.1.
See the 'feature history' section of this document
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vam_ps6922_TSD_Products_Configuration_Guide_Chapter.html

If the VAM module is operational, there should be a "show pas vam controller" command available.

The NPE-300 / 400 are solid cards.

The NPE-300  is almost the same as the NSE-1, except that the NSE-1 has an additional special processor to support a feature called PXF  (Parallel Express Forwarding)  that has in the past been unstable, and did not work correctly in most IOS versions...

As far as I know,  Cisco abandoned development of the PXF function, issues may remain, and you won't find the feature on newer / higher-end  72xx engines.

In other words,  if you use that board, be prepared to try turning off PXF to try and stop your NSE from crashing...

It may not turn out to be an issue at all in your particular situation; I just consider NSE-1 a risky proposition, since I've seen so many problems with them reported.

I am using an NPE-225 and SA-VAM, but I did not notice a large increase in performance, it is currently at about 8 meg. Is there a way to see if the SA-VAM is doing anything, or if the packets are being process switched?
At a time of peak usage, run the command  
"show process cpu"
and    
show process cpu  | exclude 0.00%  0.00%  0.00%
a few times


See if CPU usage is close to 100%.  And if so, which process is eating it.

If that process happens to be the IP Input process, or similar, then yes, packets might be getting process switched...


If CPU usage is low, then something else is the bottleneck

Here's the sh proc c; the CCP manager is hit when I upload, and the IP Input is hit when I am downloading. Is there some guide to reducing the amount of packets that are process switched? I tried putting ip cef in the config but it doesn't help.


Upload:
router#sh proc c | e 0.00%  0.00%  0.00%
CPU utilization for five seconds: 37%/10%; one minute: 21%; five minutes: 5%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       15500     51406        301 19.43%  4.93%  1.30%   0 CCP manager
  53       40004     37870       1056  6.00%  9.69%  2.49%   0 IP Input
 148        9636     32878        293  1.83%  2.50%  0.64%   0 L2X Data Daemon
router#


Download:
router#sh proc c | e 0.00%  0.00%  0.00%
CPU utilization for five seconds: 62%/7%; one minute: 15%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       13552     49614        273  3.51%  3.50%  0.92%   0 CCP manager
  53       39044     36838       1059 39.11%  6.71%  1.66%   0 IP Input
 117         724       391       1851  2.23%  0.69%  0.18%   2 Virtual Exec
 148        9216     31503        292  9.27%  1.74%  0.43%   0 L2X Data Daemon
Oh, I manually removed everything that was below about a percent to make the post easier to read.
At close to 40% CPU, it would appear something is being process switched.
Is this an IPsec VPN?

If your VPN tunnel is something else such as PPTP/L2TP +/- GRE,
config may be forcing process switching.

Check also use of types of ACLs in config and use of any special per-packet
features like policy routing  or  debugging options.


show crypto eli
^^^^^^^^^^^  should show if IKE/IPsec is going through the VAM

show pas vam interface
^^^^^^^^^^^^^^^^ to see if the VAM is processing packets
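An added worked example, not part of the thread: a small Python script that applies the test Mysidia describes above to "show process cpu" output. It splits the "X%/Y%" header into total and interrupt-level CPU (the difference is time spent in scheduled processes rather than in CEF/fast switching), ranks processes by their 5-second share, and flags the ones that handle packets off the interrupt path. The two embedded captures are copies of the upload and download output the asker posted; the 5% and 20% thresholds and the list of "process path" process names are my assumptions, not IOS values.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: copies of the two captures the asker posted in this thread.
UPLOAD_CAPTURE = """\
router#sh proc c | e 0.00%  0.00%  0.00%
CPU utilization for five seconds: 37%/10%; one minute: 21%; five minutes: 5%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       15500     51406        301 19.43%  4.93%  1.30%   0 CCP manager
  53       40004     37870       1056  6.00%  9.69%  2.49%   0 IP Input
 148        9636     32878        293  1.83%  2.50%  0.64%   0 L2X Data Daemon
"""

DOWNLOAD_CAPTURE = """\
router#sh proc c | e 0.00%  0.00%  0.00%
CPU utilization for five seconds: 62%/7%; one minute: 15%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       13552     49614        273  3.51%  3.50%  0.92%   0 CCP manager
  53       39044     36838       1059 39.11%  6.71%  1.66%   0 IP Input
 117         724       391       1851  2.23%  0.69%  0.18%   2 Virtual Exec
 148        9216     31503        292  9.27%  1.74%  0.43%   0 L2X Data Daemon
"""

# "five seconds: 62%/7%" means 62% total CPU, of which 7% was spent at
# interrupt level (CEF/fast switching); the remainder is scheduled-process time.
HEADER_RE = re.compile(r"five seconds: (\d+)%/(\d+)%")
ROW_RE = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+"          # PID, Runtime(ms), Invoked, uSecs
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+"    # 5Sec, 1Min, 5Min
    r"\d+\s+(.+?)\s*$"                         # TTY, Process name
)

# Assumed list of processes that handle packets off the interrupt path:
# IP Input is the generic process-switching path; CCP manager (PPP compression
# control) and L2X Data Daemon (L2TP/PPTP tunnel data) carry the PPTP traffic
# discussed in the thread.
PROCESS_PATH = ("IP Input", "CCP manager", "L2X Data Daemon")


def parse(capture: str) -> Tuple[int, int, List[Tuple[str, float]]]:
    """Return (total%, interrupt%, [(process, 5sec%), ...]) from a capture."""
    total = interrupt = 0
    rows: List[Tuple[str, float]] = []
    for line in capture.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total, interrupt = int(m.group(1)), int(m.group(2))
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(5), float(m.group(2))))
    return total, interrupt, rows


def analyze(capture: str, suspect_pct: float = 5.0, busy_pct: float = 20.0) -> Dict[str, object]:
    """Apply the thread's test: is scheduled-process CPU high, and is a
    packet-handling process near the top? Thresholds are assumptions."""
    total, interrupt, rows = parse(capture)
    process_level = total - interrupt
    rows.sort(key=lambda r: r[1], reverse=True)
    suspects = [name for name, pct in rows if name in PROCESS_PATH and pct >= suspect_pct]
    return {
        "total": total,
        "interrupt": interrupt,
        "process_level": process_level,
        "top": rows[0][0] if rows else None,
        "suspects": suspects,
        "likely_process_switching": process_level >= busy_pct and bool(suspects),
    }


if __name__ == "__main__":
    for label, cap in (("upload", UPLOAD_CAPTURE), ("download", DOWNLOAD_CAPTURE)):
        r = analyze(cap)
        print(f"{label}: {r['process_level']}% process-level CPU, top={r['top']}, "
              f"suspects={r['suspects']}, process switching likely={r['likely_process_switching']}")
```

Run it against several captures taken a few seconds apart at peak, as the thread suggests, rather than one snapshot: the 5-second column is noisy. A capture where total CPU is high but almost all of it is at interrupt level points at a different bottleneck than a capture where IP Input or the tunnel daemons dominate.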


I was using PPTP because it was easier, and I do not really care how secure this is.
I can setup L2TP, but I don't think windows can do L2TP without IPSEC, at least I do not see an option for no IPSEC.

I am working on setting up IPSEC, but it is going slow since I have not found any guides other than ones for point to point connections. I will have to keep trying until it works, or install the CISCO VPN Client, which I expect would work.
Can a 6500 do PPTP?
I got one coming in the mail soon, assuming it works.
Software is not a problem, so I will have a K9 image on it.
ASKER CERTIFIED SOLUTION
Mysidia
It was only $26 :)
and a sup2 MSFC2 is not terribly expensive, and it seems much more powerful than an NPE-300.

Those SSC-400 w/ SPA-IPSEC-2g are incredibly expensive as are the fwm.

sup32, sup720, and rsp720 are way too expensive also.

Thanks for the link, c6k222-jk9sv-mz.122-14.SY5 looks good to me.