Solved

Increase VPN performance

Posted on 2008-11-09
13
Medium Priority
703 Views
Last Modified: 2012-05-05
I have a 7200 with an npe-200, how do I increase my remote access vpn performance since it is currently at 6-7 mbit?

Will an npe-225 help much?
Will an NSE-1 help much?
Will an SA-VAM help more?
Question by:Titanium_Sniper
12 Comments
 
LVL 23

Expert Comment

by:Mysidia
ID: 22918647
How much performance do you want it to have, and is the unit dedicated to the VPN, or does it have other load?

Cisco 7200?  http://www.cisco.com/en/US/products/hw/routers/ps341/ps348/
The npe-225 has about 30% more CPU power than a npe-200.

I'd be concerned that the npe-200 is end of life at this point, and not officially supported;  for that reason it may be best to upgrade the NPE first.
The SA-VAM requires a version of IOS software that supports it.
If you have a version already working that does, then you may be fortunate.
Getting  just the right software upgrade  from the manufacturer may be painful
if you need one,  and if for some reason recent versions have instability or
other issues with the old NPE.


A SA-VAM may be best, actually, if you can make one work. If you don't have a VPN accelerator card, then your routing engine has to perform all encryption operations.

These are done in software, and modern encryption algorithms like 3DES are CPU intensive. It is best to offload these to specialized hardware crypto engines that a VPN accelerator card contains, OR to get a NPE with a lot of CPU power.

But the npe-220 doesn't have a whole lot more CPU power than the 200.
It might be good enough, if you only need 10 megabits of VPN encrypted traffic.

I would not recommend NSE-1.

npe 300 or 400 do have much more CPU power, more than twice as much as a npe-225, but unfortunately, those are only usable with a VXR midplane.
And I believe the NSE1 is even the same.
0
 
LVL 5

Author Comment

by:Titanium_Sniper
ID: 22918869
What IOS images support the VAM, or how do I make it work for PPTP VPN? I plugged it in and it didn't do anything besides turn on. Currently I have an NPE-200 (which is not supported) but I will try on an NPE-225 (which is supported) and see if it works.

I was looking for near T3 performance, and I will upgrade to SA-VAM since it looks like it is what I need to get over 90 mbit, assuming it works.

If the NPE-225 is not enough, is there much difference between the NSE-1 and the NPE-300?
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22919402
VAM support was integrated with the stable IOS at 12.3(1) mainline
There are some images in the experimental/technology series that supported the feature in 12.2 and 12.1.
See the 'feature history' section of this document
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vam_ps6922_TSD_Products_Configuration_Guide_Chapter.html

If the VAM module is operational, there should be a "show pas vam controller" command available.

The NPE-300 / 400 are solid cards.

The NPE-300 is almost the same as the NSE-1, except that the NSE-1 has an additional special processor to support a feature called PXF (Parallel Express Forwarding) that has in the past been unstable, and did not work correctly in most IOS versions...

As far as I know, Cisco abandoned development of the PXF function, issues may remain, and you won't find the feature on newer / higher-end 72xx engines.

In other words, if you use that board, be prepared to try turning off PXF to try and stop your NSE from crashing...

It may not turn out to be an issue at all in your particular situation; I just consider NSE-1 a risky proposition, since I've seen so many problems with them reported.

0
 
LVL 5

Author Comment

by:Titanium_Sniper
ID: 22936335
I am using an NPE-225 and SA-VAM, but I did not notice a large increase in performance; it is currently at about 8 meg. Is there a way to see if the SA-VAM is doing anything, or if the packets are being process switched?
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22936819
At a time of peak usage, run the command
"show process cpu"
and
show process cpu | exclude 0.00%  0.00%  0.00%
a few times.

See if CPU usage is close to 100%. And if so, which process is eating it.

If that process happens to be the IP Input process, or similar, then yes, packets might be getting process switched...

If CPU usage is low, then something else is the bottleneck.

0
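The check described in the comment above (look at the five-second header of "show process cpu", then at which process is consuming it) is easy to automate when you are sampling a router repeatedly during peak load. The following is an added example, not code from the thread or from Cisco: it parses the "show process cpu" text, splits the header into total and interrupt-level CPU (IOS prints them as total%/interrupt%, so the difference is time spent in scheduled processes, i.e. the process-switched slow path), and flags the "IP Input" process named in the comment when it crosses a threshold. The 10% threshold and the 90% "CPU bound" cut-off are assumptions chosen for illustration; the sample text is the "Download" output quoted later in this thread.

```python
import re
from dataclasses import dataclass

# Header line, e.g.
# "CPU utilization for five seconds: 62%/7%; one minute: 15%; five minutes: 4%"
# The first figure is total CPU, the second is the share spent at interrupt
# level (fast-path switching); total minus interrupt is process-level time.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)

# Process row, e.g.
# "  53  39044  36838  1059 39.11%  6.71%  1.66%   0 IP Input"
# Columns: PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s+(.+?)\s*$"
)


@dataclass
class CpuSummary:
    total_5s: int
    interrupt_5s: int
    processes: list  # (process name, five-second percent), highest first

    @property
    def process_level_5s(self) -> int:
        # Time not accounted for by interrupt-level switching.
        return self.total_5s - self.interrupt_5s


def parse_show_process_cpu(text: str) -> CpuSummary:
    """Parse the text of 'show process cpu' (filtered or unfiltered)."""
    total = interrupt = None
    procs = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total, interrupt = int(m.group(1)), int(m.group(2))
            continue
        m = PROC_RE.match(line)
        if m:  # the "PID ..." title row and the prompt line do not match
            procs.append((m.group(9), float(m.group(5))))
    if total is None:
        raise ValueError("no 'CPU utilization' header found in output")
    procs.sort(key=lambda p: p[1], reverse=True)
    return CpuSummary(total, interrupt, procs)


def diagnose(summary: CpuSummary, hot_threshold: float = 10.0) -> dict:
    """Apply the thread's rule of thumb: near-100% CPU means CPU bound; a hot
    'IP Input' process means packets are probably being process switched."""
    hot = [(name, pct) for name, pct in summary.processes if pct >= hot_threshold]
    return {
        "total_5s": summary.total_5s,
        "interrupt_5s": summary.interrupt_5s,
        "process_level_5s": summary.process_level_5s,
        "hot_processes": hot,
        "cpu_bound": summary.total_5s >= 90,  # assumed cut-off
        "process_switching_suspected": any(n == "IP Input" for n, _ in hot),
    }


# Sample input: the "Download" capture quoted in this thread, embedded here so
# the example runs offline.
DOWNLOAD_SAMPLE = """\
router#sh proc c | e 0.00%  0.00%  0.00%
CPU utilization for five seconds: 62%/7%; one minute: 15%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       13552     49614        273  3.51%  3.50%  0.92%   0 CCP manager
  53       39044     36838       1059 39.11%  6.71%  1.66%   0 IP Input
 117         724       391       1851  2.23%  0.69%  0.18%   2 Virtual Exec
 148        9216     31503        292  9.27%  1.74%  0.43%   0 L2X Data Daemon
"""

if __name__ == "__main__":
    result = diagnose(parse_show_process_cpu(DOWNLOAD_SAMPLE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against several captures taken a few seconds apart, as the comment suggests; a single five-second figure is noisy, and it is the repeated appearance of the same process at the top that matters.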
 
LVL 5

Author Comment

by:Titanium_Sniper
ID: 22939235
Here's the sh proc c; the CCP manager is hit when I upload, and the ip input is hit when I am downloading. Is there some guide to reducing the amount of packets that are process switched? I tried putting ip cef in the config but it doesn't help.


Upload:
router#sh proc c | e 0.00%  0.00%  0.00%
CPU utilization for five seconds: 37%/10%; one minute: 21%; five minutes: 5%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       15500     51406        301 19.43%  4.93%  1.30%   0 CCP manager
  53       40004     37870       1056  6.00%  9.69%  2.49%   0 IP Input
 148        9636     32878        293  1.83%  2.50%  0.64%   0 L2X Data Daemon
router#


Download:
router#sh proc c | e 0.00%  0.00%  0.00%
CPU utilization for five seconds: 62%/7%; one minute: 15%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       13552     49614        273  3.51%  3.50%  0.92%   0 CCP manager
  53       39044     36838       1059 39.11%  6.71%  1.66%   0 IP Input
 117         724       391       1851  2.23%  0.69%  0.18%   2 Virtual Exec
 148        9216     31503        292  9.27%  1.74%  0.43%   0 L2X Data Daemon
0
 
LVL 5

Author Comment

by:Titanium_Sniper
ID: 22939248
oh, I manually removed everything that was below like a percent to make the post easier to read.
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22946003
At close to 40% CPU, it would appear something is being process switched.
Is this an IPsec VPN?

If your VPN tunnel is something else such as PPTP/L2TP +/- GRE,
config may be forcing process switching.

Check also use of types of ACLs in config and use of any special per-packet
features like policy routing or debugging options.

show crypto eli
^^^^^^^^^^^ should show if IKE/IPsec is going through the VAM

show pas vam interface
^^^^^^^^^^^^^^^^ to see if the VAM is processing packets


0
 
LVL 5

Author Comment

by:Titanium_Sniper
ID: 22953199
I was using PPTP because it was easier, and I do not really care how secure this is.
I can set up L2TP, but I don't think Windows can do L2TP without IPSEC; at least I do not see an option for no IPSEC.

I am working on setting up IPSEC, but it is going slowly since I have not found any guides other than ones for point-to-point connections. I will have to keep trying until it works, or install the Cisco VPN Client, which I expect would work.
0
 
LVL 5

Author Comment

by:Titanium_Sniper
ID: 23060343
Can a 6500 do PPTP?
I've got one coming in the mail soon, assuming it works.
Software is not a problem, so I will have a K9 image on it.
0
 
LVL 23

Accepted Solution

by:
Mysidia earned 200 total points
ID: 23061107
I see there's at least one 6500 image that has PPTP and MPPE as supported in the enterprise featureset.

http://tools.cisco.com/ITDIT/CFN/Dispatch?act=rlsSelect&task=display&HMajorRelease=12.2SY&HDDMRelDet=6752&HRN_But=&HDDMPlatFamDet=0&HPF_But=&HDDMFeatSetDet=0&HFS_But=Update

So yes, with the proper cards and software loaded on the MSFCs, it should be possible.

Hardware accelerated PPTP encryption on the 6500 may be lacking.
With a VPN Services module or IPSec VPN port adapter, the 6500 can reportedly perform IPsec at high throughput, but (at least officially), no PPTP.

With beefy supervisors, this may be faster than the 72xx.


The ASA has dropped PPTP support in recent versions entirely (7.x and newer), and the PIX VPN capabilities on the Firewall Services Module for the 6500 are crippled.

I wouldn't be too shocked to see something similar happening even in IOS; PPTP's security issues are causing it to go away.

I guess I would have considered a failover pair of sufficiently beefy and upgraded VPN 3xxx concentrators for use as a PPTP access server before a massive chassis switch like a 65xx.

0
 
LVL 5

Author Comment

by:Titanium_Sniper
ID: 23061718
It was only $26 :)
And a sup2 MSFC2 is not terribly expensive, and it seems much more powerful than an NPE-300.

Those SSC-400 w/ SPA-IPSEC-2G are incredibly expensive, as are the FWSM.

sup32, sup720, and rsp720 are way too expensive also.

Thanks for the link, c6k222-jk9sv-mz.122-14.SY5 looks good to me.
0
