• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 705
  • Last Modified:

Increase VPN performance

I have a 7200 with an npe-200, how do I increase my remote access vpn performance since it is currently at 6-7 mbit?

Will an npe-225 help much?
Will an NSE-1 help much?
Will an SA-VAM help more?
0
Titanium_Sniper
Asked:
Titanium_Sniper
  • 7
  • 5
1 Solution
 
MysidiaCommented:
How much performance do you want it to have, and is the unit dedicated to the VPN, or does it have other load?

Cisco 7200?  http://www.cisco.com/en/US/products/hw/routers/ps341/ps348/
The npe-225 has about 30% more CPU power than a npe-200.

I'd be concerned that the npe-200 is end of life at this point, and not officially supported;  for that reason it may be best to upgrade the NPE first.
The SA-VAM requires a version of IOS software that supports it..
if you have a version already working that does, then you may be fortunate.
Getting  just the right software upgrade  from the manufacturer may be painful
if you need one,  and if for some reason recent versions have instability or
other issues with the old NPE.


A  SA-VAM may be best, actually, if you can make one work.  If you don't have a VPN accelerator card, then your routing engine has to perform all encryption operations.

These are done in software, and modern encryption algorithms like 3DES are CPU intensive.  It is best to offload these to specialized hardware crypto engines that a VPN accelerator card contains,  OR to get a NPE with a lot of CPU power.

But the npe-220 doesn't have a whole lot more CPU power than the 200.
It might be good enough, if you only need 10 megabits of VPN encrypted traffic.

I would not recommend  NSE-1.  

npe 300 or 400 do have much more CPU power, more than twice as much as a npe-225,  but unfortunately, those are only usable with  a VXR midplane.
And I believe the NSE1 is even the same
0
 
Titanium_SniperAuthor Commented:
What IOS images support the VAM, or how do I make it work for PPTP VPN, I plugged it in and it didn't do anything besides turn on on.Currently I have an NPE-200 (which is not supported) but I will try on an NPE-225 (which is supported) and see if it works.

I was looking for near T3 performance, and i will upgrade to SA-VAM since it looks like it is what I need to get over 90 mbit, assuming it works.

If the NPE-225 is not enough, is there much difference between the NSE-1 and the NPE-300?
0
 
MysidiaCommented:
VAM support was integrated with the stable IOS at 12.3(1) mainline
There are some images in the experimental/technology series that supported the feature in 12.2 and 12.1.
See the 'feature history' section of this document
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vam_ps6922_TSD_Products_Configuration_Guide_Chapter.html

If the VAM module is operational, there should be a "show pas vam controller "   command available.

The NPE-300 / 400  are solid cards..

The NPE-300  is almost the same as the NSE-1, except that the NSE-1 has an additional special processor to support a feature called PXF  (Parallel Express Forwarding)  that has in the past been unstable, and did not work correctly in most IOS versions...

As far as I know,  Cisco abandoned development of the PXF function, issues may remain, and you won't find the feature on newer / higher-end  72xx engines.

In other words,  if you use that board, be prepared to try turning off PXF to try and stop your NSE from crashing...

It may not turn out to be an issue at all in your particular situation; I just consider NSE-1  a risky proposition, since i've seen so many problems with them reported.

0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
Titanium_SniperAuthor Commented:
I am using an NPE-225 and SA-VAM, but I did not notice a large increase in performance, it is currently at about 8 meg. Is there a way to see if the SA-VAM is doing anything, or if the packets are being process switched?
0
 
MysidiaCommented:
At a time of peak usage, run the command  
"show process cpu"
and    
show process cpu  | exclude 0.00%  0.00%  0.00%
a few times


See if CPU usage is close to 100%.  And if so, which process is eating it.

If that process happens to be the IP Input process, or similar, then yes, packets might be getting process switched...


If CPU usage is low, then something else is the bottleneck

0
 
Titanium_SniperAuthor Commented:
Heres the sh proc c, the CCP manager is hit when I upload, and the ip input is hit when I am downloading. Is there some guide to redusing the amount of packets that are process switched, I tried putting ip cef in the config but it doesn't help.


Upload:
router#sh proc c | e 0.00%  0.00%  0.00%
CPU utilization for five seconds: 37%/10%; one minute: 21%; five minutes: 5%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       15500     51406        301 19.43%  4.93%  1.30%   0 CCP manager
  53       40004     37870       1056  6.00%  9.69%  2.49%   0 IP Input
 148        9636     32878        293  1.83%  2.50%  0.64%   0 L2X Data Daemon
router#


Download:
router#sh proc c | e 0.00%  0.00%  0.00%
CPU utilization for five seconds: 62%/7%; one minute: 15%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       13552     49614        273  3.51%  3.50%  0.92%   0 CCP manager
  53       39044     36838       1059 39.11%  6.71%  1.66%   0 IP Input
 117         724       391       1851  2.23%  0.69%  0.18%   2 Virtual Exec
 148        9216     31503        292  9.27%  1.74%  0.43%   0 L2X Data Daemon
0
 
Titanium_SniperAuthor Commented:
oh, I manually removed everything that was below like a percent to make the post easier to read.
0
 
MysidiaCommented:
At close to 40% CPU, it would appear something is being process switched.
Is this an IPsec VPN?

If your VPN tunnel is something else such as PPTP/L2P  +/ GRE,
config may be forcing process switching.

Check also use of types of ACLs in config and use of any special per-packet
features like policy routing  or  debugging options.


show crypto eli
^^^^^^^^^^^  should show if IKE/IPsec is going through the VAM

show pas vam interface
^^^^^^^^^^^^^^^^ to see if the VAM is processing packets


0
 
Titanium_SniperAuthor Commented:
I was using PPTP because it was easier, and I do not really care how secure this is.
I can setup L2TP, but I don't think windows can do L2TP without IPSEC, at least I do not see an option for no IPSEC.

I am working on setting up IPSEC, but it is going slow since I have not found any guides other than ones for point to point connections. I will have to keep trying until it works, or install the CISCO VPN Client, which I expect would work.
0
 
Titanium_SniperAuthor Commented:
Can a 6500 do PPTP?
I got one coming in the mail soon, assuming it works.
Software is not a problem, so I will have a K9 image on it.
0
 
MysidiaCommented:
I see there's at least one 6500 image that has PPTP and MPPE as supported in the enterprise featureset.

http://tools.cisco.com/ITDIT/CFN/Dispatch?act=rlsSelect&task=display&HMajorRelease=12.2SY&HDDMRelDet=6752&HRN_But=&HDDMPlatFamDet=0&HPF_But=&HDDMFeatSetDet=0&HFS_But=Update

So yes.. with the proper cards and software loaded on the msfcs, it should be possible.


Hardware accelerated PPTP encryption on the 6500 may be lacking.
With a VPN Services module or IPSec VPN port adapter, the 6500 can reportedly perform IPsec at high throughput, but  (at least officially), no  PPTP.

With beefy supervisors,  this may be faster than the 72xx.


The ASA has dropped PPTP support in recent versions entirely (7.x and newer), and the  PIX  VPN capabilities on the Firewall services module for the 6500 are crippled.  

I wouldn't be too shocked to see something similar happening even in IOS; pptp's security issues are causing it to go away.

I guess I would have considered a failover pair of sufficiently beefy and upgraded VPN 3xxx concentrator for use as a PPTP access server before a massive chassis switch like a 65xx.

0
 
Titanium_SniperAuthor Commented:
It was only $26 :)
and a sup2 MSFC2 is not terribly expensive, and it seems much more powerful than an NPE-300.

Those SSC-400 w/ SPA-IPSEC-2g are incredibly expensive as are the fwm.

sup32, sup720, and rsp720 are way too expensive also.

Thanks for the link, c6k222-jk9sv-mz.122-14.SY5 looks good to me.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

  • 7
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now