I am having problems with CPU load on a 2811 with AIM-VPN-II. There is a GRE+IPSec over E3 WAN link and the authentication is done using RSA, but even though there is around 10Mb/s of traffic I have 70 - 85%. I also have another WAN link with a 2811 router that doesn't have an AIM-VPN, and that one reaches 95% CPU once the traffic goes up to 5 Mb/s.
Are there any recommendations that RSA authentication is not supported for hardware encryption? It worries me, because I have more situations like this.
I recently inherited a small network. There is an existing 1.5mbps Internet connection (fa0/0) (includes MPLS as well/same provider). We added a new ISP that allows for 50mb down/5mb up. I added the new ISP to fa0/1 and modified the NAT overload statements accordingly. I also changed the default route to ONLY use the new, faster ISP connection. Using speedguide.net, I am only able to get 6 to 10mb down, most of the time. If I plug a laptop into the cable modem then I get 37 to 50mb down. Why is the 2811 so slow?
I have attached the config and various show outputs (nat, sh ver, memory, etc.). The file called "latest logs" contains a "sh ip traffic, sh int switching and a sh proc cpu sorted". [code]
Currently running a pair of 5520s as VPN routers. Running 8.0.3, been using only Anyconnect SSL VPN for end users. These boxes do nothing else except serve VPN clients. However, recently we tried testing some IPSEC clients and are realizing that the Anyconnect SSL VPN client is about 10x slower than the IPSEC client. From my house, downloading either CIFS or FTP, I can pull pretty close to 1.0mbps, while using Anyconnect, I pull 0.1mbps. What could be causing this slowdown? Should SSL VPN performance be on par with IPSEC? Clients are all Windows 7, 64 bit, and the testing is being conducted on the same device.
I have a client that uses the ASA 5520 as both a firewall and VPN termination device. Day to day VPN usage is 30-50 users and the memory (512 MB) is typically at 50% while the CPU is mostly under 30%. I've suggested the RAM be upgraded to 1GB. The client would like to add a large block of VPN users which could see 250-300 concurrent users. What kind of a system resource hit should they expect with this level of load?
I have a 7206 VXR with a VAM2+ card. I am seeing close to 4500 IPSec connections with the router. The traffic is low and utilization is below 10%. I am just wondering is it an alarming condition since the router is touching the documented tunnel capacity of VAM2+ (5000)?
Would request experts to comment on the router behaviour if the tunnels cross beyond 5000. I do not think it would be justified to upgrade the hardware since other capacity parameters are well within the limits.
We have a remote office that needs to be connected to the central office through a site to site ipsec VPN. At the central site there is a 2811, and at the remote site there is an 1841. Most of the traffic will be VoIP traffic and small amounts of data.
I need to set up some QoS that would firstly prefer the VPN traffic over internet access and then inside the VPN I need some QoS that will prefer VoIP over data.
I have a 2811 that is my HQ router with a 10MB pipe. I was trying to configure an IPSEC tunnel to connect to my ASA that has access to our company's internal servers on the 10.33. and 172.16.31 network. I am having a problem getting phase 1 to even come up. I've looked over the configurations and unless I'm overlooking something I don't see what could be keeping it from at least completing phase 1.
Below are the configs.
2811-CFG
crypto isakmp policy 10
 encr 3des
 hash md5
[Code] ....
I am trying to get a 2811 to accept two IPSec peers, however I can only get one working at a time. I have set up fa0/0 and fa0/1 with their own public facing IP addresses with crypto maps associated to each interface, however I can only establish connectivity to one interface at any one time.
I am trying to set up an L2L IPSec VPN between a Cisco VPN3020 concentrator and a Cisco 2811. Something is not working and I don't understand why. I describe my situation in detail. My router has 2 interfaces:
External interface Fa 0/1 ip 193.P.Q.R
Internal interface Fa 0/0 141.G.H.254
Lan on internal interface is 141.G.H.0/24
The remote VPN concentrator has 2 interfaces:
Public interface 131.A.B.C
Private interface 131.A.I.E
I have to set up L2L so that host 141.G.H.10 can talk to host 131.A.H.D which is behind the VPN concentrator.
My router config:
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key * address 131.A.B.C
!
crypto ipsec transform-set presid-set esp-3des esp-md5-hmac
!
crypto map presid-map 5 ipsec-isakmp
 set peer 131.A.B.C
 set transform-set presid-set
 match address presid
!
interface FastEthernet0/1
 ip address 193.P.Q.R 255.255.255.252
 duplex full
 speed 100
 crypto map presid-map
!
interface FastEthernet0/0
 ip address 141.G.H.254 255.255.255.0
 duplex auto
 speed auto
!
ip access-list extended presid
 permit ip host 141.G.H.10 host 131.A.H.D
ip route 0.0.0.0 0.0.0.0 193.P.Q.S
Then I configured the VPN3020 accordingly, creating a LAN-to-LAN profile with the proper IKE proposals etc. When interesting traffic is matched by the VPN ACL (presid) I see these messages in the VPN concentrator logs:
57101 02/23/2011 15:49:05.310 SEV=4 IKE/119 RPT=4033 193.P.Q.R Group [193.P.Q.R]PHASE 1 COMPLETED
57102 02/23/2011 15:49:05.310 SEV=4 AUTH/22 RPT=3935 193.P.Q.R User [193.P.Q.R] Group [193.P.Q.R] connected, Session Type: IPSec/LAN-to-LAN
57104 02/23/2011 15:49:05.310 SEV=4 AUTH/84 RPT=11 LAN-to-LAN tunnel to headend device 193.P.Q.R connected
57110 02/23/2011 15:49:54.820 SEV=4 IKE/123 RPT=1093 193.P.Q.R Group [193.P.Q.R]IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
57112 02/23/2011 15:49:54.820 SEV=5 IKE/194 RPT=3778 193.P.Q.R Group [193.P.Q.R]Sending IKE Delete With Reason message: Connectivity to Client Lost.
57114 02/23/2011 15:49:54.820 SEV=4 AUTH/23 RPT=14 193.P.Q.R User [193.P.Q.R] Group [193.P.Q.R] disconnected: duration: 0:00:49
57115 02/23/2011 15:49:54.820 SEV=4 AUTH/85 RPT=11 LAN-to-LAN tunnel to headend device 193.P.Q.R disconnected: duration: 0:00:49
And from the router side I see this with show crypto isakmp sa:
131.A.B.C 193.P.Q.R CONF_XAUTH 5 0 ACTIVE
but the status got stuck in CONF_XAUTH state and then disconnects?
I'm now trying to implement an IPsec VPN network over transport mode in my simple network environment. I have two Cisco 2811 routers connected to each other and each router hosts a client PC running Windows 7.
I have finished the configuration on both routers and made them run over transport mode. However, as what it should be, transport mode indicates the communication between two end stations (two PCs) the client PC (install or configure something) to make the network fully work?
My router is a Cisco 2811 with IOS version 12.4(22)T1. It had established IPSec with another peer (203.*.*.250 shown below) for a long time until recently we made it re-establish IPSec VPN with another peer (203.*.*.30 shown below). It showed that the new SA is active but the result still showed there were 4 deleted SAs. The 4 obsolete SA entries won't vanish no matter what I do, i.e. reset the interface, re-create the crypto map, clear all SAs, etc.
From numerous tests we know that the VPN doesn't work even though the desired SA is there and remains active. I reckon it has something to do with those deleted SAs (I mean it is supposed to show only the last one if it is working fine). I don't know how it became like this as we did pretty much the same thing on other VPN routers with no problems.
Setting up IPsec for a DMVPN between a 2811 and 2951s in a test lab. I have enabled IPsec on the hub (2811) but I am unable to do so on either of the 2951s. After researching, it seems that I may have the incorrect IOS for this, but I am at a loss which IOS I should be using. Currently the 2951s are on "c2951-universalk9-mz.SPA.151-2.T2.bin" and the only crypto options are:
(config)#crypto ?
  ca   Certification authority
  key  Long term key operations
  pki  Public Key components
while on the 2811 I get:
WIN-T(config)#crypto ?
  ca           Certification authority
  call         Configure Crypto Call Admission Control
  ctcp         Configure cTCP encapsulation
  dynamic-map  Specify a dynamic crypto map template
  engine       Enter a crypto engine configurable menu
  gdoi         Configure GDOI policy
I have an ASA and a Cisco 2811, and need to build a site-to-site IPsec tunnel between them. Due to a requirement to encrypt inside traffic, I need to apply it on the inside interfaces on both devices to build the tunnel.
I don't see a problem but just want to check if it would work on terminating on Inside interfaces on both ip sec peers.
How can I get any numbers regarding performance for ACS v.5? I have looked through the documents but couldn't really get any idea. Especially in a WLAN environment: how many clients can use one appliance as primary without putting the primary under strong load?
I have spent half a day looking up this question on the Cisco official web site, but got nothing. Is there any information about the VPN performance of the 3925 router? Product: Cisco 3925 (Cisco 3925 Security Bundle w/SEC license PAK). The question is, how many IPsec VPN tunnels can be carried as a VPN server by this bundle? If more licenses are bought, how many tunnels can be held at most?
I would like more information on the performance of the 7600 router with the SP-720. How many full BGP routing sessions does it support? I have 4 links of 1 GB and a throughput of 900 MB.
We have an 1841 router and would like to enable netflow. Will this degrade the router's CPU and memory performance?
1841>sh ver
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)
Technical Support: [URL]
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 25-Oct-05 17:10 by evmiller
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
1841 uptime is 1 day, 4 hours, 47 minutes
System returned to ROM by power-on
System restarted at 11:04:25 MYT Mon Jan 10 2011
System image file is "flash:c1841-ipbase-mz.124-1c.bin"
Cisco 1841 (revision 7.0) with 114688K/16384K bytes of memory.
Processor board ID FCZ113311Y6
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
With the current (A5) ACE 4710 lic setup, does the "X gigabit per second appliance throughput" that is licensed affect: -
A) Only "appliance" i.e. load balancing traffic, any other normal routed traffic is not included in the limit
or
B) Is it an overall throughput limit on the interfaces i.e. includes all traffic not only load balancing traffic but also normal routed traffic crossing the appliance
Looking at a scenario where the lic size I need for HTTP load balancing would be one size if A) but would need to be much larger if B) to accommodate out of hours routed backup traffic crossing the ACE 4710.
I'm experiencing quite a slow vpn performance. I've tested different scenarios.
* Windows XP with built-in pptp client and Shrew ipsec client
* Linux built-in pptp
* wireless and wired connections
I never managed to go above 1MBps with either Windows or Linux. I managed to go up to 3MBps using the Shrew client. I've also checked mtu settings and everything seems to be fine.
I have a fairly large area to cover with wireless, and set up a second router to act as a repeater. The signal works great, other than being extremely inconsistent. Sometimes I get a speedtest of 18 ping and 7 mbps DL to a nearby server, and 10 seconds later it's 300 ping and 2 mbps. There are no problems when using the primary access point without the repeater. Where should I start in troubleshooting? I can't see why there would be such terrible consistency since much of the time the signal strength is fine. It's purely a problem of dropping the connection often.
I continue to have significant performance and random reboots with DIR-825 router (hardware: Rev A1; Firmware: 1.13NA). My ISP has checked the lines to my cable modem. If I connect any of my laptops or PCs directly to the cable modem and work off the direct connect, all works fine with no problems for many days and even multiple weeks. So, the router seems to be the bottleneck/issue.
I've tried multiple settings changes as listed in the forum here. My setup is fairly simple and detailed below.
Setup -> Internet:
-- Dynamic IP (DHCP)
-- I have disabled "Enable Advanced DNS Service"
-- "Use Unicasting" is enabled
-- I have primary and secondary DNS servers set
[Code]....
I'm new here but I'm not really new to networking. I manage a small network but I just found out that I have some issues with regard to speed. So what's the problem? As a main router/fw we have a Fortigate 100A which then goes to a core switch SRW2016. This switch then handles two VLANs. The problem is that I have port 5 assigned to VLAN 100 and port 6 to VLAN 101. They relate to DMZ1 (VLAN100) or internal (VLAN101). When I connect a small unmanageable switch to port 5 I get very low performance (20kB/s internet, 2-3MB/s LAN), however when I plug in a PC directly, I'm getting full speed. Port 6 with VLAN101 has the same unmanageable switch but no issues. Obviously you're thinking it's the switch. Well, I've tried replacing it already. It's not the switch. Both ports have the same configuration (relating to their VLAN) but resolving it goes beyond my knowledge.
I want to know if someone here knows how to observe the network performance, and do you know what kind of software can do the observation of the network performance?
I have a Cisco 881W router. It has historically run IOS 12.4 (20.T3) without issue. I recently upgraded the IOS to version 12.4 (24.T5). Once I made that upgrade, my ability to fully throttle my downstream bandwidth became seriously limited and variable, going from a steady 6Mbps to an unreliable 2-3Mbps. No other changes were made to my environment. The degradation in performance was so bad that my AppleTV would no longer stream Netflix or YouTube. I downgraded back to the original IOS 12.4 (20.T3) and the downstream bandwidth and variability issues disappeared. As well, my ability to stream movies or videos with my AppleTV on Netflix or YouTube returned without issue. I wonder if upgrading to IOS 12.4.24.T5 enabled some new commands that I'm not catching or there is something else at play that I'm totally missing.
It took me some time to get the load balancing (RV042 V3, v4.0.4.02-tm) working (my provider is not returning any packets from the gateway IP on a ping). Now I am running into a performance issue. After activating ProtectLink it takes a few hours or one or two days and the RV042 is reacting very slowly. I need to reboot the RV042 and everything is ok again for some time .... Deactivating ProtectLink does not work, only rebooting speeds the system up again. ProtectLink is useless this way. Is there anything I can do to get ProtectLink working?
I am using a Cisco 7206VXR (NPE-G2) router with 1G RAM. I have now enabled BGP routing with full routes, about 400K records, and OSPF routing. Maximum traffic throughput is 400 Mbps but the CPU utilization is 80%.