[Help] 2811 ISR + SSL VPN

Hi all,

First of all, I'm not quite sure where this thread belongs; since it's for my home lab (remote access), thought I'd put it here.

So I've got a 2811 ISR and an AIM-VPN/SSL-2 installed. That being said, I was testing out the configs when I noticed I can't seem to get more than 1 meg of throughput. Checked the router, CPU load is 100%, while processes only account for 40-50% (max), assuming interrupts are responsible for the missing 50%... Any thoughts on the cause?

Thanks a bunch
~Kyle 

Additional info:

AIM module is active and is being used
CEF is enabled

Configs (I simply used CCP to test it out as I'm not very familiar with IOS security features):

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1094883733
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1094883733
 revocation-check none
 rsakeypair TP-self-signed-1094883733
!
!
crypto pki certificate chain TP-self-signed-1094883733
 certificate self-signed 01
!removed to save space
        quit
dot11 syslog
ip source-route
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO2811 sn FTX0922A2TW
username Test privilege 15 password test1
!
redundancy
!
interface Loopback0
 ip address 10.100.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.100.0.10 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.200.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered Loopback0
!
ip local pool VPN-TEST 10.100.1.200 10.100.1.250
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.100.0.1
!
nls resp-timeout 1
cpd cr-id 1
!
control-plane
!
mgcp profile default
!
!
line con 0
line aux 0
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
 ip address 10.100.0.10 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-1094883733
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
 !
webvpn context VPN-TEST
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "VPN-TEST" netmask 255.255.255.255
   svc keep-client-installed
 default-group-policy policy_1
 aaa authentication list default
 gateway gateway_1
 inservice
!
end

Comments

  • I think I've pinpointed the issue to packets being process switched instead of CEF switched (coming from the PC, FA0/1)...

    Router#show int stat
    FastEthernet0/0
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                   Processor        348      43824        592      66588
                 Route cache    1420813 1997947011     732879   40336083
                       Total    1421161 1997990835     733471   40402671
    FastEthernet0/1
              Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                   Processor    1289249  123783873    1561399 1754274141
                 Route cache       1014     191244     245931  363605404
                       Total    1290263  123975117    1807330 2117879545

    Router#show webvpn sta
    User session statistics:
        Active user sessions     : 1          AAA pending reqs         : 0
        Peak user sessions       : 1          Peak time                : 00:39:18
        Active user TCP conns    : 2          Terminated user sessions : 1
        Session alloc failures   : 0          Authentication failures  : 2
        VPN session timeout      : 0          VPN idle timeout         : 0
        User cleared VPN sessions: 0          Exceeded ctx user limit  : 0
        Exceeded total user limit: 0
        Client process rcvd pkts : 725745     Server process rcvd pkts : 0
        Client process sent pkts : 1799210    Server process sent pkts : 0
        Client CEF received pkts : 1021       Server CEF received pkts : 0
        Client CEF rcv punt pkts : 24         Server CEF rcv punt pkts : 0
        Client CEF sent pkts     : 245635     Server CEF sent pkts     : 0
        Client CEF sent punt pkts: 590659     Server CEF sent punt pkts: 0

        SSLVPN appl bufs inuse   : 0          SSLVPN eng  bufs inuse   : 0
        Active server TCP conns  : 0

    Router#show crypto engine accelerator stat

    Device:   AIM-VPN/SSL-2
    Location: AIM Slot: 0
    Virtual Private Network (VPN) Module in slot : 0
            Statistics for Hardware VPN Module since the last clear
             of counters 2804 seconds ago
            2140351 packets in                     2140351 packets out
         2057210127 bytes in                    2046218719 bytes out
                763 paks/sec in                        763 paks/sec out
               5868 Kbits/sec in                      5837 Kbits/sec out
             726694 packets decrypted              1413657 packets encrypted
           50924229 bytes before decrypt        1995294490 bytes encrypted
           39297125 bytes decrypted             2017913002 bytes after encrypt
                  0 packets decompressed                 0 packets compressed
                  0 bytes before decomp                  0 bytes before comp
                  0 bytes after decomp                   0 bytes after comp
                  0 packets bypass decompr               0 packets bypass compres
                  0 bytes bypass decompres               0 bytes bypass compressi
                  0 packets not decompress               0 packets not compressed
                  0 bytes not decompressed               0 bytes not compressed
              1.0:1 compression ratio                1.0:1 overall
                580 commands out                       580 commands acknowledged
            Last 5 minutes:
              19127 packets in                       19127 packets out
                 63 paks/sec in                         63 paks/sec out
             491128 bits/sec in                     488590 bits/sec out
             363661 bytes decrypted               17608129 bytes encrypted
               9828 Kbits/sec decrypted             475895 Kbits/sec encrypted
              1.0:1 compression ratio                1.0:1 overall
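
The `show int stat` counters in the comment above can be turned into a per-interface process-switched share, which makes the punt problem on the inside interface obvious at a glance. This is an added example, not part of the original thread; the function names and the 0.5 threshold are assumptions, and the sample text is constructed from the counters quoted above.

```python
import re

# Constructed sample: the 'show int stat' counters quoted in the comment above.
SAMPLE = """\
FastEthernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor        348      43824        592      66588
             Route cache    1420813 1997947011     732879   40336083
                   Total    1421161 1997990835     733471   40402671
FastEthernet0/1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor    1289249  123783873    1561399 1754274141
             Route cache       1014     191244     245931  363605404
                   Total    1290263  123975117    1807330 2117879545
"""
ROW = re.compile(r"^\s*(Processor|Route cache|Total)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_int_stats(text):
    """Return {interface: {path: (pkts_in, chars_in, pkts_out, chars_out)}}."""
    stats, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m and current:
            stats[current][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
        elif line.strip() and not line[0].isspace():
            current = line.strip()  # unindented line starts a new interface block
            stats[current] = {}
    return stats

def process_switched_share(stats):
    """Per interface: (inbound, outbound) fraction of packets on the Processor path."""
    shares = {}
    for intf, paths in stats.items():
        proc, total = paths.get("Processor"), paths.get("Total")
        if not proc or not total:
            continue  # incomplete block, e.g. a prompt line or truncated paste
        pin = proc[0] / total[0] if total[0] else 0.0
        pout = proc[2] / total[2] if total[2] else 0.0
        shares[intf] = (pin, pout)
    return shares

def flag_interfaces(shares, threshold=0.5):
    """Interfaces where either direction exceeds the assumed threshold."""
    return sorted(i for i, s in shares.items() if max(s) > threshold)

if __name__ == "__main__":
    for intf, (pin, pout) in process_switched_share(parse_int_stats(SAMPLE)).items():
        print(f"{intf}: {pin:.1%} in / {pout:.1%} out process switched")
```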

      
