Hi!
I’ve a setup where two 1100AH are connected via 100Mbit and I’m using IPsec with
/ip ipsec proposal add auth-algorithms=null disabled=no enc-algorithms=aes-128 lifetime=30m name=IPSec pfs-group=modp1024
And I’m getting 10mbyte/sec through the tunnel, but I don’t understand the following (during copying via ftp) on the Mikrotiks:
[admin@xxxx] /system resource cpu> /system resource cpu print
CPU LOAD IRQ DISK
0 87% 82% 0%
[admin@xxxx] /system resource cpu> /system resource cpu print
CPU LOAD IRQ DISK
0 90% 90% 0%
[admin@xxxx] /system resource cpu> /system resource cpu print
CPU LOAD IRQ DISK
0 95% 92% 0%
[admin@xxxx] /system resource cpu> /system resource cpu print
CPU LOAD IRQ DISK
0 91% 90% 0%
…
As IPsec AES128 should be done in hardware, and the load is always near the IRQ value, I believe it is responsible for the high load. Why is that so? Do I use the wrong interface (for testing I’m using Eth1 and Eth13)? Should I use others? Some other wrong setting? Or just normal?
Thx.
New RB1100AH doesn’t have hardware acceleration, only the new RB1100AHx2 has it.
Oh, that’s not good … as it’s the main feature for us.
Yes. Our main usage is for IPSec too. But I don’t think CPU usage is over 80% when traffic is only 10Mbps, even if the new RB1100AH doesn’t have hardware acceleration. Please post more detail about what kind of configuration you have: firewall, queue etc. Also, if you copied files to the router’s own memory, there will be high CPU usage on "flash". We have RB1200, RB1000U, RB750G, RB433UAH routers for IPSec traffic. RB750G has very low CPU and it doesn’t have hardware acceleration, but it can easily handle 15Mbps traffic on 3DES.
We’ve 100Mbit-200Mbit traffic, so it is a problem for us. We are at 90% CPU with 10Mbyte/sec (100Mbit) (ftp server and ftp client, not to the mikrotik) but we need more, and the data sheets said AES chip, but I guess those were the old sheets … Really bad to name a device like an old one but to have only 10% of the flash and no AES chip.
Sorry for my mistake. If it is 10MByte/s, I think it is true that RB1100AH (hardware V2) can’t handle that. I have tested RB1000 at 3DES. CPU usage was 50-60% when transferring 200Mbps TCP traffic. But now I use this one using DES, 20 firewall rules, 8 mangle rules, heavy QoS configuration, some content filtering and layer7 filtering. When my traffic is over 100Mbps, CPU usage is 90%. About RB1200, it has hardware acceleration, but it also has a serious issue with IPSec. MT support still hasn’t solved it.
At last, I hope hardware acceleration of new RB1100AHx2 is powerful and without any issue like or more than RB1000. Price is still amazingly cheap. Only 495$. http://routerboard.com/RB1100AHx2
If I’m not mistaken, v5.10 has fixed both IPsec and Watchdog crashes; ask support for a test version.
Thanks macgaiver. I will ask.
No. Did not solve RB1200 IPSec issues.
- When total traffic is 100kbps and cpu usage is 1%, ICMP latency is still 17-18ms.
- If I create an IPSec tunnel for dst-address=0.0.0.0/0 src-address=192.168.100.0/24, after the tunnel establishes I can’t access from the 192.168.100.0/24 network to 192.168.100.1, which is the address of the RB1200. Also the routerboard can’t access the 192.168.100.0/24 network. But if I try to access the remote network from 192.168.100.0/24, it is okay. No problem. Also from my remote network I can access the 192.168.100.0/24 network.
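
The second symptom above is what a policy selector of src-address=192.168.100.0/24 dst-address=0.0.0.0/0 produces under first-match lookup on packets the router sends, modelled here in Python. This is an added example, not RouterOS code and not something posted in the thread; the first-match model, the host addresses 192.168.100.50, 10.0.0.5 and 203.0.113.9, and the bypass entry are assumptions for illustration, and whether this explains the RB1200 behaviour reported here is not confirmed on the page.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Policy(NamedTuple):
    src: str     # source selector (CIDR)
    dst: str     # destination selector (CIDR)
    action: str  # "encrypt" = send into the tunnel, "none" = bypass IPsec


def lookup(policies: List[Policy], src_ip: str, dst_ip: str) -> Optional[str]:
    """Action of the first policy whose selectors match an outgoing packet."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return p.action
    return None  # no selector matched: packet leaves unprotected


def trace(policies: List[Policy],
          flows: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map each named flow to the action it would receive."""
    return {n: lookup(policies, s, d) or "plain" for n, (s, d) in flows.items()}


# Selector pair taken from the post.
TUNNEL = Policy("192.168.100.0/24", "0.0.0.0/0", "encrypt")
# Assumed bypass entry for LAN-local traffic, evaluated before TUNNEL.
BYPASS = Policy("192.168.100.0/24", "192.168.100.0/24", "none")

# Constructed outgoing packets as seen by the router at 192.168.100.1.
FLOWS = {
    "router_to_lan": ("192.168.100.1", "192.168.100.50"),  # replies and pings
    "lan_to_remote": ("192.168.100.50", "10.0.0.5"),       # forwarded LAN traffic
    "lan_to_other": ("192.168.100.50", "203.0.113.9"),     # any other destination
}

BEFORE = trace([TUNNEL], FLOWS)         # router_to_lan is pulled into the tunnel
AFTER = trace([BYPASS, TUNNEL], FLOWS)  # router_to_lan stays local

if __name__ == "__main__":
    for name in FLOWS:
        print(f"{name:14} before={BEFORE[name]:8} after={AFTER[name]}")
```

In this model the router's own packets to LAN hosts match the tunnel selector because 192.168.100.1 lies inside 192.168.100.0/24 and every destination lies inside 0.0.0.0/0; the more specific bypass entry only helps if it is evaluated first.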