Community discussions

MikroTik App
 
robertpenz
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

1100AH and IPsec performance

Mon Dec 05, 2011 7:33 pm

Hi!

I've a setup where two 1100AH are connected via 100Mbit and I'm using IPsec with

/ip ipsec proposal add auth-algorithms=null disabled=no enc-algorithms=aes-128 lifetime=30m name=IPSec pfs-group=modp1024

And I'm getting 10mbyte/sec through the tunnel, but I don't understand following (during coping via ftp) on the Mikrotiks:

[admin@xxxx] /system resource cpu> /system resource cpu print
CPU LOAD IRQ DISK
0 87% 82% 0%
[admin@xxxx] /system resource cpu> /system resource cpu print
CPU LOAD IRQ DISK
0 90% 90% 0%
[admin@xxxx] /system resource cpu> /system resource cpu print
CPU LOAD IRQ DISK
0 95% 92% 0%
[admin@xxxx] /system resource cpu> /system resource cpu print
CPU LOAD IRQ DISK
0 91% 90% 0%

...........

As IPsec AES128 should be done in hardware, and the load is always near the IRQ value, i believe it is responsible for the high load. Why is that so? Do I use the wrong interface (for testing I'm using Eth1 and Eth13). Should I user others? Some other wrong setting? Or just normal?

Thx.
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1734
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: 1100AH and IPsec performance

Wed Dec 07, 2011 8:23 am

New RB1100AH doesn't have hardware acceleration, only new RB1100AHx2 have it
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
robertpenz
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

Re: 1100AH and IPsec performance

Wed Dec 07, 2011 8:30 am

oh, thats not good ... as its the main feature for us
 
User avatar
otgooneo
Trainer
Trainer
Posts: 573
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia
Contact:

Re: 1100AH and IPsec performance

Wed Dec 07, 2011 5:56 pm

oh, thats not good ... as its the main feature for us
Yes. Our main usage is for IPSec too. But I don`t think CPU usage is over 80% when traffic is only 10Mbps, even new RB1100AH does`n have hardware acceleration. Please post us more detail what kind of configuration do you have? Firewall, queue etc. Also if you copied files to router`s own memory, it will be high CPU usage on "flash". We have RB1200, RB1000U, RB750G, RB433UAH routers for IPSec traffic. RB750G has very low CPU and it doesn`t have hardware acceleration, but it can easily handle 15Mbps traffic on 3DES.
----------------------------
Want to learn more and more...
 
robertpenz
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

Re: 1100AH and IPsec performance

Wed Dec 07, 2011 7:11 pm

We've 100Mbit-200Mbit Traffic so it is a problem for us. We are at 90% CPU with 10Mbyte/sec (100Mbit) (ftp server and ftp client, not to the mikrotik) but we need more and the data sheets said AES chip, but I guess that where the old sheets .... Really bad to name a device as a old one but to have only 10% of the flash and no AES chip.
 
User avatar
otgooneo
Trainer
Trainer
Posts: 573
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia
Contact:

Re: 1100AH and IPsec performance

Wed Dec 07, 2011 9:05 pm

:lol: Sorry for my mistake. If 10MByte/s, I think this is true that RB1100AH (hardware V2) can`t handle that. I have tested RB1000 at 3DES. CPU usage was 50-60%, when transfer 200Mbps TCP traffic. But now I use this one using DES, 20 firewall rules, 8 mangle rules, heavy QoS configuration, some content filtering and layer7 filtering. When my traffic over 100Mbps, CPU usage is 90%. About RB1200, it has hardware acceleration, but it has also serious issue with IPSec. MT support still doesn`t solve it.
At last, I hope hardware acceleration of new RB1100AHx2 is powerful and without any issue like or more than RB1000. Price is still amazing cheap. Only 495$. http://routerboard.com/RB1100AHx2
----------------------------
Want to learn more and more...
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1734
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: 1100AH and IPsec performance

Thu Dec 08, 2011 8:26 am

...About RB1200, it has hardware acceleration, but it has also serious issue with IPSec...
If I'm not mistaken v5.10 have fixed both IPsec and Watchdog crashes, ask support for test version.
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
User avatar
otgooneo
Trainer
Trainer
Posts: 573
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia
Contact:

Re: 1100AH and IPsec performance

Thu Dec 08, 2011 3:32 pm

Thanks macgaiver. I will ask.
----------------------------
Want to learn more and more...
 
User avatar
otgooneo
Trainer
Trainer
Posts: 573
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia
Contact:

Re: 1100AH and IPsec performance

Thu Dec 08, 2011 5:32 pm

No. Did not solve RB1200 IPSec issues.
1. When total traffic is 100kbps and cpu usage is 1%, ICMP latency still 17-18ms.
2. If I create IPSec tunnel for dst-address=0.0.0.0/0 src-address=192.168.100.0/24, after tunnel establishes can`t access from 192.168.100.0/24 network to 192.168.100.1, which is address of RB1200. Also routerboard can`t access to 192.168.100.0/24 network. But if I try to access to remote network from 192.168.100.0/24, it is okay. No problem. Also from my remote network can access to 192.168.100.0/24 network.
----------------------------
Want to learn more and more...

Who is online

Users browsing this forum: mbovenka and 32 guests