poor vpn performance

tonyg
New here


All, I am posting this as information so it might help others; I have already worked with tech support on this fix.

In my environment, I have an MX65 on a 100 Mb/s Internet link. Our home office is a Cisco ASA 5516 on a 100 Mb/s Internet link. I set up a non-Meraki site-to-site VPN with the ASA and immediately noticed poor VPN performance. When I talked to Meraki tech support, initially they said they did not support my VPN config. I was using AES256/SHA1 for both phase 1 and phase 2. They insisted I need to use 3DES/SHA1 for both. They also suggested I use iperf to test the speed.

I set up iperf to test connection speed site to site, both inside the VPN tunnel and outside it (unencrypted). Iperf showed that I was getting about 20 Mb/s throughput when encrypted but 90 Mb/s unencrypted. So this shows that the problem here is encryption, and not the Internet links at either end.

I went through several engineers at Meraki who were not able to help me; they even RMA'd my MX65 thinking it was a hardware issue. Finally, a new engineer (Christopher) picked up my case. He was willing to set up a test in his lab. He reproduced my poor VPN performance and then tested different settings. He found that AES128 for both phase 1 and phase 2 provided better throughput. I made these changes and ran iperf again. With AES128 instead of 3DES, iperf was testing at about 80 Mb/s, a 4x increase from 3DES.

I can only speculate that Meraki is doing AES128 decryption in hardware and the rest in software, and maybe that accounts for the performance difference. However, one thing is clear: DO NOT USE THE MERAKI RECOMMENDED VPN SETTINGS.

ALWAYS USE AES128 FOR VPNs.

PhilipDAth
Kind of a big deal

What an excellent post.  Thanks for sharing your experience.


No one should be using 3DES for any new VPN.  3DES is a protocol becoming deprecated.


I can potentially see AES being faster.  Some CPUs actually do AES in hardware.  For example, Intel CPUs have the AES-NI instructions - allowing AES to be done onboard by the CPU hardware.

https://www.intel.com/content/www/us/en/architecture-and-technology/advanced-encryption-standard--ae...
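The measurement the original post describes (iperf through the tunnel versus iperf across the clear path, then deciding whether the gap is the crypto or the links) and the AES-NI point in the reply above, as an added example that is not part of the original thread or of any Meraki or Cisco tooling. The iperf3 JSON samples are constructed to mirror the numbers in the post, the 0.5 ratio cut-off is an assumed rule of thumb, and the AES-NI check only characterizes the Linux host it runs on, never the appliance itself:

```python
"""Compare iperf3 throughput through a site-to-site VPN against the
unencrypted path, and check the local CPU for the AES-NI flag.
Added example for the thread above; runs offline on constructed data."""
import json
import re

# Constructed iperf3 -J results, trimmed to the fields this script reads.
# The numbers mirror the post (about 20 Mb/s encrypted, 90 Mb/s clear);
# they are not a real capture.
TUNNEL_RUN = json.dumps({"end": {"sum_received": {"bits_per_second": 20.4e6}}})
DIRECT_RUN = json.dumps({"end": {"sum_received": {"bits_per_second": 90.1e6}}})


def iperf3_client_cmd(server, seconds=30, streams=4):
    """argv for one iperf3 client run: -t duration, -P parallel streams
    (a single TCP stream often cannot fill a 100 Mb/s WAN), -J JSON output
    so the result is parsed rather than read off the screen."""
    return ["iperf3", "-c", server, "-t", str(seconds), "-P", str(streams), "-J"]


def mbps_from_iperf3_json(text):
    """Receiver-side aggregate throughput in Mbit/s from iperf3 -J output.
    sum_received is what actually crossed the path, so it is preferred
    over sum_sent, which also counts bytes still buffered at the sender."""
    data = json.loads(text)
    return data["end"]["sum_received"]["bits_per_second"] / 1e6


def classify(tunnel_mbps, direct_mbps, threshold=0.5):
    """Ratio of encrypted to clear-path throughput with a verdict.
    The 0.5 cut-off is an assumption: ESP framing alone costs a few
    percent, so a tunnel running at under half the clear-path rate points
    at the crypto path (cipher choice, hardware offload) rather than at
    the Internet links, which the clear-path run already exercised."""
    ratio = tunnel_mbps / direct_mbps
    return {
        "tunnel_mbps": round(tunnel_mbps, 1),
        "direct_mbps": round(direct_mbps, 1),
        "ratio": round(ratio, 2),
        "bottleneck": "vpn-crypto" if ratio < threshold else "links-or-path",
    }


def cpu_has_aes_ni(cpuinfo_text):
    """True when a Linux /proc/cpuinfo dump lists the 'aes' CPU flag.
    Useful for a software VPN endpoint (strongSwan, a Linux router); an
    appliance such as the MX does not expose this, so it says nothing
    about whether the appliance offloads AES."""
    for line in cpuinfo_text.splitlines():
        if line.lower().startswith("flags"):
            flags = re.split(r"\s+", line.split(":", 1)[1].strip())
            return "aes" in flags
    return False


if __name__ == "__main__":
    # Same client, two targets: the home-office host's inside address goes
    # through the tunnel, its public address goes around it (addresses are
    # placeholders from documentation ranges).
    print(" ".join(iperf3_client_cmd("10.1.1.10")), "  # inside the tunnel")
    print(" ".join(iperf3_client_cmd("203.0.113.10")), "  # outside the tunnel")
    print(classify(mbps_from_iperf3_json(TUNNEL_RUN),
                   mbps_from_iperf3_json(DIRECT_RUN)))
    with open("/proc/cpuinfo") as f:
        print("AES-NI on this host:", cpu_has_aes_ni(f.read()))
```

Run the two iperf3 commands back to back against a server at the home office (`iperf3 -s` on the same host, reachable on both its inside and public addresses), feed the JSON into `mbps_from_iperf3_json`, and repeat after each cipher change so the before and after numbers come from the same method. A ratio near 1 with both runs well under line rate means the links, not the VPN, are the limit.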

Hi. Can you please tell me where to change the settings?

PhilipDAth
Kind of a big deal

Security Appliance/Site-to-site VPN

The predefined "AWS" option uses AES128+SHA1+Group2 for phase 1 and 2.


[Screenshot: Screenshot from 2018-01-26 00-20-48.png]

Thanks so much

kevUK
Here to help

Hi. Can you please tell me where I change the settings?
