Wireless Access

Reply
Occasional Contributor II
Posts: 11
Registered: ‎04-11-2013

Performance issues with master-local IPsec tunnel

Hi.

 

 

I'm experiencing performance issues when pushing traffic between master-local controllers using ipsecmap, it seems to be capped at about ~14mbit/s according to iperf. I’ve used several protocols, all with the same result. I’ve tested the connection outside the tunnel and it peaks at 75mbit/s, which reflects the capacity. Generating traffic that is routed directly through the controller to internet gives the expected and correct results.
The master controller is a 620 and the local controller is a 7010. As the IPsecmap is generated automatically (in a master-local environment) it doesn’t really allow me to adjust any values.

 

Is there somewhere I could try tuning the values?

 

Best regards,

 

Daniel

Guru Elite
Posts: 8,649
Registered: ‎09-08-2010

Re: Performance issues with master-local IPsec tunnel

Client traffic is not sent down that tunnel, only management traffic. 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 11
Registered: ‎04-11-2013

Re: Performance issues with master-local IPsec tunnel

Thank you for replying.

 

Well, I have added routes to go through that particular IPsec map that gets created automatically, so I'm pretty confident traffic gets passed through that tunnel. Unless it's something I'm clearly missing here?

Guru Elite
Posts: 8,649
Registered: ‎09-08-2010

Re: Performance issues with master-local IPsec tunnel

You should not use that for client traffic. You should create a separate ipsec tunnel if you need to transport user traffic. 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 11
Registered: ‎04-11-2013

Re: Performance issues with master-local IPsec tunnel

Thanks. I wasn't aware of the need to create two tunnels if you need user traffic as well. I'll try that.

 

Best regards,

 

Daniel

Contributor I
Posts: 26
Registered: ‎04-13-2009

Re: Performance issues with master-local IPsec tunnel

GRE tunnel will also work.
Occasional Contributor II
Posts: 11
Registered: ‎04-11-2013

Re: Performance issues with master-local IPsec tunnel

Hi,

 

I'm having some issues creating multiple ipsec tunnel to the same endpoint. Every time I try to build the connection it stops the one already running. Any ideas as to mark or tag them as other vendors do?

 

I'm not sure building a GRE tunnel would (traversing through the same bandwidth capped ipsec tunnel) do the trick?

 

Best regards,

 

Daniel

Guru Elite
Posts: 8,649
Registered: ‎09-08-2010

Re: Performance issues with master-local IPsec tunnel

I know I'm not answering your question but best practice is to use a multi-master topology if controllers are not located on the same "campus". 

Master-local is designed for controllers in the same location / LAN. 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 26
Registered: ‎04-13-2009

Re: Performance issues with master-local IPsec tunnel

Hi Daniel,

Not sure why the tunnel is going down. I have implement a lot of customers with both GRE and IPSec. Are you sure that you are not creating any loops by creating multiple tunnels.

Layer2 GRE tunnel is most easiest config and I have not seen any BW limitation and usually used to redirect all the user traffic to a different controller.


Guru Elite
Posts: 21,291
Registered: ‎03-29-2007

Re: Performance issues with master-local IPsec tunnel

[ Edited ]

itwt wrote:

Hi.

 

 

I'm experiencing performance issues when pushing traffic between master-local controllers using ipsecmap, it seems to be capped at about ~14mbit/s according to iperf. I’ve used several protocols, all with the same result. I’ve tested the connection outside the tunnel and it peaks at 75mbit/s, which reflects the capacity. Generating traffic that is routed directly through the controller to internet gives the expected and correct results.
The master controller is a 620 and the local controller is a 7010. As the IPsecmap is generated automatically (in a master-local environment) it doesn’t really allow me to adjust any values.

 

Is there somewhere I could try tuning the values?

 

Best regards,

 

Daniel


Daniel,

 

Let's first get an idea of our topology.  Does it look like this?

 

620--------ISPA------------Internet--------------ISPB-------7010

 

What is the CIR or up/down for ISPA and ISPB?

What  command(s) and switches are you using to test with iperf and what is the output ?

What are you using to test the internet speed and which ISP?

Are you doing a bidirectional test?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: