How can I make IPSec consume MORE cpu cycles? Not joking, I want more throughput. RRS feed

  • Question

  • Using IPSec reduces throughput on my test machines in comparison to the same underlying traffic not using IPSec.  That's fine, it's expected.  But when using IPSec and watching all my CPU cores, I see that none of my cores are being hit by the IPSec usage.

    Is there an internal throttle or limit on CPU consumption for the IPSec driver? When using IPSec, why do I *not* see high CPU utilization?  Assuming that CPU time is the limiting factor for IPSec, I *want* one or more cores to max out when using IPSec because I want to maximize network throughput.  If CPU time is not the limiting factor, what is?  Where can I tune these settings?

    I know about IPSec offload NICs, that's not the issue, in this test I don't want to use offload NICs.

    Thank you for any information!

    Sunday, June 10, 2012 3:27 AM

All replies

  • Unfortunately, IPSec capability builtin network cards are the only real solution in production environment. In lab, it might be possible to reconfigure DirectAccess generated GPO for the KeyLifetime parameter. Using lower cryptographic is also possible and easier to do because it's available in the configuration Wizard.

    BenoitS - Simple by Design

    Sunday, June 10, 2012 4:07 PM
  • Thank you for your answer, BenoitS, but that's not the question.  The question is whether there is a built-in throttle to prevent the IPSec driver from consuming more than X% of CPU time, and, if so, is there a way to change the throttle limit. 

    I have machines which lots and lots of spare CPU cycles whose network throughput with IPSec is being artificially and pointlessly limited.  It appears to be a design flaw in Windows added by Microsoft with good intentions, but a flaw nonetheless.


    Monday, June 11, 2012 8:47 PM