Routing

Hello, 

I  have a bunch of branch SRXes, one central SRX650 and an MX5 router with MS-MIC that I set up the tunnel from to the central SRX. The SRX bunch is performing well via st tunnels, but I'm struggling with the ipsec performance on the SRX-MX ipsec link. MX runs the latest recommended 21.2R3-S5.4, SRX650 runs not so modern Junos (but it will be evident from the main part below that this probably has nothing to do with the issue I'm facing).

I've tried various approaches:

• the recommended GRE  over IPSec approach (as per [MX] How to configure GRE over IPsec with the MS-MIC/MS-MPC or MS-DPC article)
• not so much known, but more decent approach when MX terminates the SRX secure tunnel (st0.X) via its MS-MIC controller

While nominally working, both approaches demonstrate poor ipsec performance: about 1.3-1.7 Mbit/sec. In the same time non-encrypted bandwidth is about 100 Mbit/sec between the same endpoints (there a LAN behind both SRX650 and MX5, I test the performance using VMs that can exchange data via their public IPs or via private IPs over the tunnel). In the same time I can say that SRX650 to branch SRX exchanges data using ipsec tunnels almost at their line rate (100-150 Mbit/sec, depending on the site). So the issue is definitely in the MX setup or in it's hardware.

I've searched for various patterns like "ipsec hardware acceleration", "MS-MIC MX ipsec performance" and not so, but did not find anything.

Is there some MX tweak that I'm unaware of ?