Solved

Telnet App latency over GRE tunnel

Posted on 2008-10-20
1,220 Views
Last Modified: 2011-09-20
Hi,
I have a customer who has a telnet (unix terminal) based line of business application.

The application is hosted from a server located at a central site (app is used locally at this site) and accessed remotely over a GRE tunnel between two Cisco Routers (2811 at central site and 1801 at remote site).

At the remote site the customer is experiencing serious latency issues on the application (i.e. they type in something and it takes 30 seconds for it to appear in the terminal session on their screen).

At the central site no latency issues are seen at all.

The site to site link consists of a 2mb internet facing leased line at the central site (no internet traffic goes over this though) and an ADSL line at the remote site (again, no internet traffic goes through this router).

However, the site to site link does handle AD replication (including an Exchange org with servers at both sites).

A policy-map has been applied to the link to prioritize the telnet protocol, although this does not seem to have made any difference!

I have a feeling this might be fragmentation related, although I am at a loss as to how exactly to troubleshoot the issues best.

I haven't as yet ruled out any possible ISP related issues either, but would need some definitive proof before approaching them!

To assist, I have pasted in snippets of (what I think is relevant) config from both devices at either end of the link.

Any pointers would be greatly appreciated.

Thanks

Paul


Central Site Snippet of info from Central Router config

class-map match-any TELNET
 match access-group 199

access-list 199 permit tcp any any eq telnet

policy-map Priority_app
 class TELNET
  priority 256

interface Tunnel0
 description ***GRE tunnel to remote***
 ip address 10.10.101.1 255.255.255.0
 ip mtu 1400
 ip nbar protocol-discovery
 qos pre-classify
 tunnel source Serial0/0/0
 tunnel destination xxx.xxx.xxx.xxx
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1

interface FastEthernet0/0
 description ***LAN Connection***
 ip address 192.168.16.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1200
 duplex auto
 speed auto
 no mop enabled

interface Serial0/0/0
 description $FW_OUTSIDE$
 bandwidth 2048
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 crypto map SDM_CMAP_1
 service-policy output Priority_app

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Snippet of config from remote site

class-map match-any TELNET
 match access-group 199

access-list 199 permit tcp any any eq telnet

policy-map PRIORITY
 class TELNET
  priority 256
 class class-default
  fair-queue

interface Tunnel0
 ip address 10.10.101.2 255.255.255.0
 ip mtu 1400
 ip nbar protocol-discovery
 qos pre-classify
 tunnel source Dialer0
 tunnel destination xxx.xxx.xxx.xxx
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1

interface VLAN 1
 description **LAN Connection**
 ip address 192.168.2.254 255.255.255.0
 ip access-group 104 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1200

interface Dialer0
 description $FW_OUTSIDE$
 bandwidth 8032
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 service-policy output PRIORITY
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxx
 ppp chap password xxxxxxxxxxxxxxxxxxxxx
 crypto map SDM_CMAP_1

route-map clear-df permit 10
 match ip address 151
 set ip df 0

access-list 151 permit tcp any any

Question by:paul-adam
4 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 22759393
Is it just the telnet application? How are ping times/delays?
How about routing loops? Dynamic routing over the tunnel interface or static routes?
Have you tried a basic site-site VPN tunnel instead of encrypting through a GRE tunnel interface?
 
LVL 1

Author Comment

by:paul-adam
ID: 22760969
The customer only notices the delay over telnet - pings seem ok as well
"round-trip min/avg/max = 76/76/80 ms"

No routing loops I can see

Routing is EIGRP - all networks are /24 so there shouldn't be any concerns there - it's a pretty straightforward setup.

Haven't tried a straight site to site IPsec tunnel as yet.

There are other remote sites as well....but they don't use the telnet app (Citrix connections) - hence why the EIGRP - and all sites have ISDN failover as well.

One area I'm not 100% on is the use of the following commands on the tunnel
tunnel path-mtu-discovery
combined with
ip mtu 1400
Do they conflict at all?

and also the
ip tcp adjust-mss 1200
on the interfaces onto the LAN at both ends - again, would this cause any issues with fragmentation....

Any suggestions?
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 22761400
Well, they are all different techniques to deal with mtu issues, but with the tunnel mtu hard set to 1400 it should compensate. I don't know that they would conflict at all with each other. There may be a command in the ipsec to pre-fragment before encrypting which could help.
Maybe find something useful here:
http://www.cisco.com/en/US/docs/ios/12_1/12_1e11/feature/guide/lookaheadfrag.html
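As an added illustration (not part of the thread), here is a quick encapsulation budget for the two MTU techniques discussed above, i.e. "ip mtu 1400" on Tunnel0 and "ip tcp adjust-mss 1200" on the LAN interfaces, with the crypto map applied on top of the GRE encapsulation. The transform set and the ADSL link MTU are not shown in the posted config, so the ESP parameters (AES-CBC with HMAC-SHA1, tunnel mode) and the 1492-byte PPPoE link MTU are assumptions that can be changed at the call site.

```python
# Added example (not from the thread): MTU/MSS budget for the GRE-over-IPsec
# tunnel posted above. Assumptions (not on the page): ESP tunnel mode with
# AES-CBC (16-byte block and IV) and HMAC-SHA1 (12-byte ICV); PPPoE on the
# ADSL side, giving a 1492-byte link MTU. Both are parameters below.

IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
GRE_OVERHEAD = 24    # outer IPv4 header (20) + plain GRE header (4)

def esp_tunnel_overhead(inner_len, block=16, iv=16, icv=12):
    """Bytes ESP tunnel mode adds around an inner packet of inner_len bytes."""
    # Pad so that (data + pad + 2 trailer bytes) is a whole number of cipher blocks.
    pad = (-(inner_len + 2)) % block
    # New outer IP header + SPI/sequence (8) + IV + padding + trailer (2) + ICV.
    return IP_HDR + 8 + iv + pad + 2 + icv

def wire_size(inner_len, **esp):
    """Size on the physical link of a packet that entered Tunnel0 at inner_len bytes."""
    gre_packet = inner_len + GRE_OVERHEAD          # GRE encapsulation first...
    return gre_packet + esp_tunnel_overhead(gre_packet, **esp)   # ...then encryption

def largest_unfragmented_inner(link_mtu, **esp):
    """Largest tunnel payload whose encrypted GRE packet still fits the link MTU."""
    return max(n for n in range(64, link_mtu) if wire_size(n, **esp) <= link_mtu)

def check_budget(tunnel_mtu=1400, mss=1200, link_mtu=1492, **esp):
    """Compare the posted tunnel MTU and MSS clamp against the link; returns findings."""
    tcp_packet = mss + IP_HDR + TCP_HDR            # telnet segment after adjust-mss
    return {
        "tcp_packet_bytes": tcp_packet,
        "tcp_fits_tunnel": tcp_packet <= tunnel_mtu,
        "tunnel_mtu_on_wire": wire_size(tunnel_mtu, **esp),
        "tunnel_mtu_fits_link": wire_size(tunnel_mtu, **esp) <= link_mtu,
        "max_inner_without_fragmentation": largest_unfragmented_inner(link_mtu, **esp),
    }

if __name__ == "__main__":
    for mtu in (1500, 1492):                       # PPPoA-style vs PPPoE-style link
        print(mtu, check_budget(link_mtu=mtu))
    print("3DES", check_budget(block=8, iv=8))     # smaller block/IV changes the answer
```

Under the AES assumption a full 1400-byte tunnel packet leaves the router as 1496 bytes, which fits a 1500-byte link but not a 1492-byte PPPoE path, while the 1240-byte segments produced by the MSS clamp fit either way; swapping in 3DES parameters (8-byte block and IV) brings the same packet down to 1480 bytes, so the real transform set and link MTU decide the answer.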
 
LVL 1

Author Closing Comment

by:paul-adam
ID: 31507875
Ended up opening a Cisco TAC call for this - thanks for your help
