Solved

Telnet App latency over GRE tunnel

Posted on 2008-10-20
Last Modified: 2011-09-20
Hi,
I have a customer who has a telnet (unix terminal) based line of business application.

The application is hosted from a server located at a central site (app is used locally at this site) and accessed remotely over a GRE tunnel between two Cisco Routers (2811 at central site and 1801 at remote site).

At the remote site the customer is experiencing serious latency issues on the application (i.e. they type in something and it takes 30 seconds for it to appear in the terminal session on their screen).

At the central site no latency issues are seen at all.

The site to site link consists of a 2mb internet facing leased line at the central site (no internet traffic goes over this though) and an ADSL line at the remote site (again, no internet traffic goes through this router).

However, the site to site link does handle AD replication (including an Exchange org with servers at both sites).

A policy-map has been applied to the link to prioritize the telnet protocol, although this does not seem to have made any difference!

I have a feeling this might be fragmentation related, although I am at a loss as to how exactly to troubleshoot the issues best.

I haven't as yet ruled out any possible ISP related issues either, but would need some definitive proof before approaching them!

To assist, I have pasted in snippets of (what I think is relevant) config from both devices at either end of the link.

Any pointers would be greatly appreciated.

Thanks

Paul


Central site: snippet of info from central router config
 
class-map match-any TELNET
 match access-group 199
 
access-list 199 permit tcp any any eq telnet
 
policy-map Priority_app
 class TELNET
  priority 256
 
interface Tunnel0
 description ***GRE tunnel to remote***
 ip address 10.10.101.1 255.255.255.0
 ip mtu 1400
 ip nbar protocol-discovery
 qos pre-classify
 tunnel source Serial0/0/0
 tunnel destination xxx.xxx.xxx.xxx
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
 
interface FastEthernet0/0
 description ***LAN Connection***
 ip address 192.168.16.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1200
 duplex auto
 speed auto
 no mop enabled
 
interface Serial0/0/0
 description $FW_OUTSIDE$
 bandwidth 2048
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 crypto map SDM_CMAP_1
 service-policy output Priority_app
 
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
Snippet of config from remote site
 
class-map match-any TELNET
 match access-group 199
 
access-list 199 permit tcp any any eq telnet
 
policy-map PRIORITY
 class TELNET
  priority 256
 class class-default
  fair-queue
 
interface Tunnel0
 ip address 10.10.101.2 255.255.255.0
 ip mtu 1400
 ip nbar protocol-discovery
 qos pre-classify
 tunnel source Dialer0
 tunnel destination xxx.xxx.xxx.xxx
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
 
interface VLAN 1
 description **LAN Connection**
 ip address 192.168.2.254 255.255.255.0
 ip access-group 104 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1200
 
interface Dialer0
 description $FW_OUTSIDE$
 bandwidth 8032
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 service-policy output PRIORITY
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxx
 ppp chap password xxxxxxxxxxxxxxxxxxxxx
 crypto map SDM_CMAP_1
 
route-map clear-df permit 10
 match ip address 151
 set ip df 0
 
access-list 151 permit tcp any any

Question by:paul-adam
4 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 22759393
Is it just the telnet application? How are ping times/delays?
How about routing loops? Dynamic routing over the tunnel interface or static routes?
Have you tried a basic site-site vpn tunnel instead of encrypting through a gre tunnel interface?
0
 
LVL 1

Author Comment

by:paul-adam
ID: 22760969
The customer only notices the delay over telnet - pings seem ok as well
"round-trip min/avg/max = 76/76/80 ms"

No routing loops I can see

Routing is EIGRP - all networks are /24 so there shouldn't be any concerns there - it's a pretty straightforward setup.

Haven't tried a straight site to site ipsec tunnel as yet.

There are other remote sites as well....but they don't use the telnet app (citrix connections) - hence why the EIGRP - and all sites have ISDN failover as well.

One area I'm not 100% on is the use of the following commands on the tunnel
tunnel path-mtu-discovery
combined with
ip mtu 1400
Do they conflict at all????

and also the
ip tcp adjust-mss 1200
on the interfaces onto the LAN at both ends - again, would this cause any issues with fragmentation....

Any suggestions??
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22761400
Well, they are all different techniques to deal with mtu issues, but with the tunnel mtu hard set to 1400 it should compensate. I don't know that they would conflict at all with each other. There may be a command in the ipsec to pre-fragment before encrypting which could help.
Maybe find something useful here:
http://www.cisco.com/en/US/docs/ios/12_1/12_1e11/feature/guide/lookaheadfrag.html
0
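
The packet-size budget behind the `ip mtu 1400` / `ip tcp adjust-mss 1200` discussion above, as an added worked example (not part of the original thread and not Cisco's code). Assumptions not shown on the page: ESP with AES-CBC and HMAC-SHA1-96, a basic 4-byte GRE header, and candidate link MTUs of 1500 and 1492 (the usual PPPoE value) on the ADSL side.

```python
"""Added example: on-wire size of a packet after GRE, then ESP."""

GRE_HEADER = 4     # basic GRE header, no key/sequence/checksum options
IPV4_HEADER = 20   # IPv4 header without options
TCP_HEADER = 20    # TCP header without options
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad-length byte + next-header byte


def gre_size(inner_len):
    """Length of the GRE/IP packet carrying an inner IP packet."""
    return inner_len + GRE_HEADER + IPV4_HEADER


def esp_size(plain_len, tunnel_mode=True, block=16, iv=16, icv=12):
    """Length of the IP packet after ESP protects a plain_len-byte packet.

    Defaults are an ASSUMED transform (AES-CBC + HMAC-SHA1-96); the
    transform set is not shown in the posted config.
    """
    # Tunnel mode encrypts the whole packet; transport mode leaves the
    # original IP header outside the ESP payload.
    protected = plain_len if tunnel_mode else plain_len - IPV4_HEADER
    # Payload plus trailer is padded up to the cipher block size.
    padded = -(-(protected + ESP_TRAILER) // block) * block
    return IPV4_HEADER + ESP_HEADER + iv + padded + icv


def wire_size(inner_len, **esp):
    """Inner packet -> GRE -> ESP, as in the posted tunnel design."""
    return esp_size(gre_size(inner_len), **esp)


def report(link_mtus=(1500, 1492)):
    """Constructed sample packets checked against assumed link MTUs."""
    cases = {
        "telnet keystroke (1 byte)": IPV4_HEADER + TCP_HEADER + 1,
        "TCP segment at adjust-mss 1200": IPV4_HEADER + TCP_HEADER + 1200,
        "non-TCP packet at ip mtu 1400": 1400,
    }
    rows = []
    for name, inner in cases.items():
        size = wire_size(inner)
        rows.append((name, inner, size, {m: size <= m for m in link_mtus}))
    return rows


if __name__ == "__main__":
    for name, inner, size, fits in report():
        print(f"{name}: inner={inner} wire={size} fits={fits}")
```

Under these assumptions a full 1400-byte tunnel packet is 1496 bytes after encryption, which fits a 1500-byte link but would be fragmented after encryption on a 1492-byte one (the case the linked look-ahead fragmentation feature addresses). A TCP segment clamped to MSS 1200 is 1336 bytes on the wire and a single telnet keystroke is 136 bytes.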
 
LVL 1

Author Closing Comment

by:paul-adam
ID: 31507875
Ended up opening a Cisco TAC call for this - thanks for your help
0
