Solved

Cisco 851w VPN

Posted on 2010-09-01
Last Modified: 2012-05-10
Hello!

Have got an 851w connected through PPPoE DSL.  The 851 then establishes a VPN connection to the home office.  It works but is very slow, and if I do a ping -t to one of the servers on the other side I lose about 5% of packets.

When I configure a laptop to do the PPPoE and connect with the software VPN client I have 0% packet loss.  

Running the latest version of IOS 12.4(15)T14
Question by:inf2300
7 Comments
 
LVL 2

Expert Comment

by:nblancpain
ID: 33584677
5% is a lot, might be a duplex issue, or MTU issue.
Please post a show interface and a show run interface (or ideally your config)
0
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 33600748
Assuming you're using an IPsec VPN on top of this PPPoE connection, your MTU is going to be down by 8 because of the PPPoE connection and by as much as 76 bytes for the IPsec header.  If there's a GRE tunnel in there, that subtracts another 24 bytes.  I would add the "ip tcp adjust-mss 1352" command to your inside interface to see if that brings your success rate up.
0
 
LVL 2

Expert Comment

by:nblancpain
ID: 33601790
I confirm, MTU or duplex issue...
0
 

Author Comment

by:inf2300
ID: 33683216
Thanks for the replies. I was away on vacation but need to start working on this issue again.

For clarity's sake I've posted part of the config:

interface FastEthernet4
 description $FW_OUTSIDE$$ETH-WAN$
 no ip address
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map SDM_CMAP_1
!

interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 ip address negotiated
 ip access-group sdm_dialer0_in in
 ip mtu 1452
 ip inspect firewall in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxx@yyy.com password 7 06561D24555B0A1C09
 crypto map SDM_CMAP_1
!
interface BVI1
 description $FW_INSIDE$
 ip address 10.xxx.xxx.xxx 255.255.255.248
 ip access-group 104 in
 ip access-group 102 out
 no ip proxy-arp
 ip inspect SDM_HIGH in
 ip tcp adjust-mss 1412

I'm assuming VLAN1 needs to be changed to ip tcp adjust-mss 1352?  Dialer0 stays at 1452 & BVI1 would need to be changed as well.

Thanks again in advance,
0
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 1000 total points
ID: 33683286
VLAN1 needs no MTU setting nor IP TCP MSS adjustment because it isn't running IP.  Dialer0 needs an MTU of 1492 (I would use "mtu 1492" rather than "ip mtu 1492" here) and BVI1 needs "ip tcp adjust-mss 1452" because the MSS needs to be 40 bytes smaller than the MTU to account for overhead.
0
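Added example, not part of the original thread: a small audit that applies the arithmetic from the answers above (overhead figures as quoted in the thread, MSS = MTU - 40) to an IOS-style interface config. The function names and the sample config are constructed for illustration; the sample is modelled on the config posted in the question, with a placeholder address.

```python
import re

# Overhead figures (bytes) quoted in the thread; IPsec is the stated worst case.
OVERHEAD = {"pppoe": 8, "ipsec": 76, "gre": 24}
TCP_IP_HEADERS = 40   # IPv4 header (20) + TCP header (20), no options
ETHERNET_MTU = 1500

def clamp_mss(*encaps):
    """Largest TCP MSS that still fits after the listed encapsulations."""
    return ETHERNET_MTU - sum(OVERHEAD[e] for e in encaps) - TCP_IP_HEADERS

def parse_interfaces(config):
    """Map interface name -> whether it has an IP address, and its MSS clamp."""
    stanzas, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = stanzas.setdefault(raw.split()[1], {"has_ip": False, "mss": None})
        elif not raw.startswith(" "):
            cur = None                    # "!" or a top-level line ends the stanza
        elif cur is not None and line.startswith("ip address "):
            cur["has_ip"] = True          # "no ip address" does not match here
        elif cur is not None and (m := re.fullmatch(r"ip tcp adjust-mss (\d+)", line)):
            cur["mss"] = int(m.group(1))
    return stanzas

def audit(config, *encaps):
    """Return (interface, problem) pairs for the given encapsulation stack."""
    limit, findings = clamp_mss(*encaps), []
    for name, s in parse_interfaces(config).items():
        if s["mss"] is not None and not s["has_ip"]:
            findings.append((name, "adjust-mss set but interface has no IP address"))
        elif s["mss"] is not None and s["mss"] > limit:
            findings.append((name, f"MSS {s['mss']} exceeds {limit}"))
    return findings

# Constructed sample modelled on the posted config (address is a placeholder).
SAMPLE = """\
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
!
interface BVI1
 ip address 10.0.0.1 255.255.255.248
 ip tcp adjust-mss 1412
"""
print(audit(SAMPLE, "pppoe", "ipsec"))
```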
 
LVL 2

Assisted Solution

by:nblancpain
nblancpain earned 1000 total points
ID: 33683287
Try:

interface dialer 0
 ip tcp adjust-mss 1452
0
 

Author Closing Comment

by:inf2300
ID: 34023609
Thanks!
0
