inf2300
asked on
Cisco 851w VPN
Hello!
Have got an 851w connected through PPPoE DSL. The 851 then establishes a VPN connection to the home office. It works but is very slow and if I do a ping -t to one of the servers on the otherside I lose about 5% of packets.
When I configure a laptop to do the PPPoE and connect with the software VPN client I have 0% packet loss.
Running the latest version of IOS 12.4(15)T14
Have got an 851w connected through PPPoE DSL. The 851 then establishes a VPN connection to the home office. It works but is very slow and if I do a ping -t to one of the servers on the otherside I lose about 5% of packets.
When I configure a laptop to do the PPPoE and connect with the software VPN client I have 0% packet loss.
Running the latest version of IOS 12.4(15)T14
Assuming you're using an IPsec VPN on top of this PPPoE connection, your MTU is going to be down by 8 because of the PPPoE connection and by as much as 76 bytes for the IPsec header. If there's a GRE tunnel in there, that subtracts another 24 bytes. I would add the "ip adjust tcp-mss 1352" command to your inside interface to see if that brings your success rate up.
I confirm, MTU or duplex issue...
ASKER
Thanks for the replies I was away on vacation but need to start working on this issue again
For Clarity skake I've posted part of the config :
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
no ip address
ip access-group 105 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO- HWIC 4ESW$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
bridge-group 1
!
interface Dialer0
ip address negotiated
ip access-group sdm_dialer0_in in
ip mtu 1452
ip inspect firewall in
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxx@yyy.com password 7 06561D24555B0A1C09
crypto map SDM_CMAP_1
!
interface BVI1
description $FW_INSIDE$
ip address 10.xxx.xxx.xxx 255.255.255.248
ip access-group 104 in
ip access-group 102 out
no ip proxy-arp
ip inspect SDM_HIGH in
ip tcp adjust-mss 1412
I'm assuming VLAN1 needs to be changed to ip adjust tcp-mss 1352? Dialer0 stays at 1452 & DVI1 would need to be changed as well.
Thanks again in advance,
For Clarity skake I've posted part of the config :
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
no ip address
ip access-group 105 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
bridge-group 1
!
interface Dialer0
ip address negotiated
ip access-group sdm_dialer0_in in
ip mtu 1452
ip inspect firewall in
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxx@yyy.com password 7 06561D24555B0A1C09
crypto map SDM_CMAP_1
!
interface BVI1
description $FW_INSIDE$
ip address 10.xxx.xxx.xxx 255.255.255.248
ip access-group 104 in
ip access-group 102 out
no ip proxy-arp
ip inspect SDM_HIGH in
ip tcp adjust-mss 1412
I'm assuming VLAN1 needs to be changed to ip adjust tcp-mss 1352? Dialer0 stays at 1452 & DVI1 would need to be changed as well.
Thanks again in advance,
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks!
Please post a show interface and a show run interface (or ideally your config)