Cisco 851w VPN

Hello!

Have got an 851w connected through PPPoE DSL. The 851 then establishes a VPN connection to the home office. It works but is very slow, and if I do a ping -t to one of the servers on the other side I lose about 5% of packets.

When I configure a laptop to do the PPPoE and connect with the software VPN client I have 0% packet loss.  

Running the latest version of IOS 12.4(15)T14
inf2300
Asked:
 
nblancpain Commented:
5% is a lot, might be a duplex issue, or MTU issue.
Please post a show interface and a show run interface (or ideally your config)
 
Jody Lemoine (Network Architect) Commented:
Assuming you're using an IPsec VPN on top of this PPPoE connection, your MTU is going to be down by 8 because of the PPPoE connection and by as much as 76 bytes for the IPsec header. If there's a GRE tunnel in there, that subtracts another 24 bytes. I would add the "ip tcp adjust-mss 1352" command to your inside interface to see if that brings your success rate up.
 
nblancpain Commented:
I confirm, MTU or duplex issue...
 
inf2300 (Author) Commented:
Thanks for the replies. I was away on vacation but need to start working on this issue again.

For clarity's sake I've posted part of the config:

interface FastEthernet4
 description $FW_OUTSIDE$$ETH-WAN$
 no ip address
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map SDM_CMAP_1
!

interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 ip address negotiated
 ip access-group sdm_dialer0_in in
 ip mtu 1452
 ip inspect firewall in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxx@yyy.com password 7 06561D24555B0A1C09
 crypto map SDM_CMAP_1
!
interface BVI1
 description $FW_INSIDE$
 ip address 10.xxx.xxx.xxx 255.255.255.248
 ip access-group 104 in
 ip access-group 102 out
 no ip proxy-arp
 ip inspect SDM_HIGH in
 ip tcp adjust-mss 1412

I'm assuming VLAN1 needs to be changed to ip tcp adjust-mss 1352? Dialer0 stays at 1452 and BVI1 would need to be changed as well.

Thanks again in advance,
 
Jody Lemoine (Network Architect) Commented:
VLAN1 needs no MTU setting nor IP TCP MSS adjustment because it isn't running IP. Dialer0 needs an MTU of 1492 (I would use "mtu 1492" rather than "ip mtu 1492" here) and BVI1 needs "ip tcp adjust-mss 1452" because the MSS needs to be 40 bytes smaller than the MTU to account for overhead.
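The arithmetic behind the overhead figures quoted in the two answers above, as an added example that is not part of the thread or any poster's own code: it derives the largest safe MSS for each encapsulation stack and checks a constructed config excerpt, skipping interfaces that have no IP address. The function names, layer labels, the 10.0.0.1 address and the choice of PPPoE plus IPsec for the audit are assumptions.

```python
import re

# Overhead figures as quoted in the thread (the IPsec value is a worst case).
ETHERNET_MTU = 1500
OVERHEAD = {"pppoe": 8, "ipsec": 76, "gre": 24}
IP_TCP_HEADERS = 40  # the MSS sits this far below the MTU

def max_safe_mss(layers):
    """Largest TCP MSS that still fits once every listed layer is added."""
    return ETHERNET_MTU - sum(OVERHEAD[n] for n in layers) - IP_TCP_HEADERS

def parse_interfaces(config):
    """Map interface name -> {'mss': clamp or None, 'routed': has an IP address}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface\s+(\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"mss": None, "routed": True})
        elif cur is not None and re.match(r"\s+no ip address\b", line):
            cur["routed"] = False
        elif cur is not None and (m := re.match(r"\s+ip tcp adjust-mss\s+(\d+)", line)):
            cur["mss"] = int(m.group(1))
    return ifaces

def audit(config, layers):
    """Return (interface, configured, limit) where a routed interface clamps too high."""
    limit = max_safe_mss(layers)
    return [(name, i["mss"], limit) for name, i in parse_interfaces(config).items()
            if i["routed"] and i["mss"] is not None and i["mss"] > limit]

# Constructed excerpt modelled on the configuration posted in the thread.
SAMPLE = """\
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
!
interface BVI1
 ip address 10.0.0.1 255.255.255.248
 ip tcp adjust-mss 1412
"""

if __name__ == "__main__":
    for layers in (["pppoe"], ["pppoe", "ipsec"], ["pppoe", "ipsec", "gre"]):
        print("+".join(layers), "max MSS:", max_safe_mss(layers))
    for name, mss, limit in audit(SAMPLE, ["pppoe", "ipsec"]):
        print(f"{name}: adjust-mss {mss} > {limit}")
```

With these figures, 1452 corresponds to PPPoE alone and 1352 to PPPoE, IPsec and GRE together.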
 
nblancpain Commented:
Try:

interface dialer 0
 ip tcp adjust-mss 1452
 
inf2300 (Author) Commented:
Thanks!