Cisco 3845 consistant packet loss on IPSec tunnels and slow internet
Hi.
We have a Cisco 3845 (c3845-advipservicesk9-mz.
The internet is a 6mb WAN circuit with MTU set at 1500. (not PPoE)
We are running 3 ipsec tunnels and all three have around 40% packet loss.
When we download from microsoft.com get around 2kbps
When I transfered a file using teamviewer I was getting 160kbp
Pings to www.google.com. and 8.8.8.8 are clean with no packet loss
Show interface (cleared the counters and left it for 10 minutes)
Internet address is ***WAN IP***
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:08:52
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/2/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 75000 kilobits/sec
5 minute input rate 7000 bits/sec, 8 packets/sec
5 minute output rate 14000 bits/sec, 15 packets/sec
3957 packets input, 468834 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
6464 packets output, 1127545 bytes, 0 underruns
0 output errors, 1 collisions, 0 interface resets
2 unknown protocol drops
15 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
All three of my site to site VPN tunnels are up and running. The sites at the other end pinging back to a internal device on the 3845 get consistent packet loss as well.
The three remote sites are in different locations around the globe.
If you guys have any recommendations I could try let me know.
We have a Cisco 3845 (c3845-advipservicesk9-mz.
The internet is a 6mb WAN circuit with MTU set at 1500. (not PPoE)
We are running 3 ipsec tunnels and all three have around 40% packet loss.
When we download from microsoft.com get around 2kbps
When I transfered a file using teamviewer I was getting 160kbp
Pings to www.google.com. and 8.8.8.8 are clean with no packet loss
Show interface (cleared the counters and left it for 10 minutes)
Internet address is ***WAN IP***
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:08:52
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/2/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 75000 kilobits/sec
5 minute input rate 7000 bits/sec, 8 packets/sec
5 minute output rate 14000 bits/sec, 15 packets/sec
3957 packets input, 468834 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
6464 packets output, 1127545 bytes, 0 underruns
0 output errors, 1 collisions, 0 interface resets
2 unknown protocol drops
15 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
All three of my site to site VPN tunnels are up and running. The sites at the other end pinging back to a internal device on the 3845 get consistent packet loss as well.
The three remote sites are in different locations around the globe.
If you guys have any recommendations I could try let me know.
ip cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key [ p/w ] address [ Remote Site WAN IP 1 ]
crypto isakmp key [ p/w ] address [ Remote Site WAN IP 2 ]
crypto isakmp key [ p/w ] address [ Remote Site WAN IP 3 ]
!
!
crypto ipsec transform-set TransSet1 esp-3des esp-sha-hmac
crypto ipsec transform-set TransSet2 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer [ Remote Site WAN IP 1 ]
set transform-set TransSet1
match address 110
crypto map VPN 2 ipsec-isakmp
set peer [ Remote Site WAN IP 2 ]
set transform-set TransSet1
match address 111
crypto map VPN 3 ipsec-isakmp
set peer [ Remote Site WAN IP 3 ]
set transform-set TransSet2
match address 112
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class class-default
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
pass
class class-default
policy-map Parent_Shaper
class class-default
shape average 6000000
fair-queue
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
!
interface GigabitEthernet0/0
description $FW_OUTSIDE$$ETH-WAN$
mtu 1500
ip address [ WAN IP ] 255.255.255.252
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
media-type rj45
crypto map VPN
service-policy output Parent_Shaper
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet2/0
description $FW_INSIDE$
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Integrated-Service-Engine4/0
no ip address
shutdown
no keepalive
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host [ Remote Site WAN IP 1 ] any
access-list 102 permit ip host [ Remote Site WAN IP 2 ] any
access-list 102 permit ip host [ Remote Site WAN IP 3 ] any
access-list 103 remark CCP_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 172.20.48.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 10.102.48.0 0.0.7.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 deny ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny ip 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny ip 192.168.5.0 0.0.0.255 10.102.48.0 0.0.7.255
access-list 105 deny ip 192.168.5.0 0.0.0.255 172.20.48.0 0.0.0.255
access-list 105 permit ip 192.168.5.0 0.0.0.255 any
access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 permit ip 192.168.5.0 0.0.0.255 10.102.48.0 0.0.7.255
access-list 112 permit ip 192.168.5.0 0.0.0.255 172.20.48.0 0.0.0.255
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 105
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.