Solved

Cisco 3845 consistent packet loss on IPSec tunnels and slow internet

Posted on 2010-11-13
Last Modified: 2012-06-27
Hi.

We have a Cisco 3845 (c3845-advipservicesk9-mz.124-15.T8) which we have just set up. We seem to be having very slow internet performance and consistent packet loss on our VPN tunnels.

The internet is a 6mb WAN circuit with MTU set at 1500 (not PPPoE).
We are running 3 IPsec tunnels and all three have around 40% packet loss.
When we download from microsoft.com we get around 2kbps.
When I transferred a file using TeamViewer I was getting 160kbps.
Pings to www.google.com and 8.8.8.8 are clean with no packet loss.

Show interface (cleared the counters and left it for 10 minutes)
  Internet address is ***WAN IP***
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:08:52
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: Class-based queueing
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/2/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 75000 kilobits/sec
  5 minute input rate 7000 bits/sec, 8 packets/sec
  5 minute output rate 14000 bits/sec, 15 packets/sec
     3957 packets input, 468834 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     6464 packets output, 1127545 bytes, 0 underruns
     0 output errors, 1 collisions, 0 interface resets
     2 unknown protocol drops
     15 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

All three of my site to site VPN tunnels are up and running. The sites at the other end pinging back to an internal device behind the 3845 get consistent packet loss as well.
The three remote sites are in different locations around the globe.

If you guys have any recommendations I could try let me know.


ip cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key [ p/w ] address [ Remote Site WAN IP 1 ]
crypto isakmp key [ p/w ] address [ Remote Site WAN IP 2 ]
crypto isakmp key [ p/w ] address [ Remote Site WAN IP 3 ]
!
!
crypto ipsec transform-set TransSet1 esp-3des esp-sha-hmac
crypto ipsec transform-set TransSet2 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer [ Remote Site WAN IP 1 ]
 set transform-set TransSet1
 match address 110
crypto map VPN 2 ipsec-isakmp
 set peer [ Remote Site WAN IP 2 ]
 set transform-set TransSet1
 match address 111
crypto map VPN 3 ipsec-isakmp
 set peer [ Remote Site WAN IP 3 ]
 set transform-set TransSet2
 match address 112
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
policy-map Parent_Shaper
 class class-default
  shape average 6000000
  fair-queue
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 mtu 1500
 ip address [ WAN IP ] 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 media-type rj45
 crypto map VPN
 service-policy output Parent_Shaper
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet2/0
 description $FW_INSIDE$
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface Integrated-Service-Engine4/0
 no ip address
 shutdown
 no keepalive
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host [ Remote Site WAN IP 1 ] any
access-list 102 permit ip host [ Remote Site WAN IP 2 ] any
access-list 102 permit ip host [ Remote Site WAN IP 3 ] any
access-list 103 remark CCP_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 172.20.48.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 10.102.48.0 0.0.7.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny   ip 192.168.5.0 0.0.0.255 10.102.48.0 0.0.7.255
access-list 105 deny   ip 192.168.5.0 0.0.0.255 172.20.48.0 0.0.0.255
access-list 105 permit ip 192.168.5.0 0.0.0.255 any
access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 permit ip 192.168.5.0 0.0.0.255 10.102.48.0 0.0.7.255
access-list 112 permit ip 192.168.5.0 0.0.0.255 172.20.48.0 0.0.0.255
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 105

Question by: Eirejp

Accepted Solution by: Eirejp
Just found the problem. I changed the default route from GigabitEthernet0/0 to the ISP IP as the gateway, and that cleared up the whole problem.
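The fix above replaces `ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0` with a default route that names the ISP's next-hop address. A static route that names only a broadcast interface makes IOS treat every destination as directly connected, so the router ARPs for each remote address and depends on the upstream device answering with proxy ARP; that is slow, fills the ARP table and fails unpredictably, which fits the symptoms in the question. As an added example (not from the original thread and not a Cisco tool), the following Python script lints an IOS configuration for static routes that name only a multi-access interface with no next-hop address, and also scans a `show interface` dump for a port that negotiated half-duplex, as the WAN port in the question did (note its 1 collision). The sample inputs are constructed from the config on this page with the bracketed placeholder addresses replaced by RFC 5737 documentation addresses; the `isp_gateway` parameter is an assumption used only to print the suggested replacement line.

```python
"""Lint an IOS config for interface-only static routes on multi-access
interfaces, and a 'show interface' dump for half-duplex negotiation."""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines from the 3845 config in the question,
# with the placeholder WAN address replaced by an RFC 5737 documentation address.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 crypto map VPN
!
interface GigabitEthernet2/0
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
"""

# Constructed sample: a few lines in the shape of the 'show interface' output
# in the question (the header line is assumed; the page omits it).
SAMPLE_SHOW_INTERFACE = """\
GigabitEthernet0/0 is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Half-duplex, 100Mb/s, media type is RJ45
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 1 collisions, 0 interface resets
"""

# Interface types that are broadcast / multi-access. A route that names only
# such an interface forces ARP for every destination and relies on proxy ARP
# upstream. Point-to-point types (Serial, Tunnel, Dialer, ...) are fine.
MULTI_ACCESS = ("Ethernet", "FastEthernet", "GigabitEthernet",
                "TenGigabitEthernet", "Vlan", "BVI")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ROUTE = re.compile(r"^ip route (\S+) (\S+) (.+)$")
DUPLEX = re.compile(r"^\s*(Half|Full)-duplex, (\S+),")


@dataclass
class Finding:
    line: str        # the offending config or show line
    message: str     # what is wrong with it
    suggestion: str  # what to change


def is_multi_access(token: str) -> bool:
    """True if the token is an interface name of a broadcast type."""
    return token.startswith(MULTI_ACCESS)


def lint_static_routes(config: str, isp_gateway: str = "<ISP gateway IP>") -> list[Finding]:
    """Flag 'ip route' lines whose next hop is only a multi-access interface.
    isp_gateway (assumed) is substituted into the suggested replacement."""
    findings: list[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ROUTE.match(line)
        if not m:
            continue
        prefix, mask, rest = m.groups()
        tokens = rest.split()
        has_next_hop = any(IPV4.match(t) for t in tokens)
        if tokens and is_multi_access(tokens[0]) and not has_next_hop:
            what = ("default route" if (prefix, mask) == ("0.0.0.0", "0.0.0.0")
                    else f"route to {prefix} {mask}")
            findings.append(Finding(
                line,
                f"{what} names multi-access interface {tokens[0]} with no "
                "next-hop address; IOS will ARP for every destination",
                f"ip route {prefix} {mask} {isp_gateway}"))
    return findings


def lint_show_interface(output: str) -> list[Finding]:
    """Flag an interface that negotiated half-duplex."""
    findings: list[Finding] = []
    for raw in output.splitlines():
        m = DUPLEX.match(raw)
        if m and m.group(1) == "Half":
            findings.append(Finding(
                raw.strip(),
                f"interface negotiated half-duplex at {m.group(2)}; with "
                "collisions in the counters this indicates a duplex mismatch",
                "set matching speed/duplex on both ends of the WAN link"))
    return findings


if __name__ == "__main__":
    for f in lint_static_routes(SAMPLE_CONFIG, "203.0.113.1") + \
             lint_show_interface(SAMPLE_SHOW_INTERFACE):
        print(f"{f.line}\n  problem:  {f.message}\n  suggest:  {f.suggestion}")
```

Running the script against the constructed samples reports the interface-only default route and suggests `ip route 0.0.0.0 0.0.0.0 203.0.113.1`, and separately flags the half-duplex WAN port; a route that already carries a next-hop address, or that points at a point-to-point interface such as a Serial or Tunnel, is not reported.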
