Cisco 3845 consistent packet loss on IPSec tunnels and slow internet

Posted on 2010-11-13
Last Modified: 2012-06-27

We have a Cisco 3845 (c3845-advipservicesk9-mz.124-15.T8) which we have just set up. We seem to be having very slow internet performance and consistent packet loss on our VPN tunnels.

The internet is a 6mb WAN circuit with MTU set at 1500. (not PPPoE)
We are running 3 ipsec tunnels and all three have around 40% packet loss.
When we download from get around 2kbps
When I transferred a file using TeamViewer I was getting 160kbps
Pings to and are clean with no packet loss

Show interface (cleared the counters and left it for 10 minutes)
  Internet address is ***WAN IP***
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:08:52
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: Class-based queueing
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/2/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 75000 kilobits/sec
  5 minute input rate 7000 bits/sec, 8 packets/sec
  5 minute output rate 14000 bits/sec, 15 packets/sec
     3957 packets input, 468834 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     6464 packets output, 1127545 bytes, 0 underruns
     0 output errors, 1 collisions, 0 interface resets
     2 unknown protocol drops
     15 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

All three of my site-to-site VPN tunnels are up and running. The sites at the other end pinging back to an internal device on the 3845 get consistent packet loss as well.
The three remote sites are in different locations around the globe.

If you guys have any recommendations I could try let me know.

ip cef
multilink bundle-name authenticated
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key [ p/w ] address [ Remote Site WAN IP 1 ]
crypto isakmp key [ p/w ] address [ Remote Site WAN IP 2 ]
crypto isakmp key [ p/w ] address [ Remote Site WAN IP 3 ]
crypto ipsec transform-set TransSet1 esp-3des esp-sha-hmac 
crypto ipsec transform-set TransSet2 esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map VPN 1 ipsec-isakmp 
 set peer [ Remote Site WAN IP 1 ]
 set transform-set TransSet1 
 match address 110
crypto map VPN 2 ipsec-isakmp 
 set peer [ Remote Site WAN IP 2 ]
 set transform-set TransSet1 
 match address 111
crypto map VPN 3 ipsec-isakmp 
 set peer [ Remote Site WAN IP 3 ]
 set transform-set TransSet2 
 match address 112
 log config
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
 class class-default
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
 class type inspect sdm-protocol-http
 class class-default
policy-map type inspect sdm-permit
 class type inspect SDM_VPN_PT
 class class-default
policy-map Parent_Shaper
 class class-default
  shape average 6000000
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 mtu 1500
 ip address [ WAN IP ]
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 media-type rj45
 crypto map VPN
 service-policy output Parent_Shaper
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
interface GigabitEthernet2/0
 description $FW_INSIDE$
 ip address
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
interface Integrated-Service-Engine4/0
 no ip address
 no keepalive
ip forward-protocol nd
ip route GigabitEthernet0/0
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
access-list 1 remark SDM_ACL Category=2
access-list 1 permit
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host any
access-list 100 permit ip any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host [ Remote Site WAN IP 1 ] any
access-list 102 permit ip host [ Remote Site WAN IP 2 ] any
access-list 102 permit ip host [ Remote Site WAN IP 3 ] any
access-list 103 remark CCP_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip
access-list 103 permit ip
access-list 103 permit ip
access-list 103 permit ip
access-list 105 remark CCP_ACL Category=2
access-list 105 deny   ip
access-list 105 remark IPSec Rule
access-list 105 deny   ip
access-list 105 deny   ip
access-list 105 deny   ip
access-list 105 deny   ip
access-list 105 permit ip any
access-list 110 permit ip
access-list 111 permit ip
access-list 112 permit ip
route-map SDM_RMAP_1 permit 1
 match ip address 105


Question by: Eirejp

Accepted Solution

Eirejp earned 0 total points
ID: 34129812
Just found the problem. I changed the default route from GigabitEthernet0/0 to the ISP IP for the gateway and it cleared up the whole problem.
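As an added illustration of the accepted answer (not code from this thread), here is a small Python check that reads an IOS config and flags static routes pointing at an Ethernet-type interface with no next-hop address, the form the poster replaced; on a multi-access link such a route makes the router ARP for every destination and depend on the upstream device's proxy ARP, which shows up as loss and slowness. The config text and the 192.0.2.x addresses are constructed placeholders, not the poster's values.

```python
import re

# Constructed sample, modelled on the question's redacted config: the default
# route names only the egress interface, as the poster originally had it.
# Addresses are documentation-range placeholders, not the poster's values.
CONFIG_BEFORE = """\
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 192.0.2.10 255.255.255.248
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
"""

# The corrected form from the accepted answer: point the default route at the
# ISP gateway address instead of the interface (placeholder gateway).
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0",
    "ip route 0.0.0.0 0.0.0.0 192.0.2.9")

# ip route <prefix> <mask> (<next-hop> | <interface> [<next-hop>]) [options]
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\S+))?")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Multi-access (Ethernet-family) interfaces: a route that names only one of
# these forces the router to ARP for every forwarded destination.
MULTIACCESS = ("Ethernet", "FastEthernet", "GigabitEthernet",
               "TenGigabitEthernet", "Vlan")


def audit_static_routes(config: str) -> list[str]:
    """Return one finding per static route that exits an Ethernet-type
    interface without a next-hop address."""
    findings = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix, mask, egress, nexthop = m.groups()
        if IPV4_RE.match(egress):
            continue  # next-hop route: resolved through a single ARP entry
        if nexthop and IPV4_RE.match(nexthop):
            continue  # interface plus explicit next-hop: also fine
        if egress.startswith(MULTIACCESS):
            findings.append(f"{prefix} {mask} via {egress}: no next-hop, "
                            f"router must ARP for every destination")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, audit_static_routes(cfg) or "clean")
```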

