Solved

DMVPN grinds to a halt compared to L2L VPN

Posted on 2010-11-18
Last Modified: 2012-05-10
Hi Experts,
I have a problem with a DMVPN installation. We have a 4Mb portion of a Leased Line that 50 users share to run Citrix over. We currently have a L2L VPN configured on an ASA5510 connecting to a PIX 515 at the Datacentre. This works fine. However, to give us failover on to an ADSL connection if the Leased Line goes down, I would like to implement a DMVPN.

We have therefore installed a 2812 router at the Datacentre and bought an 1800 router for the branch. I configured the DMVPN and it seemed to work fine, but when more than 20 users started using Citrix it ground to a halt. We flipped back to the L2L VPN and it started working fine again. Ping times to the Datacentre over the L2L VPN are 9-11ms but ping times over the DMVPN are 18-20ms.

What can I check to identify what the problem is?

The config for the DMVPN is below:

Datacentre (2812) Router:

syn-stv-2812#sh run
Building configuration...


Current configuration : 3128 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname syn-stv-2812
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret
enable password
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
no ip cef
!        
!
ip domain name synarbor.local
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!        
voice-card 0
 no dspfarm
!
!
crypto pki trustpoint TP-self-signed-2608257972
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2608257972
 revocation-check none
 rsakeypair TP-self-signed-2608257972
!
!
!
!
username
archive
 log config
  hidekeys
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key *removed* address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set TFS4 esp-3des esp-md5-hmac
!
crypto dynamic-map DMVPN-Dynamic 10
 set transform-set TFS4
 match address 115
!
!
crypto map DMVPN 10 ipsec-isakmp dynamic DMVPN-Dynamic
!
!
!
!
!
!
!
interface Loopback0
 ip address 172.16.155.254 255.255.255.255
!
interface Tunnel0
 bandwidth 2048
 ip address 172.16.150.254 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication synarbor
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 no ip mroute-cache
 ip ospf network broadcast
 delay 1000
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100000
!
interface FastEthernet0/0
 ip address 192.168.123.245 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address *.*.*.85 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map DMVPN
!
router ospf 1
 log-adjacency-changes
 network 172.16.150.0 0.0.0.255 area 0
 network 192.168.123.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 *.*.*.254
ip route 192.168.11.0 255.255.255.0 192.168.123.250 240
ip http server
no ip http secure-server
!
!
ip nat inside source list 120 interface FastEthernet0/1 overload
!
access-list 115 remark VPN Traffic
access-list 115 permit ip host 172.16.155.254 host 172.16.155.1
access-list 115 permit ip host 172.16.155.254 host 172.16.155.2
access-list 115 permit ip host 172.16.155.254 host 172.16.155.3
access-list 115 permit ip host 172.16.155.254 host 172.16.155.4
access-list 115 permit ip host 172.16.155.254 host 172.16.155.5
access-list 115 permit ip host 172.16.155.254 host 172.16.155.6
access-list 115 deny   ip 192.168.123.0 0.0.0.255 any
access-list 115 deny   ip 192.168.11.0 0.0.0.255 any
access-list 120 remark NAT
access-list 120 permit ip 192.168.11.0 0.0.0.255 any
access-list 120 permit ip 192.168.123.0 0.0.0.255 any
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
line aux 0
line vty 0 4
 session-timeout 120
 privilege level 15
 password **************
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

-----------------------------------------------------------------------------------

Branch (1800) router:

1801-SheffTest#sh run
Building configuration...

Current configuration : 4350 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1801-SheffTest
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
!
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.234.1 172.16.234.128
ip dhcp excluded-address 172.16.234.135 172.16.234.254
!
ip dhcp pool local-pool
   import all
   network 172.16.234.0 255.255.255.0
   default-router 172.16.234.254
   dns-server 192.168.123.31 172.16.234.254
   lease 0 2
!
!
ip domain name synarbor.com
!
multilink bundle-name authenticated
!
!
!
!
username
!
!
track 1 rtr 1 reachability
!
track 5 list boolean or
 object 1
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key *removed* address *.*.*.85 no-xauth
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set TFS4 esp-3des esp-md5-hmac
!
crypto map mGRE-Map 10 ipsec-isakmp
 set peer *.*.*.85
 set security-association level per-host
 set transform-set TFS4
 match address 115
!
!
!
!
interface Loopback0
 ip address 172.16.155.4 255.255.255.255
!
interface Tunnel0
 bandwidth 2048
 ip address 172.16.150.4 255.255.255.0
 ip mtu 1440
 ip nhrp authentication synarbor
 ip nhrp map 172.16.150.254 *.*.*.85
 ip nhrp map multicast 80.2.100.85
 ip nhrp network-id 99
 ip nhrp nhs 172.16.150.254
 ip nhrp registration no-unique
 ip nhrp cache non-authoritative
 no ip mroute-cache
 ip ospf network broadcast
 delay 1000
 tunnel source Loopback0
 tunnel destination 172.16.155.254
 tunnel key 100000
!
interface FastEthernet0
 ip address *.*.*.187 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mGRE-Map
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Vlan1
 description Router-Router-LAN
 ip address 172.16.234.254 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname ****************
 ppp chap password *******************
 ppp ipcp dns request
 crypto map mGRE-Map
!        
router ospf 1
 log-adjacency-changes
 redistribute connected
 network 172.16.150.0 0.0.0.255 area 0
 network 172.16.232.0 0.0.0.255 area 0
 network 172.16.233.0 0.0.0.255 area 0
 network 172.16.234.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 *.*.*.161 track 5
ip route 0.0.0.0 0.0.0.0 Dialer1 10
ip route 81.23.53.29 255.255.255.255 *.*.*.161
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source route-map backup-internet-NAT interface Dialer1 overload
ip nat inside source route-map primary-internet-NAT interface FastEthernet0 overload
!
ip sla 1
 icmp-echo 81.23.53.29
 timeout 1000
 threshold 5
 frequency 10
ip sla schedule 1 life forever start-time now
access-list 115 remark VPN-Traffic
access-list 115 permit ip host 172.16.155.4 host 172.16.155.254
access-list 115 deny   ip 172.16.232.0 0.0.0.255 any
access-list 115 deny   ip 172.16.233.0 0.0.0.255 any
access-list 115 deny   ip 172.16.234.0 0.0.0.255 any
access-list 120 remark NAT
access-list 120 permit ip 172.16.232.0 0.0.0.255 any
access-list 120 permit ip 172.16.233.0 0.0.0.255 any
access-list 120 permit ip 172.16.234.0 0.0.0.255 any
!
!
!
route-map primary-internet-NAT permit 10
 match ip address 120
 match interface FastEthernet0
!        
route-map backup-internet-NAT permit 10
 match ip address 120
 match interface Dialer1
!
!
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 session-timeout 120
 access-class 23 in
 privilege level 15
 login local
 transport input all
!
end

Thanks,
Jaime
Question by:jamwalk123
2 Comments

Author Comment

by:jamwalk123
A bit of further information:
I currently have 2 x 5-user branches connecting to the core router via DMVPN and they are working fine. They have ADSL connections. I have noticed that the CPU usage on the core router is as follows:
CPU utilization for five seconds: 11%/3%; one minute: 32%; five minutes: 38%
...and this is with only 2 x small branches connecting.
The core router also has CEF disabled.
LVL 32

Accepted Solution

by: harbor235 (earned 500 total points)

Turn on CEF, you are process switching all your traffic

harbor235 ;}
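The accepted answer points at a single line in the posted hub config (`no ip cef`). The script below is an added example, not part of this thread or anyone's posted code: it parses an IOS `show run` text into its global commands and indented sub-mode blocks and reports the things a reviewer would raise from the configs above. The sample config is a constructed excerpt modelled on the hub (2812) config in the question; the function names `parse_sections` and `audit_config` and the severity labels are the example's own choices.

```python
"""Audit a Cisco IOS running-config for the settings discussed in this thread.

Added example; not code from the original thread. Checks: CEF disabled
globally (the accepted answer), plus observations that follow directly from
the posted hub config (wildcard pre-shared key, IKE md5 hash, 3DES transform,
telnet enabled on the vty lines, and whether each tunnel carries an ip mtu).
"""
import re

# Constructed excerpt modelled on the hub (2812) config posted in the question.
SAMPLE_HUB_CONFIG = """\
version 12.4
hostname syn-stv-2812
no ip cef
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key *removed* address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set TFS4 esp-3des esp-md5-hmac
interface Tunnel0
 ip mtu 1440
 tunnel mode gre multipoint
interface FastEthernet0/1
 crypto map DMVPN
line vty 0 4
 transport input telnet ssh
end
"""


def parse_sections(config):
    """Split an IOS config into (global_lines, {section_header: [sub_lines]}).

    IOS indents sub-mode commands with a single space; '!' lines are separators.
    Every top-level command is recorded in global_lines and also opens a
    (possibly empty) section so that its indented children can be collected.
    """
    global_lines = []
    sections = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
            continue
        current = line
        sections[current] = []
        global_lines.append(line)
    return global_lines, sections


def audit_config(config):
    """Return a list of (severity, message) findings for the config text."""
    global_lines, sections = parse_sections(config)
    findings = []

    # The accepted answer: with 'no ip cef' every packet is process switched.
    if "no ip cef" in global_lines:
        findings.append(("high", "CEF is disabled globally (no ip cef): all traffic is "
                         "process switched; enable it with 'ip cef'"))

    for header, body in sections.items():
        if header.startswith("interface Tunnel"):
            # GRE plus IPsec overhead fragments full-size packets unless the
            # tunnel MTU is lowered, as the posted configs do with ip mtu 1440.
            if not any(cmd.startswith("ip mtu") for cmd in body):
                findings.append(("medium", f"{header}: no 'ip mtu' set; GRE+IPsec "
                                 "overhead will fragment full-size packets"))
        elif header.startswith("line vty"):
            for cmd in body:
                if cmd.startswith("transport input") and "telnet" in cmd.split():
                    findings.append(("medium", f"{header}: telnet allowed for management; "
                                     "restrict to 'transport input ssh'"))
        elif header.startswith("crypto isakmp policy"):
            if "hash md5" in body:
                findings.append(("low", f"{header}: IKE hash md5; prefer sha"))

    for line in global_lines:
        m = re.match(r"crypto isakmp key \S+ address (\S+) (\S+)", line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            findings.append(("medium", "wildcard pre-shared key (address 0.0.0.0 0.0.0.0): "
                             "any peer holding the key can negotiate IKE with this hub"))
        if line.startswith("crypto ipsec transform-set") and "esp-3des" in line.split():
            findings.append(("low", f"transform-set {line.split()[3]}: 3DES; prefer esp-aes"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_HUB_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against the real `show run` output by reading the file instead of the constructed sample. The CEF finding is the one that explains the symptom in the question: the `CPU utilization for five seconds: 11%/3%` line the asker quoted reports total CPU before the slash and interrupt-level (fast path) CPU after it, so most of the load there is process-level switching, which is exactly what enabling CEF removes.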
