DMVPN grinds to a halt compared to L2L VPN

Posted on 2010-11-18
Last Modified: 2012-05-10
Hi Experts,
I have a problem with a DMVPN installation. We have a 4Mb portion of a Leased Line that 50 users share to run Citrix over. We currently have a L2L VPN configured on an ASA5510 connecting to a PIX 515 at the Datacentre. This works fine. However, to give us failover on to an ADSL connection if the Leased Line goes down, I would like to implement a DMVPN.

We have therefore installed a 2812 router at the Datacentre and bought an 1800 router for the branch. I configured the DMVPN and it seemed to work fine, but when more than 20 users started using Citrix it ground to a halt. We flipped back to the L2L VPN and it started working fine again. Ping speeds to the Datacentre over the L2L VPN are 9-11ms but Ping speeds over the DMVPN are 18-20ms.

What can I check to identify what the problem is?

The config for the DMVPN is below:

Datacentre (2812) Router:

syn-stv-2812#sh run
Building configuration...


Current configuration : 3128 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname syn-stv-2812
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret
enable password
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
no ip cef
!        
!
ip domain name synarbor.local
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!        
voice-card 0
 no dspfarm
!
!
crypto pki trustpoint TP-self-signed-2608257972
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2608257972
 revocation-check none
 rsakeypair TP-self-signed-2608257972
!
!
!
!
username
archive
 log config
  hidekeys
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key *removed* address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set TFS4 esp-3des esp-md5-hmac
!
crypto dynamic-map DMVPN-Dynamic 10
 set transform-set TFS4
 match address 115
!
!
crypto map DMVPN 10 ipsec-isakmp dynamic DMVPN-Dynamic
!
!
!
!
!
!
!
interface Loopback0
 ip address 172.16.155.254 255.255.255.255
!
interface Tunnel0
 bandwidth 2048
 ip address 172.16.150.254 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication synarbor
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 no ip mroute-cache
 ip ospf network broadcast
 delay 1000
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100000
!
interface FastEthernet0/0
 ip address 192.168.123.245 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address *.*.*.85 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map DMVPN
!
router ospf 1
 log-adjacency-changes
 network 172.16.150.0 0.0.0.255 area 0
 network 192.168.123.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 *.*.*.254
ip route 192.168.11.0 255.255.255.0 192.168.123.250 240
ip http server
no ip http secure-server
!
!
ip nat inside source list 120 interface FastEthernet0/1 overload
!
access-list 115 remark VPN Traffic
access-list 115 permit ip host 172.16.155.254 host 172.16.155.1
access-list 115 permit ip host 172.16.155.254 host 172.16.155.2
access-list 115 permit ip host 172.16.155.254 host 172.16.155.3
access-list 115 permit ip host 172.16.155.254 host 172.16.155.4
access-list 115 permit ip host 172.16.155.254 host 172.16.155.5
access-list 115 permit ip host 172.16.155.254 host 172.16.155.6
access-list 115 deny   ip 192.168.123.0 0.0.0.255 any
access-list 115 deny   ip 192.168.11.0 0.0.0.255 any
access-list 120 remark NAT
access-list 120 permit ip 192.168.11.0 0.0.0.255 any
access-list 120 permit ip 192.168.123.0 0.0.0.255 any
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
line aux 0
line vty 0 4
 session-timeout 120
 privilege level 15
 password **************
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

-----------------------------------------------------------------------------------

Branch (1800) router:

1801-SheffTest#sh run
Building configuration...

Current configuration : 4350 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1801-SheffTest
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
!
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.234.1 172.16.234.128
ip dhcp excluded-address 172.16.234.135 172.16.234.254
!
ip dhcp pool local-pool
   import all
   network 172.16.234.0 255.255.255.0
   default-router 172.16.234.254
   dns-server 192.168.123.31 172.16.234.254
   lease 0 2
!
!
ip domain name synarbor.com
!
multilink bundle-name authenticated
!
!
!
!
username
!
!
track 1 rtr 1 reachability
!
track 5 list boolean or
 object 1
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key *removed* address *.*.*.85 no-xauth
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set TFS4 esp-3des esp-md5-hmac
!
crypto map mGRE-Map 10 ipsec-isakmp
 set peer *.*.*.85
 set security-association level per-host
 set transform-set TFS4
 match address 115
!
!
!
!
interface Loopback0
 ip address 172.16.155.4 255.255.255.255
!
interface Tunnel0
 bandwidth 2048
 ip address 172.16.150.4 255.255.255.0
 ip mtu 1440
 ip nhrp authentication synarbor
 ip nhrp map 172.16.150.254 *.*.*.85
 ip nhrp map multicast 80.2.100.85
 ip nhrp network-id 99
 ip nhrp nhs 172.16.150.254
 ip nhrp registration no-unique
 ip nhrp cache non-authoritative
 no ip mroute-cache
 ip ospf network broadcast
 delay 1000
 tunnel source Loopback0
 tunnel destination 172.16.155.254
 tunnel key 100000
!
interface FastEthernet0
 ip address *.*.*.187 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mGRE-Map
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Vlan1
 description Router-Router-LAN
 ip address 172.16.234.254 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname ****************
 ppp chap password *******************
 ppp ipcp dns request
 crypto map mGRE-Map
!        
router ospf 1
 log-adjacency-changes
 redistribute connected
 network 172.16.150.0 0.0.0.255 area 0
 network 172.16.232.0 0.0.0.255 area 0
 network 172.16.233.0 0.0.0.255 area 0
 network 172.16.234.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 *.*.*.161 track 5
ip route 0.0.0.0 0.0.0.0 Dialer1 10
ip route 81.23.53.29 255.255.255.255 *.*.*.161
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source route-map backup-internet-NAT interface Dialer1 overload
ip nat inside source route-map primary-internet-NAT interface FastEthernet0 overload
!
ip sla 1
 icmp-echo 81.23.53.29
 timeout 1000
 threshold 5
 frequency 10
ip sla schedule 1 life forever start-time now
access-list 115 remark VPN-Traffic
access-list 115 permit ip host 172.16.155.4 host 172.16.155.254
access-list 115 deny   ip 172.16.232.0 0.0.0.255 any
access-list 115 deny   ip 172.16.233.0 0.0.0.255 any
access-list 115 deny   ip 172.16.234.0 0.0.0.255 any
access-list 120 remark NAT
access-list 120 permit ip 172.16.232.0 0.0.0.255 any
access-list 120 permit ip 172.16.233.0 0.0.0.255 any
access-list 120 permit ip 172.16.234.0 0.0.0.255 any
!
!
!
route-map primary-internet-NAT permit 10
 match ip address 120
 match interface FastEthernet0
!        
route-map backup-internet-NAT permit 10
 match ip address 120
 match interface Dialer1
!
!
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 session-timeout 120
 access-class 23 in
 privilege level 15
 login local
 transport input all
!
end

Thanks,
Jaime
Question by:jamwalk123

Author Comment

by:jamwalk123
ID: 34164979
A bit of further information:
I currently have 2 x 5-user branches connecting to the core router via DMVPN and they are working fine. They have ADSL connections. I have noticed that the CPU usage on the core router is as follows:
CPU utilization for five seconds: 11%/3%; one minute: 32%; five minutes: 38%
....and this is with only 2 x small branches connecting.
The core router also has CEF disabled.
Accepted Solution

by:
harbor235 earned 500 total points
ID: 34173219


Turn on CEF; you are process-switching all your traffic.

harbor235 ;}
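An added example, not part of the thread above: a small Python audit that reads an IOS running-config and flags the things a practitioner would check on this hub before and after applying the accepted answer. It flags the `no ip cef` line (the process-switching cause harbor235 points at), the `ip mtu 1440` on Tunnel0 with no `ip tcp adjust-mss`, and, because they are in the posted config, the wildcard pre-shared key (`address 0.0.0.0 0.0.0.0`) and the 3DES/MD5 transform set. It also splits the `show processes cpu` line from the author's follow-up into total, interrupt-level and process-level time. `SAMPLE_HUB_CONFIG` is a constructed, trimmed copy of the posted hub config; `FIXED_HUB_CONFIG`, the 1400/1360 MTU/MSS values, the per-peer key address and the finding texts are this example's own assumptions and guidance, not configuration from the thread.

```python
"""Audit an IOS running-config for the DMVPN pitfalls discussed in this thread.

Added example, not from the original thread.  The sample configs are constructed;
thresholds and finding texts are this example's own guidance.
"""
import re

# Constructed sample: the lines of the posted hub config that the checks look at.
SAMPLE_HUB_CONFIG = """\
no ip cef
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key *removed* address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set TFS4 esp-3des esp-md5-hmac
interface Tunnel0
 ip address 172.16.150.254 255.255.255.0
 ip mtu 1440
 ip nhrp network-id 99
 tunnel mode gre multipoint
end
"""

# Constructed: the same lines after the suggested fixes.  The per-peer key assumes a
# spoke with a static address (192.0.2.187 is a placeholder); for ADSL spokes with
# dynamic addresses, certificate (rsa-sig) authentication is the alternative.
FIXED_HUB_CONFIG = """\
ip cef
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
crypto isakmp key *removed* address 192.0.2.187 no-xauth
crypto ipsec transform-set TFS4 esp-aes 256 esp-sha-hmac
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
end
"""

RECOMMENDED_TUNNEL_MTU = 1400  # common guidance for GRE over IPsec (assumption)
WEAK_ALG = re.compile(r"\b(esp-3des|esp-des|esp-md5-hmac|md5)\b")
CPU_RE = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%")


def parse_sections(config):
    """Map each top-level config line to the list of its indented sub-lines."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit_dmvpn_config(config):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    sections, findings = parse_sections(config), []
    if "no ip cef" in sections:
        findings.append("CEF disabled: every GRE/IPsec packet is process-switched; configure 'ip cef'")
    for top, children in sections.items():
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", top):
            findings.append("wildcard pre-shared key: any host that learns the key can build an SA to the hub")
        if top.startswith("crypto ipsec transform-set") and WEAK_ALG.search(top):
            findings.append(f"{top.split()[3]}: 3DES/MD5 transform set; use AES and SHA")
        if top.startswith("crypto isakmp policy") and "hash md5" in children:
            findings.append(f"{top}: ISAKMP hash md5; use 'hash sha'")
        if top.startswith("interface Tunnel"):
            mtu = next((int(c.split()[2]) for c in children if c.startswith("ip mtu ")), None)
            if mtu is not None and mtu > RECOMMENDED_TUNNEL_MTU:
                findings.append(f"{top}: ip mtu {mtu} leaves little room for GRE+ESP overhead; "
                                f"{RECOMMENDED_TUNNEL_MTU} is the usual value")
            if not any(c.startswith("ip tcp adjust-mss") for c in children):
                findings.append(f"{top}: no 'ip tcp adjust-mss'; TCP flows will fragment or rely on PMTUD")
    return findings


def interpret_cpu_line(line):
    """Split the five-second sample of 'show processes cpu' into (total, interrupt, process).

    IOS prints total/interrupt; the remainder is process-level time, which is where
    non-CEF (process-switched) forwarding is done.
    """
    m = CPU_RE.search(line)
    if not m:
        raise ValueError("not a 'show processes cpu' header line")
    total, interrupt = int(m.group(1)), int(m.group(2))
    return total, interrupt, total - interrupt


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_HUB_CONFIG), ("fixed", FIXED_HUB_CONFIG)):
        print(name, *("  - " + f for f in audit_dmvpn_config(cfg)), sep="\n")
    print(interpret_cpu_line("CPU utilization for five seconds: 11%/3%; one minute: 32%; five minutes: 38%"))
```

On the router itself the same checks are `show ip cef summary` and `show ip interface FastEthernet0/1 | include switching` for the forwarding path, and `show processes cpu sorted` for the load split; on the posted line, 11%/3% means 8 of the 11 points were spent at process level, the signature of process-switched traffic, so after `ip cef` the second number should move much closer to the first.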
