Solved

Cisco 2800 IOS 12.4 VTI Hub to Cisco 871 IOS 12.4 VTI Spoke VERY SLOW FILE TRANSFERS and TS Connection over the VPN

Posted on 2011-10-13
912 Views
Last Modified: 2012-05-12
I have a Cisco 2800 IOS 12.4 router as the hub with a Cisco 871 IOS 12.4 router at a remote location. I have VTIs on each side with 3DES encryption; the tunnels work and I can ping between the networks, but transferring a 10 MB file takes about 10 minutes. There is a 10 MB down and 2 MB WAN connection on each side. Any help is much appreciated. Thanks in advance. Russ
Question by:techsrx
9 Comments
 
LVL 15

Expert Comment

by:greg ward
ID: 36969558
What's the max MTU over the tunnel?
Do you adjust the packets to match?
Can you post a show run without passwords?

Greg
 

Author Comment

by:techsrx
ID: 36987124
We tried a ping from a workstation to the server over the tunnel and found that it fragments on anything over 1399. I have tried these settings on both ends:

 ip mtu 1399
 ip tcp adjust-mss 1378
 

Author Comment

by:techsrx
ID: 36987197
running config on the 2800
Current configuration : 6832 bytes
!
! Last configuration change at 12:34:49 MST Tue Oct 11 2011 by Admin
! NVRAM config last updated at 12:34:51 MST Tue Oct 11 2011 by Admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO2800
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $X$XXXX$XXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local-case
aaa authentication ppp default group radius local
aaa authorization network default group radius if-authenticated
!
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp excluded-address 192.168.3.151 192.168.3.254
!
ip dhcp pool ccp-pool1
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 75.75.75.75 8.8.8.8
   domain-name domain.local
!
!
no ip bootp server
no ip domain lookup
ip name-server 75.75.75.75
ip name-server 8.8.8.8
login block-for 30 attempts 5 within 1
login delay 5
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group VPN
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 l2tp tunnel receive-window 256
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-XXXXXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXXXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXXXXX
 certificate self-signed 01
  XXXXXXXX 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 XXXXXXXX
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33363435 XXXXXXXX 3834301E 170D3131 30383139 31363532
  30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36343535
  39333338 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A0AA 32E23283 42BC7DEA D19AA042 F971B386 5BA042F7 A887EBCF DE117D09
  F8194638 819F2B88 6660C078 XXXXXXXX 5B88B1B0 DD8347EC 188727D3 F373111A
  9ED6EF6B 0FEADEC3 B70A00CF E54B42DD C77AD8FD E2FBC380 21521CF1 790306CE
  XXXXXXXX 2A63DC32 D099D6B7 9D085470 89A49A18 CFD5B49E 4B1FEDE1 99CD5587
  71AB0203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603
  551D1104 0E300C82 0A424552 4E414C49 4C4C4F30 1F060355 1D230418 30168014
  B2E14414 0412C688 3A83E24F 4B6EE2B7 1637D486 301D0603 551D0E04 XXXXXXXX
  E1441404 12C6883A 83E24F4B 6EE2B716 37D48630 0D06092A 864886F7 0D010104
  05000381 81001B1E 24BA533F 8013CA13 EB90F2C4 125C9220 97AE9CB2 03236D28
  5223AD01 E85B2136 EBFA9F94 1CB404EE 0368A01E 6573FAFF 151F11D8 ADDCF88B
  66CE8A67 BCA2C9EE 8CAB4D02 9DFEA879 3A29E4A9 C7680158 4F0C37FC 02392A49
  XXXXXXXX F22EB56C 44F1D317 07F76F13 EE0D8F5C 5CD537AE 833EB4C7 XXXXXXXX
  9E3B5A33 C4C0
        quit
!
!
username XXXXXXXX privilege 15 secret 5 $XXXXXXXX$KHXXXXXXXXmrFXXXXXXXXqyMJD/
archive
 log config
  hidekeys
!
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key MYVERYSECRETKEY address 173.000.000.85
crypto isakmp key MYVERYSECRETKEY address 173.000.000.165
crypto isakmp key MYVERYSECRETKEY address 0.0.0.0 0.0.0.0
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set tset esp-aes esp-sha-hmac
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile PROF
 set transform-set tset
!
crypto ipsec profile SAVCPU
 set transform-set ccsp
!
crypto dynamic-map cc 10
 set nat demux
 set transform-set ccsp
!
!
crypto map cisco 10 ipsec-isakmp dynamic cc
!
!
!
ip ssh authentication-retries 5
ip ssh port 5555 rotary 1
ip ssh version 2
!
policy-map FOO
 class class-default
  shape average 128000
!
!
!
!
!
interface Loopback1
 no ip address
!
interface Tunnel0
 description Belen VPN
 ip address 10.20.30.1 255.255.255.252
 ip mtu 1399
 ip tcp adjust-mss 1378
 tunnel source FastEthernet0/0
 tunnel destination 173.163.240.85
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SAVCPU
 service-policy output FOO
!
interface Tunnel1
 description Los Lunas VPN
 ip address 10.20.30.5 255.255.255.252
 ip mtu 1399
 ip tcp adjust-mss 1378
 tunnel source FastEthernet0/0
 tunnel destination 173.000.000.165
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SAVCPU
 service-policy output FOO
!
interface FastEthernet0/0
 description $ES_WAN$
 ip address 75.000.000.169 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map cisco
!
interface FastEthernet0/1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.3.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 peer default ip address pool vpn_pool
 ppp mtu adaptive
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.3.0
 network 192.168.10.0
 network 192.168.11.0
 network 192.168.12.0
!
ip local pool vpn_pool 192.168.12.175 192.168.12.199
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.000.000.174
!
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 3700
ip nat inside source route-map NONAT_NAT interface FastEthernet0/0 overload
!
ip access-list extended nonat_nat
 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.12.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
!
no logging trap
access-list 152 remark deny_ssh_default_port_and_telnet
access-list 152 deny   tcp any any eq 22
access-list 152 deny   tcp any any eq telnet
access-list 152 permit tcp any gt 1024 any gt 1024
no cdp run
!
!
!
route-map NONAT_NAT permit 1
 match ip address nonat_nat
!
!
!
radius-server host 192.168.3.11 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXX
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
|=================================================================|
Cisco 2800 Router - Authorized Personel Only
Internal IP: 192.168.3.1
External IP: 75.000.000.169 - Comcast
Hostname $(hostname)
Domain $(domain)
Line $(line)
|=================================================================|
^C
!
line con 0
line aux 0
line vty 0 4
 access-class 152 in
 privilege level 15
 rotary 1
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp clock-period 17180248
ntp server 192.5.41.40
!
end



 
LVL 15

Expert Comment

by:greg ward
ID: 36988763
I would read that and try using the Cisco extended ping command to make sure you have no packet loss.
Then check with iperf how much data you can transmit.

http://en.wikipedia.org/wiki/TCP_tuning
https://supportforums.cisco.com/thread/185210

Greg
 
LVL 15

Expert Comment

by:greg ward
ID: 36990745
Also read this. http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html
The ip tcp adjust-mss command is effective only for TCP connections passing through the router.

In most cases, the optimum value for the max-segment-size argument is 1452 bytes. This value plus the 20-byte IP header, the 20-byte TCP header, and the 8-byte PPPoE header add up to a 1500-byte packet that matches the MTU size for the Ethernet link.

So for PPPoE:
ip tcp adjust-mss = x
ip mtu = x + 48

Greg
 

Author Comment

by:techsrx
ID: 37006912
Thank you for your response and sorry for the delayed reply. We have just moved offices and I am finally settled in.

iperf shows the bandwidth over the tunnels at 116 kbit/s; iperf to the outside address is 5 Mbit/s.

I read the articles but I am not sure what to do. Thanks Russ
 

Author Comment

by:techsrx
ID: 37006948
C:\>iperf.exe -c 192.168.3.12
------------------------------------------------------------
Client connecting to 192.168.3.12, TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[1912] local 192.168.0.121 port 1536 connected with 192.168.3.12 port 5001
[ ID] Interval       Transfer     Bandwidth
[1912]  0.0-11.3 sec   168 KBytes   122 Kbits/sec


C:\>iperf.exe -c 75.000.000.169
------------------------------------------------------------
Client connecting to 75.000.000.169, TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[1912] local 192.168.0.121 port 1537 connected with 75.000.000.169 port 5001
[ ID] Interval       Transfer     Bandwidth
[1912]  0.0-10.0 sec  3.78 MBytes  3.16 Mbits/sec

 
LVL 15

Accepted Solution

by:
greg ward earned 2000 total points
ID: 37008191
ip mtu 1399
 ip tcp adjust-mss 1359

I would try that and see how you go.

Also do a ping from the PC to make sure it does not fragment.

policy-map FOO
 class class-default
  shape average 128000
!
!
!
!
!
interface Loopback1
 no ip address
!
interface Tunnel0
 description Belen VPN
 ip address 10.20.30.1 255.255.255.252
 ip mtu 1399
 ip tcp adjust-mss 1378
 tunnel source FastEthernet0/0
 tunnel destination 173.163.240.85
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SAVCPU
 service-policy output FOO   <-- can you remove this and test?


Greg
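The arithmetic behind both of Greg's suggestions, as an added worked example (not code from the thread or from Cisco). Two things are checked. First, the MSS: a full-size TCP segment is MSS plus 20 bytes of IP and 20 bytes of TCP header, so with `ip mtu 1399` the original `ip tcp adjust-mss 1378` produced 1418-byte packets that are larger than the tunnel's ip mtu and must be fragmented, while 1359 is the largest MSS that fits. Second, the shaper: `shape average 128000` caps Tunnel0 at 128 kbit/s, which matches the 116 to 122 kbit/s iperf figures and by itself makes a 10 MB transfer take about 11 minutes. The ESP overhead model is an assumption not stated on the page: 3DES-CBC (8-byte block and IV) with HMAC-SHA1-96 (12-byte ICV), an outer IPv4 header without options, no NAT-T UDP header, the whole inner datagram carried as ESP payload, and a 1500-byte link MTU on FastEthernet0/0. The iperf unit convention (KBytes in 1024, Kbits in 1000) is iperf 2's and is also an assumption here.

```python
"""MTU/MSS and shaper arithmetic for an IPsec VTI (added example, not from the thread).

Assumptions (not stated on the page): ESP with 3DES-CBC (8-byte block, 8-byte IV)
and HMAC-SHA1-96 (12-byte ICV), an outer IPv4 header with no options, no NAT-T
UDP header, the whole inner datagram carried as ESP payload, and a 1500-byte
physical link MTU on FastEthernet0/0.
"""

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


def esp_wire_len(inner_len, block=8, iv_len=8, icv_len=12):
    """Bytes on the wire for one inner IP datagram of inner_len bytes after ESP.

    ESP pads so that (payload + trailer) is a multiple of the cipher block size.
    """
    pad = (-(inner_len + ESP_TRAILER)) % block
    return IP_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def largest_inner_mtu(link_mtu=1500, **cipher):
    """Largest inner datagram whose ESP encapsulation still fits the link MTU."""
    n = link_mtu
    while esp_wire_len(n, **cipher) > link_mtu:
        n -= 1
    return n


def max_mss(ip_mtu):
    """Largest MSS whose full-size segment fits ip_mtu (IP + TCP headers come off)."""
    return ip_mtu - IP_HDR - TCP_HDR


def segment_fits(mss, ip_mtu):
    """True if a full-size segment (MSS + 40 bytes of headers) fits the tunnel ip mtu."""
    return mss + IP_HDR + TCP_HDR <= ip_mtu


def transfer_seconds(file_bytes, rate_bps):
    """Time to move file_bytes at rate_bps, ignoring protocol overhead (a lower bound)."""
    return file_bytes * 8 / rate_bps


def iperf_kbit_s(transfer_kbytes, seconds):
    """Recompute iperf 2's Kbits/sec: KBytes are 1024-based, Kbits 1000-based (assumed)."""
    return transfer_kbytes * 1024 * 8 / seconds / 1000


def review(ip_mtu, adjust_mss, shape_bps, link_mtu=1500):
    """Summarise the checks a practitioner would make on the thread's tunnel config."""
    return {
        "wire_bytes_at_ip_mtu": esp_wire_len(ip_mtu),
        "ip_mtu_fits_link": esp_wire_len(ip_mtu) <= link_mtu,
        "largest_inner_mtu": largest_inner_mtu(link_mtu),
        "max_mss": max_mss(ip_mtu),
        "segment_fits": segment_fits(adjust_mss, ip_mtu),
        "shaper_kbit_s": shape_bps / 1000,
        "minutes_for_10MB_at_shaper": transfer_seconds(10 * 1024 * 1024, shape_bps) / 60,
    }


if __name__ == "__main__":
    # Original Tunnel0 settings from the thread (1378) vs. the accepted change (1359).
    for mss in (1378, 1359):
        print(f"ip mtu 1399 / adjust-mss {mss}:", review(1399, mss, 128000))
    # The user's iperf run over the tunnel: 168 KBytes in 11.3 s.
    print("iperf over tunnel, recomputed: %.0f Kbit/s" % iperf_kbit_s(168, 11.3))
```

Under these assumptions a 1399-byte inner datagram becomes 1456 bytes on the wire, so `ip mtu 1399` is comfortably below the 1446-byte limit the model gives for 3DES/SHA-1 over a 1500-byte link; the MSS, not the MTU, was the fragmentation problem. The shaper result is the stronger lead for the "10 minutes per 10 MB" symptom: 128 kbit/s is exactly where the iperf runs were landing, and the thread never isolates which of the two changes fixed it.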
 

Author Closing Comment

by:techsrx
ID: 37096424
Did this

ip mtu 1399
 ip tcp adjust-mss 1359

and removed
service-policy output FOO

Works great now. Not sure which one did the trick though. Thanks for your help Greg and sorry it took so long to get back. Russ
