DMVPN and FTP issue

tmesbah
Level 1

Hi,

We are using DMVPN phase 3, with one Cisco 3845 as the hub and one Cisco 2851 as the spoke, connected to MPLS cloud CE routers that belong to the provider; we have no access to them.

For testing the line, we use ping, and it works with no problem: no drops and a latency of 8 ms from the Ottawa hub to the Montreal spoke.

But when we start an FTP session with a file size of 16 meg, the FTP pauses for at least 4 seconds, and we notice that the ping latency (from Ottawa to Montreal, using the same laptop as the FTP) goes from 80 ms to 145 ms with TTL=126.

To troubleshoot, we:

1) Checked the speed and duplex with the provider's CE routers; all are OK (no errors or collisions on their interfaces, and the same on our C routers).

2) Connected our laptop directly to the CEs in Ottawa and Montreal; FTP worked with no pause and no loss of the connection while doing the ping, and the latency was the same, going from 80 ms to 145 ms. We now know that the problem is on our side, in the hub and spoke routers.

3) Removed these commands from tunnel0 on our hub and spoke, with no success (still losing the connection when doing FTP):

no ip tcp adjust-mss 1360

no ip mtu 1400

I attached the configs of the hub and spoke.

Thanks

8 Replies

Giuseppe Larosa
Hall of Fame

Hello Tayeb,

you are facing an MTU problem and packets are fragmented

with your transform set the overhead is bigger than 100 bytes

try to use

ip mtu 1380

ip tcp adjust-mss 1340

see

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html#wp56035

it states the overhead is 120 bytes with your transform set

Hope to help

Giuseppe

Thanks Giuseppe. Do I need to do this change inside the Tunnel0 interface?

Thanks

Hello Tayeb,

do the change inside the tunnel interface on both ends (hub and spokes)

Hope to help

Giuseppe

Thanks Giuseppe. I will try it tomorrow; we have a power shutdown on the complex today.

Will this tuning (MTU and MSS) be done regardless of the interface bandwidth? We have 3 Meg on the spoke and 30 Meg on the hub.

Thanks

Hi,

Below is an excellent document on Resolving IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

And to answer your specific question: yes, MTU and MSS work regardless of the interface bandwidth.

Regards,

Arul

*Pls rate if it helps*

I changed the MTU to 1380 and the MSS to 1340, and it did not fix our problem! Still losing ping while doing FTP.

Any other suggestions?

Hello Tayeb,

I've given you the right link but a little wrong info:

120 bytes should be the overhead in transport mode

It is 140 bytes in tunnel mode (the default mode)

to configure transport mode:

crypto ipsec transform-set XXXX_transform_set esp-aes 256 esp-sha-hmac

mode transport

take care that you have AES 256, so probably you need to reduce more

256 bits are 32 bytes

the calculations in the SRND were done for 3DES.

3DES = 56*3 = 168 bits

AES 256 uses 11 bytes more

Use

int tunnel 10

ip mtu 1340

ip tcp adjust-mss 1300

Hope to help

Giuseppe
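The two replies above (the overhead figure and the transport-mode calculation) and the linked Cisco white paper all come down to one sum: how big does an inner packet get after GRE encapsulation and ESP protection, and does it still fit a 1500-byte link? A packet that no longer fits is fragmented, or dropped when DF is set, which is what a stalled transfer with healthy small-packet pings looks like. The calculator below is an added example, not code from the thread, from Cisco, or from the linked documents. It uses the fixed field lengths of GRE (RFC 2784/2890) and ESP (RFC 4303) together with the CBC block and IV sizes of 3DES and AES; note that the AES key length (128 or 256 bits) does not change the on-wire overhead, only the IV, the CBC padding and the ICV do. Assumptions you can change: an 8-byte GRE header (a `tunnel key` is configured, as DMVPN usually does), a 96-bit HMAC ICV, no IP options, and a 1500-byte physical MTU.

```python
"""
GRE-over-IPsec size calculator (added example; not from the thread or Cisco).

Derives the largest tunnel "ip mtu" that never exceeds the physical MTU after
encapsulation, and the matching "ip tcp adjust-mss" (ip mtu minus the 40 bytes
of IPv4 + TCP header).  All sizes in bytes.
"""

IPV4_HDR = 20        # IPv4 header without options
TCP_HDR = 20         # TCP header without options
GRE_HDR = 4          # GRE flags/version + protocol type
GRE_KEY = 4          # optional GRE Key field (present when "tunnel key" is set)
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
# cipher -> (CBC block size, IV length); key length is irrelevant here
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}
# ESP authentication -> ICV length (96-bit truncated HMAC)
AUTH = {"sha1-hmac": 12, "md5-hmac": 12}


def esp_padding(plaintext_len, block):
    """CBC padding so that plaintext + padding + trailer is a block multiple."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def encapsulated_size(inner_len, cipher="aes", auth="sha1-hmac",
                      mode="tunnel", tunnel_key=True):
    """On-wire size of one inner IP packet of inner_len bytes after GRE
    encapsulation and ESP protection in the given IPsec mode."""
    block, iv = CIPHERS[cipher]
    gre = GRE_HDR + (GRE_KEY if tunnel_key else 0)
    plaintext = gre + inner_len
    if mode == "tunnel":
        plaintext += IPV4_HDR   # tunnel mode also encrypts the GRE IP header
    pad = esp_padding(plaintext, block)
    return IPV4_HDR + ESP_HDR + iv + plaintext + pad + ESP_TRAILER + AUTH[auth]


def overhead(inner_len, **kw):
    """Bytes added to a packet of inner_len; varies with CBC padding."""
    return encapsulated_size(inner_len, **kw) - inner_len


def fits(ip_mtu, phys_mtu=1500, **kw):
    """True when a tunnel packet of ip_mtu bytes crosses the link unfragmented."""
    return encapsulated_size(ip_mtu, **kw) <= phys_mtu


def max_tunnel_ip_mtu(phys_mtu=1500, **kw):
    """Largest tunnel 'ip mtu' whose packets never exceed phys_mtu."""
    for inner in range(phys_mtu, 0, -1):
        if fits(inner, phys_mtu, **kw):
            return inner
    raise ValueError("no inner size fits the physical MTU")


def tcp_mss_for(ip_mtu):
    """MSS that keeps a full TCP segment inside ip_mtu."""
    return ip_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    # Worst-case overhead: scan one full CBC block cycle of inner sizes.
    for mode in ("tunnel", "transport"):
        for cipher in ("3des", "aes"):
            kw = dict(cipher=cipher, mode=mode)
            mtu = max_tunnel_ip_mtu(**kw)
            worst = max(overhead(n, **kw) for n in range(1300, 1316))
            print(f"{mode:9s} {cipher:4s}: ip mtu {mtu}, "
                  f"ip tcp adjust-mss {tcp_mss_for(mtu)}, "
                  f"worst-case overhead {worst}")
    # The thread's original setting, AES + SHA1 in tunnel mode:
    print("ip mtu 1400 fits a 1500-byte link:", fits(1400))
```

The MSS values the thread uses follow directly from the MTU (1400 gives 1360, 1380 gives 1340). Switching the transform set to `mode transport` saves exactly the 20 bytes of the extra IP header, and moving from 3DES to AES costs a larger IV plus up to 15 instead of up to 7 bytes of padding; both effects show up in the printed table. Because the pad rounds the ESP plaintext up to a block multiple, several consecutive `ip mtu` values produce the same wire size, so picking the MTU one byte too high can push the packet past the link MTU even though the previous value was comfortably inside it.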