10-25-2008 07:29 AM - edited 03-04-2019 12:04 AM
Hi,
We are using DMVPN phase 3, with one Cisco 3845 as the hub and one Cisco 2851 as the spoke, connected to MPLS cloud CE routers that belong to the provider; we have no access to them.
To test the line we use ping, and it works with no problem, no drops, and a latency of 8 ms from the Ottawa hub to the Montreal spoke.
But when we start an FTP session with a file size of 16 meg, the FTP pauses for at least 4 seconds, and we notice that the ping latency (from Ottawa to Montreal, using the same laptop as the FTP) goes from 80 ms to 145 ms with TTL=126.
To troubleshoot we:
1) Checked the speed and duplex with the provider's CE routers; all are OK (no errors or collisions on their interfaces, and the same on our C routers).
2) Connected our laptop directly to the CEs in Ottawa and Montreal and did the FTP; it worked with no pause and no loss of the connection while doing the ping, and the latency was the same, going from 80 ms to 145 ms. We know now that the problem is on our side, in the hub and spoke routers.
3) Removed these commands from tunnel0 on our hub and spoke, with no success (still losing the connection when doing FTP):
no ip tcp adjust-mss 1360
no ip mtu 1400
I attached the configs of the hub and spoke.
Thanks
10-25-2008 08:11 AM
Hello Tayeb,
You are facing an MTU problem and packets are being fragmented.
With your transform set the overhead is bigger than 100 bytes.
Try to use:
ip mtu 1380
ip tcp adjust-mss 1340
See
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html#wp56035
It states that the overhead is 120 bytes with your transform set.
Hope to help
Giuseppe
10-25-2008 09:25 AM
Thanks Giuseppe. Do I need to make this change inside the Tunnel0 interface?
Thanks
10-25-2008 10:07 AM
Hello Tayeb,
Make the change inside the tunnel interface on both ends (hubs and spokes).
Hope to help
Giuseppe
10-25-2008 05:05 PM
Thanks Giuseppe. I will try it tomorrow; we have a power shutdown on the complex today.
Will this tuning (MTU and MSS) be done regardless of the interface bandwidth? We have 3 Meg on the spoke and 30 Meg on the hub.
Thanks
10-25-2008 08:49 PM
Hi,
Below is an excellent document on resolving IP fragmentation, MTU, MSS, and PMTUD issues with GRE and IPsec.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
And to answer your specific question: yes, MTU and MSS work regardless of the interface bandwidth.
Regards,
Arul
*Pls rate if it helps*
10-26-2008 08:24 AM
Changed the MTU to 1380 and the MSS to 1340, and it did not fix our problem! Still losing pings while doing FTP.
Any other suggestions?
10-26-2008 01:20 PM
Hello Tayeb,
I've given you the right link but a little wrong info.
120 bytes should be the overhead in transport mode.
It is 140 bytes in tunnel mode (the default mode).
To configure transport mode:
crypto ipsec transform-set XXXX_transform_set esp-aes 256 esp-sha-hmac
mode transport
Take care that you have AES 256, so probably you need to reduce more.
256 bits are 32 bytes.
The calculations in the SRND were done for 3DES.
3DES = 56*3 = 168 bits
AES 256 uses 11 bytes more.
Use:
int tunnel 10
ip mtu 1340
ip tcp adjust-mss 1300
Hope to help
Giuseppe
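The overhead figures discussed above depend on the transform set, on whether the tunnel carries a GRE key, and on tunnel versus transport mode. The following calculator is an added example, not something from this thread or from Cisco's documents: it builds the wire length of a GRE-over-ESP packet from the standard header sizes (IPv4 20, GRE 4 plus 4 for a key, ESP header 8, CBC IV of one block, ESP trailer 2, SHA-1 HMAC-96 ICV 12) and searches for the largest tunnel "ip mtu" that fits a 1500-byte physical link without fragmentation. The cipher, mode, key presence and physical MTU are parameters you supply; the 1500-byte link and the AES-256/SHA-1 transform set are assumptions taken from the thread, and note that AES key length changes neither the IV nor the padding, only the 16-byte block size does.

```python
# Added worked example (not from the thread): MTU/MSS budget for GRE over IPsec
# ESP as used by DMVPN. Header sizes are the standard RFC values; the transform
# set, tunnel key and physical MTU are assumptions passed in as parameters.

IPV4_HEADER = 20       # IPv4 header without options
TCP_HEADER = 20        # TCP header without options (for the MSS rule)
GRE_HEADER = 4         # GRE flags/version + protocol type (RFC 2784)
GRE_KEY_FIELD = 4      # present when 'tunnel key' is configured (RFC 2890)
ESP_HEADER = 8         # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2        # pad length + next header
ESP_ICV_SHA1 = 12      # HMAC-SHA-1-96 integrity check value (esp-sha-hmac)

# CBC ciphers carry an IV of one block and pad the plaintext to a block
# boundary. AES-128 and AES-256 share the same 16-byte block; 3DES uses 8.
CBC_BLOCK_SIZE = {"3des": 8, "aes": 16}


def wire_length(inner_len, cipher="aes", tunnel_mode=True, gre_key=True):
    """Bytes on the physical wire for one inner IP packet of inner_len bytes
    after GRE encapsulation and ESP protection."""
    block = CBC_BLOCK_SIZE[cipher]
    gre = GRE_HEADER + (GRE_KEY_FIELD if gre_key else 0)
    # ESP encrypts the GRE header plus the inner packet. In tunnel mode the
    # GRE delivery IP header is encrypted too and a fresh outer IP header is
    # prepended; in transport mode the delivery header stays in the clear.
    encrypted = gre + inner_len + (IPV4_HEADER if tunnel_mode else 0)
    pad = (-(encrypted + ESP_TRAILER)) % block
    return (IPV4_HEADER + ESP_HEADER + block      # outer IP, ESP header, IV
            + encrypted + pad + ESP_TRAILER + ESP_ICV_SHA1)


def max_tunnel_ip_mtu(physical_mtu=1500, **kw):
    """Largest 'ip mtu' for the tunnel interface such that the encrypted
    packet still fits the physical link without fragmentation."""
    inner = physical_mtu
    while wire_length(inner, **kw) > physical_mtu:
        inner -= 1
    return inner


def recommended_mss(tunnel_ip_mtu):
    """'ip tcp adjust-mss' value: tunnel MTU minus inner IP and TCP headers."""
    return tunnel_ip_mtu - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for cipher in ("3des", "aes"):
        for tunnel_mode in (True, False):
            mtu = max_tunnel_ip_mtu(1500, cipher=cipher,
                                    tunnel_mode=tunnel_mode, gre_key=True)
            mode = "tunnel" if tunnel_mode else "transport"
            print(f"{cipher:5s} {mode:9s} ip mtu {mtu}"
                  f"  ip tcp adjust-mss {recommended_mss(mtu)}")
```

The calculator assumes a clean 1500-byte path end to end; a provider path with a smaller MTU lowers every number. Confirm the real budget from the router with an IOS ping to the far tunnel endpoint using the df-bit and size keywords at the candidate sizes, and watch the "fragmented" counters in show crypto ipsec sa and show ip traffic before and after the change. If the counters stay at zero while the FTP still stalls, fragmentation is not the cause and the investigation should move to queueing and drops on the 3 Meg spoke link.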