VPN - Lost Packets

Unanswered Question
Nov 3rd, 2008

Hi,


I have a Cisco 2621XM router set up running IOS 12.4(21a), which provides internet connectivity via an ADSL line. The router also has several site-to-site VPNs and GRE/IPsec tunnels. Connectivity to the sites via the GRE/IPsec tunnels works without a problem, as does internet connectivity.

The site-to-site IPsec tunnels (non-GRE) to other client sites currently display the following: the VPN tunnels come up and pass traffic; however, there seems to be packet loss. If I open a ping to a remote host I get reply, request timed out, reply, etc. Also, RDP fails to work altogether and SSH is extremely slow.

A constant ping to http://www.google.com or to a host over the GRE/IPsec tunnel is constant and works fine. I have tried a different router in its place and get the same issue.


Any help with this would be greatly appreciated.



Below is the config:



version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 10
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key sitea address x.x.x.x
crypto isakmp key siteb address x.x.x.x
crypto isakmp key sitec address x.x.x.x
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode transport
!
crypto map crypto_map 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address acl_gre_traffic_n1
crypto map crypto_map 20 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address acl_gre_traffic_n2
crypto map crypto_map 30 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 match address acl_crypto_map30
crypto map crypto_map 40 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 match address acl_crypto_map40
crypto map crypto_map 50 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-3DES-MD5
 match address acl_crypto_map50
!
interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination x.x.x.x
 crypto map crypto_map
!
interface Tunnel1
 ip address 192.168.200.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination x.x.x.x
 crypto map crypto_map
!
interface FastEthernet0/0
 description Outside Interface
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed 100
 crypto map crypto_map
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 description Inside Interface
 ip address x.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip nat pool crypto_map30_pool x.x.x.x x.x.x.x netmask 255.255.255.0
ip nat pool crypto_map40_pool x.x.x.x x.x.x.x netmask 255.255.255.192
ip nat inside source route-map route_map_nat interface FastEthernet0/0 overload
ip nat inside source route-map route_map_crypto_map30 pool crypto_map30_pool
ip nat inside source route-map route_map_crypto_map40 pool crypto_map40_pool
ip dns server
!
route-map route_map_nat permit 1
 match ip address acl_nat
!
route-map route_map_crypto_map40 permit 1
 match ip address acl_crypto_map40_nat
!
route-map route_map_crypto_map30 permit 1
 match ip address acl_crypto_map30_nat
!


alraycisco Tue, 11/04/2008 - 06:44

Hi,


Thanks for the reply. Strangely, the VPN tunnels that terminate off the Tunnel interfaces don't have a problem; it's just the non-GRE IPsec tunnels. I've tried adjusting the MTU sizes on the physical outside interface using the above commands; however, I still have the same problem.


I've also tried using the 'mtu 1400' command on the physical interface, however I get:


% Interface FastEthernet0/0 does not support user settable mtu.


Thanks

alraycisco Tue, 11/04/2008 - 07:28

Hi,


Once again thanks for the response. I have tried the above, however, I am still experiencing the same problem, having brought the VPN tunnels down.


According to the site pre-fragmentation should be on by default.


Thanks

alraycisco Mon, 11/10/2008 - 05:44

Hi,


Just an update on this: as a test I've set up an additional IPsec tunnel to an ASA5505 (my home ASA). Connectivity over this VPN works without any problems.

I find it quite strange that 3 customer VPNs should display the same problems (dropped packets), yet an IPsec VPN to my home firewall works without any problems. Is there anything I can get the customer to do at their end? Is the problem that their MTU values are considerably lower than my outside interface's MTU?


Thanks
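As an added example, not from the original thread: a small Python model of the ESP encapsulation the posted transform sets (ESP-3DES-SHA, ESP-3DES-MD5, both "mode transport") produce, to put numbers on the MTU question above. It assumes IPv4, no NAT-T, a 1500-byte outside MTU, and that the non-GRE crypto map entries end up in tunnel mode (IOS does this for traffic the router itself does not originate); the packet sizes are constructed.

```python
# ESP encapsulation model for the transform sets in the posted config (added
# example, not from the post).  Assumes IPv4, no NAT-T; sizes are constructed.
IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
GRE_HDR = 4          # plain GRE as on Tunnel0/Tunnel1 (no key/sequence)
DES3_BLOCK = 8       # 3DES-CBC block size; the ESP IV is one block
ICV_LEN = {"esp-sha-hmac": 12, "esp-md5-hmac": 12}   # HMAC-96 truncation
# integrity algorithm per transform set, as configured
TRANSFORM_SETS = {"ESP-3DES-SHA": "esp-sha-hmac", "ESP-3DES-MD5": "esp-md5-hmac"}

def esp_packet_size(inner_len, ts_name, gre=False):
    """Bytes on the wire after an inner_len-byte IPv4 packet is encapsulated.

    gre=True models the GRE/IPsec tunnels: GRE is added first and, since the
    GRE endpoints are the IPsec peers, "mode transport" really applies (the
    delivery IP header is kept; GRE + inner packet are encrypted).
    gre=False models the non-GRE crypto map entries: LAN-to-LAN traffic is not
    router-originated, so IOS falls back to tunnel mode and prepends a fresh
    outer IPv4 header despite the transform set saying "mode transport".
    """
    icv = ICV_LEN[TRANSFORM_SETS[ts_name]]
    plaintext = GRE_HDR + inner_len if gre else inner_len
    # plaintext + trailer is padded up to a whole number of 3DES blocks
    padded = -(-(plaintext + ESP_TRAILER) // DES3_BLOCK) * DES3_BLOCK
    return IPV4_HDR + ESP_HDR + DES3_BLOCK + padded + icv

def fits(inner_len, link_mtu, ts_name, gre=False):
    """True if the encrypted packet leaves the outside interface unfragmented."""
    return esp_packet_size(inner_len, ts_name, gre) <= link_mtu

def max_inner_size(link_mtu, ts_name, gre=False):
    """Largest inner packet that still fits link_mtu after encapsulation."""
    size = link_mtu
    while not fits(size, link_mtu, ts_name, gre):
        size -= 1
    return size

def mss_clamp(link_mtu, ts_name, gre=False):
    """'ip tcp adjust-mss' value that avoids post-encryption fragmentation."""
    return max_inner_size(link_mtu, ts_name, gre) - IPV4_HDR - TCP_HDR

if __name__ == "__main__":
    # constructed sizes: a default Windows ping (60-byte IP packet) and a full
    # 1500-byte segment (e.g. an RDP screen update) over a 1500-byte outside MTU
    for size in (60, 1500):
        print(size, "bytes via ESP-3DES-SHA fits:", fits(size, 1500, "ESP-3DES-SHA"))
    print("adjust-mss for the non-GRE tunnels:", mss_clamp(1500, "ESP-3DES-SHA"))
```

A default-size ping fits with plenty of room, so alternating reply/timeout on small pings is not by itself an MTU symptom; full-size TCP segments, which RDP and SSH bulk transfers do produce, exceed the outside MTU after encryption unless the MSS is clamped or the peer honours fragmentation.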
