GRE Over IPSEC Packet Drops

Mar 6th, 2010

Router2 gig 0/1 --------ISP 1,100 MBPS------------gig0/1Router2

          gig0/2 --------ISP 2, 100 MBPS-----------gig0/2


Convertor is used to connect to 100 MBPS ISP Link.


Currently running EIGRP between the routers and using equal cost load balancing. [All applications work fine].


Now I have configured GRE over IPsec between two sites.


When traffic is passed via the GRE tunnels, packets are dropped.


MTU size is reduced to 1400 and tried the below changes by reading Cisco docs.


ip mtu 1418

ip tcp adjust-mss 1300

Tunnel bandwidth transmit/receive is set to 100 MBPS.


Around 80 MBPS traffic is passing between the sites.


Need to know whether GRE over IPsec will support 80 MBPS traffic or not.

Two routers have VAM 2+ modules [7200].

Giuseppe Larosa Sat, 03/06/2010 - 09:46

Hello Parthiban,

What really counts is the packet rate, not the aggregate rate in Mbps.


There are results in the point-to-point GRE+IPSEC solution reference design that would say yes, but it is to be noted that they are using many small BW tunnels:


http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/4_p2pGRE_Phase2_external_docbase_0900e4b180a3eff0_4container_external_docbase_0900e4b180ad8740.html


But if I've understood you correctly, you have two GRE tunnels per direction, one over the ISP1 link and one over the ISP2 link.


What happens if you use GRE tunnels without IPSec? Do you still see drops or not?


Data sheet of VAM2+ says:


• Data Encryption Standard (DES) standard mode with 56-bit key: Cipher Block Chaining (CBC)
• >>>> 3-Key Triple DES (168-bit) algorithms at speeds up to 292 Mbps
• 128/192/256-bit Advanced Encryption Standard (AES) in hardware
• >>>> Performance to OC3 full duplex with 300 byte packets
• Up to 5000 tunnels for DES/3DES/AES
• Provides compression with IPSec at no extra overhead (LZS)
• Secure Hash Algorithm (SHA)-1 and Message Digest 5 (MD5) hash algorithms
• Rivest, Shamir, Adelman (RSA) public-key algorithm
• Diffie-Hellman Groups 1, 2 and 5
• Online Insertion and Removal (OIR)


"Performance to OC3 full duplex with 300 byte packets": this means 149 Mbps of packets of 300 bytes.

It gives 62,083 pps per direction, 124,166 pps aggregate.



http://www.cisco.com/en/US/prod/collateral/modules/ps8768/ps7332/data_sheet_c78_48012.html


See the troubleshooting tips in the configuration guide to check if there are errors in show commands related to VAM2+:



http://www.cisco.com/en/US/docs/security/vpn_modules/vam_vsa/vam2plus/installation/guide/vam2p_cf.html#wp68671


Hope to help

Giuseppe
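
The packet-rate reasoning in the reply above and the tunnel MTU values from the question, worked through as an added example that is not part of the original thread. It assumes IPv4, GRE without key or sequence options, ESP with a CBC cipher and a 96-bit HMAC, and no NAT-T; the packet sizes in the report are constructed samples.

```python
# Added example, not from the thread: packet-rate and size arithmetic for GRE over IPsec.
# Assumptions: IPv4, GRE without key/sequence options, ESP with a CBC cipher and a
# 96-bit HMAC (SHA-1 or MD5), no NAT-T. Packet sizes below are constructed samples.
import math

GRE_OVERHEAD = 24                                  # delivery IPv4 header (20) + GRE header (4)
ESP_HEADER = 8                                     # SPI (4) + sequence number (4)
ESP_TRAILER = 2                                    # pad length (1) + next header (1)
ICV = 12                                           # truncated HMAC-SHA1-96 / HMAC-MD5-96
CIPHERS = {"3des": (8, 8), "aes-cbc": (16, 16)}    # name -> (IV bytes, block bytes)


def pps(mbps, packet_bytes):
    """Packets per second needed to carry `mbps` at a given packet size."""
    return mbps * 1_000_000 / (packet_bytes * 8)


def esp_packet_size(inner_ip_len, cipher="3des", tunnel_mode=True):
    """On-wire IPv4 length of an inner packet after GRE, then ESP."""
    iv, block = CIPHERS[cipher]
    gre_len = inner_ip_len + GRE_OVERHEAD
    # Tunnel mode encrypts the whole GRE packet behind a new IP header;
    # transport mode reuses the GRE delivery header and encrypts the rest.
    payload = gre_len if tunnel_mode else gre_len - 20
    padded = math.ceil((payload + ESP_TRAILER) / block) * block
    return 20 + ESP_HEADER + iv + padded + ICV


def load_report(mbps, sizes, budget_pps):
    """(size, pps required, within budget) for each average packet size."""
    return [(s, round(pps(mbps, s)), pps(mbps, s) <= budget_pps) for s in sizes]


if __name__ == "__main__":
    budget = pps(149, 300)          # data-sheet figure quoted in the reply
    print(f"budget per direction: {budget:,.0f} pps")
    for size, need, ok in load_report(80, [64, 300, 576, 1400], budget):
        print(f"80 Mbps at {size:>4} B -> {need:>7,} pps  {'ok' if ok else 'over budget'}")
    for cipher in CIPHERS:
        for tunnel in (True, False):
            mode = "tunnel" if tunnel else "transport"
            print(f"ip mtu 1418, {cipher}, {mode}: {esp_packet_size(1418, cipher, tunnel)} B")
```

A result above the path MTU (1500 bytes on plain Ethernet) means the encrypted packet has to be fragmented after encryption, which is the case `ip mtu` and `ip tcp adjust-mss` are meant to avoid.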
