GRE Over IPSEC Packet Drops

Router2 gig 0/1 --------ISP 1,100 MBPS------------gig0/1Router2

          gig0/2 --------ISP 2, 100 MBPS-----------gig0/2

Converter is used to connect to 100 MBPS ISP Link.

Currently running EIGRP between the routers and using equal cost load balancing. [All applications work fine.]

Now I have configured GRE over IPsec between two sites.

When traffic is passed via the GRE tunnels, packets are dropped.

MTU size is reduced to 1400 and I tried the below changes by reading Cisco docs.

ip mtu 1418

ip tcp adjust-mss 1300

Tunnel bandwidth transmit/receive is set to 100 MBPS.

Around 80 MBPS traffic is passing between the sites.

Need to know whether GRE over IPsec will support 80 MBPS traffic or not.

Two routers have VAM 2+ modules [7200].

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Parthiban,

What really counts is the packet rate, not the aggregate rate in Mbps.

There are results in the point-to-point GRE+IPSEC solution reference design that would say yes, but note that they are using many small BW tunnels:

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/4_p2pGRE_Phase2_external_docbase_0900e4b180a3eff0_4container_external_docbase_0900e4b180ad8740.html

But if I've understood you correctly, you have two GRE tunnels per direction, one over the ISP1 link and one over the ISP2 link.

What happens if you use GRE tunnels without IPSec: do you still see drops or not?

Data sheet of VAM2+ says:

• Data Encryption Standard (DES) standard mode with 56-bit key: Cipher Block Chaining (CBC)
• >>>> 3-Key Triple DES (168-bit) algorithms at speeds up to 292 Mbps
• 128/192/256-bit Advanced Encryption Standard (AES) in hardware
• >>>> Performance to OC3 full duplex with 300 byte packets
• Up to 5000 tunnels for DES/3DES/AES
• Provides compression with IPSec at no extra overhead (LZS)
• Secure Hash Algorithm (SHA)-1 and Message Digest 5 (MD5) hash algorithms
• Rivest, Shamir, Adelman (RSA) public-key algorithm
• Diffie-Hellman Groups 1, 2 and 5
• Online Insertion and Removal (OIR)

"Performance to OC3 full duplex with 300 byte packets": this means 149 Mbps of 300-byte packets.

It gives 62,083 pps per direction, 124,166 pps aggregate.

http://www.cisco.com/en/US/prod/collateral/modules/ps8768/ps7332/data_sheet_c78_48012.html

See the troubleshooting tips in the configuration guide to check if there are errors in the show commands related to VAM2+:

http://www.cisco.com/en/US/docs/security/vpn_modules/vam_vsa/vam2plus/installation/guide/vam2p_cf.html#wp68671

Hope to help

Giuseppe
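Added example (not part of the original thread and not Cisco code): a small calculator that turns the 80 Mbps load from the question into packets per second for several average packet sizes, compares it with the 62,083 pps figure derived in the reply above, and computes the on-wire size of each packet after GRE and ESP encapsulation. The transform (ESP tunnel mode, AES-CBC with HMAC-SHA1-96) and the 1500-byte link MTU are assumptions, since the thread does not state them.

```python
import math

# Figures taken from the thread
OFFERED_MBPS = 80        # traffic between the sites (from the question)
RATED_PPS = 62_083       # per-direction figure derived in the reply (OC3 at 300-byte packets)

# Assumptions, not stated in the thread
LINK_MTU = 1500          # standard Ethernet MTU on the ISP links
IP_HDR, GRE_HDR = 20, 4  # IPv4 header without options, basic GRE header
ESP_HDR, ESP_TRAILER, ICV = 8, 2, 12   # SPI+sequence, pad-length+next-header, HMAC-SHA1-96
AES_BLOCK = AES_IV = 16  # AES-CBC block and IV size


def encrypted_size(inner_len: int) -> int:
    """On-wire bytes for one inner IP packet carried in GRE inside ESP tunnel mode."""
    gre_packet = IP_HDR + GRE_HDR + inner_len
    # ESP pads payload + 2-byte trailer up to a multiple of the cipher block size
    padded = math.ceil((gre_packet + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    return IP_HDR + ESP_HDR + AES_IV + padded + ICV


def packets_per_second(mbps: float, inner_len: int) -> int:
    """Packet rate needed to carry `mbps` of traffic at a given packet size."""
    return int(mbps * 1_000_000 / (inner_len * 8))


def assess(inner_len: int, mbps: float = OFFERED_MBPS) -> dict:
    """Summarise packet rate and encapsulated size for one average packet size."""
    pps = packets_per_second(mbps, inner_len)
    wire = encrypted_size(inner_len)
    return {
        "inner_bytes": inner_len,
        "wire_bytes": wire,
        "pps": pps,
        "within_rated_pps": pps <= RATED_PPS,
        "exceeds_link_mtu": wire > LINK_MTU,
    }


if __name__ == "__main__":
    # 64 and 300 are small-packet cases; 1400 and 1418 are tunnel "ip mtu" candidates
    for size in (64, 300, 1400, 1418):
        print(assess(size))
```

Under these assumptions the same 80 Mbps is well inside the pps figure at 300-byte packets and far outside it at 64-byte packets, and a 1418-byte inner packet no longer fits a 1500-byte link once encrypted.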

I have managed to resolve the issue by upgrading IOS.
