I'm having some problem with a Cisco 1801, this router is at the edge of a small network, this network has only about 16 users, and the router makes only some basic ip filtering, NAT, and terminates PPTP tunnels for when workers are at home and need to access internal ressources.This router seemed to be working just fine, I say seemed because I never used the VPN feature on this network a lot after it was first configured, however, now users are complaining that they can't work over the VPN.
What happens is that I first connect to the VPN from my place all seems to be working, but after 30 seconds depending on the load I put in the connection, packets start to get droped and eventually all traffic starts to fail.
I did some debugging I and found that after connecting the VPN this starts to show up a lot in the routers logs:
MPPE: missed 1 key changes, recomputing
This message shows a lot sometimes saying 1 key change, sometimes 2, 3 key changes.
When I saw this I disabled MPPE leaving the VPN with no encryption just to see how it worked, there where improvement's but I have to admit I am quite disappointed with them.
Without the encryption that messages stopped appearing but performance and dropped packets are still there, for example:
- - I connected my laptop to the internet with an external connection;
- - I started in my laptop the following actions:
- ping 220.127.116.11 (one of Google public DNS servers always a good network connectivity test)
- ping 10.10.1.20 (an server in my internal network, needs to go through the VPN to get to it)
- ping -f 18.104.22.168 (the public IP address of the router where I am experiencing problems)
As soon as I start this, ping 22.214.171.124 works like a charm, my Internet connection does not drop a single packet for Google, ping 10.10.1.20 fails because VPN is still not launched and ping -f 126.96.36.199 also works great, I'm flooding hundreds of packets to my routers public address and I register practically no packet loss.
then..... I launch VPN (PPTP w/MSCHAP), it authenticates ok, and the ping 10.10.1.20 starts working, everything seems ok, then I:
- ping -f 10.10.1.254 (internal address of my router, now accessible through the VPN tunnel)
and I start getting lots of packet loss in this ping, 30% sometimes a lot more.
- I checked CPU utilization with show processes CPU and it never gets higher than 6%;
- Checked all network interfaces and none registers errors, or dropped packets, my FastEthernet 0 only registers some unknown protocols drops;
I think that the problems is either in my configuration or in the router itself. Before we had this VPN using PPTP we were using OpenVPN terminating in a server inside the network, even though we don't use it anymore I still haven't disabled it, sooo... I disconnect from the new VPN, and connect through the OpenVPN and repeat the same tests and everything works great.... I flood the network with pings and practically no drops are registered.... sometimes 1% of packet drops, very acceptable.
Is this an expected behavior from such a router? Now I have left it with no encryption, it is not the solution I want of course, but with no encryption it drops some packets but I is usable, with the encryption working over the VPN is practically impossible.
I attached the output from show running and show version, In the show running there are some additional sections for one other ipsec tunnel this router should manage, but for simplicity I have disabled it because it was not being used. Even though the ipsec keys exist they are not applied to any interface.
Appreciate all the help!