VPN over different WAN links

I have set up site-to-site VPNs over DSL, ISDN and T1 lines. I have noticed the traffic is intermittently hanging (like the network is being overloaded) for about 3-5 seconds and then resuming normal performance. This happens on an hourly basis on the DSL and ISDN lines and a few times on the T1 lines. The routers are 1721 with the VPN bundles so I do not believe the routers are the bottleneck doing encryption. The WAN lines should have enough speed to accommodate the users at the remote facilities. Could it be a fragmentation issue with the MTU not being set correctly? Has someone else seen this issue before?

2nd question - If I am running a GRE tunnel with IPsec, what should I set the MTU to on my Ethernet devices? Does every layer 3 device between the two tunnels need the same MTU?



Re: VPN over different WAN links

If you think you might be having a fragmentation issue, you could turn on: debug ip icmp

which will tell you directly when traffic is flowing if it's having a frag issue. On your second question, if you have a firewall or you're blocking ICMP messages, then possibly yes. ICMP is used for MTU discovery, so if you're blocking it anywhere then the messages do not get returned and devices don't adjust their packet sizes. Do you have the MTU set on your GRE tunnel to 1400 as well? Lots of IOS issues with fragmentation and MTU that can affect your traffic. Lots of could be's. Every layer 3 device doesn't need to have the same MTU setting, as that would be impossible with today's internet.
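
An added example, not part of either post above: the arithmetic behind a tunnel MTU of 1400, computing how large a packet becomes on the WAN link after GRE and IPsec ESP encapsulation. The header sizes are the standard ones; the two cipher suites, the 1500 and 1492 byte link MTUs, and all function names are assumptions chosen for illustration.

```python
# Added example: per-packet overhead of GRE inside IPsec ESP.
# Cipher suites and link MTUs below are assumptions, not taken from the thread.
IP_HDR = 20        # IPv4 header without options
GRE_HDR = 4        # basic GRE header (no key, sequence or checksum)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes

# name: (cipher block size, IV length, truncated ICV length)
SUITES = {
    "3des-sha1": (8, 8, 12),
    "aes-cbc-sha1": (16, 16, 12),
}

def wire_size(inner_len, suite, tunnel_mode=True):
    """Size on the WAN link of one inner IP packet after GRE and ESP."""
    block, iv, icv = SUITES[suite]
    gre_packet = IP_HDR + GRE_HDR + inner_len
    # Tunnel mode encrypts the whole GRE packet; transport mode reuses its IP header.
    protected = gre_packet if tunnel_mode else gre_packet - IP_HDR
    # Payload plus ESP trailer is padded up to a whole cipher block.
    encrypted = -(-(protected + ESP_TRAILER) // block) * block
    return IP_HDR + ESP_HDR + iv + encrypted + icv

def max_tunnel_mtu(link_mtu, suite, tunnel_mode=True):
    """Largest inner packet that crosses the link without fragmentation."""
    size = link_mtu
    while size > 0 and wire_size(size, suite, tunnel_mode) > link_mtu:
        size -= 1
    return size

def tcp_mss(tunnel_mtu):
    """MSS that keeps a TCP segment within the tunnel MTU (IPv4 + TCP, no options)."""
    return tunnel_mtu - 40

if __name__ == "__main__":
    for link in (1500, 1492):   # Ethernet-sized path, PPPoE DSL path (assumed)
        for suite in SUITES:
            best = max_tunnel_mtu(link, suite)
            fits = wire_size(1400, suite) <= link
            print(f"link={link} {suite}: max tunnel MTU {best}, "
                  f"1400 fits: {fits}, MSS at 1400: {tcp_mss(1400)}")
```

Under these assumptions a 1400-byte inner packet fits a 1500-byte path with either suite, but with AES-CBC over a 1492-byte PPPoE path it does not, which is the kind of case where blocked ICMP leaves senders unaware that their packets are too large.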

