VPN packet loss 50%!!!

examples20001
Level 1

Hi All,

I set up a VPN between a Cisco ISR 2821 and an 1841. On all routers the IOS is 12.4(5) ADVSEC-K9. In the H.O, HSRP is running between two 2821s. The VPN is up between H.O and B.O, and pings from the routers are 100% OK.

But when I ping from a client PC to the server or vice versa, there is almost or more than 50% packet loss.

I have attached the config and crypto and all ACL details.

For test I send 27 ping packets and got the reply for 14 packets. When I checked the ACL, IPSec and NAT counters, the values are different.

What can be the problem? Have I missed some config, or is there a problem in the route-map or VPN?

VPNHUB-M1#show route-map all
STATIC routemaps
route-map SDM_RMAP_1, permit, sequence 1
  Match clauses:
    ip address (access-lists): 104
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
DYNAMIC routemaps
Current active dynamic routemaps = 0
VPNHUB-M1#

9 Replies

aacole
Level 5

When reading this my first thought is that the server probably has 2 equal-cost routes to your client pool range. Or 2 default routes, or even 2 NICs.

Reason I say this is that the ICMP trace shows clearly that you see every other packet, as identified by the sequence number.

Usually this is down to equal cost routing somewhere sharing the packets equally out across each route.

Andy
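The diagnostic Andy describes, every other ICMP reply arriving, is visible in the sequence numbers alone. The following script is an added example, not code from this thread or from Cisco: it parses a Linux-style ping transcript (the `icmp_seq=N` format is an assumption about the ping tool used) and reports whether the missing sequence numbers alternate with the received ones, which points at something deterministic such as a second path taking every other packet, or whether they are scattered, which points at ordinary congestion or an unstable link. The transcript below is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample: a Linux-style ping transcript where only odd
# sequence numbers come back, the "every other packet" pattern.
SAMPLE_PING_OUTPUT = """\
PING 172.29.171.10 (172.29.171.10) 56(84) bytes of data.
64 bytes from 172.29.171.10: icmp_seq=1 ttl=62 time=4.11 ms
64 bytes from 172.29.171.10: icmp_seq=3 ttl=62 time=4.02 ms
64 bytes from 172.29.171.10: icmp_seq=5 ttl=62 time=4.20 ms
64 bytes from 172.29.171.10: icmp_seq=7 ttl=62 time=4.05 ms
64 bytes from 172.29.171.10: icmp_seq=9 ttl=62 time=4.13 ms
64 bytes from 172.29.171.10: icmp_seq=11 ttl=62 time=4.08 ms
--- 172.29.171.10 ping statistics ---
12 packets transmitted, 6 received, 50% packet loss, time 11015ms
"""

# Constructed sample with scattered (non-periodic) loss for comparison.
SAMPLE_RANDOM_LOSS = """\
64 bytes from 172.29.171.10: icmp_seq=1 ttl=62 time=4.11 ms
64 bytes from 172.29.171.10: icmp_seq=2 ttl=62 time=4.02 ms
64 bytes from 172.29.171.10: icmp_seq=4 ttl=62 time=4.20 ms
64 bytes from 172.29.171.10: icmp_seq=5 ttl=62 time=4.05 ms
64 bytes from 172.29.171.10: icmp_seq=7 ttl=62 time=4.13 ms
64 bytes from 172.29.171.10: icmp_seq=9 ttl=62 time=4.08 ms
64 bytes from 172.29.171.10: icmp_seq=10 ttl=62 time=4.08 ms
10 packets transmitted, 7 received, 30% packet loss, time 9010ms
"""

SEQ_RE = re.compile(r"icmp_seq=(\d+)")
SENT_RE = re.compile(r"(\d+) packets transmitted")


def received_sequences(text: str) -> List[int]:
    """Sequence numbers of every echo reply present in the transcript."""
    return [int(m.group(1)) for m in SEQ_RE.finditer(text)]


def packets_sent(text: str) -> int:
    """Packets sent: taken from the summary line, else the highest seq seen."""
    m = SENT_RE.search(text)
    if m:
        return int(m.group(1))
    seqs = received_sequences(text)
    return max(seqs) if seqs else 0


def classify_loss(text: str) -> Dict[str, object]:
    """Summarise loss and decide whether it alternates packet by packet.

    'alternating' means all received replies share one parity and all lost
    probes have the other, i.e. exactly every second packet disappears.
    """
    seqs = received_sequences(text)
    sent = packets_sent(text)
    lost = sorted(set(range(1, sent + 1)) - set(seqs))
    loss_pct = round(100.0 * len(lost) / sent, 1) if sent else 0.0
    if not lost:
        pattern = "none"
    else:
        parities = {s % 2 for s in seqs}
        strict_alternation = (
            len(seqs) >= 3
            and len(parities) == 1
            and all(s % 2 not in parities for s in lost)
        )
        pattern = "alternating" if strict_alternation else "random"
    return {
        "sent": sent,
        "received": len(seqs),
        "lost": lost,
        "loss_pct": loss_pct,
        "pattern": pattern,
    }


if __name__ == "__main__":
    for label, sample in (("alternating", SAMPLE_PING_OUTPUT), ("random", SAMPLE_RANDOM_LOSS)):
        print(label, classify_loss(sample))
```

A result of `alternating` is the signal to compare the forwarding paths on each hop (routing table, CEF table, the encryption counters) rather than to look for a noisy link; `random` loss with the same overall percentage would be investigated quite differently.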

Hi,

There are no 2 NICs or 2 equal-cost routes.

I think the problem is in ip route-cache cef.

When I disabled it with "no ip route-cache cef" on the LAN-side interface only, the ping to B.O from H.O and vice versa is 100% OK. There is no loss of packets at all.

But I am not sure the problem was in IPSec/CEF.

What can be the problem? Is there any bug in the latest IOS 12.4(5) ADVSEC-K9 image for IPSec/CEF?

I agree with your comments, in that case it does sound like a bug. Have you looked on the Bug watcher on cisco.com?

I wonder if the CEF forwarding table shows 2 paths to that destination, and only one gets encrypted? It's a guess; try having a look at the output from 'sh ip cef'. What hardware is this running on?

Hi,

My router is ISR 2821 with IOS 12.4(5) ADVSEC-K9.

Below are the sh ip route and sh ip cef details:

VPNHUB-M1#show ip route
Gateway of last resort is X.Y.Z.1 to network 0.0.0.0
     172.29.0.0/24 is subnetted, 2 subnets
S       172.29.171.0 is directly connected, GigabitEthernet0/1 >>>=====peer lan seg=======>>route2
C    192.168.124.0/24 is directly connected, GigabitEthernet0/0
     X.Y.Z.0/26 is subnetted, 1 subnets
C       X.Y.Z.0 is directly connected, GigabitEthernet0/1
S    10.0.0.0/8 [1/0] via 192.168.124.5
     P.Q.0.0/16 is variably subnetted, 2 subnets, 2 masks
S       P.Q.54.10/32 [1/0] via X.Y.Z.1
S       P.Q.0.0/16 [1/0] via 192.168.124.5
S*   0.0.0.0/0 [1/0] via X.Y.Z.1
S    172.16.0.0/12 [1/0] via 192.168.124.5 >>>======private seg===========>>route1
S    192.168.0.0/16 [1/0] via 192.168.124.5
VPNHUB-M1#

VPNHUB-M1#show ip cef
Prefix              Next Hop             Interface
0.0.0.0/0           X.Y.Z.1              GigabitEthernet0/1
0.0.0.0/32          receive
10.0.0.0/8          192.168.124.5        GigabitEthernet0/0
P.Q.0.0/16          192.168.124.5        GigabitEthernet0/0
P.Q.54.10/32        X.Y.Z.1              GigabitEthernet0/1
172.16.0.0/12       192.168.124.5        GigabitEthernet0/0 >>>======private seg======>>route1
172.29.171.0/24     attached             GigabitEthernet0/1 >>>=====peer lan seg=======>>route2
192.168.0.0/16      192.168.124.5        GigabitEthernet0/0
192.168.124.0/24    attached             GigabitEthernet0/0
192.168.124.0/32    receive
192.168.124.1/32    192.168.124.1        GigabitEthernet0/0
192.168.124.10/32   receive
192.168.124.11/32   receive
192.168.124.12/32   192.168.124.12       GigabitEthernet0/0
192.168.124.255/32  receive
X.Y.Z.0/26          attached             GigabitEthernet0/1
X.Y.Z.0/32          receive
X.Y.Z.1/32          X.Y.Z.1              GigabitEthernet0/1
X.Y.Z.10/32         receive
X.Y.Z.11/32         receive
X.Y.Z.12/32         X.Y.Z.12             GigabitEthernet0/1
X.Y.Z.14/32         X.Y.Z.14             GigabitEthernet0/1
X.Y.Z.63/32         receive
224.0.0.0/4         drop
224.0.0.0/24        receive
255.255.255.255/32  receive
VPNHUB-M1#

With the same IOS 12.4(5) ADVSEC-K9, I tested the VPN with CEF enabled on the LAN interface with a different ISR 2821 router.

It worked perfectly and there was no loss of packets at all.

So what can be the problem in the other router, which drops 50% of IPSec traffic with the same setup, that is, when CEF is enabled on the LAN interface?

Is it a hardware problem or some other?

Hi,

Please check if you have both ip cef enabled and a default route (0.0.0.0 0.0.0.0) configured. If so, this is most likely the cause of your problem. ip cef and 0.0.0.0/0 route result in 50% packet loss, especially on vpn routers (I had a similar case with a GRE/IPSec tunnel config).

HTH,

Leo

Hi All,

I just wanted to thank you (Leo) for helping me solve my problem with a GRE/IPSec tunnel. I did a search on the Cisco site and found this post. I was having the same problem where I would have about 50% packet loss through my VPN. It turned out that I had CEF enabled on both ends. As soon as I disabled CEF all packets were received with 0% loss.

Thanks a bunch,

Joe

Hi Joe,

Glad I could help, that's what this forum is all about ;-)

Leo

Hi,

Thank you very much for the support.