01-23-2006 09:08 PM - edited 02-21-2020 02:13 PM
Hi All,
I set up a VPN between a Cisco ISR 2821 and an 1841. On all routers the IOS is 12.4(5) ADVSEC-K9. In the H.O., HSRP is running between two 2821s. The VPN is up between the H.O. and B.O., and ping from the routers is 100% OK.
But when I ping from a client PC to the server or vice versa, there is almost 50% or more packet loss.
I have attached the config and crypto and all ACL details.
As a test I sent 27 ping packets and got replies for 14 packets. When I checked the ACL, IPSec and NAT counters, the values were different.
What can be the problem? Have I missed some config, or is there a problem in the route-map and VPN?
VPNHUB-M1#show route-map all
STATIC routemaps
route-map SDM_RMAP_1, permit, sequence 1
Match clauses:
ip address (access-lists): 104
Set clauses:
Policy routing matches: 0 packets, 0 bytes
DYNAMIC routemaps
Current active dynamic routemaps = 0
VPNHUB-M1#
01-24-2006 10:46 AM
When reading this my first thought is that the server probably has 2 equal cost routes to your client pool range. Or 2 default routes, or even 2 NICs.
Reason I say this is that the ICMP trace shows clearly that you see every other packet, as identified by the sequence number.
Usually this is down to equal cost routing somewhere sharing the packets equally out across each route.
Andy
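The "every other packet" signature Andy describes can be checked mechanically rather than by eye. The script below is an added example, not part of the thread; it parses constructed ping output (Unix-style icmp_seq lines, or an IOS-style "!.!.!" result string), lists the lost sequence numbers and flags the strict alternating pattern that points at per-packet load sharing or a forwarding-path split rather than random loss.

```python
import re
from collections import Counter

SEQ_RE = re.compile(r"icmp_seq=(\d+)")

def received_seqs_from_ping(text):
    """Sequence numbers that got a reply, from Unix-style ping output."""
    return sorted({int(m.group(1)) for m in SEQ_RE.finditer(text)})

def received_seqs_from_ios(pattern, start=1):
    """Sequence numbers from an IOS-style result string such as '!.!.!'."""
    return [start + i for i, c in enumerate(pattern) if c == "!"]

def classify_loss(received, sent, start=1):
    """Summarise loss and flag the every-other-packet signature."""
    expected = range(start, start + sent)
    got = set(received)
    lost = [s for s in expected if s not in got]
    loss_pct = 100.0 * len(lost) / sent
    parity = Counter(s % 2 for s in lost)
    # Alternating loss: every lost probe has the same parity and the
    # lost probes are exactly two apart (no two consecutive losses).
    alternating = (len(lost) >= 3 and len(parity) == 1
                   and all(b - a == 2 for a, b in zip(lost, lost[1:])))
    return {"sent": sent, "received": len(got), "lost": lost,
            "loss_pct": round(loss_pct, 1), "alternating": alternating}

# Constructed sample (not from the thread): replies only for odd sequences.
SAMPLE_PING = "\n".join(
    f"64 bytes from 172.29.171.5: icmp_seq={s} ttl=254 time=11.{s} ms"
    for s in range(1, 11, 2))

if __name__ == "__main__":
    print(classify_loss(received_seqs_from_ping(SAMPLE_PING), sent=10))
    print(classify_loss(received_seqs_from_ios("!.!.!.!"), sent=7))
```

An `alternating: True` result is the cue to compare the forwarding table (sh ip cef) against the routing table for the destination, as suggested later in the thread; random loss points elsewhere (MTU, crypto engine, link errors).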
01-24-2006 03:12 PM
Hi,
There are no 2 NICs or 2 equal cost routes.
I think the problem is in ip route-cache cef.
When I disabled it with "no ip route-cache cef" on the LAN-side interface only, the ping to the B.O. from the H.O. and vice versa is 100% OK. There is no loss of packets at all.
But I am not sure the problem was in IPSec/CEF.
What can be the problem? Is there any bug in the latest IOS 12.4(5) ADVSEC-K9 image for IPSec/CEF?
01-26-2006 01:00 AM
I agree with your comments, in that case it does sound like a bug. Have you looked on the Bug watcher on cisco.com?
I wonder if the CEF forwarding table shows 2 paths to that destination, and only one gets encrypted? It's a guess; try having a look at the output from 'sh ip cef'. What hardware is this running on?
01-26-2006 02:37 AM
Hi,
My router is ISR 2821 with IOS 12.4(5) ADVSEC-K9.
Below are the sh ip route and sh ip cef details:
VPNHUB-M1#show ip route
Gateway of last resort is X.Y.Z.1 to network 0.0.0.0
172.29.0.0/24 is subnetted, 2 subnets
S 172.29.171.0 is directly connected, GigabitEthernet0/1 >>>=====peer lan seg=======>>route2
C 192.168.124.0/24 is directly connected, GigabitEthernet0/0
X.Y.Z.0/26 is subnetted, 1 subnets
C X.Y.Z.0 is directly connected, GigabitEthernet0/1
S 10.0.0.0/8 [1/0] via 192.168.124.5
P.Q.0.0/16 is variably subnetted, 2 subnets, 2 masks
S P.Q.54.10/32 [1/0] via X.Y.Z.1
S P.Q.0.0/16 [1/0] via 192.168.124.5
S* 0.0.0.0/0 [1/0] via X.Y.Z.1
S 172.16.0.0/12 [1/0] via 192.168.124.5 >>>======private seg===========>>route1
S 192.168.0.0/16 [1/0] via 192.168.124.5
VPNHUB-M1#
VPNHUB-M1#show ip cef
Prefix Next Hop Interface
0.0.0.0/0 X.Y.Z.1 GigabitEthernet0/1
0.0.0.0/32 receive
10.0.0.0/8 192.168.124.5 GigabitEthernet0/0
P.Q.0.0/16 192.168.124.5 GigabitEthernet0/0
P.Q.54.10/32 X.Y.Z.1 GigabitEthernet0/1
172.16.0.0/12 192.168.124.5 GigabitEthernet0/0 >>>======private seg======>>route1
172.29.171.0/24 attached GigabitEthernet0/1 >>>=====peer lan seg=======>>route2
192.168.0.0/16 192.168.124.5 GigabitEthernet0/0
192.168.124.0/24 attached GigabitEthernet0/0
192.168.124.0/32 receive
192.168.124.1/32 192.168.124.1 GigabitEthernet0/0
192.168.124.10/32 receive
192.168.124.11/32 receive
192.168.124.12/32 192.168.124.12 GigabitEthernet0/0
192.168.124.255/32 receive
X.Y.Z.0/26 attached GigabitEthernet0/1
X.Y.Z.0/32 receive
X.Y.Z.1/32 X.Y.Z.1 GigabitEthernet0/1
X.Y.Z.10/32 receive
X.Y.Z.11/32 receive
X.Y.Z.12/32 X.Y.Z.12 GigabitEthernet0/1
X.Y.Z.14/32 X.Y.Z.14 GigabitEthernet0/1
X.Y.Z.63/32 receive
224.0.0.0/4 drop
224.0.0.0/24 receive
255.255.255.255/32 receive
VPNHUB-M1#
02-01-2006 01:48 AM
With the same IOS 12.4(5) ADVSEC-K9, I tested the VPN with CEF enabled on the LAN interface with a different ISR2821 router.
It worked perfectly and there was no loss of packets at all.
So what can be the problem in the other router, which drops 50% of IPSec traffic with the same setup, that is, when CEF is enabled on the LAN interface?
Is it a hardware problem or some other?
01-10-2007 01:06 AM
Hi,
Please check if you have both ip cef enabled and a default route (0.0.0.0 0.0.0.0) configured. If so, this is most likely the cause of your problem. ip cef and 0.0.0.0/0 route result in 50% packet loss, especially on vpn routers (I had a similar case with a GRE/IPSec tunnel config).
HTH,
Leo
03-14-2007 10:54 AM
Hi All,
I just wanted to thank you (Leo) for helping me solve my problem with a GRE/IPSec tunnel. I did a search on the Cisco site and found this post. I was having the same problem where I would have about 50% packet loss through my VPN. It turned out that I had CEF enabled on both ends. As soon as I disabled CEF all packets were received with 0% loss.
Thanks a bunch,
Joe
03-15-2007 01:20 PM
Hi Joe,
Glad I could help, that's what this forum is all about ;-)
Leo
02-28-2006 04:01 PM
Hi,
Thank you very much for the support.