I set up a VPN between a Cisco ISR 2821 and an 1841. On all routers the IOS is 12.4(5) ADVSEC-K9. At the H.O, HSRP is running between two 2821s. The VPN is up between the H.O and B.O, and pings from the routers are 100% OK.
But when I ping from a client PC to the server, or vice versa, there is almost 50% or more packet loss.
I have attached the config and crypto and all ACL details.
For a test I sent 27 ping packets and got replies for 14 packets. When I checked the ACL, IPSec and NAT counters, the values were different.
What can be the problem? Have I missed some config, or is there a problem in the route-map and VPN?
VPNHUB-M1#show route-map all
route-map SDM_RMAP_1, permit, sequence 1
ip address (access-lists): 104
Policy routing matches: 0 packets, 0 bytes
Current active dynamic routemaps = 0
When reading this, my first thought is that the server probably has 2 equal-cost routes to your client pool range, or 2 default routes, or even 2 NICs.
The reason I say this is that the ICMP trace clearly shows that you see every other packet, as identified by the sequence number.
Usually this is down to equal-cost routing somewhere sharing the packets equally across each route.
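To check whether a ping trace really shows the every-other-packet pattern described above (rather than scattered loss), here is a small added script that is not part of this thread; it parses PC-style ping output, and the embedded sample trace is constructed to reproduce the 27 sent / 14 received counts from the original question, with a hypothetical target address.

```python
import re

SEQ_RE = re.compile(r"icmp_seq=(\d+)")

def make_trace(received_seqs, target="172.29.171.10"):
    """Build a constructed ping trace (PC-style output) containing only the replied sequence numbers."""
    return "\n".join(
        f"64 bytes from {target}: icmp_seq={seq} ttl=62 time=41.3 ms" for seq in received_seqs
    )

def received_seqs(trace):
    """ICMP sequence numbers that actually got a reply, parsed from the trace text."""
    return sorted({int(m.group(1)) for m in SEQ_RE.finditer(trace)})

def analyze(trace, sent, first_seq=1):
    """Summarise loss and classify its pattern.

    'alternating' means every lost packet has the same sequence parity and no packet of
    that parity got through, which is what per-packet load sharing over two paths with
    one path dropping traffic looks like. 'scattered' is any other loss pattern."""
    got = set(received_seqs(trace))
    expected = list(range(first_seq, first_seq + sent))
    lost = [s for s in expected if s not in got]
    loss_pct = round(100.0 * len(lost) / sent, 1)
    if not lost:
        pattern = "none"
    else:
        parity = lost[0] % 2
        same_parity = [s for s in expected if s % 2 == parity]
        pattern = "alternating" if lost == same_parity else "scattered"
    return {"sent": sent, "received": len(got & set(expected)),
            "loss_pct": loss_pct, "pattern": pattern}

# Constructed trace reproducing the poster's counts: 27 requests, only odd sequence numbers answered.
ALTERNATING_TRACE = make_trace(range(1, 28, 2))
# Constructed trace with a few scattered losses for comparison.
SCATTERED_TRACE = make_trace(s for s in range(1, 28) if s not in (3, 4, 9))

if __name__ == "__main__":
    for name, trace in (("alternating", ALTERNATING_TRACE), ("scattered", SCATTERED_TRACE)):
        print(name, analyze(trace, sent=27))
```

An "alternating" result is consistent with the two-path explanation given above; a "scattered" result points elsewhere.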
There are no 2 NICs or 2 equal-cost routes.
I think the problem is in ip route-cache cef.
When I disabled it with "no ip route-cache cef" on the LAN-side interface only, the ping to the B.O from the H.O and vice versa is 100% OK. There is no loss of packets at all.
But I am not sure whether the problem is in IPSec/CEF.
What can be the problem? Is there a bug in the latest IOS 12.4(5) ADVSEC-K9 image for IPSec/CEF?
I agree with your comments; in that case it does sound like a bug. Have you looked at the Bug Watcher on cisco.com?
I wonder if the CEF forwarding table shows 2 paths to that destination, and only one gets encrypted? It's a guess; try having a look at the output from 'sh ip cef'. What hardware is this running on?
My router is an ISR 2821 with IOS 12.4(5) ADVSEC-K9.
Below are the sh ip route and sh ip cef details:
VPNHUB-M1#show ip route
Gateway of last resort is X.Y.Z.1 to network 0.0.0.0
172.29.0.0/24 is subnetted, 2 subnets
S 172.29.171.0 is directly connected, GigabitEthernet0/1 >>>=====peer lan seg=======>>route2
C 192.168.124.0/24 is directly connected, GigabitEthernet0/0
X.Y.Z.0/26 is subnetted, 1 subnets
C X.Y.Z.0 is directly connected, GigabitEthernet0/1
S 10.0.0.0/8 [1/0] via 192.168.124.5
P.Q.0.0/16 is variably subnetted, 2 subnets, 2 masks
S P.Q.54.10/32 [1/0] via X.Y.Z.1
S P.Q.0.0/16 [1/0] via 192.168.124.5
S* 0.0.0.0/0 [1/0] via X.Y.Z.1
S 172.16.0.0/12 [1/0] via 192.168.124.5 >>>======private seg===========>>route1
S 192.168.0.0/16 [1/0] via 192.168.124.5
VPNHUB-M1#show ip cef
Prefix Next Hop Interface
0.0.0.0/0 X.Y.Z.1 GigabitEthernet0/1
10.0.0.0/8 192.168.124.5 GigabitEthernet0/0
P.Q.0.0/16 192.168.124.5 GigabitEthernet0/0
P.Q.54.10/32 X.Y.Z.1 GigabitEthernet0/1
172.16.0.0/12 192.168.124.5 GigabitEthernet0/0 >>>======private seg======>>route1
172.29.171.0/24 attached GigabitEthernet0/1 >>>=====peer lan seg=======>>route2
192.168.0.0/16 192.168.124.5 GigabitEthernet0/0
192.168.124.0/24 attached GigabitEthernet0/0
192.168.124.1/32 192.168.124.1 GigabitEthernet0/0
192.168.124.12/32 192.168.124.12 GigabitEthernet0/0
X.Y.Z.0/26 attached GigabitEthernet0/1
X.Y.Z.1/32 X.Y.Z.1 GigabitEthernet0/1
X.Y.Z.12/32 X.Y.Z.12 GigabitEthernet0/1
X.Y.Z.14/32 X.Y.Z.14 GigabitEthernet0/1
With the same IOS 12.4(5) ADVSEC-K9, I tested the VPN with CEF enabled on the LAN interface with a different ISR 2821 router.
It worked perfectly and there was no loss of packets at all.
So what can be the problem in the other router, which drops 50% of IPSec traffic with the same setup, that is, when CEF is enabled on the LAN interface?
Is it a hardware problem or something else?
Please check if you have both ip cef enabled and a default route (0.0.0.0 0.0.0.0) configured. If so, this is most likely the cause of your problem. ip cef and a 0.0.0.0/0 route result in 50% packet loss, especially on VPN routers (I had a similar case with a GRE/IPSec tunnel config).
I just wanted to thank you (Leo) for helping me solve my problem with a GRE/IPSec tunnel. I did a search on the Cisco site and found this post. I was having the same problem, where I would have about 50% packet loss through my VPN. It turned out that I had CEF enabled on both ends. As soon as I disabled CEF, all packets were received with 0% loss.
Thanks a bunch,