Cisco Support Community

New Member

VPN packet loss 50%!!!

Hi All,

I set up a VPN between a Cisco ISR 2821 and an 1841. On all routers the IOS is 12.4(5) ADVSEC-K9. In the H.O, HSRP is running between two 2821s. The VPN is up between H.O and B.O, and pings from the routers are 100% OK.

But when I ping from a client PC to the server, or vice versa, there is almost, or more than, 50% packet loss.

I have attached the config and crypto and all ACL details.

For a test I sent 27 ping packets and got replies for 14 packets. When I checked the ACL, IPsec and NAT counters, the values were different.

What can the problem be? Have I missed some config, or is there a problem in the route-map and VPN?

VPNHUB-M1#show route-map all

STATIC routemaps

route-map SDM_RMAP_1, permit, sequence 1

Match clauses:

ip address (access-lists): 104

Set clauses:

Policy routing matches: 0 packets, 0 bytes

DYNAMIC routemaps

Current active dynamic routemaps = 0

VPNHUB-M1#

9 REPLIES
Silver

Re: VPN packet loss 50%!!!

When reading this my first thought is that the server probably has 2 equal-cost routes to your client pool range, or 2 default routes, or even 2 NICs.

Reason I say this is that the ICMP trace shows clearly that you see every other packet, as identified by the sequence number.

Usually this is down to equal cost routing somewhere sharing the packets equally out across each route.

Andy
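Andy's point above, that loss of every other sequence number points at per-packet load sharing over two paths rather than at random drops, can be checked mechanically instead of by eye. The script below is an added example and is not code from the thread or from any of its posters. It parses either an IOS-style ping result (`!` for a reply, `.` for a timeout) or Linux ping output, then names the loss shape: alternating (two paths, only one of which delivers), one contiguous burst (rekey, flap or link reset) or scattered. Both ping outputs are constructed for the example; the IOS one uses the 27 sent / 14 received counts from the original post, but its strict every-other-packet shape and the host address 172.29.171.10 are assumptions.

```python
import re

# Constructed sample: IOS-style ping result ('!' = reply, '.' = timeout).
# 27 probes with 14 replies matches the counts in the original post; the
# strict every-other-packet shape is an assumption for this example.
IOS_PING_OUTPUT = "!." * 13 + "!"

# Constructed sample in Linux ping format for the same failure shape.
# 172.29.171.10 is an assumed host address, not one taken from the thread.
UNIX_PING_OUTPUT = """\
64 bytes from 172.29.171.10: icmp_seq=1 ttl=254 time=11.2 ms
64 bytes from 172.29.171.10: icmp_seq=3 ttl=254 time=11.5 ms
64 bytes from 172.29.171.10: icmp_seq=5 ttl=254 time=10.9 ms
64 bytes from 172.29.171.10: icmp_seq=7 ttl=254 time=11.1 ms
--- 172.29.171.10 ping statistics ---
8 packets transmitted, 4 received, 50% packet loss, time 7010ms
"""

# What each loss shape usually means on an IPsec path.
HINTS = {
    "none": "no loss; nothing to do",
    "total": "no replies at all: check crypto ACLs, SA state and routing",
    "alternating": "every other probe lost: per-packet load sharing over two "
                   "paths (equal-cost routes, dual default routes, dual NICs, "
                   "CEF vs. process switching) where only one path works",
    "burst": "one contiguous gap: SA rekey, tunnel flap or link reset",
    "random": "scattered loss: congestion, MTU/fragmentation or a bad link",
}


def ios_replies(pattern):
    """Turn IOS ping output into one boolean per probe (True = reply)."""
    return [ch == "!" for ch in pattern if ch in "!."]


def unix_replies(text):
    """Turn Linux ping output into one boolean per probe, keyed on icmp_seq."""
    got = {int(m.group(1)) for m in re.finditer(r"icmp_seq=(\d+)", text)}
    sent = int(re.search(r"(\d+) packets transmitted", text).group(1))
    return [seq in got for seq in range(1, sent + 1)]  # Linux numbers from 1


def classify(replies):
    """Name the loss pattern in a list of per-probe reply flags."""
    sent, received = len(replies), sum(replies)
    lost = [i for i, ok in enumerate(replies) if not ok]
    if received == sent:
        return "none"
    if received == 0:
        return "total"
    # Strict alternation needs at least two replies and two losses to mean
    # anything; a single dropped probe is treated as a (short) burst.
    if (received >= 2 and len(lost) >= 2
            and all(replies[i] != replies[i + 1] for i in range(sent - 1))):
        return "alternating"
    if lost[-1] - lost[0] + 1 == len(lost):
        return "burst"
    return "random"


def summarize(replies):
    """Sent/received/loss figures plus the pattern name and a diagnostic hint."""
    pattern = classify(replies)
    sent, received = len(replies), sum(replies)
    return {
        "sent": sent,
        "received": received,
        "loss_pct": round(100.0 * (sent - received) / sent, 1) if sent else 0.0,
        "pattern": pattern,
        "hint": HINTS[pattern],
    }


if __name__ == "__main__":
    for label, replies in (("ios", ios_replies(IOS_PING_OUTPUT)),
                           ("unix", unix_replies(UNIX_PING_OUTPUT))):
        print(label, summarize(replies))
```

Run it against a real capture by pasting the router's `!.!.` line or the Unix ping transcript into the two constants. An "alternating" verdict is the cue to look for two forwarding paths (a second default route, a second NIC on the server, or a CEF adjacency that differs from the process-switched path) rather than for congestion.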

New Member

Re: VPN packet loss 50%!!!

Hi,

There are no 2 NICs or 2 equal-cost routes.

I think the problem is in ip route-cache cef.

When I disabled it with "no ip route-cache cef" on the LAN-side interface only, the ping to B.O from H.O and vice versa is 100% OK. There is no loss of packets at all.

But I am not sure whether the problem was in IPsec/CEF.

What can the problem be? Is there any bug in the latest IOS 12.4(5) ADVSEC-K9 image for IPsec/CEF?

Silver

Re: VPN packet loss 50%!!!

I agree with your comments; in that case it does sound like a bug. Have you looked on the Bug watcher on cisco.com?

I wonder if the CEF forwarding table shows 2 paths to that destination, and only one gets encrypted? It's a guess; try having a look at the output from `sh ip cef`. What hardware is this running on?

New Member

Re: VPN packet loss 50%!!!

Hi,

My router is ISR 2821 with IOS 12.4(5) ADVSEC-K9.

Below are the sh ip route and sh ip cef details:

VPNHUB-M1#show ip route

Gateway of last resort is X.Y.Z.1 to network 0.0.0.0

172.29.0.0/24 is subnetted, 2 subnets

S 172.29.171.0 is directly connected, GigabitEthernet0/1 >>>=====peer lan seg=======>>route2

C 192.168.124.0/24 is directly connected, GigabitEthernet0/0

X.Y.Z.0/26 is subnetted, 1 subnets

C X.Y.Z.0 is directly connected, GigabitEthernet0/1

S 10.0.0.0/8 [1/0] via 192.168.124.5

P.Q.0.0/16 is variably subnetted, 2 subnets, 2 masks

S P.Q.54.10/32 [1/0] via X.Y.Z.1

S P.Q.0.0/16 [1/0] via 192.168.124.5

S* 0.0.0.0/0 [1/0] via X.Y.Z.1

S 172.16.0.0/12 [1/0] via 192.168.124.5 >>>======private seg===========>>route1

S 192.168.0.0/16 [1/0] via 192.168.124.5

VPNHUB-M1#

VPNHUB-M1#show ip cef

Prefix Next Hop Interface

0.0.0.0/0 X.Y.Z.1 GigabitEthernet0/1

0.0.0.0/32 receive

10.0.0.0/8 192.168.124.5 GigabitEthernet0/0

P.Q.0.0/16 192.168.124.5 GigabitEthernet0/0

P.Q.54.10/32 X.Y.Z.1 GigabitEthernet0/1

172.16.0.0/12 192.168.124.5 GigabitEthernet0/0 >>>======private seg======>>route1

172.29.171.0/24 attached GigabitEthernet0/1 >>>=====peer lan seg=======>>route2

192.168.0.0/16 192.168.124.5 GigabitEthernet0/0

192.168.124.0/24 attached GigabitEthernet0/0

192.168.124.0/32 receive

192.168.124.1/32 192.168.124.1 GigabitEthernet0/0

192.168.124.10/32 receive

192.168.124.11/32 receive

192.168.124.12/32 192.168.124.12 GigabitEthernet0/0

192.168.124.255/32 receive

X.Y.Z.0/26 attached GigabitEthernet0/1

X.Y.Z.0/32 receive

X.Y.Z.1/32 X.Y.Z.1 GigabitEthernet0/1

X.Y.Z.10/32 receive

X.Y.Z.11/32 receive

X.Y.Z.12/32 X.Y.Z.12 GigabitEthernet0/1

X.Y.Z.14/32 X.Y.Z.14 GigabitEthernet0/1

X.Y.Z.63/32 receive

224.0.0.0/4 drop

224.0.0.0/24 receive

255.255.255.255/32 receive

VPNHUB-M1#

New Member

Re: VPN packet loss 50%!!!

With the same IOS 12.4(5) ADVSEC-K9, I tested the VPN with CEF enabled on the LAN interface on a different ISR2821 router.

It worked perfectly and there was no loss of packets at all.

So what can the problem be in the other router, which drops 50% of IPsec traffic with the same setup, that is, when CEF is enabled on the LAN interface?

Is it a hardware problem or something else?

Silver

Re: VPN packet loss 50%!!!

Hi,

Please check if you have both ip cef enabled and a default route (0.0.0.0 0.0.0.0) configured. If so, this is most likely the cause of your problem. ip cef and 0.0.0.0/0 route result in 50% packet loss, especially on vpn routers (I had a similar case with a GRE/IPSec tunnel config).

HTH,

Leo

New Member

Re: VPN packet loss 50%!!!

Hi All,

I just wanted to thank you (Leo) for helping me solve my problem with a GRE/IPSec tunnel. I did a search on the Cisco site and found this post. I was having the same problem where I would have about 50% packet loss through my VPN. It turned out that I had CEF enabled on both ends. As soon as I disabled CEF all packets were received with 0% loss.

Thanks a bunch,

Joe

Silver

Re: VPN packet loss 50%!!!

Hi Joe,

Glad I could help, that's what this forum is all about ;-)

Leo

New Member

Re: VPN packet loss 50%!!!

Hi,

Thank you very much for the support.
