I have set up a VPN network using 1700 series routers with VPN accel cards for remote branches and a PIX515e (also with VPN accel) at corporate. The network at this moment consists of two remotes each using a full T1, and corporate has 3 full, BGP load-balanced T1s. We wish to route the branch office Internet traffic through corporate so that we can control user Web access. Due to security limitations of the PIX we have implemented GRE tunnels that originate at the branch router and terminate on a 1700 located behind the PIX. The GRE traffic/tunnel is originated and IPSec encrypted at the outside interface of the branch router, is unencrypted at the outside interface of the PIX and terminates at the 1700 inside router. From there it is routed to other subnets or sent back out the PIX if it is Internet bound.
We will add more remote branches soon but it seems like performance problems are popping up already. This setup is an upgrade from a DSL/Red Creek VPN network. To our surprise, performance of the new T1/Cisco sites is at best, equal to the old setup. Sometimes it even seems slower!!
What can I do to begin to troubleshoot this? Any and all suggestions would be greatly appreciated.
I am not sure how you are testing this setup against the old setup. Did your old setup have GRE/IPSec tunnels as well, getting terminated in the same manner?
Using GRE/IPSec in your topology, you will be sending the traffic over the Internet twice: once encrypted from the remote router to the hub router, and then back out to the Internet through the PIX firewall in cleartext (if you are doing Internet browsing).
Plus, if your old setup didn't have IPSec over GRE configured, then using IPSec/GRE in this current topology will add more overhead to the packets (and you might be running into some fragmentation issues as well).
Check and see if you are running into any sort of high CPU utilization. I think a better option to do this testing is to just do the GRE tunnel first and get the base number, then add IPSec on top, and then compare the performance.
I can certainly test without IPSec. That is easy to do. As far as fragmentation, how can I check for that? There are a lot of nodes involved here. You have the branch router, the corporate Internet router, the PIX and then the corporate internal router. Where would fragmentation be most likely?
Also, the ISP made us configure the serial interfaces on the branch routers for PPP. How much difference is there between that and HDLC or frame-relay encapsulation?
You are likely to run into fragmentation issues on the remote side (termination of GRE/IPSec) and on the PIX side (termination of the IPSec tunnel). You might see fragmentation on the hub router (termination of the other GRE end).
Fragmentation issues are hard to troubleshoot, but one of the symptoms is getting slow access to websites, incomplete web pages, not being able to download mail with attachments, etc.
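The two replies above point at the same thing: GRE adds a header, ESP adds another header plus IV, padding and an integrity tag, and a full-size 1500-byte packet from a branch LAN host no longer fits in one link MTU once it is double-encapsulated at the branch router, so it fragments (and the PIX and hub have to reassemble). The script below is an added example written for this thread, not a config or tool from the original posters or from Cisco. It works out the per-packet overhead for GRE over ESP, shows at which encapsulation stage a given packet first exceeds the link MTU, and finds the largest cleartext packet that still fits, which is the number you would set as the tunnel `ip mtu` (and, minus 40 bytes, as the TCP MSS clamp). Assumptions, labelled in the code: a 1500-byte MTU on every hop, IPv4 without options, a plain GRE header with no key or sequence number, ESP with HMAC-SHA1-96 (12-byte ICV), and either 3DES or AES-128 in CBC mode; IOS pre-fragmentation behaviour and DF-bit handling are not modelled.

```python
"""GRE-over-IPsec (ESP) overhead and fragmentation budget.

Added example for the thread above; it is not the posters' configuration.
All sizes are assumptions typical of a T1/Ethernet path with IPv4 and ESP.
"""
from dataclasses import dataclass

LINK_MTU = 1500       # assumed MTU on every hop (serial T1 and Ethernet)
IP_HDR = 20           # IPv4 header without options
GRE_HDR = 4           # basic GRE header: no key, no sequence number
ESP_HDR = 8           # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2       # pad length (1 byte) + next header (1 byte)
TCP_HDR = 20          # TCP header without options, for the MSS clamp


@dataclass(frozen=True)
class EspTransform:
    name: str
    block: int      # cipher block size; ESP pads (payload + trailer) to this
    iv: int         # IV length in bytes (8 for 3DES-CBC, 16 for AES-CBC)
    icv: int        # integrity check value, 12 bytes for HMAC-SHA1-96
    tunnel: bool    # tunnel mode adds a new outer IPv4 header


# Transform sets assumed for the comparison (names are descriptive only).
TRANSFORMS = {
    "3des-sha-tunnel": EspTransform("ESP 3DES/SHA1, tunnel mode", 8, 8, 12, True),
    "aes128-sha-tunnel": EspTransform("ESP AES-128/SHA1, tunnel mode", 16, 16, 12, True),
    "3des-sha-transport": EspTransform("ESP 3DES/SHA1, transport mode", 8, 8, 12, False),
}


def gre_size(inner_len: int) -> int:
    """Size of an IP packet after GRE encapsulation (new outer IP + GRE)."""
    return inner_len + IP_HDR + GRE_HDR


def esp_size(inner_len: int, t: EspTransform) -> int:
    """Size of an ESP packet carrying inner_len bytes of plaintext."""
    # ESP pads so that (plaintext + pad + trailer) is a multiple of the block size.
    pad = (-(inner_len + ESP_TRAILER)) % t.block
    outer_ip = IP_HDR if t.tunnel else 0
    return outer_ip + ESP_HDR + t.iv + inner_len + pad + ESP_TRAILER + t.icv


def encap_chain(clear_len: int, t: EspTransform, mtu: int = LINK_MTU):
    """Sizes at each encapsulation stage on the branch router.

    Returns a list of (stage, size, exceeds_mtu). The first stage that
    exceeds the MTU is where fragmentation would have to happen.
    """
    g = gre_size(clear_len)
    e = esp_size(g, t)
    return [
        ("cleartext IP packet", clear_len, clear_len > mtu),
        ("after GRE encapsulation", g, g > mtu),
        ("after ESP encapsulation", e, e > mtu),
    ]


def max_clear_payload(t: EspTransform, mtu: int = LINK_MTU) -> int:
    """Largest cleartext IP packet that still fits one MTU after GRE + ESP.

    This is the value to use as the GRE tunnel interface 'ip mtu' so that
    fragmentation happens once, on the cleartext packet, instead of twice.
    """
    for n in range(mtu, 0, -1):
        if esp_size(gre_size(n), t) <= mtu:
            return n
    return 0


def tcp_mss_for(clear_mtu: int) -> int:
    """TCP MSS that fits a cleartext MTU (subtract IPv4 and TCP headers)."""
    return clear_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for key, t in TRANSFORMS.items():
        print(f"\n{t.name}")
        for stage, size, frag in encap_chain(1500, t):
            flag = "  <-- exceeds MTU, fragments" if frag else ""
            print(f"  {stage:<26} {size:5d} bytes{flag}")
        mtu = max_clear_payload(t)
        print(f"  tunnel ip mtu {mtu}, tcp adjust-mss {tcp_mss_for(mtu)}")
```

Run as-is and it shows that a 1500-byte packet already overflows at the GRE stage (1524 bytes) before ESP adds its own 50-odd bytes, which is why the replies expect fragmentation at the branch router first. The overhead-only test the first reply suggests (GRE without IPsec, then GRE with IPsec) maps directly onto the stages printed here. On IOS, `show ip traffic` reports fragmentation counters, which is a quick way to confirm whether the routers are actually fragmenting before you start changing MTU or MSS settings.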