Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member



I've trouble with slow TCP in one way between two sites with DMVPN.

Site A (hub) connected to Internet via Ethernet, Site B (Spoke) via PPPoE.

TCP speed from A to B is slow (100kbps), UDP is well (10Mbps).

TCP speed from B to A is well 2 Mbps, UDP is well (10Mbps).

Delay between sites = 100ms.

Other spokes of DMVPN work well. Only site with PPPoE. I suggest Windows or MSS is incorrect. But where?

Some configs:

Site A.

interface Tunnel0
ip address
  ip mtu 1400

tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN

Site B.

interface FastEthernet0/1
description Internet
no ip address
load-interval 30
duplex auto
speed 10
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable

interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username --- pass ---

interface Tunnel10
ip address
no ip redirects
ip mtu 1400
ip nhrp authentication MyNet
ip nhrp map multicast dynamic

ip tcp adjust-mss 1352
ip ospf network broadcast
ip ospf cost 1500
ip ospf priority 0
cdp enable
tunnel source Dialer1
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN

  • VPN
Everyone's tags (2)
Cisco Employee


Performance cases can be quite time consuming. Let's give it a try but if it will come down to captures I guess it will be best you open a TAC case.

Rememeber that it doesn't have to be fragmenation, but it's a good call ;-)

I'd suggest to watch "show ip traffic" and monitor fragmented packet count.

Regarding fergmentation it should be enough to set MSS on tunnel interfaces.Both endpoints will always pick lowest MSS value of the two introduced in TCP headers in SYN and SYN ACK.

What I would do first of all is check the tunnel to see what is maximum data you can send.

For example:

ping sou df-bit size 1300

Ping from both your hub and spoke and should be tunnel IP addresses.

Increase the size in incrementes of 10 to see where it will start failing.

This is how you can check the path MTU between hub and spoke (of course one of possible ways).


This widget could not be displayed.