I've been noticing problems with dropped packets in secure protocols through our site-to-site VPNs since migrating the central site over from a PIX to an ISR. It looks as though packets for protocols such as SSH / HTTPS could not be fragmented before transmission down the tunnel and were already too big to accommodate the tunnel overheads within the router interface MTU of 1500.
Could this be the case?
Dropping the mtu to 1400 for the machine initiating the ssh connection at the remote site seems to have solved the problem, but I am wondering why this has only started with the ISR?
I am also seeing very slow throughput in one vpn link from the ISR to an 831 router at a remote site where both routers have an mtu of 1500. Again this is just since the pix was swapped with the ISR. I've dropped encryption down to basic des / md5 and I've cleared a lot of old unused lines out of the acls which has doubled the throughput to ~ 500Kbps, but this is still not the performance we were seeing previously. The processor on the 831 is also getting hammered and is generally ~ 72% when the throughput is 500Kbps (onboard hardware encryption enabled). There also may be a bug in the IOS version on the 831 as the ip mtu nnnn & ip tcp adjust-mss nnnn can be entered but don't stick for eth0.
Sorry about the length of this post and the number of questions, but would appreciate any comments.
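The question above turns on how much of the 1500-byte link MTU the ESP tunnel encapsulation consumes, and why a packet that is sent with the DF bit set (as TCP-based protocols like SSH and HTTPS typically are) gets dropped rather than fragmented. The following is an added example, not code from the thread or from Cisco: it estimates the tunnel-mode ESP overhead from the standard header and trailer sizes for a few transform sets (the DES/MD5 set the poster mentions, plus 3DES/SHA1 and AES-128/SHA1 as assumed alternatives, optionally with NAT-T's extra UDP header), derives the largest inner packet that still fits in the link MTU and the matching TCP MSS clamp value, and classifies a given packet as fitting, fragmented, or dropped. The profile table, the sample packet sizes and the profile names are constructed for illustration; the arithmetic is an estimate of on-the-wire size, not a measurement from any device.

```python
"""Estimate IPsec ESP tunnel-mode overhead and derive a safe inner MTU / TCP MSS.

Constructed example: header sizes are the standard ones (RFC 791, RFC 4303,
RFC 3948); the profile table and sample packets are illustrative assumptions.
"""
from dataclasses import dataclass

OUTER_IPV4 = 20   # new outer IPv4 header added in tunnel mode
NAT_T_UDP = 8     # UDP header inserted when NAT traversal is in use
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
IPV4_HDR = 20     # inner IPv4 header (no options)
TCP_HDR = 20      # inner TCP header (no options)


@dataclass(frozen=True)
class EspProfile:
    """Per-transform-set sizes that affect the encapsulated packet length."""
    name: str
    iv_len: int    # cipher IV carried in clear after the ESP header
    block: int     # cipher block size the encrypted portion is padded to
    icv_len: int   # integrity check value appended after the trailer


# Assumed profiles: DES-CBC/3DES-CBC use an 8-byte IV and block, AES-CBC 16;
# HMAC-MD5-96 and HMAC-SHA1-96 both append a 12-byte truncated ICV.
PROFILES = {
    "des-md5": EspProfile("des-md5", iv_len=8, block=8, icv_len=12),
    "3des-sha1": EspProfile("3des-sha1", iv_len=8, block=8, icv_len=12),
    "aes128-sha1": EspProfile("aes128-sha1", iv_len=16, block=16, icv_len=12),
}


def esp_padding(inner_len: int, block: int) -> int:
    """Bytes of padding so that payload + padding + trailer is a block multiple."""
    return (-(inner_len + ESP_TRAILER)) % block


def encapsulated_size(inner_len: int, profile: EspProfile, nat_t: bool = False) -> int:
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP tunnel mode."""
    pad = esp_padding(inner_len, profile.block)
    return (OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HDR + profile.iv_len
            + inner_len + pad + ESP_TRAILER + profile.icv_len)


def max_inner_mtu(link_mtu: int, profile: EspProfile, nat_t: bool = False) -> int:
    """Largest inner IP packet whose encapsulated form still fits in link_mtu."""
    for inner_len in range(link_mtu, 0, -1):
        if encapsulated_size(inner_len, profile, nat_t) <= link_mtu:
            return inner_len
    return 0


def recommended_mss(link_mtu: int, profile: EspProfile, nat_t: bool = False) -> int:
    """TCP MSS to clamp to (what 'ip tcp adjust-mss' would carry) for this tunnel."""
    return max_inner_mtu(link_mtu, profile, nat_t) - IPV4_HDR - TCP_HDR


def classify(inner_len: int, link_mtu: int, profile: EspProfile,
             df_set: bool, nat_t: bool = False) -> str:
    """What happens to one inner packet at the encrypting router.

    'fits'       : encapsulated packet is within the link MTU.
    'fragmented' : DF clear, so the router can split the outer packet.
    'dropped'    : DF set and too large; the router must drop it and should
                   send ICMP 'fragmentation needed' back to the sender.
    """
    if encapsulated_size(inner_len, profile, nat_t) <= link_mtu:
        return "fits"
    return "dropped" if df_set else "fragmented"


if __name__ == "__main__":
    des = PROFILES["des-md5"]
    print("des-md5, 1500 link MTU: max inner", max_inner_mtu(1500, des),
          "-> MSS", recommended_mss(1500, des))
    # a full-size 1500-byte SSH segment with DF set does not survive the tunnel
    print("1500-byte DF packet:", classify(1500, 1500, des, df_set=True))
    # the host MTU of 1400 the poster settled on leaves room for the overhead
    print("1400-byte DF packet:", classify(1400, 1500, des, df_set=True))
    aes = PROFILES["aes128-sha1"]
    print("aes128-sha1 + NAT-T: max inner", max_inner_mtu(1500, aes, nat_t=True))
```

Run stand-alone it prints the budget for each profile; the useful takeaway is that even the lightest DES/MD5 set costs roughly 50 bytes plus padding, so a 1500-byte DF-marked segment cannot be encrypted without exceeding the outer MTU, and a host MTU of 1400 or an MSS clamp in the low 1400s leaves enough headroom for any of these profiles. A heavier transform set or NAT-T shrinks the budget further, which is why an MSS derived from the actual transform set is safer than a value copied between sites.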
It looks like you've answered most of your own questions and a review of your code versions and the capability of the devices onsite may need to be reviewed in terms of requirements and throughput. You identify that the key difference is the ISR and the fix was to set the mtu on the host machine. In an effort to understand what you're seeing sent and what's received then I'd recommend that you look to implementing a wire trace if viable at each end. Smells of tcp auto-tuning but that would be shooting from the hip.