
packet loss on ipsec tunnel

noran01
Level 3

I currently have 2 routers (one at each site). Both are running 12.3(9e). One router is a 2621 and the other is a 2611XM.

This is the relevant config:

Router A:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key ***** address x.x.x.98 no-xauth
!
!
crypto ipsec transform-set farm-jc-ts esp-3des esp-md5-hmac
!
crypto map farm-jc 10 ipsec-isakmp
 set peer x.x.x.98
 set transform-set farm-jc-ts
 match address acl_farm-jc-tunnel
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
 crypto map farm-jc
!
interface FastEthernet0/1
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat Stateful id 11
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 10.1.1.0 255.255.255.0 FastEthernet0/0
ip access-list extended acl_farm-jc-tunnel
 permit icmp 192.168.4.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit tcp 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255 eq www
 permit tcp 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 443
 permit tcp 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 22
ip access-list extended acl_nat
 deny ip 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 any

Router B:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key ***** address x.x.x.199 no-xauth
!
!
crypto ipsec transform-set jc-farm-ts esp-3des esp-md5-hmac
!
crypto map jc-farm 10 ipsec-isakmp
 set peer x.x.x.199
 set transform-set jc-farm-ts
 match address acl_jc-farm-tunnel
!
!
!
!
interface FastEthernet0/0
 ip address 10.1.1.5 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address x.x.x.98 255.255.255.224
 ip nat outside
 speed auto
 full-duplex
 crypto map jc-farm
!
ip nat inside source list acl_nat interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 <gw_ip>
ip route 10.1.0.0 255.255.0.0 FastEthernet0/0
ip route 192.168.4.0 255.255.255.0 FastEthernet0/1
!
ip access-list extended acl_jc-farm-tunnel
 permit icmp 10.1.0.0 0.0.255.255 192.168.4.0 0.0.0.255
 permit tcp 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq www
 permit tcp 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 443
 permit tcp 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 22
ip access-list extended acl_nat
 deny ip 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
 permit ip 10.1.3.0 0.0.0.255 any
 permit ip 10.1.4.0 0.0.0.255 any
 permit ip 10.1.5.0 0.0.0.255 any

I can ping across from each private LAN to the other, but it's about 50% packet loss.

Output of 'sh cry is sa' shows QM_IDLE on both sides.
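As an added example (not from the thread or either router's configuration), here is a small Python check for the property the poster's later reply runs into: every crypto ACL entry must appear on the peer with source and destination swapped, ports included, or the replies are not selected for the security association by that peer and leave it outside the tunnel. It embeds the two crypto ACLs above as constructed sample input and assumes a small table for IOS port keywords (www = 80); unmirrored(ROUTER_A_ACL, ROUTER_B_ACL) returns the three TCP entries, each paired with the line Router B would need.

```python
# Constructed sample input: the two crypto ACLs as posted for Router A and Router B.
ROUTER_A_ACL = """permit icmp 192.168.4.0 0.0.0.255 10.1.0.0 0.0.255.255
permit tcp 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255 eq www
permit tcp 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 443
permit tcp 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 22
"""
ROUTER_B_ACL = """permit icmp 10.1.0.0 0.0.255.255 192.168.4.0 0.0.0.255
permit tcp 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq www
permit tcp 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 443
permit tcp 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 22
"""
PORT_NAMES = {"www": "80"}  # assumed table of IOS port keywords; extend as needed

def parse_ace(line):
    """Split an extended ACE into (action, proto, src, sport, dst, dport)."""
    tok, pos = line.split(), 2
    def addr():  # 'any' is one token; 'host X' and 'NET WILDCARD' are two
        nonlocal pos
        n = 1 if tok[pos] == "any" else 2
        pos += n
        return " ".join(tok[pos - n:pos])
    def port():  # only 'eq PORT' is handled; keywords normalised to numbers
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return PORT_NAMES.get(tok[pos - 1], tok[pos - 1])
        return None
    src, sport, dst, dport = addr(), port(), addr(), port()
    return (tok[0], tok[1], src, sport, dst, dport)

def mirror(ace):  # the entry the peer must carry: src and dst, ports included, swapped
    action, proto, src, sport, dst, dport = ace
    return (action, proto, dst, dport, src, sport)

def render(ace):  # write an ACE back in IOS syntax with numeric ports
    action, proto, src, sport, dst, dport = ace
    side = lambda a, p: a + (f" eq {p}" if p else "")
    return f"{action} {proto} {side(src, sport)} {side(dst, dport)}"

def unmirrored(local_acl, peer_acl):
    """(local entry, entry the peer lacks) for each local ACE whose exact mirror is
    missing on the peer: its replies are not selected for the SA by that peer."""
    peer = {render(parse_ace(l)) for l in peer_acl.splitlines() if l.strip()}
    gaps = []
    for ace in (parse_ace(l) for l in local_acl.splitlines() if l.strip()):
        if render(mirror(ace)) not in peer:
            gaps.append((render(ace), render(mirror(ace))))
    return gaps
```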

Accepted Solution

5220
Level 4

Hi,

Try the following commands on the interfaces:

no ip route-cache

no ip mroute-cache

no ip route-cache cef

no ip route-cache flow

And global:

no ip cef

Please rate if this helped.

Regards,

Daniel


9 Replies


I was just about to reply that disabling 'ip cef' fixed my problem. Thanks for your reply.

The only problem I have now is that for some reason the ACLs aren't all working. I can ping from one host to another on the remote LAN, but that's it. Even though I have entries for 22, 80, and 443 they won't work. Any ideas?

Never mind... I forgot to do an 'established' ACL for my TCP connections!

Hi,

I'm unclear about disabling CEF! Would you explain why?

Even though disabling CEF has resolved the issue, why must CEF be disabled? And why is CEF programmed by Cisco? What if you are trying to use MPLS, where CEF is mandatory? What if you have to use NBAR, where CEF is also a must?

Thanks

Hi Kamal,

Check the Caveats section on this:

http://cisco.com/en/US/customer/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml

I believe it is just an IOS problem.

But really, ip cef is not that important on a 2-3 interface router. Anyway IPSEC traffic cannot be processed by CEF.

Please rate if this helped.

Regards,

Daniel

Hi,

I think only "no ip route-cache cef " is needed.

This way the impact on the router will be minimal and still the VPN will work fine.

Regards,

Daniel

What IOS version are you using? I believe this is an IOS issue.

There is a workaround available from Cisco on this.

I am using Version 12.3(9e) on both endpoints.

Hi,

Thanks Daniel, you've refreshed my memory about IPsec traffic and CEF.