
Throughput issues on GRE over IPSec Tunnel

Hi There,

We have been facing a tunnel throughput issue on one of our GRE over IPSec tunnels. Actually the internet bandwidth at site A is 25mbps and at site B is 8mbps, yet when the user performs a throughput test it never goes beyond 1.8 - 2 mbps. When he does the same test without the VPN he gets a handsome 7-8mbps download speed. These tunnels are created with the LAN IPs as the source and destination (vice versa on both the routers).

Router-A:

!
interface Tunnel19
 bandwidth 8192
 ip address 10.74.252.42 255.255.255.252
 keepalive 5 3
 tunnel source 10.72.16.254
 tunnel destination 10.74.36.100
 crypto map vpn
end
!

Router-B:

!
interface Tunnel1
 description ***Tunnel to Alpharetta***
 bandwidth 8192
 ip address 10.74.252.41 255.255.255.252
 ip route-cache flow
 keepalive 10 3
 tunnel source 10.74.36.100
 tunnel destination 10.72.16.254
 crypto map vpn
end
!

Please let me know the possible reasons and/or how to troubleshoot it further. I will provide further information as per your requests.

Thanks,

Gaurav

2 REPLIES

Throughput issues on GRE over IPSec Tunnel

hello - could be a fragmentation issue - have a look at the following doc:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

following link shows how to work out your mtu

http://wansend.wordpress.com/2007/05/17/using-ping-to-find-largest-mtu-along-a-vpn-route/

you can then use the "ip tcp adjust-mss" command on your tunnel interfaces with the correct mtu value

hth

andy

Throughput issues on GRE over IPSec Tunnel

Hi,

It's the issue of tunnels fragmenting the packets which go above its ip mtu, which is 1476 bytes, and IPsec adds another 58-74 bytes depending on the encryption you use. So the total packet size would come down to roughly 1400 bytes, which means your actual data (payload) will be 1360 bytes. As you can see, that's a significant drop in terms of throughput.

You can see the fragmentation issue by typing the command "sh ip traffic | i frag". That should give you a good hint of how many packets are getting fragmented.

The way to counter this is to set the ip mtu on the tunnel interface to 1400 bytes. This is the recommended one, if you will. You can lower it if you want as well. You can combine it with "ip tcp adjust-mss".

HTH

Kishore
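
The packet-size arithmetic behind the two replies, as an added example that is not part of the original thread: it computes the on-the-wire size of a GRE over IPsec packet and the largest tunnel ip mtu that avoids fragmentation. The thread does not state the transform set, so ESP with AES-CBC and HMAC-SHA1-96, no NAT-T and a 1500-byte path MTU are assumptions, and the function names are hypothetical.

```python
# Added example: packet-size arithmetic for GRE over IPsec ESP (IPv4).
# Assumed, not stated in the thread: ESP with AES-CBC + HMAC-SHA1-96, no NAT-T,
# 1500-byte path MTU. Header sizes follow RFC 2784 (GRE) and RFC 4303 (ESP).

IP_HDR = 20      # IPv4 header without options
GRE_HDR = 4      # basic GRE header, no key/sequence/checksum
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad-length + next-header bytes
TCP_HDR = 20     # TCP header without options


def esp_packet_size(inner_len, iv=16, block=16, icv=12, tunnel_mode=True):
    """On-the-wire size of one inner IP packet after GRE, then ESP."""
    gre_packet = IP_HDR + GRE_HDR + inner_len
    # Tunnel mode encrypts the whole GRE packet and adds a new IP header;
    # transport mode leaves the GRE delivery header outside, in the clear.
    plaintext = gre_packet if tunnel_mode else gre_packet - IP_HDR
    # Pad so that plaintext + trailer fills whole cipher blocks.
    padded = -(-(plaintext + ESP_TRAILER) // block) * block
    return IP_HDR + ESP_HDR + iv + padded + icv


def max_inner_packet(path_mtu=1500, **esp):
    """Largest inner packet that still leaves as one unfragmented packet."""
    size = path_mtu
    while size > 0 and esp_packet_size(size, **esp) > path_mtu:
        size -= 1
    return size


def tcp_mss(ip_mtu):
    """MSS to clamp to for a given tunnel ip mtu (no IP or TCP options)."""
    return ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for mtu in (1476, 1400):
        wire = esp_packet_size(mtu)
        verdict = "fragments" if wire > 1500 else "fits"
        print(f"ip mtu {mtu}: {wire} bytes on the wire, {verdict}; MSS {tcp_mss(mtu)}")
    print("largest inner packet, tunnel mode:", max_inner_packet())
    print("largest inner packet, transport mode:", max_inner_packet(tunnel_mode=False))
```

Pass `iv=8, block=8` to model 3DES-CBC instead of AES-CBC; the values that come out should be confirmed on the routers with the fragmentation counters mentioned above.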
