Router problem with L2TPv3 over IPsec over the internet: 100% CPU utilization caused by packet reassembly.

ROBERTO TACCON
Level 4

*** Here's the environment:

2 routers (Catalyst 2801 and 2821), each connected to the "big internet".

Between the routers there are:

- an IPsec VPN

- inside the IPsec VPN, an L2TPv3 tunnel.

*** Here's the problem:

When I test the connection I get the result I expect as long as the packet size is smaller than 1400.

Once the packet size is 1500, the CPU of one of the two routers goes to 100% and the throughput drops to +/- 1 Mb/s.

Is there any option to avoid the problem with IPv4 traffic (TCP and UDP)?

Can you check the configuration (in particular the MTU and MSS options)?

Is there any configuration option/feature to avoid 100% CPU utilization?

Here is the configuration:

Router 1:
---------
version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
no service password-encryption
!
hostname router-1
!
boot-start-marker
boot system flash:c2801-adventerprisek9-mz.124-25c.bin
boot-end-marker
!
logging buffered 64000 debugging
no logging console
!
no aaa new-model
ip cef
!
ip domain name cisco.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
voice-card 0
!
username xxxxxxxxxxxxxx privilege 15 xxxxxxxxxxxx
!
ip ssh version 1
pseudowire-class vlan-xconnect
 encapsulation l2tpv3
 protocol none
 ip local interface Loopback1
 ip tos reflect
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 1.20.1.157
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description *** Tunnel to 1.20.1.157
 set peer 1.20.1.157
 set transform-set ESP-AES256-SHA
 match address 100
!
interface Loopback1
 description *** L2TPv3 Tunnel Source
 ip address 172.20.20.251 255.255.255.255
 ip mtu 1420
 ip tcp adjust-mss 1300
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description *** LAN INTERNAL
 no ip address
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
 no cdp enable
 xconnect 172.20.20.250 1 encapsulation l2tpv3 manual pw-class vlan-xconnect
  l2tp id 1002 2001
  l2tp cookie local 4 102
  l2tp cookie remote 4 201
!
interface FastEthernet0/1
 description *** INTERNET
 ip address 2.1.4.7 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.1.4.6
!
no ip http server
no ip http secure-server
!
access-list 100 remark IPSec phase 2 Rule
access-list 100 permit ip host 172.20.20.251 host 172.20.20.250
access-list 100 deny   ip any any log
!
control-plane
!
line con 0
 login local
line aux 0
line vty 0 5
 exec-timeout 5 0
 login local
!
scheduler allocate 20000 1000

Router 2:
---------
version 12.4
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname router-2
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-25c.bin
boot-end-marker
!
logging buffered 64000 debugging
no logging console
!
aaa new-model
!
aaa authentication login default local
aaa authentication login clientauth local
aaa authorization exec default local
!
aaa session-id common
clock timezone Rome 1
clock summer-time Rome recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
ip cef
!
ip domain name cisco.com
ip multicast-routing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 60 attempts 3 within 20
login on-failure log
login on-success log
!
voice-card 0
 no dspfarm
!
username xxxxxxxxxxx privilege 15 password xxxxxxxxxxxxxxxxxxxxxxxx
archive
 log config
  hidekeys
!
pseudowire-class vlan-xconnect
 encapsulation l2tpv3
 protocol none
 ip local interface Loopback1
 ip tos reflect
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 2.1.4.7
crypto isakmp keepalive 120 5
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description *** Tunnel to 2.1.4.7
 set peer 2.1.4.7
 set transform-set ESP-AES256-SHA
 match address 100
!
interface Loopback0
 no ip address
 load-interval 30
!
interface Loopback1
 description *** L2TPv3 Tunnel Source
 ip address 172.20.20.250 255.255.255.255
 ip mtu 1420
 ip tcp adjust-mss 1300
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description ** To Internet **
 ip address 1.20.1.157 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 load-interval 30
!
interface GigabitEthernet0/1
 description ** To internal networks **
 no ip address
 ip tcp adjust-mss 1300
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 xconnect 172.20.20.251 1 encapsulation l2tpv3 manual pw-class vlan-xconnect
  l2tp id 2001 1002
  l2tp cookie local 4 201
  l2tp cookie remote 4 102
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.20.1.156 name default
!
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 1000
!
no ip http server
no ip http secure-server
!
access-list 100 remark IPSec phase 2 Rule
access-list 100 permit ip host 172.20.20.250 host 172.20.20.251
access-list 100 deny   ip any any log
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 5 0
 transport input telnet ssh
 escape-character 3
!
scheduler allocate 20000 1000

7 Replies

paolo bevilacqua
Hall of Fame

Can't you configure your systems so as to avoid bridging in the first place?

Edison Ortiz
Hall of Fame

Fragmentation is to be avoided in PW topologies. What you are seeing is quite normal.

Please refer to this article http://tools.ietf.org/html/draft-ietf-pwe3-fragmentation-10

1) As my transport is the "big internet", the path MTU between the 2 routers can be controlled.

2) As the traffic inside the tunnel (the private traffic) is IP over Ethernet (1500 bytes) and the IPsec and L2TPv3 headers add overhead, I need to fragment, as the traffic between servers is UDP and TCP with or without DF ...

Are there any L2TPv3 and IPsec header compression methods?

Which L2TPv3 configuration uses the minimum header?

Which IPsec encryption protocol configuration uses the minimum header?

ROBERTO TACCON
Level 4

The customer has 2 small data centers connected by different ISPs: in the 1st (old) DC there are 50 servers with private IP 10.0.0.0/24 and public IP x.x.x.x/24 (the public IP addresses are PA assigned); in the 2nd (new) DC there is nothing (now).

The customer needs to connect the 2 DCs in the fastest way and "bring" the servers onto the old and the new DC.

As the only connection between the 2 DCs is the internet, I am trying to use an L2L VPN bridging the traffic...

Are there any other fast solutions using the internet (L2TPv3 over IPsec)? (Using a simple IPsec VPN would require NAT.)

Thanks for all !

Roberto Taccon

You have one of the few cases in which bridging would really be needed. Unfortunately, it never works well over the internet.

Try bridging over GRE (unsupported, may work)

Thanks for the solution with GRE ...

Please can you check the following sample configuration, with internet IPs as the GRE tunnel source and destination:

Is it possible to use "no ip address" on the GRE tunnel?

How can I resolve the extra GRE header encapsulation with the MTU?

#router-1
!
bridge irb
bridge 1 protocol ieee
!
interface Tunnel1
 description GRE tunnel to router-2
 no ip address
 tunnel source FastEthernet0/1
 tunnel destination 8.8.8.9
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0/0
 description Link to lan 10.0.0.0/24
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0/1
 description *** Link to internet
 ip address 1.2.3.5 255.255.255.252
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 1.2.3.6
!

#router-2
!
bridge irb
bridge 1 protocol ieee
!
interface Tunnel1
 description GRE tunnel to router-1
 no ip address
 tunnel source FastEthernet0/1
 tunnel destination 1.2.3.5
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0/0
 description Link to lan 10.0.0.0/24
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0/1
 description *** Link to internet
 ip address 8.8.8.9 255.255.255.252
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 8.8.8.10
!
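An added example (not from the thread, nor Cisco code) that does the encapsulation arithmetic behind the MTU/MSS questions in the original post and the GRE question just above, for both the L2TPv3-over-IPsec design and the bridged-GRE alternative. It assumes a 1500-byte path MTU on the internet side and the IOS defaults listed in the comments (L2TPv3 carried directly in IPv4 with no sequencing, 4-byte cookies as configured, tunnel-mode ESP with AES-256-CBC and SHA-1 HMAC, untagged Ethernet frames); the `check_config` helper is my construction.

```python
# Added example, not from the thread: bytes on the wire for one inner IP packet.
# Assumptions (not stated on the page): L2TPv3 directly over IPv4 (IOS default,
# no UDP), no L2TPv3 sequencing, 4-byte cookies, untagged Ethernet frames (14-byte
# header, FCS stripped), tunnel-mode ESP with a 16-byte IV/block and 12-byte ICV.
ETH_HDR, IPV4_HDR, GRE_HDR, L2TPV3_SESSION_ID = 14, 20, 4, 4

def l2tpv3_size(inner_frame: int, cookie: int = 4) -> int:
    """L2TPv3-over-IP packet carrying one Ethernet frame."""
    return IPV4_HDR + L2TPV3_SESSION_ID + cookie + inner_frame

def esp_tunnel_size(payload: int, block: int = 16, iv: int = 16, icv: int = 12) -> int:
    """ESP tunnel-mode packet (outer IPv4 + ESP) wrapping an inner IP packet."""
    padded = -(-(payload + 2) // block) * block  # payload + 2-byte trailer, block-aligned
    return IPV4_HDR + 8 + iv + padded + icv      # 8 = SPI + sequence number

def l2tpv3_ipsec_size(inner_ip: int) -> int:
    """Wire size on the internet link for the posted L2TPv3-over-IPsec design."""
    return esp_tunnel_size(l2tpv3_size(ETH_HDR + inner_ip))

def gre_size(inner_ip: int) -> int:
    """Wire size for the bridged-GRE alternative (outer IPv4 + GRE + frame)."""
    return IPV4_HDR + GRE_HDR + ETH_HDR + inner_ip

def max_inner_ip(size_fn, path_mtu: int = 1500) -> int:
    """Largest inner IP packet that leaves the WAN interface without fragmenting."""
    n = path_mtu
    while size_fn(n) > path_mtu:
        n -= 1
    return n

def check_config(size_fn, ip_mtu: int, adjust_mss: int, path_mtu: int = 1500) -> list:
    """Findings for a posted 'ip mtu' / 'ip tcp adjust-mss' pair (MSS = MTU - 40)."""
    limit = max_inner_ip(size_fn, path_mtu)
    findings = []
    if ip_mtu > limit:
        findings.append(f"ip mtu {ip_mtu} > {limit}: packets of that size fragment on the WAN")
    if adjust_mss > limit - 40:
        findings.append(f"adjust-mss {adjust_mss} > {limit - 40}: full TCP segments fragment")
    return findings

if __name__ == "__main__":
    for name, fn in (("L2TPv3 over IPsec", l2tpv3_ipsec_size), ("bridged GRE", gre_size)):
        print(f"{name}: 1500-byte inner packet -> {fn(1500)} bytes on the wire; "
              f"largest unfragmented inner packet {max_inner_ip(fn)}")
    # values from the posted Loopback1 configuration
    print(check_config(l2tpv3_ipsec_size, ip_mtu=1420, adjust_mss=1300) or "MTU/MSS OK")
```

Under these assumptions a 1500-byte inner packet becomes 1608 bytes on the wire and anything above 1396 bytes is fragmented at the internet interface, which matches the 1400-byte threshold reported in the original post; the `adjust-mss 1300` clamp is safe, but `ip mtu 1420` is above that limit.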

I think you need an additional pair of routers, with IP routing disabled, for bridging over GRE.

You cannot do anything about the MTU. Just hope applications will still work. They may not.
