11-03-2008 05:01 AM - edited 02-21-2020 03:04 AM
Hi,
I have a Cisco 2621XM router set up running IOS 12.4(21a), which provides internet connectivity via an ADSL line. The router also has several site-to-site VPNs and GRE/IPsec tunnels. Connectivity to the sites via the GRE/IPsec tunnels works without a problem, as does internet connectivity.
The site-to-site IPsec tunnels (non-GRE) to other client sites currently display the following: the VPN tunnels come up and pass traffic, however, there seems to be packet loss. If I open a ping to a remote host I get reply, request timed out, reply etc. Also, RDP fails to work altogether and SSH is extremely slow.
A constant ping to http://www.google.com or to a host over the GRE/IPsec tunnel is constant and works fine. I have tried a different router in its place and get the same issue.
Any help with this would be greatly appreciated.
Below is the config:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 10
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key sitea address x.x.x.x
crypto isakmp key siteb address x.x.x.x
crypto isakmp key sitec address x.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
mode transport
!
crypto map crypto_map 10 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-SHA
set pfs group2
match address acl_gre_traffic_n1
crypto map crypto_map 20 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-SHA
set pfs group2
match address acl_gre_traffic_n2
crypto map crypto_map 30 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address acl_crypto_map30
crypto map crypto_map 40 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address acl_crypto_map40
crypto map crypto_map 50 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-MD5
match address acl_crypto_map50
!
interface Tunnel0
ip address 192.168.100.1 255.255.255.252
ip nat inside
ip virtual-reassembly
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination x.x.x.x
crypto map crypto_map
!
interface Tunnel1
ip address 192.168.200.1 255.255.255.252
ip nat inside
ip virtual-reassembly
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination x.x.x.x
crypto map crypto_map
!
interface FastEthernet0/0
description Outside Interface
ip address x.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed 100
crypto map crypto_map
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
description Inside Interface
ip address x.x.x.x 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip nat pool crypto_map30_pool x.x.x.x x.x.x.x netmask 255.255.255.0
ip nat pool crypto_map40_pool x.x.x.x x.x.x.x netmask 255.255.255.192
ip nat inside source route-map route_map_nat interface FastEthernet0/0 overload
ip nat inside source route-map route_map_crypto_map30 pool crypto_map30_pool
ip nat inside source route-map route_map_crypto_map40 pool crypto_map40_pool
ip dns server
!
route-map route_map_nat permit 1
match ip address acl_nat
!
route-map route_map_crypto_map40 permit 1
match ip address acl_crypto_map40_nat
!
route-map route_map_crypto_map30 permit 1
match ip address acl_crypto_map30_nat
!
11-04-2008 03:09 AM
This is most probably an MTU issue; set the TCP MSS and MTU on your tunnel interface to something much lower than the default, e.g.:
ip mtu 1400
ip tcp adjust-mss 1360
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
Regards
Farrukh
11-04-2008 06:44 AM
Hi,
Thanks for the reply. Strangely the VPN tunnels that terminate off the Tunnel interfaces don't have a problem, it's just the non-GRE IPSEC tunnels. I've tried adjusting the mtu sizes on the physical outside interface using the above commands, however, I still have the same problem.
I've also tried using the 'mtu 1400' command on the physical interface, however I get:
% Interface FastEthernet0/0 does not support user settable mtu.
Thanks
11-04-2008 07:00 AM
Then please try adding the following command:
crypto ipsec fragmentation before-encryption
Just make sure you reset the phase1/phase2 VPN connection after making the change.
http://www.cisco.com/en/US/docs/ios/12_1/12_1e11/feature/guide/lookaheadfrag.html
Regards
Farrukh
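Added example, not from the thread or from Cisco: a small Python model of the overhead ESP adds with the posted transform-sets (3DES-CBC with HMAC-SHA1-96 or HMAC-MD5-96), so the effect of the suggested `ip mtu 1400` / `ip tcp adjust-mss 1360` pair and of pre-fragmentation can be checked arithmetically. It assumes a 1500-byte Ethernet MTU on the outside interface, GRE without key/sequence options (as in the posted tunnels), and that the non-GRE crypto-map entries negotiate tunnel mode; none of these are stated in the thread.

```python
# Added example (not from the thread): ESP/GRE overhead arithmetic for the
# transform-sets in the posted config (3DES-CBC + HMAC-96). Header sizes are
# the RFC 2406/4303 values; link MTU of 1500 is an assumption.
IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
GRE_HDR = 4        # GRE with no key/sequence/checksum (as on Tunnel0/Tunnel1)
ESP_SPI_SEQ = 8    # SPI (4) + sequence number (4)
ESP_IV_3DES = 8    # 3DES-CBC block size, also the IV length
ESP_TRAILER = 2    # pad length (1) + next header (1)
ESP_ICV = 12       # HMAC-SHA1-96 and HMAC-MD5-96 both truncate to 96 bits


def esp_size(plaintext_len):
    """Bytes on the wire once ESP (3DES + HMAC-96) protects plaintext_len
    bytes; the 20-byte IP header outside ESP is the delivery header in
    transport mode or the new outer header in tunnel mode."""
    padded = -(-(plaintext_len + ESP_TRAILER) // ESP_IV_3DES) * ESP_IV_3DES
    return IP_HDR + ESP_SPI_SEQ + ESP_IV_3DES + padded + ESP_ICV


def gre_ipsec_size(tcp_payload):
    """TCP segment over a GRE tunnel protected by the transport-mode crypto
    map on Tunnel0/Tunnel1: ESP covers GRE header + full inner IP packet."""
    inner = IP_HDR + TCP_HDR + tcp_payload
    return esp_size(GRE_HDR + inner)


def lan2lan_size(tcp_payload):
    """Same segment through a non-GRE crypto-map entry. Assumption: tunnel
    mode is negotiated because the proxy identities are subnets, not peers."""
    inner = IP_HDR + TCP_HDR + tcp_payload
    return esp_size(inner)


def fits(link_mtu, tcp_payload, size_fn):
    """True if the encrypted packet needs no fragmentation on link_mtu."""
    return size_fn(tcp_payload) <= link_mtu


def max_mss(link_mtu, size_fn):
    """Largest TCP payload whose encrypted packet still fits in link_mtu;
    the value to give 'ip tcp adjust-mss' if you want zero fragmentation."""
    mss = link_mtu
    while size_fn(mss) > link_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for name, fn in (("GRE/IPsec transport", gre_ipsec_size),
                     ("LAN-to-LAN tunnel", lan2lan_size)):
        print(f"{name}: default 1460-byte MSS -> {fn(1460)} bytes on wire "
              f"(fits 1500: {fits(1500, 1460, fn)}); MSS 1360 -> {fn(1360)} "
              f"bytes; largest fragmentation-free MSS = {max_mss(1500, fn)}")
```

A full-size 1500-byte inner packet grows past 1500 bytes in both encapsulations, so without `adjust-mss` it is either fragmented after encryption (reassembled only at the far crypto endpoint) or dropped when DF is set, which matches the symptoms of intermittent pings and stalled RDP/SSH.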
11-04-2008 07:28 AM
Hi,
Once again thanks for the response. I have tried the above, however, I am still experiencing the same problem, having brought the VPN tunnels down.
According to the site pre-fragmentation should be on by default.
Thanks
11-10-2008 05:44 AM
Hi,
Just an update on this: as a test I've set up an additional IPsec tunnel to an ASA5505 (my home ASA). Connectivity over this VPN works without any problems.
I find it quite strange that 3 customer VPNs should display the same problems (dropped packets), yet an IPsec VPN to my home firewall works without any problems. Is there anything I can get the customer to do at their end? Is the problem that their MTU values are considerably lower than my outside interface's MTU?
Thanks