
50% Packet loss with IOS 12.3

Hi folks,

Since upgrading our Cisco 2621 from IOS V11.x to 12.3 we are facing serious trouble establishing VPN tunnels.

As clients we use SafeNet SoftRemote software and Netgear FVS328 DSL routers. Both used to work with the old IOS version.

Since upgrading the IOS, many applications don't work with the VPN tunnel or are unacceptably slow.

When pinging through the tunnel we encounter a packet loss of around 50%.

Taking a look into the Cisco router's logs, everything seems to be working perfectly(?).

Has any of you ever faced these problems?

PS. For establishing the tunnel, a pre-shared key with esp-des esp-md5-hmac is used.

Please excuse my bad English.

Sincerely yours

Christian Schaeffler


ehirsel
Level 6

How do you run your pings? Do you run them with the DF bit set with a large payload (i.e., ping -l 1400 -f 1.2.3.4)?

Are you running routing protocols such as RIP or OSPF and tunneling them via GRE over an IPSec tunnel? If your VPN is not an IPSec type, let me know what type it is.

I am thinking that you may have a path MTU discovery issue - I don't know for certain if IOS 12.3 disables the sending of unreachable packets by default, but I do know that IOS 12.0 and higher do disable some things that v11 enabled by default in order to implement better security.

IOS 12.3 will allow you to set the MTU of an IPSec or GRE tunnel independent of what the phy interface MTU is.

Let me know if any of this helps. If you still have problems, please post the configs from all relevant devices.

Note that DSL may use a max MTU of 1492 and not 1500, as 8 bytes are needed for PPPoE/PPPoA and many times, PPPoE is used in DSL or Cable Modem connections.
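
An added example (not part of the replies in this thread) of the size arithmetic behind the path MTU suggestion above: it computes how large a packet becomes after ESP encapsulation with the thread's esp-des esp-md5-hmac transform, and the largest DF-set ping payload that still fits a 1500- or 1492-byte path. It assumes IPv4 without options, ESP tunnel mode, no NAT-T and no GRE; the function names are made up for this example.

```python
# Added example: size of an IPv4 packet after ESP tunnel-mode encapsulation
# with the transform named in the thread (esp-des esp-md5-hmac).
# Assumptions: IPv4 without options, tunnel mode, no NAT-T, no GRE.

OUTER_IP = 20      # new outer IPv4 header
ESP_HEADER = 8     # SPI (4) + sequence number (4)
DES_IV = 8         # DES-CBC initialisation vector
DES_BLOCK = 8      # ciphertext is padded to a multiple of this
ESP_TRAILER = 2    # pad-length byte + next-header byte
ICV = 12           # HMAC-MD5-96 truncated authenticator
FIXED = OUTER_IP + ESP_HEADER + DES_IV + ICV
PING_HEADERS = 20 + 8  # inner IPv4 header + ICMP echo header


def esp_packet_size(inner_len):
    """Outer packet length for an inner IP packet of inner_len bytes."""
    to_encrypt = inner_len + ESP_TRAILER
    padded = -(-to_encrypt // DES_BLOCK) * DES_BLOCK  # round up to block
    return FIXED + padded


def max_inner_packet(path_mtu):
    """Largest inner IP packet whose ESP form fits path_mtu unfragmented."""
    room = path_mtu - FIXED
    if room < DES_BLOCK:
        raise ValueError("path MTU too small for ESP")
    return room - room % DES_BLOCK - ESP_TRAILER


def max_ping_payload(path_mtu):
    """Largest 'ping -l N -f' payload that crosses the tunnel with DF set."""
    return max_inner_packet(path_mtu) - PING_HEADERS


if __name__ == "__main__":
    for mtu in (1500, 1492):  # Ethernet vs. PPPoE, as in the reply above
        print(f"path MTU {mtu}: inner packet <= {max_inner_packet(mtu)}, "
              f"ping -l <= {max_ping_payload(mtu)}")
    # The suggested test, ping -l 1400 -f, on the wire after encapsulation:
    print("ping -l 1400 ->", esp_packet_size(1400 + PING_HEADERS), "bytes")
    # A full-size 1500-byte inner packet exceeds both path MTUs:
    print("1500-byte inner ->", esp_packet_size(1500), "bytes")
```
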

Hi,

I solved my problem (well parts of it).

We could not find out why the SafeNet software didn't work correctly. Maybe it will never work with IOS 12.3? Who knows...

Finally we scrapped the old configuration and now we work with EzVPN and Cisco Client V4.0.5B. I still got some issues with that so be ready for my next threads.

Regards

Chris