06-23-2011 04:49 AM - edited 03-04-2019 12:47 PM
Hi,
I am having a problem while connecting to servers on a remote site, with an exact 10 second latency (ping is normal; SMTP also has the 10 sec latency). On the local LAN, the response is immediate. Furthermore, on the remote site, the servers are natted on the Internet.
Here is the topology.
Site A RouterA 3845 <-Gi0/1 ---------------------------------Gi0/1-> Site B RouterB 3845---->Internet FA0/0/0(vlan 1)
fa0/0/0 vlan1 LAN A -10.100.10.0/24 Gi0/0 LAN B 10.100.1.0/24
--->Internet vlan 2 fa0/0/1
The WAN link is a 100 Mbps wireless link and the connection is on an IPSEC over GRE link.
Router A
interface Vlan1
 description LAN EMMAUS
 ip address 10.100.10.1 255.255.255.0
 ip nat inside
!
!
interface Vlan2
 description Connexion Internet
 bandwidth 512
 ip address xxxx 255.255.255.0
 ip access-group RESTRICTION-ENTREE-INTERNET in
 ip nat outside
!
interface GigabitEthernet0/1
 description ***Connection to Site B
 bandwidth 100000
 ip address 10.100.13.130 255.255.255.128
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
 crypto map vpn-port
interface Tunnel21
 description *** Tunnel A to B
 bandwidth 100000
 ip address 172.16.2.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 10.100.13.129
 ip mtu 1356
router ospf 1
 router-id 10.100.10.1
 log-adjacency-changes
 redistribute static
 network 10.100.10.0 0.0.0.255 area 10
 network 172.16.1.0 0.0.0.3 area 0
 network 172.16.1.4 0.0.0.3 area 0
 network 172.16.1.8 0.0.0.3 area 0
 network 172.16.2.0 0.0.0.3 area 0
ip nat inside source list ACCESS-INTERNET interface Vlan2 overload
ip route 0.0.0.0 0.0.0.0 196.2.10.10
!
ip access-list extended ACCESS-INTERNET
 permit ip host 10.100.10.42 any
 permit ip host 10.100.10.50 any
 permit ip host 10.100.10.51 any
 permit ip host 10.100.10.52 any
Router B
interface GigabitEthernet0/0
 description ***LAN B ***
 ip address 10.100.1.252 255.255.255.0
 ip accounting output-packets
 ip nat inside
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
!
interface GigabitEthernet0/1
 description *** Connection to EMMAUS link ***
 bandwidth 100000
 ip address 10.100.13.129 255.255.255.128
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
 crypto map vpn-port
!
!
interface Vlan1
 description *** Connection to VSAT ***
 bandwidth 512
 ip address xxxxx 255.255.255.248
 ip access-group CONNEXION-ENTRANTE-VSAT in
 ip nat outside
 crypto map vpnmap -- > For external VPNs remote access
interface Tunnel21
 description *** Tunnel B - A ***
 bandwidth 100000
 ip address 172.16.2.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 10.100.13.130
 ip mtu 1356
router ospf 1
 router-id 10.100.1.252
 log-adjacency-changes
 redistribute static subnets
 network 10.100.1.0 0.0.0.255 area 1
 network 172.16.2.0 0.0.0.3 area 0
 network 172.16.3.0 0.0.0.3 area 0
 network 172.16.3.4 0.0.0.3 area 0
 network 172.16.3.8 0.0.0.3 area 0
ip nat pool prxy-pool xxxxx36 xxxxxx36 netmask 255.255.255.248
ip nat inside source static tcp 10.100.1.5 8181 interface Vlan1 8181
ip nat inside source static tcp 10.100.1.46 80 interface Vlan1 80
ip nat inside source route-map PROXY-MAP pool prxy-pool overload
ip nat inside source static 10.100.1.25 xxxxx.37
ip route 0.0.0.0 0.0.0.0 xxxxx.33
The 10.100.1.25 is a mail server.
When I try from LAN A to telnet 10.100.1.25 25, the response is 10 seconds for the 220 reply. However, ssh and ping are immediate. The ip mtu has been reduced to 1356 bytes to compensate for IPSEC over GRE mode.
On LAN B, the response to port 25 on the same server is immediate.
I am suspecting a NAT configuration on Router B.
Could you please help?
Thanks,
Ashley
06-23-2011 05:34 AM
That may very well be a problem with the server; however, on the LAN interface facing the mail server, try
ip tcp adjust-mss 1316
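A way to check whether the 10 seconds are spent on the path or in the server, as an added example that is not part of the original thread: it times the TCP handshake and the wait for the 220 greeting separately. `probe_banner` and `start_delayed_server` are hypothetical names, and the delayed server is a constructed loopback stand-in for the mail server.

```python
import socket
import threading
import time


def probe_banner(host, port=25, timeout=30.0):
    """Return (connect_seconds, banner_seconds, banner_line) for one TCP session."""
    t0 = time.monotonic()
    sock = socket.create_connection((host, port), timeout=timeout)
    t1 = time.monotonic()              # three-way handshake finished
    try:
        data = b""
        while not data.endswith(b"\n"):
            chunk = sock.recv(512)
            if not chunk:              # peer closed before a full line arrived
                break
            data += chunk
        t2 = time.monotonic()          # first greeting line received
    finally:
        sock.close()
    return t1 - t0, t2 - t1, data.decode("ascii", "replace").strip()


def start_delayed_server(delay):
    """Constructed stand-in: a listener that waits `delay` seconds before greeting."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))         # ephemeral port on loopback
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        time.sleep(delay)              # simulated server-side delay
        conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Demo against the constructed server; for the real check, call
    # probe_banner("10.100.1.25") from a host on LAN A and on LAN B.
    port = start_delayed_server(1.0)
    connect_s, banner_s, banner = probe_banner("127.0.0.1", port)
    print(f"connect {connect_s:.3f}s  banner wait {banner_s:.3f}s  {banner!r}")
```

A fast handshake followed by a long banner wait means the delay occurs after the connection is already established, which is the case where a capture on the server side is the next thing to look at.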