04-08-2015 06:18 AM - edited 03-05-2019 01:11 AM
I have a VPN network of Cisco r2821's that we just started managing and they are all linked up with site-to-site IPSEC VPN tunnels. The latency across the circuits is pretty bad, averaging about 200-300ms latency between private networks. I noticed when I reboot the routers, the latency goes back down to normal levels around 20-30ms and connections are great interoffice. After a few hours, it will go back to very poor latency on the circuits. Any ideas as to why this would be happening? It's now reoccurring and after I reboot them it's fine, but only for a few hours before returning to the high latency.
04-08-2015 07:02 AM
Hi,
How much traffic is currently going via the tunnels? There might be a saturation issue.
Do you see any packet drops?
Can you post the below:
sh cry ipsec sa
Make sure to remove your public peers :)
HTH.
Please rate helpful post.
04-08-2015 07:17 AM
Sure, here is the output. I didn't think it was saturation, but it's possible. Only one of the sites is really a heavy user, and they are really the only one to complain because of it.
VPNHeadEnd#sh cry ipsec sa interface: GigabitEthernet0/1 Crypto map tag: partner-map, local addr X.X.X.X protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 41870356, #pkts encrypt: 41870356, #pkts digest: 41870356 #pkts decaps: 80509860, #pkts decrypt: 80509860, #pkts verify: 80509860 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 57681 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0x67602E8C(1734356620) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x594641F(93611039) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2559, flow_id: NETGX:559, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (1199014/22898) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x67602E8C(1734356620) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2560, flow_id: NETGX:560, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4268438/22898) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 807247, #pkts encrypt: 807247, #pkts digest: 807247 #pkts decaps: 744412, #pkts decrypt: 744412, #pkts verify: 744412 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 876 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0x91B00007(2444230663) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x161C66B3(370960051) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2509, flow_id: NETGX:509, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4447145/6815) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x91B00007(2444230663) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2510, flow_id: NETGX:510, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4445992/6815) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 108059322, #pkts encrypt: 108059322, #pkts digest: 108059322 #pkts decaps: 214789956, #pkts decrypt: 214789956, #pkts verify: 214789956 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 2, #recv errors 145228 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0xC06E7810(3228465168) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x41E17A6F(1105295983) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2567, flow_id: NETGX:567, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (3459218/28127) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xC06E7810(3228465168) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2568, flow_id: NETGX:568, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4383140/28127) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.6.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 33356557, #pkts encrypt: 33356557, #pkts digest: 33356557 #pkts decaps: 63846912, #pkts decrypt: 63846912, #pkts verify: 63846912 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 2, #recv errors 45878 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0x8499E1C2(2224677314) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0xD0AB2E73(3500879475) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2543, flow_id: NETGX:543, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (485144/19003) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x8499E1C2(2224677314) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2544, flow_id: NETGX:544, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4252451/19003) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.7.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 467085, #pkts encrypt: 467085, #pkts digest: 467085 #pkts decaps: 306013, #pkts decrypt: 306013, #pkts verify: 306013 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 381 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0xE1D756EB(3788986091) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x39EB69C6(971729350) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2511, flow_id: NETGX:511, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4500639/7329) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xE1D756EB(3788986091) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2512, flow_id: NETGX:512, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4499238/7329) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.8.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 222908, #pkts encrypt: 222908, #pkts digest: 222908 #pkts decaps: 47686, #pkts decrypt: 47686, #pkts verify: 47686 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 441 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0xDA64EC7E(3664047230) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x58525CB5(1481792693) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2523, flow_id: NETGX:523, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4571945/8390) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xDA64EC7E(3664047230) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2524, flow_id: NETGX:524, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4570440/8390) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.9.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 470467, #pkts encrypt: 470467, #pkts digest: 470467 #pkts decaps: 270630, #pkts decrypt: 270630, #pkts verify: 270630 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 451 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0x3DBE34C8(1035875528) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0xF2C32EB4(4072877748) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2507, flow_id: NETGX:507, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4467590/6390) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x3DBE34C8(1035875528) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2508, flow_id: NETGX:508, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4465644/6390) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 177256, #recv errors 0 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.11.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,ipsec_sa_request_sent} #pkts encaps: 72772, #pkts encrypt: 72772, #pkts digest: 72772 #pkts decaps: 23471, #pkts decrypt: 23471, #pkts verify: 23471 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 155496, #recv errors 3151 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.11.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 72772, #pkts encrypt: 72772, #pkts digest: 72772 #pkts decaps: 23471, #pkts decrypt: 23471, #pkts verify: 23471 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 155489, #recv errors 3151 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.12.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 840256, #pkts encrypt: 840256, #pkts digest: 840256 #pkts decaps: 598087, #pkts decrypt: 598087, #pkts verify: 598087 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 11321 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0xB19798D2(2979502290) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x7C9F49DC(2090813916) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2513, flow_id: NETGX:513, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4505152/7469) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xB19798D2(2979502290) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2514, flow_id: NETGX:514, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4492269/7469) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.13.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts 
encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0x0(0) PFS (Y/N): N, DH group: none inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.14.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 113097140, #pkts encrypt: 113097140, #pkts digest: 113097140 #pkts decaps: 216098775, #pkts decrypt: 216098775, #pkts verify: 216098775 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 4, #recv errors 166159 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0x2163A00F(560177167) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0xB6C3FF5B(3066298203) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2565, flow_id: NETGX:565, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (2732956/27639) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x2163A00F(560177167) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2566, flow_id: NETGX:566, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4340587/27639) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local 
ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.15.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 34516028, #pkts encrypt: 34516028, #pkts digest: 34516028 #pkts decaps: 66247849, #pkts decrypt: 66247849, #pkts verify: 66247849 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 54715 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0x214CF9F5(558692853) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x4FB33883(1337145475) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2549, flow_id: NETGX:549, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (940237/20909) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x214CF9F5(558692853) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2550, flow_id: NETGX:550, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4279417/20909) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.19.0/255.255.255.0/0/0) current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 1881150, #pkts encrypt: 1881150, #pkts digest: 1881150 #pkts decaps: 1376268, #pkts decrypt: 1376268, #pkts verify: 1376268 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 4765 local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0xB9BD5D6C(3116195180) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0xDAE46D36(3672403254) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2515, flow_id: NETGX:515, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4381143/7744) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xB9BD5D6C(3116195180) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2516, flow_id: NETGX:516, sibling_flags 80000046, crypto map: partner-map sa timing: remaining key lifetime (k/sec): (4321979/7744) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:
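One way to triage output like the above per remote selector, as an added example that is not part of the original post: it parses `show crypto ipsec sa` text (even when pasted as one long line) and reports selectors with no active SA, a high receive-error rate, or legacy transforms. The sample input is constructed, and the 500 ppm threshold and finding labels are assumptions chosen for illustration.

```python
import re

# Constructed sample in the layout of `show crypto ipsec sa`; counters are made up.
SAMPLE = """
protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,}
#pkts encaps: 400000, #pkts encrypt: 400000, #pkts digest: 400000
#pkts decaps: 800000, #pkts decrypt: 800000, #pkts verify: 800000
#send errors 1, #recv errors 600 current outbound spi: 0x1A2B3C4D(439041101)
inbound esp sas: spi: 0x5E6F7081(1584361601) transform: esp-3des esp-md5-hmac ,
outbound esp sas: spi: 0x1A2B3C4D(439041101) transform: esp-3des esp-md5-hmac ,
protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
current_peer X.X.X.X port 500 PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 5000, #recv errors 0 current outbound spi: 0x0(0)
inbound esp sas: outbound esp sas:
"""

# Transforms treated as legacy in this example (DES/3DES encryption, MD5 integrity).
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac"}


def _num(pattern, block):
    m = re.search(pattern, block)
    return int(m.group(1)) if m else 0


def parse_sas(text):
    """Split the output on 'protected vrf:' and pull the per-selector counters."""
    flat = " ".join(text.split())  # tolerate output pasted as one long line
    sas = []
    for block in flat.split("protected vrf:")[1:]:
        remote = re.search(
            r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", block)
        spi = re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", block)
        sas.append({
            "remote": f"{remote.group(1)}/{remote.group(2)}" if remote else "?",
            "decaps": _num(r"#pkts decaps: (\d+)", block),
            "send_errors": _num(r"#send errors (\d+)", block),
            "recv_errors": _num(r"#recv errors (\d+)", block),
            "active": bool(spi) and int(spi.group(1), 16) != 0,
            "transforms": set(re.findall(r"\besp-[a-z0-9-]+", block)),
        })
    return sas


def audit(sas, recv_ppm_threshold=500):
    """Return (remote, finding) pairs. Counters are cumulative since the last clear,
    so compare two snapshots before drawing conclusions about a current problem."""
    findings = []
    for sa in sas:
        if not sa["active"] and sa["send_errors"]:
            findings.append((sa["remote"], "no-active-sa"))
        if sa["decaps"]:
            ppm = sa["recv_errors"] * 1_000_000 // sa["decaps"]
            if ppm >= recv_ppm_threshold:
                findings.append((sa["remote"], f"recv-errors {ppm} ppm"))
        weak = sorted(sa["transforms"] & WEAK)
        if weak:
            findings.append((sa["remote"], "legacy-transform " + ",".join(weak)))
    return findings


if __name__ == "__main__":
    for remote, finding in audit(parse_sas(SAMPLE)):
        print(remote, finding)
```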
04-08-2015 07:37 AM
Hi,
They look ok to me.
You might have an issue with fragmentation as well.
As a last resort, you can clear the DF bit on packets before they are sent over the IPSec tunnel.
But clearing the DF bit allows IPsec packets to be fragmented and can therefore cause high CPU overhead on the remote IPsec peer as packets are reassembled.
If that solves your issue then you need to play around with old school Windows ping with the -f parameter in order for you to know the right MTU size.
You can clear the DF bit by typing crypto ipsec df-bit clear
HTH
Please rate helpful post
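The size arithmetic behind the `ping -f` test suggested above, as an added example that is not part of the original post: it computes how large an inner packet fits in the 1500-byte path MTU once ESP tunnel-mode overhead is added. The defaults assume the transform shown in the thread's output (esp-3des with an 8-byte IV, esp-md5-hmac with a 12-byte ICV, tunnel mode, IPv4 with no options); the function names are hypothetical.

```python
def esp_tunnel_packet_size(inner_len, block=8, iv=8, icv=12, nat_t=False):
    """Size of the outer IPv4 packet that carries an inner packet of inner_len bytes.

    Layout: outer IP (20) [+ UDP (8) if NAT-T] + ESP header SPI/seq (8) + IV
            + inner packet + padding + pad-length/next-header (2) + ICV.
    The inner packet plus the 2 trailer bytes is padded up to the cipher block size.
    """
    padded = -(-(inner_len + 2) // block) * block  # ceiling to a block multiple
    return 20 + (8 if nat_t else 0) + 8 + iv + padded + icv


def max_inner_packet(path_mtu=1500, **esp):
    """Largest inner IP packet that is encrypted without exceeding path_mtu."""
    n = path_mtu
    while n > 0 and esp_tunnel_packet_size(n, **esp) > path_mtu:
        n -= 1
    return n


def windows_ping_payload(inner_len):
    """Value for `ping -f -l <size>`: -l counts ICMP data only (minus 20 IP + 8 ICMP)."""
    return inner_len - 28


def needs_fragmentation(inner_len, path_mtu=1500, **esp):
    """True when the encrypted packet would exceed the path MTU."""
    return esp_tunnel_packet_size(inner_len, **esp) > path_mtu


if __name__ == "__main__":
    best = max_inner_packet(1500)
    print("largest inner packet:", best)
    print("encrypted size:", esp_tunnel_packet_size(best))
    print("ping -f -l", windows_ping_payload(best))
    print("full 1500-byte inner packet fragments:", needs_fragmentation(1500))
```

A full-size 1500-byte inner packet becomes 1552 bytes after encapsulation, which is why hosts sending DF-set packets at the LAN MTU are affected until the MTU or TCP MSS is lowered or the DF bit is cleared.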
04-08-2015 11:25 AM
The command you mention does not work; it detects invalid input at df-bit.
04-08-2015 11:59 AM
It should work as I am running the same device with the same IOS on one of my deployments.
I've tested the command and it worked.
Where are you issuing this command?
04-08-2015 12:00 PM
Via SSH in enable mode.
04-08-2015 09:12 PM
It should be done in configuration mode.
04-09-2015 05:19 AM
I ran it in config mode and it took, thanks. It doesn't look like it made any change to the ping latency across the tunnels.
04-08-2015 07:25 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Like Terence, I would first wonder about path saturation although it's curious you only see the latency issue hours after rebooting a VPN router. That type of behavior could indicate something "filling up" RAM within a router. What IOS are you using?
Besides latency between private networks, what else have you monitored? E.g. CPU utilization, tunnel utilization, RAM utilization, latency between external VPN IPs, etc.
04-08-2015 11:24 AM
It looks like it's running 12.4
VPNHeadEnd#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
04-10-2015 06:30 AM
This seems to be getting really sporadic now, where all locations are having the problem and then all of a sudden it stops while another location is still over 300ms latency. Any ideas?