Cisco r2821 VPN Latency

rrosenkaimer
Level 1

I have a VPN network of Cisco r2821's that we just started managing, and they are all linked up with site-to-site IPSEC VPN tunnels. The latency across the circuits is pretty bad, averaging about 200-300ms between private networks. I noticed that when I reboot the routers, the latency goes back down to normal levels, around 20-30ms, and interoffice connections are great. After a few hours, it goes back to very poor latency on the circuits. Any ideas as to why this would be happening? It's now recurring: after I reboot them it's fine, but only for a few hours before returning to the high latency.

11 Replies

Terence Payet
Level 1

Hi,

How much traffic is currently going via the tunnels? There might be a saturation issue.

Do you see any packet drops?

Can you post the below:

sh cry ipsec sa

Make sure to remove your public peers :)

HTH.

Please rate helpful post.

Sure, here is the output. I didn't think it was saturation, but it's possible. Only one of the sites is really a heavy user, and they are really the only one to complain because of it.

VPNHeadEnd#sh cry ipsec sa


interface: GigabitEthernet0/1

    Crypto map tag: partner-map, local addr X.X.X.X


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 41870356, #pkts encrypt: 41870356, #pkts digest: 41870356

    #pkts decaps: 80509860, #pkts decrypt: 80509860, #pkts verify: 80509860

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 57681


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0x67602E8C(1734356620)

     PFS (Y/N): N, DH group: none


     inbound esp sas:

      spi: 0x594641F(93611039)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2559, flow_id: NETGX:559, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (1199014/22898)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0x67602E8C(1734356620)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2560, flow_id: NETGX:560, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4268438/22898)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 807247, #pkts encrypt: 807247, #pkts digest: 807247

    #pkts decaps: 744412, #pkts decrypt: 744412, #pkts verify: 744412

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 876


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0x91B00007(2444230663)

     PFS (Y/N): N, DH group: none


     inbound esp sas:

      spi: 0x161C66B3(370960051)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2509, flow_id: NETGX:509, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4447145/6815)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0x91B00007(2444230663)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2510, flow_id: NETGX:510, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4445992/6815)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 108059322, #pkts encrypt: 108059322, #pkts digest: 108059322

    #pkts decaps: 214789956, #pkts decrypt: 214789956, #pkts verify: 214789956

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 2, #recv errors 145228


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0xC06E7810(3228465168)

     PFS (Y/N): N, DH group: none


     inbound esp sas:

      spi: 0x41E17A6F(1105295983)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2567, flow_id: NETGX:567, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (3459218/28127)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0xC06E7810(3228465168)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2568, flow_id: NETGX:568, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4383140/28127)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.6.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 33356557, #pkts encrypt: 33356557, #pkts digest: 33356557

    #pkts decaps: 63846912, #pkts decrypt: 63846912, #pkts verify: 63846912

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 2, #recv errors 45878


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0x8499E1C2(2224677314)

     PFS (Y/N): N, DH group: none


     inbound esp sas:

      spi: 0xD0AB2E73(3500879475)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2543, flow_id: NETGX:543, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (485144/19003)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0x8499E1C2(2224677314)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2544, flow_id: NETGX:544, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4252451/19003)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


 protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.7.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 467085, #pkts encrypt: 467085, #pkts digest: 467085

    #pkts decaps: 306013, #pkts decrypt: 306013, #pkts verify: 306013

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 381


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0xE1D756EB(3788986091)

     PFS (Y/N): N, DH group: none


     inbound esp sas:

      spi: 0x39EB69C6(971729350)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2511, flow_id: NETGX:511, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4500639/7329)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0xE1D756EB(3788986091)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2512, flow_id: NETGX:512, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4499238/7329)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.8.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 222908, #pkts encrypt: 222908, #pkts digest: 222908

    #pkts decaps: 47686, #pkts decrypt: 47686, #pkts verify: 47686

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 441


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0xDA64EC7E(3664047230)

     PFS (Y/N): N, DH group: none


     inbound esp sas:

      spi: 0x58525CB5(1481792693)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2523, flow_id: NETGX:523, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4571945/8390)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0xDA64EC7E(3664047230)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2524, flow_id: NETGX:524, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4570440/8390)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.9.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 470467, #pkts encrypt: 470467, #pkts digest: 470467

    #pkts decaps: 270630, #pkts decrypt: 270630, #pkts verify: 270630

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 451


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0x3DBE34C8(1035875528)

     PFS (Y/N): N, DH group: none


     inbound esp sas:

      spi: 0xF2C32EB4(4072877748)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2507, flow_id: NETGX:507, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4467590/6390)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0x3DBE34C8(1035875528)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2508, flow_id: NETGX:508, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4465644/6390)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


 protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 177256, #recv errors 0


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none


     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.11.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}

    #pkts encaps: 72772, #pkts encrypt: 72772, #pkts digest: 72772

    #pkts decaps: 23471, #pkts decrypt: 23471, #pkts verify: 23471

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 155496, #recv errors 3151


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none


     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.11.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 72772, #pkts encrypt: 72772, #pkts digest: 72772

    #pkts decaps: 23471, #pkts decrypt: 23471, #pkts verify: 23471

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 155489, #recv errors 3151


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none


     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.12.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 840256, #pkts encrypt: 840256, #pkts digest: 840256

    #pkts decaps: 598087, #pkts decrypt: 598087, #pkts verify: 598087

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 11321


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0xB19798D2(2979502290)

     PFS (Y/N): N, DH group: none


     inbound esp sas:

      spi: 0x7C9F49DC(2090813916)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2513, flow_id: NETGX:513, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4505152/7469)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0xB19798D2(2979502290)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2514, flow_id: NETGX:514, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4492269/7469)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.13.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none


     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.14.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 113097140, #pkts encrypt: 113097140, #pkts digest: 113097140

    #pkts decaps: 216098775, #pkts decrypt: 216098775, #pkts verify: 216098775

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 4, #recv errors 166159


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0x2163A00F(560177167)

     PFS (Y/N): N, DH group: none


     inbound esp sas:

      spi: 0xB6C3FF5B(3066298203)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2565, flow_id: NETGX:565, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (2732956/27639)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0x2163A00F(560177167)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2566, flow_id: NETGX:566, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4340587/27639)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.15.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 34516028, #pkts encrypt: 34516028, #pkts digest: 34516028

    #pkts decaps: 66247849, #pkts decrypt: 66247849, #pkts verify: 66247849

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 54715


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0x214CF9F5(558692853)

     PFS (Y/N): N, DH group: none


     inbound esp sas:

      spi: 0x4FB33883(1337145475)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2549, flow_id: NETGX:549, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (940237/20909)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0x214CF9F5(558692853)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2550, flow_id: NETGX:550, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4279417/20909)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.19.0/255.255.255.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 1881150, #pkts encrypt: 1881150, #pkts digest: 1881150

    #pkts decaps: 1376268, #pkts decrypt: 1376268, #pkts verify: 1376268

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 4765


     local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0xB9BD5D6C(3116195180)

     PFS (Y/N): N, DH group: none


     inbound esp sas:

      spi: 0xDAE46D36(3672403254)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2515, flow_id: NETGX:515, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4381143/7744)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0xB9BD5D6C(3116195180)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        conn id: 2516, flow_id: NETGX:516, sibling_flags 80000046, crypto map: partner-map

        sa timing: remaining key lifetime (k/sec): (4321979/7744)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


Hi,

They look ok to me.

You might have an issue with fragmentation as well.

As a last resort, you can clear the DF bit on packets before they are sent over the IPsec tunnel.

But clearing the DF bit allows IPsec packets to be fragmented and can therefore cause high CPU overhead on the remote IPsec peer as packets are reassembled.

If that solves your issue, then you need to play around with the old-school Windows ping with the -f parameter in order to find the right MTU size.

You can clear the DF bit by typing crypto ipsec df-bit clear

HTH

Please rate helpful post
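
The arithmetic behind the DF-bit and ping -f advice above, as an added example that is not part of the original thread and not Cisco code. It computes the ESP tunnel-mode overhead for the esp-3des esp-md5-hmac transform shown in the posted output (header sizes from RFC 4303 for ESP and RFC 2403 for HMAC-MD5-96), the largest clear-text packet that fits a 1500-byte path without fragmentation, the matching Windows ping -f -l data size and the TCP MSS to clamp to, and a deliberately simplified model of the crypto ipsec df-bit copy and clear policies. The df-bit model ignores IOS pre-fragmentation and is an assumption of this example; the AES-CBC profile (16-byte block and IV) is included to show the generalization.

```python
"""ESP tunnel-mode overhead, probe sizes and DF-bit outcomes for a 1500-byte path.

Added example for this thread; not Cisco code. Header sizes are from RFC 4303
(ESP) and RFC 2403 (HMAC-MD5-96); the defaults match the esp-3des esp-md5-hmac
transform in the posted output. df_bit_outcome is a deliberately simplified
model of 'crypto ipsec df-bit copy|clear' (an assumption of this example).
"""
from dataclasses import dataclass

IPV4_HEADER = 20    # outer header added in tunnel mode; also the inner IPv4 header
ESP_HEADER = 8      # SPI + sequence number
ICMP_HEADER = 8     # echo request header; Windows 'ping -l N' sends N data bytes after it
INNER_IP_TCP = 40   # IPv4 + TCP headers without options


@dataclass(frozen=True)
class EspProfile:
    block: int = 8    # cipher block size: 8 for 3DES-CBC, 16 for AES-CBC
    iv: int = 8       # IV length, equal to the block size for CBC ciphers
    icv: int = 12     # truncated HMAC (MD5-96 or SHA1-96)
    trailer: int = 2  # pad length + next header bytes inside the encrypted part

    def esp_packet_size(self, inner_len: int) -> int:
        """Size on the wire of one inner IP packet after ESP tunnel encapsulation."""
        padded = -(-(inner_len + self.trailer) // self.block) * self.block  # round up to block
        return IPV4_HEADER + ESP_HEADER + self.iv + padded + self.icv

    def max_inner_mtu(self, outer_mtu: int = 1500) -> int:
        """Largest clear-text packet whose ESP encapsulation still fits outer_mtu."""
        n = outer_mtu
        while self.esp_packet_size(n) > outer_mtu:
            n -= 1
        return n

    def ping_probe_size(self, outer_mtu: int = 1500) -> int:
        """Largest 'ping -f -l N' data size that should cross the tunnel unfragmented."""
        return self.max_inner_mtu(outer_mtu) - IPV4_HEADER - ICMP_HEADER

    def tcp_mss(self, outer_mtu: int = 1500) -> int:
        """MSS to clamp to so TCP segments never need fragmentation on this path."""
        return self.max_inner_mtu(outer_mtu) - INNER_IP_TCP


def df_bit_outcome(inner_len: int, inner_df: bool, policy: str = "copy",
                   profile: EspProfile = EspProfile(), outer_mtu: int = 1500) -> str:
    """What the encrypting router does with one packet under a df-bit policy.

    'copy' (the IOS default) carries the inner DF bit into the outer header;
    'clear' always clears it. Whether the peer or the end host reassembles the
    fragments depends on pre-fragmentation, which this model leaves out.
    """
    if policy not in ("copy", "clear"):
        raise ValueError(f"unsupported policy {policy!r}")
    if profile.esp_packet_size(inner_len) <= outer_mtu:
        return "forwarded"
    if policy == "clear" or not inner_df:
        return "fragmented"
    return "dropped, ICMP fragmentation-needed returned"


if __name__ == "__main__":
    p = EspProfile()
    print(f"max inner MTU {p.max_inner_mtu()}, ping -f -l {p.ping_probe_size()}, "
          f"tcp mss {p.tcp_mss()}, 1500-byte DF packet: {df_bit_outcome(1500, True)}")
```

With the 3DES/MD5 numbers, ping -f -l 1418 to a host across the tunnel should succeed and -l 1419 should report that the packet needs to be fragmented; if the larger size silently times out instead, something on the path is discarding the ICMP fragmentation-needed messages, and clamping the MSS is then more reliable than relying on path MTU discovery.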

The command you mention does not work, it detects invalid input at df-bit

It should work as am running the same device with same ios on one of my deployment.

I've tested the command and it worked.

Where are you issuing this command?

Via SSH in enable mode.

It should be done in configuration mode.

I ran it in config mode and it took, thanks. It doesn't look like it made any change to the ping latency across the tunnels.

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Like Terence, I would first wonder about path saturation although it's curious you only see the latency issue hours after rebooting a VPN router.  That type of behavior could indicate something "filling up" RAM within a router.  What IOS are you using?

Besides latency between private networks, what else have you monitored?  E.g. CPU utilization, tunnel utilization, RAM utilization, latency between external VPN IPs, etc.


It looks like it's running 12.4


VPNHeadEnd#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)

rrosenkaimer
Level 1

This seems to be getting really sporadic now: all locations have the problem, and then all of a sudden it stops, while another location is still over 300ms latency. Any ideas?
