Re: GRE Tunnel transmit bandwidth

imran.moulvi · ‎05-20-2011

Hi Experts,

We have a major poblem going on with our VPN router.

We have a 7206vxr router which has an mGRE tunnel forming EIGRP neighbourship with about 800 remote locations using GRE over IPsec.

We have a problem where the EIGRP neighbourship keeps flapping intermittently and this happens to 30-40 locations at one time and very frequently.

What I noticed was that the GRE tunnel transmit bandwidth was showing as 8 Mbps. I guess there is an option to change it.

Will this 8 Mbps limit cause any issues of EIGRP neighbourship flaps and will increasing the bandwidth help us.

We are also seeing output drops on the tunnel interface.

pcvpnstore#sh int tu0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.254.254.254/16
MTU 17912 bytes, BW 30000 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 244/255, rxload 110/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source x.x.x.x (GigabitEthernet0/2)
Tunnel protocol/transport multi-GRE/IP
    Key 0x328CDF, sequencing disabled
    Checksumming of packets disabled
Tunnel TTL 255
Tunnel transport MTU 1472 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "dmvpn")
Last input 00:00:00, output never, output hang never
Last clearing of "show interface" counters 00:17:06
Input queue: 0/800/0/0 (size/max/drops/flushes); Total output drops: 732

Any advise would be greatly appreciated.

Thank You,

Imran.

skarthic · ‎05-20-2011

https://supportforums.cisco.com/message/3159337 - is a similar discussion.

Two things that I understand from the post.

1) Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)

doesnot come to play unless satellite applications are used.

2) The bandwidth of the tunnel inteface must closely reflect the WAN interface's BW.

Joseph W. Doherty · ‎05-20-2011

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I believe 8 Kbps is often the default tunnel bandwidth setting. It can be usually be adjusted using an interface's bandwidth command.

I think I recall EIGRP has some sort of built in rate limiter, based on what it believes an interface's bandwidth to be, so that EIGRP updates will not use all of a link's bandwidth. If my recollection is correct, if your EIGRP believes it only has an 8 Kbps of bandwidth, when more is available, this might adversely be impacting distribution of EIGRP updates. So, setting the interface's bandwidth to reflect actual available bandwidth might help.

I think I also recall there are EIGRP techniques that will minimize/optimize how it works in certain instances. If your 800 remote sites are mostly stubs, such techniques might improve stability.

Unfortunately, I don't have much experience with EIGRP, but other notable posters on this web site do. Perhaps they might yet comment.

Leo Laohoo · ‎05-20-2011

Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)

If you want to change the settings of these two values, you need to use "Advanced IP Services" feature set.

Kishore Chennupati · ‎05-21-2011

Hi,

In your case, the tunnerl bandwidth is 30mbps and eigrp uses only 50% of it which is 15mbps. So , eigrp uses 15mbps between the 800 sites for routing protocol traffic. so literally you are using 18.75kbps per site .I would recommend to increase BW on the Tunnel , normally the physicla interface bandwidth.

Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.254.254.254/16
MTU 17912 bytes, BW 30000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 244/255, rxload 110/255
Encapsulation TUNNEL, loopback not set
Keepalive not set

Also, other issues that could affect eigrp peering is the mismatched MTU , congestion , physical errors., unidirectional links. you could see some output errors which indicates some issues. what other incidents happen in the network at the time the neighbors flap?

HTH,

Regards,

Kishore

Please rate if helpful

Kishore Chennupati · ‎05-21-2011

Also, in your logs do you see heaps of " holding timer expired" or "retry-limit exceeded" because holding timer expired logs show that the issue is with the hellos(mulitcast) and retry limit exceeded is related to updates,queries,replied(unicast.)

HTH,

Regards,

Kishore

Please rate if helpful.

gerald.suiza · ‎05-22-2011

i would suggest you also look at router CPU utilization..800 tunnels is a lot and i donot think the bandwidth statement on the GRE is culprit

Kishore Chennupati · ‎05-22-2011

Hi Gerald,

I am sure GRE tunnels on a 7200 can be >800. please see below. However, checking the CPU util is also a good idea.

http://www.cisco.com/en/US/products/sw/wirelssw/ps873/products_data_sheet09186a00801c33a8.html

Regards

Kishore

Leo Laohoo · ‎05-22-2011

MTU 17912 bytes, BW 30000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 244/255, rxload 110/255

What the ... ? 244 out of 255 means 95.686%

Is that MTU value even correct???

Your "output drops" could be that the router is shoving as big as they go to a very, very small pipe.

imran.moulvi · ‎05-23-2011

Thank you all for the responses.

I am unsure what satellite applications mean.

I noticed the tunnel MTU as well and I am not sure why that is so, however the tunnel transport MTU shows 1472.

EIGRP bandwidth is set to 100% by using "ip bandwidth-percent eigrp 100 100".

One more thing to notice are the putput drops. The output Q is currently set to 800 by using hold-queue 800 out.

pcvpnstore#sh int tu0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.254.254.254/16
MTU 17912 bytes, BW 30000 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 139/255, rxload 86/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 206.70.250.234 (GigabitEthernet0/2)
Tunnel protocol/transport multi-GRE/IP
    Key 0x328CDF, sequencing disabled
    Checksumming of packets disabled
Tunnel TTL 255
Tunnel transport MTU 1472 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "dmvpn")
Last input 00:00:00, output never, output hang never
Last clearing of "show interface" counters 01:30:35
Input queue: 0/800/0/0 (size/max/drops/flushes); Total output drops: 4156
Queueing strategy: fifo
Output queue: 0/800 (size/max)
5 minute input rate 10149000 bits/sec, 4776 packets/sec
5 minute output rate 16393000 bits/sec, 4570 packets/sec
     25228894 packets input, 3157900066 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     23773773 packets output, 2514637283 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
pcvpnstore#