High Latency from LAN

eash · ‎11-20-2016

Dear All,

I have one customer there are experiencing high latency from their LAN. When I tried extended ping from the router the latency was 124ms to 144ms. When the customer is pinging from the LAN the latency is 260ms. We the customer disconnected the LAN and connected his laptop directly to the router and checked the response is same about 260ms.

Any suggestion on the cause.

The ping responses are as below,

Router#ping
Protocol [ip]:
Target IP address: 172.17.10.1
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.20.235.240
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.17.10.1, timeout is 2 seconds:
Packet sent with a source address of 172.20.235.240
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 124/125/136 ms

Success rate is 100 percent (5/5), round-trip min/avg/max = 128/130/132 ms
Router#ping
Protocol [ip]:
Target IP address: 172.17.240.130
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.20.235.240
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.17.240.130, timeout is 2 seconds:
Packet sent with a source address of 172.20.235.240
!!!!!!!!!!!!!!!!!!!!!.!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!
Success rate is 97 percent (97/100), round-trip min/avg/max = 136/141/152 ms
Router#ping
Protocol [ip]:
Target IP address: 172.17.244.72
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.20.235.240
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.17.244.72, timeout is 2 seconds:
Packet sent with a source address of 172.20.235.240
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 144/148/164 ms

C:\Users\DKSPL003>ping 172.17.10.1

Pinging 172.17.10.1 with 32 bytes of data:

Reply from 172.17.10.1: bytes=32 time=260ms TTL=248

Reply from 172.17.10.1: bytes=32 time=259ms TTL=248

Ping statistics for 172.17.10.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 259ms, Maximum = 260ms, Average = 259ms

C:\Users\DKSPL003>tracert 172.17.10.1

Tracing route to ns.sys.mmc.co.jp [172.17.10.1]

over a maximum of 30 hops:

1 1 ms <1 ms <1 ms 172.20.235.240

2 260 ms 260 ms 259 ms 172.17.28.25

3 260 ms 260 ms 260 ms 172.17.1.250

4 260 ms 260 ms 260 ms 172.17.27.241

5 259 ms 259 ms 259 ms ns.sys.mmc.co.jp [172.17.10.1]

6 260 ms 259 ms 259 ms ns.sys.mmc.co.jp [172.17.10.1]

7 260 ms 260 ms 261 ms 172.17.27.162

8 261 ms 260 ms 261 ms ns.sys.mmc.co.jp [172.17.10.1]

Trace complete.

C:\Users\DKSPL003>tracert 172.17.244.72

Tracing route to 172.17.244.72 over a maximum of 30 hops

1 1 ms 1 ms <1 ms 172.20.235.240

2 261 ms 260 ms 260 ms 172.17.28.25

3 260 ms 259 ms 268 ms 172.17.2.240

4 1468 ms 264 ms 264 ms 172.16.1.6

5 * 272 ms 270 ms 172.16.2.2

6 275 ms 275 ms 274 ms 172.16.2.1

7 275 ms 275 ms 275 ms 172.17.240.241

8 275 ms 275 ms 275 ms 172.17.243.241

9 285 ms 283 ms 282 ms 192.168.244.1

10 283 ms 283 ms 283 ms 172.17.244.72

Trace complete.

C:\Users\DKSPL003>ping 172.17.244.72

Pinging 172.17.244.72 with 32 bytes of data:

Reply from 172.17.244.72: bytes=32 time=282ms TTL=119

Reply from 172.17.244.72: bytes=32 time=283ms TTL=119

Reply from 172.17.244.72: bytes=32 time=285ms TTL=119

Reply from 172.17.244.72: bytes=32 time=294ms TTL=119

Ping statistics for 172.17.244.72:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 282ms, Maximum = 294ms, Average = 286ms

C:\Users\DKSPL003>

Regards,

Eash

eash · ‎11-21-2016

Dear All,

Any feedback on the above problem.

Eash

Joseph W. Doherty · ‎11-21-2016

I also see a few drop in the ping test.

Look for a point of congestion.

eash · ‎11-23-2016

Hi Joseph,

The checked the config in the router the customer has configured IPSec and GRE tunnels.

Request you to kindly check the config and let me know if the MTU setting are correct.

Current configuration : 5259 bytes
!
! No configuration change since last restart
!
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 informational
logging monitor informational
enable secret 5
!
no aaa new-model
!
!
dot11 syslog
no ip icmp rate-limit unreachable DF
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key MMCG-VPN_Etype address X.X.X.X no-xauth
crypto isakmp key MMCG-VPN_Etype address Y.Y.Y.Y no-xauth
crypto isakmp keepalive 10 6 periodic
!
!
crypto ipsec transform-set DEFAULT esp-3des esp-md5-hmac
!
crypto map VPN_M 1 ipsec-isakmp
set peer X.X.X.X
set transform-set DEFAULT
match address VPN_List(NC#4-1)
crypto map VPN_M 11 ipsec-isakmp
set peer Y.Y.Y.Y
set transform-set DEFAULT
match address VPN_List(B_NC#1)
!
archive
log config
hidekeys
!
!
ip telnet source-interface Loopback255
!
!
!
interface Loopback252
description *** for GRE#1 ***
ip address 172.20.252.173 255.255.255.252
!
interface Loopback253
description *** for GRE#2 ***
ip address 172.20.253.173 255.255.255.252
!
interface Loopback254
description *** VoIP Source_Address <Spare> ***
ip address 172.20.254.173 255.255.255.252
!
interface Loopback255
description *** Telnet Source_Address ***
ip address 172.20.255.173 255.255.255.252
!
interface Tunnel1001
description *** NC_GRE#1 ***
bandwidth 5000
ip unnumbered Loopback252
ip mtu 1366
ip hello-interval eigrp 100 10
ip hold-time eigrp 100 40
delay 1000
keepalive 10 4
traffic-shape rate 5000000 125000 125000 1000
tunnel source Loopback252
tunnel destination 172.17.28.25
crypto map VPN_M
!
interface Tunnel1011
description *** to B_NC_GRE ***
bandwidth 5000
ip unnumbered Loopback252
ip mtu 1366
ip hello-interval eigrp 100 10
ip hold-time eigrp 100 40
delay 3000
keepalive 10 4
traffic-shape rate 5000000 125000 125000 1000
tunnel source Loopback252
tunnel destination 172.17.241.129
crypto map VPN_M
!
interface FastEthernet0/0
description LAN
bandwidth 100000
ip address 172.20.235.240 255.255.255.0
ip helper-address 172.17.10.22
ip helper-address 172.17.10.23
ip route-cache policy
ip tcp adjust-mss 1326
ip policy route-map Ether-Prec
speed 100
full-duplex
no cdp enable
!
interface FastEthernet0/1
description *** new link ***
bandwidth 1000000
ip address a.b.c.d 255.255.255.252
ip access-group Filter_List(IN) in
ip mtu 1400
duplex full
speed 100
no cdp enable
crypto map VPN_M
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
router eigrp 100
passive-interface default
no passive-interface Tunnel1001
no passive-interface Tunnel1011
network 172.20.0.0
default-metric 10000 100 255 1 1500
distribute-list prefix LAN out Tunnel1001
distribute-list prefix LAN out Tunnel1011
no auto-summary
!
ip local policy route-map Precedence
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 e.f.g.h
ip route 172.17.28.24 255.255.255.252 FastEthernet0/1 e.f.g.h name NC#4-1
ip route 172.17.241.128 255.255.255.224 FastEthernet0/1 e.f.g.h name B_NC#1
!
!
no ip http server
no ip http secure-server
!
ip access-list extended Filter_List(IN)
permit udp any eq isakmp any eq isakmp
permit esp any any
permit icmp any any echo
permit icmp any any echo-reply
ip access-list extended VPN_List(B_NC#1)
permit gre host 172.20.252.173 host 172.17.241.129
ip access-list extended VPN_List(NC#4-1)
permit gre host 172.20.252.173 host 172.17.28.25
!
!
ip prefix-list LAN seq 5 permit 172.20.235.0/24
ip prefix-list LAN seq 10 permit 172.20.252.0/24 ge 30 le 30
ip prefix-list LAN seq 15 permit 172.20.253.0/24 ge 30 le 30
ip prefix-list LAN seq 20 permit 172.20.254.0/24 ge 30 le 30
ip prefix-list LAN seq 25 permit 172.20.255.0/24 ge 30 le 30
access-list 1 remark ***VTY***
access-list 1 permit 172.0.0.0 0.255.255.255
access-list 105 permit tcp any eq telnet any
access-list 105 permit tcp any any eq telnet
access-list 120 permit ip any any precedence immediate
access-list 121 permit ip any any precedence priority
access-list 122 permit ip any any precedence routine
dialer-list 1 protocol ip permit
snmp-server community white RO
snmp-server community black RW
snmp-server trap-source FastEthernet0/0
snmp-server packetsize 2048
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host 172.17.14.1 white snmp
no cdp run
!
!
!
route-map local-prec permit 11
match ip address 105
set ip precedence priority
!
route-map ether-prec1 permit 10
match ip address 105
set ip precedence priority
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
password 7
logging synchronous
login
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 5 0
password 7
logging synchronous
login
!
scheduler allocate 20000 1000
ntp clock-period 17178322
ntp source FastEthernet0/0
ntp server 172.17.5.240
end

Regards,

Easwar

Joseph W. Doherty · ‎11-24-2016

If your end-points support it, you might consider using VTI tunnels.

Your f0/1 tunnel has a MTU of 1400. If it's the outside facing interface, why isn't set to 1500?

Your tunnel IP MTU of 1366 is a bit odd. Cisco, I recall recommends they be set to 1400. mss-adjust is 40 less then your tunnel MTU, which is fine, but it should be set on the tunnel interface, not f0/0.

Not withstanding the foregoing comments, why you have, I believe should work and I don't see it causing an issue, i.e. it's perhaps just sub-optimal.

How's ping performance between physical interface, outside the tunnel?