High Latency from LAN

eash
Level 1

Dear All,

I have one customer who is experiencing high latency from their LAN. When I tried an extended ping from the router, the latency was 124ms to 144ms. When the customer pings from the LAN, the latency is 260ms. When the customer disconnected the LAN and connected his laptop directly to the router and checked, the response was the same, about 260ms.

Any suggestions on the cause?

The ping responses are as below,

Router#ping
Protocol [ip]:
Target IP address: 172.17.10.1
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.20.235.240
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.17.10.1, timeout is 2 seconds:
Packet sent with a source address of 172.20.235.240
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 124/125/136 ms

Success rate is 100 percent (5/5), round-trip min/avg/max = 128/130/132 ms
Router#ping
Protocol [ip]:
Target IP address: 172.17.240.130
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.20.235.240
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.17.240.130, timeout is 2 seconds:
Packet sent with a source address of 172.20.235.240
!!!!!!!!!!!!!!!!!!!!!.!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!
Success rate is 97 percent (97/100), round-trip min/avg/max = 136/141/152 ms
Router#ping
Protocol [ip]:
Target IP address: 172.17.244.72
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.20.235.240
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.17.244.72, timeout is 2 seconds:
Packet sent with a source address of 172.20.235.240
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 144/148/164 ms

C:\Users\DKSPL003>ping 172.17.10.1

Pinging 172.17.10.1 with 32 bytes of data:
Reply from 172.17.10.1: bytes=32 time=260ms TTL=248
Reply from 172.17.10.1: bytes=32 time=260ms TTL=248
Reply from 172.17.10.1: bytes=32 time=259ms TTL=248
Reply from 172.17.10.1: bytes=32 time=259ms TTL=248

Ping statistics for 172.17.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 259ms, Maximum = 260ms, Average = 259ms

C:\Users\DKSPL003>tracert 172.17.10.1

Tracing route to ns.sys.mmc.co.jp [172.17.10.1]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  172.20.235.240
  2   260 ms   260 ms   259 ms  172.17.28.25
  3   260 ms   260 ms   260 ms  172.17.1.250
  4   260 ms   260 ms   260 ms  172.17.27.241
  5   259 ms   259 ms   259 ms  ns.sys.mmc.co.jp [172.17.10.1]
  6   260 ms   259 ms   259 ms  ns.sys.mmc.co.jp [172.17.10.1]
  7   260 ms   260 ms   261 ms  172.17.27.162
  8   261 ms   260 ms   261 ms  ns.sys.mmc.co.jp [172.17.10.1]

Trace complete.

C:\Users\DKSPL003>tracert 172.17.244.72

Tracing route to 172.17.244.72 over a maximum of 30 hops

  1     1 ms     1 ms    <1 ms  172.20.235.240
  2   261 ms   260 ms   260 ms  172.17.28.25
  3   260 ms   259 ms   268 ms  172.17.2.240
  4  1468 ms   264 ms   264 ms  172.16.1.6
  5     *      272 ms   270 ms  172.16.2.2
  6   275 ms   275 ms   274 ms  172.16.2.1
  7   275 ms   275 ms   275 ms  172.17.240.241
  8   275 ms   275 ms   275 ms  172.17.243.241
  9   285 ms   283 ms   282 ms  192.168.244.1
 10   283 ms   283 ms   283 ms  172.17.244.72

Trace complete.

C:\Users\DKSPL003>ping 172.17.244.72

Pinging 172.17.244.72 with 32 bytes of data:
Reply from 172.17.244.72: bytes=32 time=282ms TTL=119
Reply from 172.17.244.72: bytes=32 time=283ms TTL=119
Reply from 172.17.244.72: bytes=32 time=285ms TTL=119
Reply from 172.17.244.72: bytes=32 time=294ms TTL=119

Ping statistics for 172.17.244.72:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 282ms, Maximum = 294ms, Average = 286ms

C:\Users\DKSPL003>

Regards,

Eash

4 Replies

eash
Level 1

Dear All,

Any feedback on the above problem?

Eash

I also see a few drops in the ping test.

Look for a point of congestion.

Hi Joseph,

I checked the config in the router; the customer has configured IPSec and GRE tunnels.

Request you to kindly check the config and let me know if the MTU settings are correct.

Current configuration : 5259 bytes    
!    
! No configuration change since last restart    
!    
version 12.4    
service timestamps debug datetime msec localtime show-timezone    
service timestamps log datetime msec localtime show-timezone    
service password-encryption    
!    
hostname Router    
!    
boot-start-marker    
boot-end-marker    
!    
logging buffered 16384 informational    
logging monitor informational    
enable secret 5     
!    
no aaa new-model    
!    
!    
dot11 syslog    
no ip icmp rate-limit unreachable DF    
ip cef    
!    
!    
!    
!    
no ip domain lookup    
!    
multilink bundle-name authenticated    
!    
!    
!     
!    
crypto isakmp policy 1    
 encr 3des    
 hash md5    
 authentication pre-share    
 group 2    
crypto isakmp key MMCG-VPN_Etype address X.X.X.X no-xauth    
crypto isakmp key MMCG-VPN_Etype address Y.Y.Y.Y no-xauth    
crypto isakmp keepalive 10 6 periodic    
!    
!    
crypto ipsec transform-set DEFAULT esp-3des esp-md5-hmac     
!    
crypto map VPN_M 1 ipsec-isakmp     
 set peer X.X.X.X    
 set transform-set DEFAULT     
 match address VPN_List(NC#4-1)    
crypto map VPN_M 11 ipsec-isakmp     
 set peer Y.Y.Y.Y    
 set transform-set DEFAULT     
 match address VPN_List(B_NC#1)    
!    
archive    
 log config    
  hidekeys    
!    
!    
ip telnet source-interface Loopback255    
!    
!    
!    
interface Loopback252    
 description *** for GRE#1 ***    
 ip address 172.20.252.173 255.255.255.252    
!    
interface Loopback253    
 description *** for GRE#2 ***    
 ip address 172.20.253.173 255.255.255.252    
!    
interface Loopback254    
 description *** VoIP Source_Address <Spare> ***    
 ip address 172.20.254.173 255.255.255.252    
!    
interface Loopback255    
 description *** Telnet Source_Address ***    
 ip address 172.20.255.173 255.255.255.252    
!    
interface Tunnel1001    
 description *** NC_GRE#1 ***    
 bandwidth 5000    
 ip unnumbered Loopback252    
 ip mtu 1366    
 ip hello-interval eigrp 100 10    
 ip hold-time eigrp 100 40    
 delay 1000    
 keepalive 10 4    
 traffic-shape rate 5000000 125000 125000 1000    
 tunnel source Loopback252    
 tunnel destination 172.17.28.25    
 crypto map VPN_M    
!    
interface Tunnel1011    
 description *** to B_NC_GRE ***    
 bandwidth 5000    
 ip unnumbered Loopback252    
 ip mtu 1366    
 ip hello-interval eigrp 100 10    
 ip hold-time eigrp 100 40    
 delay 3000    
 keepalive 10 4    
 traffic-shape rate 5000000 125000 125000 1000    
 tunnel source Loopback252    
 tunnel destination 172.17.241.129    
 crypto map VPN_M    
!    
interface FastEthernet0/0    
 description LAN    
 bandwidth 100000    
 ip address 172.20.235.240 255.255.255.0    
 ip helper-address 172.17.10.22    
 ip helper-address 172.17.10.23    
 ip route-cache policy    
 ip tcp adjust-mss 1326    
 ip policy route-map Ether-Prec    
 speed 100    
 full-duplex    
 no cdp enable    
!    
interface FastEthernet0/1    
 description  *** new link ***
 bandwidth 1000000
 ip address  a.b.c.d 255.255.255.252
 ip access-group Filter_List(IN) in    
 ip mtu 1400
 duplex full
 speed 100
 no cdp enable    
 crypto map VPN_M    
!    
interface Serial0/0/0    
 no ip address    
 shutdown    
 clock rate 2000000    
!    
router eigrp 100    
 passive-interface default    
 no passive-interface Tunnel1001    
 no passive-interface Tunnel1011    
 network 172.20.0.0    
 default-metric 10000 100 255 1 1500    
 distribute-list prefix LAN out Tunnel1001    
 distribute-list prefix LAN out Tunnel1011    
 no auto-summary    
!    
ip local policy route-map Precedence    
ip forward-protocol nd    
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 e.f.g.h
ip route 172.17.28.24 255.255.255.252 FastEthernet0/1 e.f.g.h name NC#4-1
ip route 172.17.241.128 255.255.255.224 FastEthernet0/1 e.f.g.h  name B_NC#1
!    
!    
no ip http server    
no ip http secure-server    
!    
ip access-list extended Filter_List(IN)    
 permit udp any eq isakmp any eq isakmp    
 permit esp any any    
 permit icmp any any echo    
 permit icmp any any echo-reply    
ip access-list extended VPN_List(B_NC#1)    
 permit gre host 172.20.252.173 host 172.17.241.129    
ip access-list extended VPN_List(NC#4-1)    
 permit gre host 172.20.252.173 host 172.17.28.25    
!    
!    
ip prefix-list LAN seq 5 permit 172.20.235.0/24    
ip prefix-list LAN seq 10 permit 172.20.252.0/24 ge 30 le 30    
ip prefix-list LAN seq 15 permit 172.20.253.0/24 ge 30 le 30    
ip prefix-list LAN seq 20 permit 172.20.254.0/24 ge 30 le 30    
ip prefix-list LAN seq 25 permit 172.20.255.0/24 ge 30 le 30    
access-list 1 remark ***VTY***    
access-list 1 permit 172.0.0.0 0.255.255.255    
access-list 105 permit tcp any eq telnet any    
access-list 105 permit tcp any any eq telnet    
access-list 120 permit ip any any precedence immediate    
access-list 121 permit ip any any precedence priority    
access-list 122 permit ip any any precedence routine    
dialer-list 1 protocol ip permit    
snmp-server community white RO    
snmp-server community black RW    
snmp-server trap-source FastEthernet0/0    
snmp-server packetsize 2048    
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart    
snmp-server host 172.17.14.1 white  snmp    
no cdp run    
!    
!    
!    
route-map local-prec permit 11    
 match ip address 105    
 set ip precedence priority    
!    
route-map ether-prec1 permit 10    
 match ip address 105    
 set ip precedence priority    
!    
!    
!    
!    
control-plane    
!    
!    
!    
line con 0    
 exec-timeout 5 0    
 password 7     
 logging synchronous    
 login    
line aux 0    
line vty 0 4    
 access-class 1 in    
 exec-timeout 5 0    
 password 7     
 logging synchronous    
 login    
!    
scheduler allocate 20000 1000    
ntp clock-period 17178322    
ntp source FastEthernet0/0    
ntp server 172.17.5.240    
end    

Regards,

Easwar

If your end-points support it, you might consider using VTI tunnels.

Your f0/1 tunnel has an MTU of 1400. If it's the outside-facing interface, why isn't it set to 1500?

Your tunnel IP MTU of 1366 is a bit odd. Cisco, I recall, recommends they be set to 1400. mss-adjust is 40 less than your tunnel MTU, which is fine, but it should be set on the tunnel interface, not f0/0.

Notwithstanding the foregoing comments, what you have, I believe, should work and I don't see it causing an issue, i.e. it's perhaps just sub-optimal.

How's ping performance between physical interface, outside the tunnel?
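
The MTU and MSS arithmetic raised in the reply above, as an added example that is not part of the original thread: it computes the on-wire size of a GRE packet after ESP encapsulation for the values in the posted config (tunnel ip mtu 1366, ip tcp adjust-mss 1326, ip mtu 1400 on F0/1, transform set esp-3des esp-md5-hmac). It assumes ESP tunnel mode (the IOS default when a transform set has no mode line), a basic 4-byte GRE header and no NAT-T; all function names are illustrative.

```python
"""GRE-over-IPsec size budget for the values in the posted config (added example)."""

IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # basic GRE header: no key, sequence or checksum (assumed)
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad-length + next-header bytes
DES3_BLOCK = 8       # esp-3des: 8-byte block, and an 8-byte IV per packet
MD5_96_ICV = 12      # esp-md5-hmac: HMAC-MD5 truncated to 96 bits


def gre_size(inner_len):
    """Length of the GRE delivery packet carrying an inner IP packet."""
    return inner_len + IP_HDR + GRE_HDR


def esp_tunnel_size(plain_len):
    """Length after ESP tunnel-mode encapsulation of a plain_len-byte IP packet."""
    body = plain_len + ESP_TRAILER
    padded = -(-body // DES3_BLOCK) * DES3_BLOCK   # round up to the cipher block
    return IP_HDR + ESP_HDR + DES3_BLOCK + padded + MD5_96_ICV


def wire_size(inner_len):
    return esp_tunnel_size(gre_size(inner_len))


def max_inner_mtu(egress_mtu):
    """Largest inner IP packet whose encrypted form still fits egress_mtu."""
    n = egress_mtu
    while wire_size(n) > egress_mtu:
        n -= 1
    return n


def audit(tunnel_mtu, adjust_mss, egress_mtu):
    full = wire_size(tunnel_mtu)
    tcp = wire_size(adjust_mss + 40)   # 20-byte IP + 20-byte TCP header
    return {
        "full_size_on_wire": full,
        "tcp_segment_on_wire": tcp,
        "full_size_exceeds_egress": full > egress_mtu,
        "tcp_exceeds_egress": tcp > egress_mtu,
        "largest_clean_tunnel_mtu": max_inner_mtu(egress_mtu),
    }


if __name__ == "__main__":
    print("posted config :", audit(1366, 1326, 1400))
    print("1400 / 1500   :", audit(1400, 1360, 1500))
```

Under these assumptions a full 1366-byte tunnel packet becomes 1440 bytes on the wire, which does not fit the 1400-byte IP MTU on F0/1 without fragmentation; with a 1400-byte tunnel MTU and a 1500-byte outside MTU the result is 1480 bytes and fits.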