02-26-2020 01:18 AM
Hello,
I've just been facing a strange behavior.
I've an IPsec tunnel VPN between a Cisco 2911 and 3925. Both have the SEC license, and the tunnel is UP. Routing is working, traffic goes through the tunnel.
I've set a GRE tunnel to go through this IPsec tunnel, with OSPFv3, and all is good. Routes are exchanged, all is working fine. I paid special attention to all the MTU sizes because my 3925 is connected via a Dialer interface (1492 MTU) and my 2911 via Ethernet (1500).
CE router (2911) has a 100/20 Mbps line (down/up) and PE router (3295) has a 100/30 Mbps line (down/up).
When trying to get a NAS synchronisation, I see that my 3925 router caps the traffic at 10.5 Mbps in upload through the VPN tunnel. If I use internet I have 30~32 Mbps. It's like there is a limitation somewhere with the VPN, but I don't know what it is and I can't get my hand on this issue.
I performed an iPerf3 test to validate, the VPN is clearly saturated at 10.5 Mbps from 3925 to 2911. But from 2911 to 3925 I can get 20Mbps (max upload of the line) through the VPN. I'm just stuck for now.
Maybe someone has an idea?
02-26-2020 06:34 AM
Hello,
It is hard to figure out from your description what the actual problem is. Post a diagram showing your topology, and indicate what connection is slower than expected. Also, post the full configurations of both routers...
02-26-2020 12:12 PM
Hi,
I would look in two places:
- ensure your MTU is properly configured on both sides (so the routers don't end up fragmenting both before GRE and before IPsec); here's an amazing document to really understand the challenges: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html
- upgrade to a more stable IOS version, maybe you hit a bug
Regards,
Cristian Matei.
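The sizing behind the MTU advice above, worked through as an added example that is not part of the original thread or of the linked Cisco document. It assumes ESP tunnel mode with AES-CBC and HMAC-SHA1-96 and a GRE header without options (none of which the thread states); the function names are hypothetical, and the 1500 and 1492 link MTUs are the ones the original poster gives.

```python
# Added example: packet sizing for GRE carried inside IPsec ESP (IPv4).
# Assumptions, not stated in the thread: ESP tunnel mode, AES-CBC,
# HMAC-SHA1-96, GRE header without key/sequence options.
IPV4_HDR = 20   # outer/delivery IPv4 header, no options
GRE_HDR = 4     # base GRE header
ESP_HDR = 8     # SPI + sequence number
TCP_HDR = 20    # TCP header, no options


def esp_tunnel_size(inner_len, block=16, iv=16, icv=12):
    """On-wire bytes of an ESP tunnel-mode packet protecting inner_len bytes."""
    plaintext = inner_len + 2                 # + pad-length and next-header
    padded = -(-plaintext // block) * block   # round up to cipher block size
    return IPV4_HDR + ESP_HDR + iv + padded + icv


def wire_size(passenger_len):
    """On-wire bytes once a passenger IP packet is wrapped in GRE, then ESP."""
    return esp_tunnel_size(IPV4_HDR + GRE_HDR + passenger_len)


def max_tunnel_ip_mtu(link_mtu):
    """Largest passenger packet whose encrypted form still fits link_mtu."""
    mtu = link_mtu
    while mtu > 0 and wire_size(mtu) > link_mtu:
        mtu -= 1
    return mtu


def plan(link_mtus):
    """Tunnel IP MTU and IPv4 TCP MSS for the smallest link on the path."""
    path_mtu = min(link_mtus)
    ip_mtu = max_tunnel_ip_mtu(path_mtu)
    return {"path_mtu": path_mtu, "tunnel_ip_mtu": ip_mtu,
            "tcp_mss": ip_mtu - IPV4_HDR - TCP_HDR}


if __name__ == "__main__":
    # Link MTUs from the thread: Ethernet 1500 and Dialer 1492.
    print(plan([1500, 1492]))
    for size in (1398, 1400, 1414):
        print(size, "->", wire_size(size), "bytes on the wire")
```

Under these assumptions a 1400-byte passenger packet becomes 1496 bytes on the wire, which fits a 1500-byte Ethernet link but not a 1492-byte Dialer link; a different transform set changes the numbers.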
02-26-2020 10:37 PM
Hi,
Thank you for responding.
@Cristian Matei I've set up my network following the document you provided. It's a really good reference. This is mainly why I'm stuck, even with all the recommendations, I have this limitation only in transmit on the 3925.
I'm on IOS 15.7(3)M3, on both ends, I'll follow your advice to upgrade to another version.
Scenario 1 : Upload measure with direct internet
Site A 20 Mbps ISP Upload, Cisco 2911
Site B 36 Mbps ISP Upload, Cisco 3925
PC1 ==== Router A ===== [Internet] ===== Router B ==== PC2
When I Upload from PC1 with iPerf3 in TCP, I receive 20Mbps at PC2
When I Upload from PC2 with iPerf3 in TCP, I receive 34Mbps at PC1
This test proves that my upload at both sides is honored by both ISPs and both routers are capable of handling it.
Scenario 2 : Upload measure with direct internet
Site A 20 Mbps ISP Upload, Cisco 2911
Site B 36 Mbps ISP Upload, Cisco 3925
PC1 ==== Router A ===== [vpn tunnel through internet] ===== Router B ==== PC2
When I Upload from PC1 with iPerf3 in TCP, I receive 20Mbps at PC2
When I Upload from PC2 with iPerf3 in TCP, I receive 10.5Mbps at PC1
This test shows the upload from the 3925 through the VPN doesn't go higher than 10.5Mbps.
The VPN, Tunnel and routing are the same on both ends. MTUs are good, and the Cisco 2911 goes higher than the 3925 with the same config.
Thanks for your time guys.
Regards
Jim
02-27-2020 12:14 AM
Hello,
Post the full running configurations, maybe we can spot something...