We have been trying to diagnose a performance problem and would like to get some comments.
We have 2 Cisco C870 routers connected via an EZVPN tunnel.
The remote site is experiencing performance issues connecting to an application at the main location. There are no performance issues at the main location.
Ping tests from the remote site to the main location are showing consistent packet loss with different datagram sizes. Ping tests to an internet IP are also showing consistent packet loss.
Ping tests from the main location to the remote site also are showing packet loss. Ping tests to an internet IP show no loss.
Attached is the router config
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc4)
5 FastEthernet interfaces
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)
Configuration register is 0x2102
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
logging buffered 4096 informational
no logging console
aaa authentication login default local
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
ip domain name lonny.com
login on-failure log
crypto isakmp policy 10
crypto isakmp key fTrdXS#12Aw%%6 address 220.127.116.11 no-xauth
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-MD5
match address 199
ip address x.x.x.x x.x.x.x
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip nat outside
crypto map outside_map
ip address 10.64.14.1 255.255.255.0
ip helper-address 10.64.8.12
ip nat inside
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet4 overload
ip access-list extended ALLOW-MB-MANAGEMENT
permit tcp 192.168.5.0 0.0.0.255 any
permit tcp 192.168.4.0 0.0.0.255 any
permit tcp host 18.104.22.168 any eq 22
permit tcp host 22.214.171.124 any eq 22
permit tcp host 126.96.36.199 any eq 22
permit tcp host 188.8.131.52 any eq 22
access-list 100 deny ip 10.64.14.0 0.0.0.255 10.64.8.0 0.0.0.255
access-list 100 deny ip 10.64.14.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 deny ip 10.64.14.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 permit ip 10.64.14.0 0.0.0.255 any
access-list 199 permit ip 10.64.14.0 0.0.0.255 10.64.8.0 0.0.0.255
access-list 199 permit ip 10.64.14.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 199 permit ip 10.64.14.0 0.0.0.255 192.168.5.0 0.0.0.255
line con 0
no modem enable
line aux 0
line vty 0 4
access-class ALLOW-MB-MANAGEMENT in
privilege level 15
transport input telnet ssh
scheduler max-task-time 5000
Thanks in advance
Where are you pinging from and to exactly? For instance at the remote location you stated there is packet loss determined by ICMP to the main site and to the internet. Is the ICMP traffic sourced from the router itself or from a client on the inside network?
Based on your description I would be looking at the interfaces from the source at the remote site all the way to your provider. For instance F0 is statically configured and F4 is not. Are you seeing errors on either interface? Do you have a duplex mismatch?
The pings are sourced from either the VLAN for internal ICMPs, remote site source 10.64.14.1 (VLAN1) to main office 10.64.8.1 (BVI1).
We are getting good response times but loss of packets in the range of 85%.
We are also pinging Internet sites such as 184.108.40.206 and sourcing from interface f4 which is statically configured with public IP.
We are seeing the same percentage drop.
I did not include the public IP in the configuration.
When we ping a public IP from the main site there is no packet loss and speeds are acceptable.
If you are seeing loss from F4 to 220.127.116.11, I would focus there and start from the ground up. Are you seeing errors on the interface for F4? F4 is set to auto negotiate, did it negotiate to half duplex?
Assuming F4 plugs into a cable modem or something, can you disconnect the router and replace it with a laptop temporarily? With the laptop attempting to ping 18.104.22.168 do you see the same loss?
We are not seeing any sort of errors on the F4 interface or any of the other interfaces. We are not seeing any duplex mismatch. Connecting a laptop is still showing packet loss but not as much. We are currently working with the supplier to see if it may be related to their cable modem. But as stated we are perplexed by good response time 40 - 100 ms but dropped packets.
Keep the questions coming, always good to get another perspective.
I'd also like to add that I'm having sort of the same problem, but only when under load.
I have a 50mbps connection and used to be able to utilize that no problem. Now, when I hit 30mbps, I get packet loss to the 871w, from it to my servers, and I can't seem to exceed 30mbps anymore.
And yes, bypassing shows 50mbps all day long. Sorry if this is irrelevant to your situation.
EDIT: adding examples
64 bytes from 192.168.0.254: icmp_req=716 ttl=255 time=5.79 ms
64 bytes from 192.168.0.254: icmp_req=717 ttl=255 time=23.7 ms
64 bytes from 192.168.0.254: icmp_req=718 ttl=255 time=17.9 ms
64 bytes from 192.168.0.254: icmp_req=720 ttl=255 time=68.9 ms
64 bytes from 192.168.0.254: icmp_req=721 ttl=255 time=24.5 ms
64 bytes from 192.168.0.254: icmp_req=722 ttl=255 time=164 ms
64 bytes from 192.168.0.254: icmp_req=723 ttl=255 time=10.9 ms
64 bytes from 192.168.0.254: icmp_req=724 ttl=255 time=3.37 ms
64 bytes from 192.168.0.254: icmp_req=725 ttl=255 time=40.8 ms
30 second input rate 28918000 bits/sec, 3074 packets/sec
30 second output rate 1052000 bits/sec, 1572 packets/sec
I don't know, I used to get 50 without a problem but now I can barely do 30.
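Added example, not part of any poster's message: a small Python parser that turns Linux ping reply lines like the ones quoted in the post above into a loss and jitter summary by looking for gaps in the sequence numbers. The function name `analyze` and the result keys are choices made for this example; the sample input is the nine reply lines from that post.

```python
import re
from statistics import mean

# Linux iputils reply line; older builds print icmp_req, newer ones icmp_seq.
REPLY = re.compile(r"icmp_(?:req|seq)=(\d+)\s+ttl=\d+\s+time=([\d.]+)\s*ms")

# Reply lines copied from the post above (sequence 719 has no reply).
SAMPLE = """\
64 bytes from 192.168.0.254: icmp_req=716 ttl=255 time=5.79 ms
64 bytes from 192.168.0.254: icmp_req=717 ttl=255 time=23.7 ms
64 bytes from 192.168.0.254: icmp_req=718 ttl=255 time=17.9 ms
64 bytes from 192.168.0.254: icmp_req=720 ttl=255 time=68.9 ms
64 bytes from 192.168.0.254: icmp_req=721 ttl=255 time=24.5 ms
64 bytes from 192.168.0.254: icmp_req=722 ttl=255 time=164 ms
64 bytes from 192.168.0.254: icmp_req=723 ttl=255 time=10.9 ms
64 bytes from 192.168.0.254: icmp_req=724 ttl=255 time=3.37 ms
64 bytes from 192.168.0.254: icmp_req=725 ttl=255 time=40.8 ms
"""

def analyze(text):
    """Summarise loss and RTT spread between the first and last reply seen."""
    replies = {}
    for line in text.splitlines():
        m = REPLY.search(line)
        if m:
            replies[int(m.group(1))] = float(m.group(2))
    if not replies:
        raise ValueError("no ping reply lines found")
    seqs = sorted(replies)
    # Only gaps inside the observed window count; probes lost before the
    # first or after the last reply cannot be seen from reply lines alone.
    expected = seqs[-1] - seqs[0] + 1
    missing = [s for s in range(seqs[0], seqs[-1] + 1) if s not in replies]
    rtts = [replies[s] for s in seqs]
    # Jitter here is the mean absolute RTT change between successive replies.
    steps = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    return {
        "expected": expected,
        "received": len(seqs),
        "missing": missing,
        "loss_pct": round(100.0 * len(missing) / expected, 1),
        "rtt_min": min(rtts),
        "rtt_avg": round(mean(rtts), 2),
        "rtt_max": max(rtts),
        "jitter_ms": round(mean(steps), 2) if steps else 0.0,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Running the same function over captures taken idle and under load, and with the router bypassed, gives comparable numbers for each case.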