Remote Ingress Shaping not working

Krzysztof Zaleski · ‎05-11-2012

Hello,

I have some DMVPN WAN topology (EIGRP based) running over the Internet. Initialy there was only one global routing table and simple multipoint tunnel interface on all spokes. It worked fine. Now, we added Remote Ingress Shaping (RIS) feature to provide ingress QoS for spokes. After implementing it, two things happened. First, shaping on internal tunnel is not working at all. Shaper is set to 256k, but the traffic axceeds even above 1.5Mb. It's not a problem with displaying policy counters as the relevant traffic is also observed on thysical interfaces (WAN and LAN).

TEST#show policy-map interface tunnel 6

Tunnel6

Service-policy output: qos-shaping-lan

Class-map: class-default (match-any)

64494 packets, 59307655 bytes

30 second offered rate 504000 bps, drop rate 0 bps

Match: any

Queueing

queue limit 64 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

shape (average) cir 256000, bc 25600, be 0

target shape rate 256000

Second, which is worse, the traffic becomes very unstable. The configuration itself seems to be OK, as pings can go from LAN PC to the hub. However, larger, mixed traffic is not working. Actualy it is quite hard to find a single point of issue. I mean, I can ping local LAN from the hub, I can even do RDP to remote workstation. Also, copying files from the HUB to that workstation using CIFS is OK. However, when I try for example to connect to the Exchange server, or update AD policy (miscelanous TCP/UDP ports are used), it just stops working. Wireshark shows many duplicate and fragmented packets. When I remove that internal tunnel and VRF from LAN interface, everything starts working fine. So, what I can see is that DMVPN tunnel is OK, but additional, internal tunnel breaks the traffic somehow. Here is relevant code:

interface Loopback5

description Source for RIS inside VRF

ip address 1.1.1.1 255.255.255.255

interface Loopback6

description Source for RIS inside Global

ip address 2.2.2.2 255.255.255.255

interface Tunnel0

[...]

description DMVPN#1 via Internet

bandwidth 256

ip mtu 1400

ip tcp adjust-mss 1360

tunnel path-mtu-discovery

tunnel protection ipsec profile IPSEC-DMVPN shared

[...]

interface Tunnel5

description Tunel RIS VRF

ip vrf forwarding LAN

ip address 3.3.3.1 255.255.255.252

ip mtu 1400

ip tcp adjust-mss 1360

tunnel source Loopback5

tunnel destination 2.2.2.2

interface Tunnel6

description Tunel RIS global

bandwidth 256

ip address 3.3.3.2 255.255.255.252

ip tcp adjust-mss 1360

tunnel source Loopback6

tunnel destination 1.1.1.1

service-policy output qos-shaping-lan

interface GigabitEthernet0/0

description Internet access

bandwidth 256

[...]

service-policy output qos-shaping-wan

interface GigabitEthernet0/1

description LAN Switch

interface GigabitEthernet0/1.10

description Workstations

encapsulation dot1Q 100

ip vrf forwarding LAN

ip address 10.0.0.1 255.255.255.0

[...]

ip route 0.0.0.0 0.0.0.0 x.x.x.x name Def_towards_internet

ip route 10.0.0.0 255.255.255.0 Tunnel6 name LAN_Net

ip route vrf LAN 0.0.0.0 0.0.0.0 Tunnel5 name Def_towards_global

policy-map qos-shaping-wan

class class-default

shape average 256000 25600 0

service-policy qos-wan-out

policy-map qos-shaping-lan

class class-default

shape average 256000 25600 0

service-policy qos-lan-out

I played with different MTUs, MSS, and path-mtu discover on that internal tunnel. It seems that some bug in IOS (2901, 15.1(4)M3) makes this internal tunnel to misbehave. Has anyone implemented RIS feature using internal tunnels? Is there anything wrong with the above config?

Cheers,

Krzysztof