02-23-2010 12:38 PM - edited 03-04-2019 07:35 AM
*** Here's the environment:
2 routers (Catalyst 2801 and 2821), each connected to the "big internet".
Between the routers there are:
- an IPsec VPN
- inside the IPsec VPN, an L2TPv3 tunnel.
*** Here's the problem:
When I test the connection I get the result I expect as long as the packet size is smaller than 1400.
Once the packet size is 1500, the CPU of one of the two routers goes to 100% and the throughput drops to about 1 Mb/s.
Is there any option to avoid the problem with IPv4 traffic (TCP and UDP)?
Can you check the configuration (in particular the MTU and MSS options)?
Is there any configuration option/feature to avoid 100% CPU utilization?
The configuration follows:
Router 1:
---------
version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
no service password-encryption
!
hostname router-1
!
boot-start-marker
boot system flash:c2801-adventerprisek9-mz.124-25c.bin
boot-end-marker
!
logging buffered 64000 debugging
no logging console
!
no aaa new-model
ip cef
!
!
!
!
ip domain name cisco.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username xxxxxxxxxxxxxx privilege 15 xxxxxxxxxxxx
!
!
ip ssh version 1
pseudowire-class vlan-xconnect
encapsulation l2tpv3
protocol none
ip local interface Loopback1
ip tos reflect
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
crypto isakmp key cisco address 1.20.1.157
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description *** Tunnel to 1.20.1.157
set peer 1.20.1.157
set transform-set ESP-AES256-SHA
match address 100
!
!
!
!
interface Loopback1
description *** L2TPv3 Tunnel Source
ip address 172.20.20.251 255.255.255.255
ip mtu 1420
ip tcp adjust-mss 1300
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description *** LAN INTERNAL
no ip address
ip tcp adjust-mss 1300
duplex auto
speed auto
no cdp enable
xconnect 172.20.20.250 1 encapsulation l2tpv3 manual pw-class vlan-xconnect
l2tp id 1002 2001
l2tp cookie local 4 102
l2tp cookie remote 4 201
!
interface FastEthernet0/1
description *** INTERNET
ip address 2.1.4.7 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.1.4.6
!
!
no ip http server
no ip http secure-server
!
access-list 100 remark IPSec phase 2 Rule
access-list 100 permit ip host 172.20.20.251 host 172.20.20.250
access-list 100 deny ip any any log
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
login local
line aux 0
line vty 0 5
exec-timeout 5 0
login local
!
scheduler allocate 20000 1000
Router 2:
---------
version 12.4
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname router-2
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-25c.bin
boot-end-marker
!
logging buffered 64000 debugging
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login clientauth local
aaa authorization exec default local
!
aaa session-id common
clock timezone Rome 1
clock summer-time Rome recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
!
ip cef
!
!
ip domain name cisco.com
ip multicast-routing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 60 attempts 3 within 20
login on-failure log
login on-success log
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
username xxxxxxxxxxx privilege 15 password xxxxxxxxxxxxxxxxxxxxxxxx
archive
log config
hidekeys
!
!
pseudowire-class vlan-xconnect
encapsulation l2tpv3
protocol none
ip local interface Loopback1
ip tos reflect
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
crypto isakmp key cisco address 2.1.4.7
crypto isakmp keepalive 120 5
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description *** Tunnel to 2.1.4.7
set peer 2.1.4.7
set transform-set ESP-AES256-SHA
match address 100
!
!
!
!
interface Loopback0
no ip address
load-interval 30
!
interface Loopback1
description *** L2TPv3 Tunnel Source
ip address 172.20.20.250 255.255.255.255
ip mtu 1420
ip tcp adjust-mss 1300
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description ** To Internet **
ip address 1.20.1.157 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip virtual-reassembly
load-interval 30
!
interface GigabitEthernet0/1
description ** To internal networks **
no ip address
ip tcp adjust-mss 1300
load-interval 30
duplex auto
speed auto
no cdp enable
xconnect 172.20.20.251 1 encapsulation l2tpv3 manual pw-class vlan-xconnect
l2tp id 2001 1002
l2tp cookie local 4 201
l2tp cookie remote 4 102
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.20.1.156 name default
!
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 1000
!
no ip http server
no ip http secure-server
!
!
access-list 100 remark IPSec phase 2 Rule
access-list 100 permit ip host 172.20.20.250 host 172.20.20.251
access-list 100 deny ip any any log
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 5 0
transport input telnet ssh
escape-character 3
!
scheduler allocate 20000 1000
02-23-2010 12:51 PM
Can't you configure your systems so as to avoid bridging in the first place?
02-23-2010 12:55 PM
Fragmentation is to be avoided in PW topologies. What you are seeing is quite normal.
Please refer to this article: http://tools.ietf.org/html/draft-ietf-pwe3-fragmentation-10
02-23-2010 01:34 PM
1) As my transport is the "big internet", the path MTU between the 2 routers can be controlled
2) As the traffic inside the tunnel (the private traffic) is IP over Ethernet (1500 bytes) and the IPsec and L2TPv3 headers add overhead, I need to fragment, as the traffic between the servers is UDP and TCP, with or without DF...
Are there any L2TPv3 and IPsec header compression methods?
Which L2TPv3 configuration uses the minimum header?
Which IPsec encryption protocol configuration uses the minimum header?
02-23-2010 01:21 PM
The customer has 2 small data centers connected by different ISPs: in the 1st (old) DC there are 50 servers with private IPs in 10.0.0.0/24 and public IPs in x.x.x.x/24 (the public IP addresses are PA assigned); in the 2nd (new) DC there is nothing (for now).
The customer needs to connect the 2 DCs in the fastest way and "bring" the servers between the old and the new DC.
As the only connection between the 2 DCs is the internet, I am trying to use an L2L VPN bridging the traffic...
Are there any other fast solutions using the internet (L2TPv3 over IPsec)? (Using a simple IPsec VPN would require NAT.)
Thanks for all !
Roberto Taccon
02-23-2010 01:31 PM
You have one of the few cases in which bridging would really be needed. Unfortunately, it never works well over the internet.
Try bridging over GRE (unsupported, may work).
02-23-2010 03:01 PM
Thanks for the suggestion of GRE...
Can you please check the following sample configuration, with internet IPs as the GRE tunnel source and destination:
Is it possible to use "no ip address" on the GRE tunnel?
How can I resolve the extra GRE header encapsulation with the MTU?
#router-1
!
bridge irb
bridge 1 protocol ieee
!
!
!
!
interface Tunnel1
description GRE tunnel to router-2
no ip address
tunnel source FastEthernet0/1
tunnel destination 8.8.8.9
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0/0
description Link to lan 10.0.0.0/24
no ip address
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0/1
description *** Link to internet
ip address 1.2.3.5 255.255.255.252
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 1.2.3.6
!
#router-2
!
!
bridge irb
bridge 1 protocol ieee
!
!
!
!
interface Tunnel1
description GRE tunnel to router-1
no ip address
tunnel source FastEthernet0/1
tunnel destination 1.2.3.5
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0/0
description Link to lan 10.0.0.0/24
no ip address
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0/1
description *** Link to internet
ip address 8.8.8.9 255.255.255.252
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 8.8.8.10
!
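The two header-size questions in this thread (which L2TPv3 and IPsec settings carry the least overhead, and what the extra GRE header does to the MTU) reduce to arithmetic on the encapsulation layers, so here is a calculator for them. It is an added example, not part of the thread and not a Cisco tool. Assumptions, stated in the code as well: IPv4 headers without options (20 bytes); an untagged Ethernet frame without FCS inside the pseudowire (14 bytes); L2TPv3 over IP as configured above (`protocol none`, 4-byte session ID plus the 4-byte cookie, no sequencing sublayer); ESP with AES-CBC or 3DES-CBC and HMAC-SHA1-96 in tunnel mode, which is the IOS default when the transform set has no `mode transport`; and a plain 4-byte GRE header. With those assumptions a 1500-byte inner packet grows to 1608 bytes on the wire over L2TPv3 + ESP AES tunnel mode, and the largest inner IPv4 packet that crosses a 1500-byte link without fragmentation is 1396 bytes, which is consistent with the "under 1400 works" observation in the first post: anything bigger is fragmented on the way out and reassembled by the peer in the process-switched path, which is where the CPU goes.

```python
"""Encapsulation-overhead calculator for the L2TPv3-over-IPsec and GRE
designs discussed in the thread.  Added example, not Cisco code.

Assumptions:
  * IPv4 headers without options (20 bytes); Ethernet without 802.1Q tag
    (14 bytes) and without FCS inside the pseudowire.
  * L2TPv3 over IP (protocol 115, `protocol none`): 4-byte session ID plus
    the configured 4-byte cookie, no L2-specific sublayer (no sequencing).
  * ESP with AES-CBC (16-byte IV, 16-byte block) or 3DES-CBC (8/8) and
    HMAC-SHA1-96 (12-byte ICV); tunnel mode unless `mode transport` is set.
  * GRE with no key/checksum/sequence options (4-byte header).
"""

IPV4_HDR = 20
ETH_HDR = 14
GRE_HDR = 4
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA1-96
CIPHERS = {"aes": (16, 16), "3des": (8, 8)}   # name -> (iv_len, block_size)


def round_up(n, block):
    """Round n up to the next multiple of block (CBC padding)."""
    return -(-n // block) * block


def l2tpv3_payload(inner_ip_len, cookie_len=4, sequencing=False):
    """Bytes carried after the L2TPv3 outer IP header."""
    return 4 + cookie_len + (4 if sequencing else 0) + ETH_HDR + inner_ip_len


def gre_bridge_payload(inner_ip_len):
    """Bytes carried after the GRE outer IP header (a bridged Ethernet frame)."""
    return GRE_HDR + ETH_HDR + inner_ip_len


def esp_wire_len(payload_len, cipher="aes", mode="tunnel"):
    """Size on the wire of one tunnelled packet after ESP.

    payload_len is the part after the tunnel's own IP header.  In tunnel
    mode that header is encrypted too and a new outer header is added; in
    transport mode it stays in the clear and is reused, saving 20 bytes.
    """
    iv_len, block = CIPHERS[cipher]
    plaintext = payload_len + (IPV4_HDR if mode == "tunnel" else 0)
    encrypted = round_up(plaintext + ESP_TRAILER, block)
    return IPV4_HDR + ESP_HDR + iv_len + encrypted + ESP_ICV


def wire_len(inner_ip_len, encap="l2tpv3", cipher=None, mode="tunnel"):
    """Bytes on the WAN link for one inner IPv4 packet of inner_ip_len."""
    payload = {"l2tpv3": l2tpv3_payload, "gre": gre_bridge_payload}[encap](inner_ip_len)
    if cipher is None:                       # tunnel without IPsec
        return IPV4_HDR + payload
    return esp_wire_len(payload, cipher, mode)


def max_inner_ip(encap="l2tpv3", cipher=None, mode="tunnel", link_mtu=1500):
    """Largest inner IPv4 packet that leaves the WAN link unfragmented."""
    size = link_mtu
    while size > 0 and wire_len(size, encap, cipher, mode) > link_mtu:
        size -= 1
    return size


def tcp_mss(inner_ip_mtu):
    """MSS to clamp to so a full segment fits inner_ip_mtu (no TCP options)."""
    return inner_ip_mtu - IPV4_HDR - 20


if __name__ == "__main__":
    print("1500-byte inner packet over L2TPv3 + ESP AES tunnel mode:",
          wire_len(1500, "l2tpv3", "aes", "tunnel"), "bytes on the wire")
    cases = [("l2tpv3", None, "tunnel"), ("l2tpv3", "aes", "tunnel"),
             ("l2tpv3", "aes", "transport"), ("l2tpv3", "3des", "tunnel"),
             ("gre", None, "tunnel"), ("gre", "aes", "tunnel"),
             ("gre", "aes", "transport")]
    for encap, cipher, mode in cases:
        m = max_inner_ip(encap, cipher, mode)
        label = mode if cipher else "-"
        print(f"{encap:7s} {cipher or 'none':5s} {label:9s} -> "
              f"inner MTU {m}, TCP MSS {tcp_mss(m)}")
```

Two practical readings of the output: `ip tcp adjust-mss 1300` in the posted configs is below the computed 1356 and so already protects TCP, but it does nothing for UDP, which is why a 1500-byte UDP test still fragments; and the only settings that buy back room without a second pair of routers are ESP transport mode (20 bytes, inner MTU 1416 for L2TPv3) and dropping IPsec altogether (inner MTU 1458 for L2TPv3, 1462 for GRE). 3DES saves 8 bytes of IV over AES and is not worth the weaker cipher.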
02-23-2010 03:04 PM
I think you need an additional pair of routers, with IP routing disabled, for bridging over GRE.
You cannot do anything about the MTU. Just hope the applications will still work. They may not.