11-19-2016 01:55 AM - edited 03-05-2019 07:30 AM
Hello,
I am having a very strange data/file corruption over GRE/IPSEC tunnels. I have two sites connected with WAN links (four links, 80mbps one, 50mbps another, and 20mbps remaining ones). I am using GRE over IPSEC tunnels between sites. The issue is that very often files transferred from one site to another get corrupted, but the corruption pattern is actually very interesting. The file size remains the same, and in the received file some bytes are simply shifted from their original location. If I open the file in a HEX editor and manually move the bytes to the correct place, the file and its checksum become OK. Any thoughts on what this could be related to? Some additional info.
1. For testing I am using 5GB sample file.
2. When testing purely over WAN links (PCs directly connected to the WAN link, no routers and tunnels between them) no corruption.
3. I am using 3945E routers on both ends. Replaced them with spare ones - no change.
4. The corruption does not always happen. There are successful transfers as well.
5. For copying I am using FTP and SMB.
6. Here is the tunnel config:
interface GigabitEthernet0/0
 description toSite2
 bandwidth 50000
 ip address XXXX
 ip access-group ACL_1 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map CMAP
!
interface Tunnel10
 description GREVPN_GE0/0_2Site2
 ip address YYYY
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf dead-interval 9
 ip ospf hello-interval 3
 qos pre-classify
 keepalive 3 3
 tunnel source GigabitEthernet0/0
 tunnel destination ZZZZ
 tunnel path-mtu-discovery
!
crypto map CMAP 10 ipsec-isakmp
 set peer ZZZZ
 set transform-set AES-256
 match address CRYPT
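One way to characterise the corruption described in the post above, as an added example that is not part of the original thread: stream the sent and received copies, list each mismatching byte range, and check whether the range holds the same bytes in a different order ("shifted") or altered bytes. The function names and the sample data are constructed for illustration; the 1360 value is the `ip tcp adjust-mss` setting from the posted config, and the offset-modulo-MSS figure is only a hint for correlating with a packet capture.

```python
import tempfile
from collections import Counter

MSS = 1360  # "ip tcp adjust-mss 1360" from the posted Tunnel10 config

def mismatch_runs(path_a, path_b, chunk=1 << 20, gap=16):
    """Stream both files; return (start, end) ranges where they differ.
    Mismatches closer together than `gap` bytes are merged into one run."""
    runs, pos = [], 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(chunk), fb.read(chunk)
            if not a and not b:
                break
            if a != b:  # only scan byte-by-byte inside chunks that differ
                for i in range(max(len(a), len(b))):
                    if a[i:i + 1] != b[i:i + 1]:
                        off = pos + i
                        if runs and off - runs[-1][1] <= gap:
                            runs[-1][1] = off + 1
                        else:
                            runs.append([off, off + 1])
            pos += max(len(a), len(b))
    return [tuple(r) for r in runs]

def describe(path_a, path_b):
    """Per run: offset, length, and whether the bytes were only reordered."""
    out = []
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        for start, end in mismatch_runs(path_a, path_b):
            fa.seek(start); fb.seek(start)
            a, b = fa.read(end - start), fb.read(end - start)
            out.append({"offset": start, "length": end - start,
                        "offset_mod_mss": start % MSS,
                        "reordered_only": Counter(a) == Counter(b)})
    return out

def make_sample():
    """Constructed test data: one swapped 8-byte region, one altered byte."""
    good = bytearray((i * 7 + 3) % 251 for i in range(8000))
    bad = bytearray(good)
    bad[2720:2724], bad[2724:2728] = good[2724:2728], good[2720:2724]
    bad[5000] ^= 0xFF
    paths = []
    for data in (good, bad):
        with tempfile.NamedTemporaryFile(delete=False) as f:
            f.write(data)
            paths.append(f.name)
    return paths

if __name__ == "__main__":
    for run in describe(*make_sample()):
        print(run)
```

Run it against the real source and destination files by passing their paths to `describe()`; the offsets it reports can then be matched against TCP sequence numbers in captures taken on both sides of the tunnel.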
11-19-2016 01:58 PM
Hello,
Which IOS version(s) are you using? When you say the sites are connected by WAN links, is that multiple links between the sites and load balancing/load sharing?
11-19-2016 08:59 PM
gpauwen,
thanks for the reply.
1. IOS version is 151-4.M8
2. No, no multiple links and load balancing involved. The links are only for redundancy. I also tried physically disconnecting the other links and leaving only one connected.
11-20-2016 02:40 AM
Hi neroshake, this is an ISR router. Please check the inspection, and also check the packet-tracer with the port for ftp & smb... If possible, share the running config.
Regards ,
Mani
11-20-2016 11:10 PM
Thanks. Can you please clarify what you mean by "check the packet-tracer with the port for ftp & smb"? Thanks
11-20-2016 04:42 AM
Hello,
As Mani suggested, seeing the full configuration would be helpful.
You might want to try and configure your tunnel for transport mode (mode transport).
11-20-2016 11:10 PM
Thanks. Will try transport mode and let you know.