03-16-2016 10:34 AM - edited 03-08-2019 04:59 AM
Hi,
I am having a problem that I can't find a solution for. I have two routers with workstations behind them connected via a DMVPN Tunnel. When I run a tool to measure the bandwidth available (jperf) I see a total of about 200Kbps - a LOT less than it should be. I've tried removing all QoS service-policy statements from the interfaces - that didn't make a difference. The tunnel runs over a 100Mbps link.
Anyone have any ideas what else could be impeding the traffic so much?
Thanks,
Brian
03-16-2016 10:50 AM
Hi Brian,
Did you check if CEF is enabled on the device? What is the model of the device and IOS version on the router?
Thanks,
Shaunak
03-16-2016 10:56 AM
CEF is enabled, on both ends. Both routers are 2921s, running 15.4(3)M3
03-16-2016 11:03 AM
To isolate this, can you configure a GRE tunnel without any kind of VPN encryption on both the routers and check what kind of throughput the devices are getting?
03-16-2016 11:23 AM
There is no encryption set on this tunnel - it is a fairly simple config:
interface Tunnel100
 ip vrf forwarding vrf-name
 ip address XXX.XXX.XXX.XXX 255.255.255.0
 no ip redirects
 ip mtu 1340
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip tcp adjust-mss 1400
 ip ospf network broadcast
 ip ospf mtu-ignore
 cdp enable
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key XXX
The config on the other end is very similar - it uses the hub as a destination address - so the nhrp multicast address is different, and there is an nhs address. There is no encryption on this tunnel that I can see.
03-16-2016 11:49 AM
Can you check the show ip traffic command on the router and see if the number of fragments is increasing?
Run the show command multiple times and see if the counters change on the device and how aggressively they change.
Also, check if CEF has been explicitly disabled on any of the interfaces, WAN facing or LAN facing, or if you have an ingress ACL on the LAN interface with the log keyword.
03-17-2016 05:36 AM
I ran it at both ends when a transfer is going - one end is increasing the number of fragments slowly, and the other doesn't seem to change at all. As for CEF, I can't see any commands that it is disabled on the interface - either the physical or the tunnel. And there are no ACLs on these routers at all.
03-17-2016 06:03 AM
What does the hub tunnel configuration look like in terms of these settings -
"ip mtu ?" and "ip tcp adjust-mss ?"
Jon
03-21-2016 08:58 AM
Sorry for the delay - I wasn't in the office for a few days.
I've since found out that the network is levelling automatically - I am not responsible for the devices behind the tunnels so I can't change any of the configuration there. So this isn't an issue, apparently!
Thanks for the help!
Brian
03-18-2016 01:34 AM
I'm wondering why your ip mtu is smaller than your adjust-mss value. GRE removes the Don't-Fragment bit, so this config will in my opinion fragment every single packet.
I would suggest:
tunnel path-mtu-discovery (<- lets the GRE tunnel keep the DF bit and send ICMP packet-too-big messages)
ip mtu 1400
ip tcp adjust-mss 1360 (optional I suppose)
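The check raised in the last reply, comparing a clamped MSS with the tunnel's ip mtu, can be run over a saved configuration. This is an added example and not part of the thread; the function names are hypothetical, and it assumes 40 bytes of IPv4 and TCP headers with no options. The two sample configs are constructed from the values quoted above.

```python
import re

# Assumption: 20-byte IPv4 header + 20-byte TCP header, no options.
IPV4_TCP_HEADERS = 40

# Constructed from the tunnel settings quoted in the thread (address omitted).
POSTED = """\
interface Tunnel100
 ip mtu 1340
 ip tcp adjust-mss 1400
 ip ospf mtu-ignore
 tunnel mode gre multipoint
"""
# Constructed from the values suggested in the last reply.
SUGGESTED = """\
interface Tunnel100
 tunnel path-mtu-discovery
 ip mtu 1400
 ip tcp adjust-mss 1360
"""

def parse_interfaces(config):
    """Map each interface name to the ip mtu / adjust-mss values set on it."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+(\S+)$", line):
            current = interfaces.setdefault(m.group(1), {})
        elif current is not None:
            if m := re.match(r"ip mtu (\d+)$", line):
                current["ip_mtu"] = int(m.group(1))
            elif m := re.match(r"ip tcp adjust-mss (\d+)$", line):
                current["adjust_mss"] = int(m.group(1))
    return interfaces

def check_mss(config):
    """Return (interface, full-segment size, ip mtu, largest MSS that fits)."""
    findings = []
    for name, s in parse_interfaces(config).items():
        if "ip_mtu" in s and "adjust_mss" in s:
            packet = s["adjust_mss"] + IPV4_TCP_HEADERS
            if packet > s["ip_mtu"]:
                findings.append((name, packet, s["ip_mtu"],
                                 s["ip_mtu"] - IPV4_TCP_HEADERS))
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label, check_mss(cfg) or "MSS fits inside ip mtu")
```

With the posted values a full-size TCP segment becomes a 1440-byte packet against an ip mtu of 1340; the suggested 1400/1360 pair fits exactly.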