
DMVPN Throughput problem

Brian Green
Level 1

Hi,

I am having a problem that I can't find a solution for.  I have two routers with workstations behind them connected via a DMVPN Tunnel.  When I run a tool to measure the bandwidth available (jperf) I see a total of about 200Kbps - a LOT less than it should be.  I've tried removing all QoS service-policy statements from the interfaces - that didn't make a difference.  The tunnel runs over a 100Mbps link.

 

Anyone have any ideas what else could be impeding the traffic so much?

 

Thanks,

Brian

9 Replies

Shaunak
Cisco Employee

Hi Brian,

Did you check if CEF is enabled on the device? What is the model of the device and IOS version on the router?

Thanks,

Shaunak

CEF is enabled, on both ends.  Both routers are 2921s, running 15.4(3)M3

To isolate this, can you configure a GRE tunnel without any kind of VPN encryption on both the routers and check what kind of throughput the devices are getting?

There is no encryption set on this tunnel - it is a fairly simple config:

 

interface Tunnel100
 ip vrf forwarding vrf-name
 ip address XXX.XXX.XXX.XXX 255.255.255.0
 no ip redirects
 ip mtu 1340
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip tcp adjust-mss 1400
 ip ospf network broadcast
 ip ospf mtu-ignore
 cdp enable
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key XXX

 

The config on the other end is very similar - it uses the hub as a destination address - so the nhrp multicast address is different, and there is an nhs address.  There is no encryption on this tunnel that I can see.

Can you check the show ip traffic command on the router and see if the number of fragments is increasing?

Run the show command multiple times and see if the counters change on the device and how aggressively they change.

Also, check if CEF has been explicitly disabled on any of the interfaces, WAN facing or LAN facing, or whether you have an ingress ACL on the LAN interface with the log keyword.

I ran it at both ends when a transfer is going - one end is increasing the number of fragments slowly, and the other doesn't seem to change at all.  As for CEF, I can't see any commands that it is disabled on the interface - either the physical or the tunnel.  And there are no ACLs on these routers at all.

What does the hub tunnel configuration look like in terms of these settings -

"ip mtu ?" and "ip tcp adjust-mss ?"

Jon

Sorry for the delay - I wasn't in the office for a few days.

I've since found out that the network is levelling automatically - I am not responsible for the devices behind the tunnels so I can't change any of the configuration there.  So this isn't an issue, apparently!

 

Thanks for the help!

 

Brian

I'm wondering why your ip mtu is smaller than your adjust-mss value. GRE removes the Don't-Fragment bit, so this config will in my opinion fragment every single packet.

I would suggest:

tunnel path-mtu-discovery (<- lets the GRE tunnel keep the DF bit and send ICMP "packet too big" messages)

ip mtu 1400

ip tcp adjust-mss 1360 (optional, I suppose)
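
As an added example (not part of any post in this thread): a small Python check for the relationship the last reply points at, that a clamped MSS plus 40 bytes of IPv4 and TCP headers should fit inside the tunnel's ip mtu. The sample config is constructed from the values quoted above; the interface name Tunnel200 and the function names are assumptions for illustration.

```python
import re

IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

# Constructed sample: Tunnel100 carries the values posted in the thread,
# Tunnel200 (hypothetical name) carries the values suggested in the last reply.
SAMPLE_CONFIG = """\
interface Tunnel100
 ip mtu 1340
 ip tcp adjust-mss 1400
 tunnel mode gre multipoint
!
interface Tunnel200
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel path-mtu-discovery
 tunnel mode gre multipoint
"""

def parse_interfaces(config):
    """Return {interface name: {'ip_mtu': int|None, 'mss': int|None}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface\s+(\S+)", line):
            current = interfaces.setdefault(m.group(1), {"ip_mtu": None, "mss": None})
        elif not line.startswith(" "):
            current = None  # "!" or any top-level line ends the interface stanza
        elif current is not None:
            if m := re.match(r"\s+ip mtu (\d+)\s*$", line):
                current["ip_mtu"] = int(m.group(1))
            elif m := re.match(r"\s+ip tcp adjust-mss (\d+)\s*$", line):
                current["mss"] = int(m.group(1))
    return interfaces

def check_mss(config):
    """List (name, largest packet, ip mtu, max safe MSS) where MSS + headers > ip mtu."""
    findings = []
    for name, s in parse_interfaces(config).items():
        if s["ip_mtu"] is None or s["mss"] is None:
            continue  # nothing to compare on this interface
        largest_packet = s["mss"] + IPV4_TCP_HEADERS
        if largest_packet > s["ip_mtu"]:
            findings.append((name, largest_packet, s["ip_mtu"], s["ip_mtu"] - IPV4_TCP_HEADERS))
    return findings

if __name__ == "__main__":
    for name, pkt, mtu, max_mss in check_mss(SAMPLE_CONFIG):
        print(f"{name}: full-size TCP packet {pkt} > ip mtu {mtu}; clamp MSS to {max_mss} or lower")
```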
