Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1058
Views
0
Helpful
3
Replies

Application performance issue over DMVPN

Amit Singh2000
Level 1
Level 1

‎11-29-2017 06:34 PM - edited ‎03-12-2019 04:47 AM

Hi Guys

 

    I am dealing with a very strange issue and cant seem to get my head around. I have a customer, they use DMVPN for some of the sites. Its a standard DMVPN setup nothing complicated at all. During an audit they identified that encryption was weak. We too the opportunity and designed a new DMVPN which allows EIGRP to advertise the Next hop of the remote site so that site to site connectivity is direct. In the past all the traffic was hair pinned to the hub routers. We have also started using IKEv2 instead of IKE v1

 

The only thing that has change on the remote sites is the type of encryption. Hub routers have an additional command no ip eigrp next-hep-self . The EIGRP works fine , end to end ping works fine, ping with 1550 bytes etc..

 

The only problem is that after the cutover some modules of SAP are not accessible. The IP connectivity to those servers is there, i can ping sap server with 1500 bytes, But end user is not able to login at all. the user keep getting error message. When i switch to the older tunnel, it works straight away.

 

People who access different modules of SAP, everything seems to be fine .. Could someone share what i should be looking or have fixed similar kinda issue.?

 

Tunnel configuration Before cut over (Old Design, with every application working)

interface Tunnel10
 description *** Multipoint GRE Tunnel-S ***
 bandwidth 100000
 ip address 10.35.232.30 255.255.248.0
 no ip redirects
 ip mtu 1400
 ip wccp 62 redirect in
 ip nhrp authentication tXXX
 ip nhrp map multicast dynamic
 ip nhrp map 10.35.232.1 XXXXXX
 ip nhrp map multicast XXXXX
 ip nhrp network-id 10
 ip nhrp holdtime 120
 ip nhrp nhs 10.35.232.1
 ip nhrp redirect
 zone-member security XXXXX
 ip tcp adjust-mss 1360
 delay 1000
 shutdown
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile x.x.x.x.x--y.y.y.y-Tu10
end

crypto ipsec transform-set x.x.x.x.x--y.y.y.y--Tu10 esp-3des esp-md5-hmac
 mode transport

 

 

 

Configuration of new tunnel ( All applications work, except some modules of SAP).

 


interface Tunnel20
 description *** Multipoint GRE Tunnel-
 bandwidth 1000000
 ip address 10.35.224.30 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip wccp 62 redirect out
 ip authentication mode eigrp 800 md5
 ip authentication key-chain eigrp 800 XXXXX
 ip nhrp authentication XXXXX
 ip nhrp map multicast dynamic
 ip nhrp map multicast XXXXX
 ip nhrp map 10.35.224.1 XXXXX
 ip nhrp map 10.35.224.2 XXXX
 ip nhrp map multicast XXXXX
 ip nhrp network-id 100
 ip nhrp holdtime 120
 ip nhrp nhs 10.35.224.1
 ip nhrp nhs 10.35.224.2
 ip nhrp redirect
 zone-member security XXXXX
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile XXXXXX-IKEv2
end

 

 

crypto ipsec transform-set  XXXXXXXXX-set esp-aes 256 esp-sha512-hmac
 mode transport

 

Thanks in advance ,.

Labels:
0 Helpful
3 Replies 3

Francesco Molino
VIP Alumni
VIP Alumni

‎11-29-2017 08:22 PM

Hi

You changed only the crypto moving from ikev1 to ikev2?
Nothing else?

Have you tried to apply the following command to avoid fragmentation issue: crypto IPSec fragmentation after-encryption

You can reach sap using icmp packet right?

Have you done a Wireshark to see what's going on at hub site?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Amit Singh2000
Level 1
Level 1
In response to Francesco Molino

‎11-29-2017 09:18 PM

Hi Fransesco

 

         We have started using IKE v2 and the AES 256 encryption for the payload instead of 3DES.

 

Thats all we have changed. Absolutely nothing else.

 

Yes i can ping the SAP server with 1500 by MTU from the PC. However tunnel interface has MTU set to 1400, hence the router the maximum size ping to the server that works is 1400 bytes.

 

from a PC ping MTU 1600 works as well, but not with DF-bit.  i assume from PC MTU1350 would work easily with DF-bit. Haven't tested the last bit yet.

 

Regards

 

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Amit Singh2000

‎11-30-2017 01:28 PM

Can you plz run a wireshark when you're trying to access the server and share the result?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents