DMVPN - improve network performance

J_Vansen_S
Level 3

Hi All,

We have a dual hub dual DMVPN cloud network running EIGRP for about 50 and 100 sites in the coming future.

I have configured it in a way for 25 spokes to designate hub1 as primary and the other 25 spokes to designate hub2 as their primary link, to load balance.

I need some help with suggestions or recommendations on how to improve its network performance.

This is to anticipate queries by customers running systems & apps complaining about why the link is too slow after implementing DMVPN.

Are there any parameters that can be fine-tuned to help increase its performance?

Please advise.

Thanks

7 Replies

Marcin Latosiewicz
Cisco Employee

Hi,

Having three major factors of performance in mind (packet loss, delay, fragmentation) ...

- QoS

- tweaking MSS/MTU (and enabling PMTUD)

- installing WAN accelerators

- making sure none of the devices is oversubscribed (CPU, crypto accelerator)

- specific to DMVPN - making sure that spoke-to-spoke tunnels establish properly.

usually does the trick.

What is the actual concern you have or what are you expecting to see?

Marcin

Hello, I know this thread is old but it is exactly relevant to what I have now. We have implemented the dual hub dual DMVPN solution over the last year on our remote sites. The head ends are 7200s w/C7200P-ADVSECURITYK9-M, Version 12.4(24)T3 and the remotes are 1700s (slowly being replaced with 1800s) and 1800 series routers. There are about 60 sites, most of them riding over Comcast cable (preferred) or Verizon DSL. Many of our sites have both, where Comcast is primary and DSL is secondary, so on these sites there are 4 tunnels.

Our connections are getting very slow. For instance, at one site they have paid for 50mb cable connection, which, when plugged directly into the cable modem, reaches those speeds. When going through the tunnel back to our core, where we have multiple GB ISP connections out to the internet, they are getting 2mb download speeds. Actually, they don't even have to be going out to the internet, just hitting our internal servers in the core is slow for them. We started testing multiple sites and it seems all of them are getting very slow compared to the service they have.

In looking at the troubleshooting options available you listed above, I am very curious about making sure none of the devices are oversubscribed. Since we have no spoke to spoke connections I am assuming that this troubleshooting should be done on the 7200s. What commands would be good to run to check for oversubscription on the 7200s regarding CPU and crypto accelerator? Also, when you mention QoS, where does this get applied? I am familiar with manual QoS config for voice and video, but how does it relate to VPN? Is there anything else I can look at/modify that will help alleviate the slowness of these tunnels? Any help would be greatly appreciated!!

Thank you,

Noel

Noel,

Performance problems can be tough. Usually they will require going through multiple outputs/captures back and forth.

It will depend whether we're talking about some protocols only and if we'll be talking about single flow performance or multiple :-)

Can I suggest opening a TAC case? If you're based in EMEA I can pick up the case if needed. That being said:

QoS for me is more about shaping rather than prioritizing, guaranteeing bandwidth.

Base things to see:

- show buffer

- show int

- show crypto engine accel stati

- proc and mem stats.

- CEF stats.

I already assume you have proper config on tunnel interfaces in terms of MTU and MSS and (if ISR G2 are involved) licenses.

Indeed hub is a good place to start, but not everything will depend on it.

M.

Thank you very much for the reply Marcin. Instead of modifying my existing tunnels, since we are talking about production sites (Baltimore City Government), I went ahead and created another tunnel on the 7200 and on the 1841 in this case with the MTU and MSS settings at 1400 and 1360 respectively. This is a site with 16mb Comcast service. Unfortunately it didn't seem to help. I am going to do some more digging around but I probably will be creating a TAC case shortly.

I appreciate your help.

Best regards,

Noel

Noel,

1400/1360 is a good start but is it really the optimal MTU for this setup? ;-)

Let's see what we can find with a TAC case.

M.
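
An added example, not part of any post in this thread: the tunnel MTU/MSS question above, worked as a calculation of how large a GRE-over-IPsec packet becomes on the wire and the largest inner MTU that avoids fragmentation. The cipher (AES-CBC with HMAC-SHA1-96), IPv4-only headers without options, the GRE tunnel key, and all function names are assumptions; none of these are stated in the thread.

```python
# Added example: per-packet size of GRE over IPsec (ESP), IPv4 only.
# Assumed (not stated in the thread): AES-CBC (16-byte block and IV)
# with a 12-byte HMAC-SHA1-96 ICV, and TCP/IP headers without options.
IP_HDR = 20
TCP_HDR = 20
UDP_NATT = 8         # UDP encapsulation when NAT traversal is in use
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
BLOCK = IV = 16      # AES-CBC block size and IV size
ICV = 12             # HMAC-SHA1-96 integrity check value


def wire_size(inner_len, tunnel_mode=False, gre_key=True, nat_t=False):
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    gre = 8 if gre_key else 4                 # a tunnel key adds 4 bytes to GRE
    plaintext = gre + inner_len + ESP_TRAILER
    if tunnel_mode:
        plaintext += IP_HDR                   # GRE delivery header is encrypted too
    padded = -(-plaintext // BLOCK) * BLOCK   # ESP pads up to the cipher block
    outer = IP_HDR + (UDP_NATT if nat_t else 0) + ESP_HDR + IV
    return outer + padded + ICV


def max_inner_mtu(path_mtu=1500, **opts):
    """Largest inner IP packet that is not fragmented after encryption."""
    for inner in range(path_mtu, 0, -1):
        if wire_size(inner, **opts) <= path_mtu:
            return inner
    return 0


def report(path_mtu=1500):
    """(tunnel_mode, nat_t, inner MTU, TCP MSS) for each combination."""
    rows = []
    for tunnel_mode in (False, True):
        for nat_t in (False, True):
            mtu = max_inner_mtu(path_mtu, tunnel_mode=tunnel_mode, nat_t=nat_t)
            rows.append((tunnel_mode, nat_t, mtu, mtu - IP_HDR - TCP_HDR))
    return rows


if __name__ == "__main__":
    for tunnel_mode, nat_t, mtu, mss in report():
        mode = "tunnel" if tunnel_mode else "transport"
        print(f"{mode:9} nat_t={nat_t!s:5} ip mtu {mtu}  mss {mss}")
    print("1400-byte packet, tunnel mode + NAT-T:",
          wire_size(1400, tunnel_mode=True, nat_t=True), "bytes on the wire")
```

Under these assumptions a 1400-byte inner packet fits a 1500-byte path in transport mode but comes out at 1504 bytes in tunnel mode with NAT traversal, so the right value depends on the IPsec mode and on whether NAT sits in the path.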

Did you ever find out anything about this? We are seeing a very similar issue. I opened a TAC, but all they told me was the delay was caused by internet latencies. We are getting 5 Mb throughput on a 22 Mb Comcast line.

Brent Magnant

We are seeing the same issue as described in the discussion. We have a Cisco 2801 router using DMVPN to our hub at the corporate office and we are only getting about 4 to 5 Mbps on a Comcast 50Mbps Cable Internet connection. It's only using about 30% of the CPU and memory is using 70% of router memory. We have other DMVPN spokes connected to 15/5 Cox Communications internet connections and they are able to get the full bandwidth on the DMVPN tunnel, so it almost appears to be related to the Comcast connections as I've seen this same issue at another site that was using an 1841 router connected to Comcast. I don't think it's a fragmentation issue as I have verified that CEF is being used on the hub and spoke routers for forwarding packets. I also bypassed the routers and connected directly to the Cable modems to verify that we do get the full speeds when connected directly to the ISP.

Very strange issue and I would think a lot of people out there have experienced this and hopefully will have an answer.

Brandon