Paul, James,

I have not been following on both of the threads fully, so forgive me if I'm asking for something already discussed/checked.

I beleive:

- Keepalives are ment as isakmp keepalives - and they were not configured as far as I understand? "show run | i keep" will show you.

Them not being enabled will basically say that tunnel itself does not drop (even tho connectivity MIGHT be impacted between IKE sites)

- if it's GRE keepalives you're looking for - they are not supported with tunnel protection.

My eariler suggestion was to check "show crypto engine accel stati" during the issue to see if there is something wrong there.

I would advise a simple and effective test during scheduled window - disable encryption on both sides and check if the issue perists.

If the issue does not persist without crypto (tunnel protection) it's either crypto accelarator problem or a hidden MTU problem.

What is the maximum ICMP packet size you can ping through the GRE tunnel with Df-bit set?

Remember that ip policy will not impact locally generated packets. (unless it's "ip local policy ...")

Marcin

Hi,

I have looked the trace file. was it captured between Volume to Blue Square? The traffic direction is from 172.16.8.1 to 172.16.33.100, is 172.16.8.1 in Volume?

Based on the trace, I can see some packets been dropped from 172.16.8.1 to 172.16.33.100, which cause lot retransmissions. Probably you can identify where does the packet been dropped first. It could be dropped by Router interface, or vpn card, or provider. After we know where the packet been dropped, it will be easier to find the solution.

HTH,

Lei Tian

Hi Marcin,

VOL-GATEWAY#show run | i keep
crypto isakmp keepalive 3600
no keepalive
no keepalive

I believe there are a few ways to setup GRE ipsec protected tunnels, the guy who did ours used tunnel protection, however on a test enviroment using Cisco Professional wizzard (sorry) it seemed to use crypto maps?

VOL-GATEWAY#show crypto engine accel stati

Device:   Onboard VPN
Location: Onboard: 0
        :Statistics for encryption device since the last clear
         of counters 1475003 seconds ago
              131135714 packets in                   131135704 packets out
            83412267287 bytes in                   83024152649 bytes out
                     88 paks/sec in                         88 paks/sec out
                    452 Kbits/sec in                       450 Kbits/sec out
               69454566 packets decrypted             61681138 packets encrypted
            47919849488 bytes before decrypt       35486928075 bytes encrypted
            45333650429 bytes decrypted            37690502220 bytes after encrypt
                      0 packets decompressed                 0 packets compressed
                      0 bytes before decomp                  0 bytes before comp
                      0 bytes after decomp                   0 bytes after comp
                      0 packets bypass decompr               0 packets bypass compres
                      0 bytes bypass decompres               0 bytes bypass compressi
                      0 packets not decompress               0 packets not compressed
                      0 bytes not decompressed               0 bytes not compressed
                  1.0:1 compression ratio                1.0:1 overall
                Last 5 minutes:
                  17819 packets in                       17819 packets out
                     59 paks/sec in                         59 paks/sec out
                 236369 bits/sec in                     237824 bits/sec out
                2335953 bytes decrypted                6137127 bytes encrypted
                  63133 Kbits/sec decrypted             165868 Kbits/sec encrypted
                  1.0:1 compression ratio                1.0:1 overall

----------------------------

On one of the links I have removed tunnel protection and copied files over, did seem a little better however still failed!

C:\Users\paulb>ping -f -l 1372 172.16.33.100

Pinging 172.16.33.100 with 1372 bytes of data:
Reply from 172.16.33.100: bytes=1372 time=8ms TTL=125
Reply from 172.16.33.100: bytes=1372 time=8ms TTL=125
Reply from 172.16.33.100: bytes=1372 time=8ms TTL=125
Reply from 172.16.33.100: bytes=1372 time=8ms TTL=125

Ping statistics for 172.16.33.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 8ms, Average = 8ms

C:\Users\paulb>ping -f -l 1373 172.16.33.100

Pinging 172.16.33.100 with 1373 bytes of data:
Reply from 10.1.255.1: Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 172.16.33.100:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),

Thanks for your post!

Hi Lei

Correct the trace was from Volume 172.16.0.0/20 to Bluesqaure 172.16.33.0/24

Do I just try an position my laptop on different areas of the network to check where the packets are dropped?

We have an ISP managed router in Volume and we buy transit at bluesquare with our own routers so will be easier to monitor that end.

Have not done too much with packet tracing on a switched network any pointers welcome

Thanks

Paul

Hi,

Can the provider help to test the link?

Here is a SPAN configuration guide for 3560, other cisco switches use similar syntax. You can use SPAN to trace packets on your switch. The initial trace file you provided missed lot packets, not sure if it is sniffer's filter problem, a lot packets are not seen on either end.

Regards,

Lei Tian

Thanks Lei,

FYI the filter was applied after the capture on the TCP stream so I believe that packets were being dropped.

I shall look a little more into SPAN have heard it being talked about before.

Thanks

Paul