GETVPN slow

tecissup10
Level 1

Hi all,

I’m checking a weird problem in my network. I hope someone can help me with it.

I’ve configured a GETVPN solution recently. Since we changed to this solution, people have noticed that some applications work slowly. The lines are working fine: there are no problems with jitter, ICMP or packet loss, and the response time to the main site is fine as well. We have tried changing the MTU to avoid fragmentation issues, but the problem persists after the change. When we move the traffic to another line without the GETVPN solution, the applications work fine, so I think GETVPN could be the cause of the problem. The connection is made through an MPLS network. I am pasting the config used on the main site and on the branch site.

Topology:

GM1 -> Cisco 1941
GM2 -> ASR1002

GM1 ---> GETVPN (MPLS Network) <--- GM2

GM1 - Site with problems.

crypto keyring GDOI
 pre-shared-key address x.x.x.x key passwordkey
 pre-shared-key address x.x.x.x key passwordkey
 pre-shared-key address x.x.x.x key passwordkey
 pre-shared-key address x.x.x.x key passwordkey
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
!
!
crypto gdoi group GETVPN
 identity number 101
 server address ipv4 y.y.y.y
 server address ipv4 y.y.y.y
 server address ipv4 y.y.y.y
 server address ipv4 y.y.y.y
 client registration interface LoopbackX
!
!
crypto map GETVPN_MAP 10 gdoi
 set group GETVPN

WAN:

interface GigabitEthernet0/0
 ip address X.X.X.X 255.255.255.252
 load-interval 30
 duplex auto
 speed auto
 crypto map GETVPN

ROUTERGM1#sh int giga 0/0 | i MTU
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

LAN:

interface GigabitEthernet0/1
 ip address x.x.x.x 255.255.255.0
 ip tcp adjust-mss 1360
 duplex auto
 speed auto

GM2 - Office with application servers.

crypto keyring GDOI
 pre-shared-key address x.x.x.x key passwordkey
 pre-shared-key address x.x.x.x key passwordkey
 pre-shared-key address x.x.x.x key passwordkey
 pre-shared-key address x.x.x.x key passwordkey
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
!
!
crypto gdoi group GETVPN
 identity number 101
 server address ipv4 y.y.y.y
 server address ipv4 y.y.y.y
 server address ipv4 y.y.y.y
 server address ipv4 y.y.y.y
 client registration interface LoopbackX
!
!
crypto map GETVPN_MAP 10 gdoi
 set group GETVPN

WAN:

interface GigabitEthernet0/0/1
 ip address X.X.X.X 255.255.255.252
 load-interval 30
 duplex auto
 speed auto
 crypto map GETVPN

ROUTERGM2#sh int giga 0/0/0 | i MTU
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

LAN:

interface GigabitEthernet0/0/0
 ip address x.x.x.x 255.255.255.0
 ip tcp adjust-mss 1360
 duplex auto
 speed auto

Key Server - ACL used:

   access-list deny eigrp any any
   access-list deny pim any any
   access-list deny udp any port = 500 any port = 500
   access-list deny udp any any port = 848
   access-list deny udp any port = 848 any
   access-list deny tcp any port = 443 any
   access-list deny tcp any any port = 443
   access-list deny tcp any any port = 179
   access-list deny tcp any port = 179 any
   access-list deny esp any any
   access-list deny tcp any any port = 49
   access-list deny tcp any port = 49 any
   access-list deny ospf any any
   access-list deny pim any 224.0.0.0 0.0.0.255
   access-list deny udp any any port = 123
   access-list deny udp any any port = 1645
   access-list deny udp any any port = 1646
   access-list deny udp any any port = 1812
   access-list deny udp any any port = 1813
   access-list deny tcp any any port = 22
   access-list deny tcp any port = 22 any
   access-list permit ip any any

Any clue about this problem?

Thanks

1 Reply

Marcin Latosiewicz
Cisco Employee

Where did you change the MTU exactly? What are the applications facing slowness using? What are the sniffer traces showing?

I think the problem still needs a better definition, if you see what I mean.

That being said, a fragmentation-related problem IS the most likely cause (rule of thumb), in which case lower the MSS on the LAN-facing interfaces and not the MTU.

That takes care of fragmentation in the TCP world; it doesn't do much for UDP. But as I said, it's all about knowing exactly WHAT the problem is.
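A worked calculation of why the MSS setting matters, added here as an example and not part of the thread: it estimates the ESP tunnel-mode overhead GETVPN adds, checks whether the poster's "ip tcp adjust-mss 1360" leaves room under the 1500-byte WAN MTU, and shows why the same trick does nothing for UDP. The transform sets listed are assumptions (they are defined on the key server, which is not shown), and GETVPN's optional time-based anti-replay metadata is not modelled.

```python
# Added example, not from the thread: size a TCP MSS (or a UDP payload)
# against the WAN MTU once GETVPN has wrapped the packet in ESP.
# GETVPN runs tunnel mode with the original IP header preserved, so the
# outer header is still a full 20-byte IPv4 header.

IP_HDR = 20       # IPv4 header, no options
TCP_HDR = 20      # TCP header, no options
UDP_HDR = 8
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# (iv_len, cipher_block, icv_len): assumed transform sets; the real one
# is configured on the key server and is not visible in this thread.
TRANSFORMS = {
    "esp-3des esp-sha-hmac": (8, 8, 12),
    "esp-aes esp-sha-hmac": (16, 16, 12),
    "esp-aes 256 esp-sha256-hmac": (16, 16, 16),
}


def esp_tunnel_size(inner_len: int, transform: str) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    iv_len, block, icv_len = TRANSFORMS[transform]
    payload = inner_len + ESP_TRAILER
    padded = -(-payload // block) * block   # round up to cipher block size
    return IP_HDR + ESP_HDR + iv_len + padded + icv_len


def tcp_fits(mss: int, mtu: int, transform: str) -> bool:
    """True if a full-size segment at this MSS is not fragmented after ESP."""
    return esp_tunnel_size(IP_HDR + TCP_HDR + mss, transform) <= mtu


def max_mss(mtu: int, transform: str) -> int:
    """Largest MSS whose encrypted segment still fits the WAN MTU."""
    mss = mtu
    while not tcp_fits(mss, mtu, transform):
        mss -= 1
    return mss


def udp_fragments(payload: int, mtu: int, transform: str) -> bool:
    """UDP has no MSS to clamp: a datagram that fit the LAN MTU can still
    be fragmented after encryption unless the application shrinks it."""
    return esp_tunnel_size(IP_HDR + UDP_HDR + payload, transform) > mtu


if __name__ == "__main__":
    for t in TRANSFORMS:
        print(f"{t:28} max MSS@1500={max_mss(1500, t)} "
              f"1360 fits={tcp_fits(1360, 1500, t)} "
              f"1472B UDP fragments={udp_fragments(1472, 1500, t)}")
```

With MTU 1500 the poster's MSS of 1360 fits every listed transform with headroom, whereas a 1472-byte UDP datagram (which fills a 1500-byte LAN MTU exactly) is always fragmented once encrypted.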