Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
316
Views
5
Helpful
4
Replies

IPSec/GRE network performance issues

tato386
Level 6
Level 6

‎11-02-2004 05:25 PM - edited ‎02-21-2020 01:25 PM

I have a VPN network that consists of two geographical regions (North and South) which are connected to each other using PIXes and GRE tunnels. Furthermore, each region is a hub-and-spoke network that also uses IPSec/GRE from spoke to hub. The network is fully meshed in the sense that any spoke site can pass traffic to any other spoke site whether it is in its home region or the remote region.

The routing therefore seems OK but performance is sluggish. I used MRTG to check bandwidth usage on all the routers and it seems that the links are not even close to being saturated. CPU usage and memory on the various routers and PIXes also seems rather light.

What else can I try/do to troubleshoot this problem?

TIA,

Diego

Labels:
0 Helpful
4 Replies 4

Richard Burts
Hall of Fame
Hall of Fame

‎11-02-2004 06:28 PM

There are a couple of things which may contribute to the sluggish performance. One thing is the possibility that packets sent by an end station may require fragmentation and reassembly by routers in the data path. To help with this you may want to set the MTU on interfaces along the path to accomodate the extra headers imposed by GRE and by IPSec. Another thing that you might do is to get the end stations to use a smaller segment size by configuring ip tcp adjust-mss on the routers.

HTH

Rick

HTH

Rick
0 Helpful

tato386
Level 6
Level 6
In response to Richard Burts

‎11-02-2004 06:38 PM

>>set the MTU on interfaces along the path to accomodate the extra headers

Would this be done on the routers' physical interfaces or tunnel interfaces?

>>use a smaller segment size by configuring ip tcp adjust-mss

Same question as above...

TIA,

Diego

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to tato386

‎11-02-2004 07:19 PM

I would be most concerned with setting MTU on the tunnel interfaces.

The documentation for ip tcp adjust-mss says that it is to be configured on the physical interface - not on the tunnel interface. I have heard some people say that they have configured it on tunnel interfaces and it worked. At the customer site where I have used it we configured it on the Ethernet (and Fast Ethernet) interfaces and have been quite pleased with the results.

HTH

Rick

HTH

Rick

tato386
Level 6
Level 6
In response to Richard Burts

‎11-02-2004 07:49 PM

Thanks, I will give both (MTU, tcp adjust-mss) a shot.

Diego

0 Helpful
Customers Also Viewed These Support Documents