Low Internet Speed Through Site to Site IPSEC Tunnel

CCIE Aspirant
Level 1

I have a Cisco router as the hub, which is connected to the ISP with a static IP; the bandwidth is 60 Mbps up/down.

The spoke (dynamic public IP) is connected to local DSL/cellular with a speed of not less than 20 Mbps up/down.

When I use the internet at the spoke side over cellular or DSL, the speed is good. But when I establish the tunnel from the spoke side and route all my spoke LAN traffic through the tunnel, the speed gets very bad, around 1 Mbps.

Kindly let me know what I need to do to resolve this issue. I have tried to play with the MTU and tcp adjust-mss values as well, but with no difference.

Best regards

7 Replies

Reduce the MTU size.

Thanks for the reply.

I have tried to change the MTU sizes on both sides from 1500 down to 700 in steps of 40, but I did not find any change in the speed.

OK, try using a ping sweep and find the point at which the packet is dropped.
Share the result here if you can.

What IP should I use to do the ping sweep? I have not tried a ping sweep before. Kindly guide.

I will share a small lab to show you how you can handle the MTU with a ping sweep and the DF bit.

[Lab topology image: kkkkkkkkk.png]
I try to ping R5 from R4. I configured IPsec between R2 and R3, and the MTU 1200 is configured on the interface shown in the topology.

Now on R4 I need to configure F0/0, but I don't know the MTU of the other interface, so I start the sweep-ping test.
The important fields are:
Set DF bit in IP header: y
Sweep range of sizes: y
Sweep min size: 1000 <<- select the min MTU size
Sweep max size: 1300 <<- select the max MTU size
Sweep interval: 100 <<- between each ping the MTU size increases by this interval

! <<- successful ping
M <<- failed ping

Now the start is 1000, the end is 1300 and the interval is 100,
so there are four pings:
ping 1 1000
ping 2 1100
ping 3 1200
ping 4 1300

In my lab shown above the values are:
ping 1 1000 !
ping 2 1100 !
ping 3 1200 M
ping 4 1300 M

So here you can see that 1200 is the max value of MTU that you can use.
This is the sweep-ping test.


I am providing my configs from both sides; please take a look, along with the ping sweep test as well.

******************************************************************************
HUB SIDE Connected to ISP Static IP
******************************************************************************

interface Tunnel970

ip address 172.22.11.2 255.255.255.252
no ip redirects
ip mtu 1398
ip nhrp map multicast dynamic
ip nhrp network-id 11
tunnel source Loopback970
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN_hub
ip virtual-reassembly

#sh crypto ipsec pro

IPSEC profile DMVPN_hub
IKEv2 Profile: prof
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
test_trans: { esp-aes esp-sha-hmac } ,
}

IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}

#sh crypto ipsec trans
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

Transform set test_trans: { esp-aes esp-sha-hmac }
will negotiate = { Tunnel, },

Transform set myset: { esp-3des esp-md5-hmac }
will negotiate = { Tunnel, },

Transform set MY-SET: { esp-aes esp-md5-hmac }
will negotiate = { Tunnel, },

Transform set DMVPN2: { esp-3des esp-md5-hmac }
will negotiate = { Transport, },

#sh run | i ip route 185.62.178.36
ip route 185.62.178.36 255.255.255.252 172.22.11.1


******************************************************************************
SPOKE SIDE Connected to Fiber Internet
******************************************************************************

******************************************************************************

Router#sh crypto ipsec profile
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}

IPSEC profile test_profile
IKEv2 Profile: prof
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
test_trans: { esp-aes esp-sha-hmac } ,
}

******************************************************************************
Router#sh crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

Transform set test_trans: { esp-aes esp-sha-hmac }
will negotiate = { Tunnel, },

******************************************************************************



Router#sh run


!
crypto ikev2 proposal default
encryption des
integrity md5
group 1
!
crypto ikev2 policy default
match fvrf any
proposal default
!
crypto ikev2 keyring key
peer ANY
address 0.0.0.0 0.0.0.0
identity address 0.0.0.0
pre-shared-key ********
!
!
!
crypto ikev2 profile prof
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local key
!
crypto ikev2 dpd 10 2 periodic
!
!
!
!
!
crypto ipsec transform-set test_trans esp-aes esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile test_profile
set transform-set test_trans
set ikev2-profile prof
!
!
!
!
!
!
interface Tunnel1
ip address 172.22.11.1 255.255.255.252
no ip redirects
ip mtu 1398
ip nhrp network-id 11
ip nhrp nhs 172.22.11.2 nbma 185.62.179.129 multicast priority 1
ip nhrp shortcut
ip tcp adjust-mss 1050
tunnel source GigabitEthernet0/1
tunnel destination 185.62.179.129
tunnel protection ipsec profile test_profile
!

interface GigabitEthernet0/1
ip address 192.168.1.180 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 185.62.178.37 255.255.255.252
duplex auto
speed auto

ip route 0.0.0.0 0.0.0.0 172.22.11.2
ip route 185.62.176.0 255.255.252.0 192.168.1.1
!
!


******************************************************************************
Ping Sweep Test from Spoke
******************************************************************************


Router#ping
Protocol [ip]:
Target IP address: 172.22.11.2
Repeat count [5]: 2
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0x0000ABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]: y
Sweep min size [36]: 1000
Sweep max size [18024]: 1500
Sweep interval [1]: 100
Type escape sequence to abort.
Sending 12, [1000..1500]-byte ICMP Echos to 172.22.11.2, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!..!!!!..
Success rate is 66 percent (8/12), round-trip min/avg/max = 36/40/44 ms
******************************************************************************

Router#
Router#ping
Protocol [ip]:
Target IP address: 8.8.8.8
Repeat count [5]: 2
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 185.62.178.37
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0x0000ABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]: y
Sweep min size [36]: 1000
Sweep max size [18024]: 1400
Sweep interval [1]: 100
Type escape sequence to abort.
Sending 10, [1000..1400]-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 185.62.178.37
Packet sent with the DF bit set
!!!!.!!!!.
Success rate is 80 percent (8/10), round-trip min/avg/max = 52/58/64 ms
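The sweep explained earlier in the thread and the spoke's own output above can be read mechanically. The following Python is an added example, not code from the thread or from Cisco: it parses the IOS sweep output, maps each result character to the datagram size it was sent at, and reports the largest size that passed with DF set on every repeat. It assumes, consistent with the six-character period of the `!!!!..!!!!..` pattern above, that IOS walks the full size range once per repeat count; the sample text is the spoke's sweep copied from the post.

```python
import re

# Sample input: the spoke's sweep towards 172.22.11.2 as posted in the thread
# (repeat count 2, DF bit set, sweep 1000..1500 in steps of 100).
SPOKE_SWEEP = """\
Sending 12, [1000..1500]-byte ICMP Echos to 172.22.11.2, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!..!!!!..
Success rate is 66 percent (8/12), round-trip min/avg/max = 36/40/44 ms
"""

HEADER_RE = re.compile(r"Sending (\d+), \[(\d+)\.\.(\d+)\]-byte ICMP Echos")


def parse_sweep(output, interval):
    """Return {datagram_size: [ok_per_repeat, ...]} for an IOS sweep ping.

    Assumption (matches the period of the '!'/'.' pattern in the thread):
    IOS cycles through min, min+interval, ..., max once per repeat count,
    so packet i was sent at sizes[i % len(sizes)].
    """
    m = HEADER_RE.search(output)
    if not m:
        raise ValueError("no 'Sending N, [min..max]-byte' header found")
    total, lo, hi = (int(x) for x in m.groups())
    sizes = list(range(lo, hi + 1, interval))
    if total % len(sizes):
        raise ValueError("packet count does not divide into the sweep sizes")
    # The result line consists only of IOS ping status characters.
    result = next(l.strip() for l in output.splitlines()
                  if re.fullmatch(r"[!.MU?&]+", l.strip()))
    if len(result) != total:
        raise ValueError("result line length does not match packet count")
    per_size = {s: [] for s in sizes}
    for i, ch in enumerate(result):
        per_size[sizes[i % len(sizes)]].append(ch == "!")
    return per_size


def max_df_size(output, interval):
    """Largest swept size answered on every repeat with DF set (0 if none)."""
    good = [s for s, reps in parse_sweep(output, interval).items() if all(reps)]
    return max(good) if good else 0


def suggest_tunnel_values(path_size):
    """Conservative tunnel settings from the largest DF-passing datagram:
    MSS = MTU minus the 20-byte IP and 20-byte TCP headers."""
    return {"ip mtu": path_size, "ip tcp adjust-mss": path_size - 40}
```

For the posted output this yields 1300 as the largest size that cleared the tunnel with DF set, with 1400 and 1500 failing on both repeats.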