Packet loss in IPSec tunnel but not on WAN line

sebastian.lemke
Level 1

Hello all,

Scenario:

Central Router (WAN 33.33.33.33) ---------- I N T E R N E T ---------- Branch Router (WAN 44.44.44.44)
Tunnel IP 10.10.10.1                                                  Tunnel IP 10.10.10.2

Both routers are 2821 HSEC/K9

I have an Internet connection between a central location and a branch. When doing ping tests over that connection from WAN IP to WAN IP, I have no packet loss:

Central_Router#ping 44.44.44.44 sou Gi0/0 rep 1000 size 1400 df-bit

Type escape sequence to abort.
Sending 1000, 1400-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 33.33.33.33
Packet sent with the DF bit set
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(...)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 44/45/68 ms

When doing a ping test over the IPsec VPN tunnel (which has the WAN IPs as source), I see packet loss:

Central_Router#ping 10.10.10.2 sou Tunnel1 rep 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!.!!!!.!!!!..!!!!.!!!!!!!!!!.!!!!!!!..!!.!.!!.!.!!!.!.!!!!!.!!!!!!.
(...)
!!.!!!.!!.!!!!!!!.!!!!!!..!!!!!!!!!!!!!!!.!.!!!!!.!!!!!!!.!!!!!.!.!!..
!!!!!!!!!!!!!!!!!!!!!!.!!!!!.!!!.
Success rate is 85 percent (624/733), round-trip min/avg/max = 36/38/60 ms

Here are the Tunnel-configs:

Central_Router:

interface Tunnel1
bandwidth 10000
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication vpncust
ip nhrp map multicast dynamic
ip nhrp network-id 123456
ip nhrp holdtime 600
ip tcp adjust-mss 1360
no ip split-horizon eigrp 2
no ip mroute-cache
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile vpncust shared

Branch_Router:

interface Tunnel1
bandwidth 500
ip address 10.10.10.2 255.255.255.0
ip mtu 1400
ip nhrp authentication vpncust
ip nhrp map 10.10.10.1 33.33.33.33
ip nhrp network-id 123456
ip nhrp holdtime 300
ip nhrp nhs 10.10.10.1
ip tcp adjust-mss 1360
delay 500
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel destination 33.33.33.33
tunnel key 123456
tunnel protection ipsec profile vpncust shared

Crypto parameters (equal on both):

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2

crypto ipsec transform-set custcpe esp-aes 256 esp-sha-hmac
mode transport

crypto ipsec profile vpncust
set transform-set custcpe

I tried to disable "ip cef" on the branch router, but no success. Any ideas?


rahgovin
Level 4

Hi,

If this is like a test network, I would check where the packets are getting dropped by looking at the encaps and decaps counts on both IPsec SAs. Also, are there any logs on both the routers?

Also, if there is no other traffic on the routers other than the pings (very important), try a debug tunnel to see the log messages that come up.

Also, do you see any EIGRP neighbourship flaps?
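The encaps/decaps comparison suggested in the reply, as an added example that is not part of the thread: it parses `show crypto ipsec sa` output from both ends of one SA pair and reports in which direction the packets disappear. The excerpts are constructed, not captured from the routers above, and the script assumes the counters were read on freshly built SAs with nothing but the test pings crossing the tunnel (no EIGRP hellos counted).

```python
import re

# Constructed 'show crypto ipsec sa' excerpts (not captured from the thread's routers),
# read on each router right after a tunnel ping test on freshly built SAs, with only
# the pings crossing the tunnel. Scenario: 733 echoes sent from central, 624 replies.
CENTRAL_SA = """
    #pkts encaps: 733, #pkts encrypt: 733, #pkts digest: 733
    #pkts decaps: 624, #pkts decrypt: 624, #pkts verify: 624
    #send errors 0, #recv errors 0
    ##pkts replay failed (rcv): 0
"""
BRANCH_SA = """
    #pkts encaps: 624, #pkts encrypt: 624, #pkts digest: 624
    #pkts decaps: 624, #pkts decrypt: 624, #pkts verify: 624
    #send errors 0, #recv errors 0
    ##pkts replay failed (rcv): 0
"""

def parse_sa(text):
    """Pull the counters needed to localise loss out of the CLI text (missing -> 0)."""
    def grab(pattern):
        m = re.search(pattern, text)
        return int(m.group(1)) if m else 0
    return {
        "encaps": grab(r"#pkts encaps: (\d+)"),
        "decaps": grab(r"#pkts decaps: (\d+)"),
        "recv_errors": grab(r"#recv errors (\d+)"),
        "replay_failed": grab(r"#pkts replay failed \(rcv\): (\d+)"),
    }

def localize_loss(a, b):
    """What A encrypted minus what B decrypted, per direction, plus each side's rx drops."""
    return {
        "lost_a_to_b": a["encaps"] - b["decaps"],
        "lost_b_to_a": b["encaps"] - a["decaps"],
        "a_rx_drops": a["recv_errors"] + a["replay_failed"],
        "b_rx_drops": b["recv_errors"] + b["replay_failed"],
    }

def diagnose(a, b):
    """Verdict on where the missing packets went, checking the a->b direction first."""
    r = localize_loss(a, b)
    for lost, rx, way in ((r["lost_a_to_b"], r["b_rx_drops"], "a->b"),
                          (r["lost_b_to_a"], r["a_rx_drops"], "b->a")):
        if lost and not rx:
            return f"{way}: {lost} lost before the receiver decrypts (transit or pre-crypto drop)"
        if lost:
            return f"{way}: {lost} dropped inside the receiver's IPsec (replay window / auth failures)"
    return "counters balance: drops are outside the IPsec path (GRE, routing, ICMP itself)"
```

With the constructed counters the verdict is that 109 echoes left the central router encrypted but never reached the branch's decrypt path, pointing at the forward WAN direction rather than at IPsec itself.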