839 Views · 0 Helpful · 1 Reply

Performance on site-to-site VPN

Ilya Shilov
Level 1

Hello.

The network design is shown in the diagram in the attachment.

R1:CISCO1921/K9:c1900-universalk9-mz.SPA.152-4.M4.bin

R2:CISCO881-K9:c880data-universalk9-mz.151-4.M5.bin

R2 also acts as the border router with 2 ISPs. The default route is switched by IP SLA object tracking. The primary ISP WAN IP address on R1 is Y.Y.Y.Y.

At first we used ASA1 to terminate the VPN from the branch with an AES-encrypted tunnel (classic crypto map + ACL).

The bandwidth of the tunnel was equal to the WAN bandwidth of the branch Internet connection (3 Mbps).

Then we switched the tunnel at the headquarters site from ASA1 to R1 (also IPsec). The bandwidth of the tunnel degraded to 1.4 Mbps. There was no CPU overload (10%), no log events, no errors on interfaces. We can see the moment of switching between VPNs in the 'sh int fa4 history' output:

      3211111               111111111
      0644443151122112177198333443344251111211122117154132261271121312111
      9733347787518970820208996019810726385058900636479451093055818962889
      1330320748705997046508136613313388808076903000046414999771732945089
 3120 *
 2810 **
 2500 **
 2190 **
 1880 **
 1570 #*****
 1260 #*#*##*               *******#*
  950 #*####*             ***#######*
  640 ######* *        ** **######### *            * **    *  *
  330 #######*** ******** **#########**  * * ****  * ** **** ** **** ****
   20 ###################################################################
     0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
               0    5    0    5    0    5    0    5    0    5    0    5    0
      FastEthernet4 input rate(kbits/sec)  (last 72 hours)
              * = maximum   # = average

We decided to change the VPN technology from IPsec to point-to-point GRE and both devices were reconfigured (R2, R1). Still no luck - the bandwidth is 1.4 Mbps.

X.X.X.X, Y.Y.Y.Y and Z.Z.Z.Z are globally routable IP addresses (not RFC 1918), so there is no NAT between them.

R1's GRE part of the config is very simple:

interface Tunnel3
 ip address 192.168.128.9 255.255.255.252
 ip ospf network point-to-point
 history BPS
 tunnel source Port-channel1.550
 tunnel destination Z.Z.Z.Z

Can anyone suggest how to test the environment and localize the problem?

Thank you!
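The 'sh int fa4 history' chart quoted above stores each hour's peak rate as digits stacked vertically above the bars, which is easy to misread by eye when the question is exactly where a throughput ceiling sits. The script below is an added example, not part of Ilya's post or of any Cisco tool: it decodes that chart into exact per-hour maxima and lists the hours that reached a given rate, so the 1.4 Mbps ceiling and the hours above it can be read off precisely. The input is the chart from this post, re-aligned so the level labels occupy a fixed six-column field; the assumption that the leftmost column is the most recent hour (as in other IOS history charts) is mine and is marked in the code.

```python
"""Decode the stacked-digit maxima in a Cisco 'show interfaces <if> history'
ASCII chart into per-hour numbers. Added example; not code from the post."""

# Constructed input: the FastEthernet4 input-rate chart quoted in the post,
# re-aligned so every level label occupies the first six columns.
CHART = """\
      3211111               111111111
      0644443151122112177198333443344251111211122117154132261271121312111
      9733347787518970820208996019810726385058900636479451093055818962889
      1330320748705997046508136613313388808076903000046414999771732945089
 3120 *
 2810 **
 2500 **
 2190 **
 1880 **
 1570 #*****
 1260 #*#*##*               *******#*
  950 #*####*             ***#######*
  640 ######* *        ** **######### *            * **    *  *
  330 #######*** ******** **#########**  * * ****  * ** **** ** **** ****
   20 ###################################################################
     0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
               0    5    0    5    0    5    0    5    0    5    0    5    0
      FastEthernet4 input rate(kbits/sec)  (last 72 hours)
              * = maximum   # = average
"""

LABEL_WIDTH = 6  # level labels such as " 3120 " occupy the first six columns


def parse_history(chart):
    """Return (maxima, rows).

    maxima[i] is the exact peak rate (kbit/s) in chart column i. Assumption:
    column 0 is the most recent hour, i.e. column i is i hours ago.
    rows is a list of (level, body) for the plotted rows, top to bottom, where
    body holds the '*' / '#' markers for that level.
    """
    digit_rows, rows = [], []
    for line in chart.splitlines():
        label = line[:LABEL_WIDTH].strip()
        body = line[LABEL_WIDTH:].rstrip()
        # The stacked digits come first, with an empty label field; stop
        # collecting them once the first plotted row has been seen so the
        # numeric scale rows at the bottom are not mistaken for digits.
        if not rows and not label and body and set(body) <= set("0123456789 "):
            digit_rows.append(body)
        elif label.isdigit() and set(body) <= set("#* "):
            rows.append((int(label), body))
        # scale, caption and legend lines fall through and are ignored
    width = max(len(r) for r in digit_rows)
    maxima = []
    for col in range(width):
        value = 0
        for row in digit_rows:  # most significant digit is the top row
            ch = row[col] if col < len(row) else " "
            value = value * 10 + (int(ch) if ch != " " else 0)  # blank = 0
        maxima.append(value)
    return maxima, rows


def hours_above(maxima, kbps):
    """Chart columns (hours ago) whose peak reached at least kbps."""
    return [hour for hour, peak in enumerate(maxima) if peak >= kbps]


def highest_level(rows, col, markers="*#"):
    """The highest plotted level carrying one of `markers` in column col,
    i.e. the coarse reading the chart itself gives (None if the column is
    blank). With markers="#" this reads the average series, which the chart
    only provides as a band, not as a number."""
    for level, body in rows:  # rows are ordered highest level first
        if col < len(body) and body[col] in markers:
            return level
    return None


if __name__ == "__main__":
    maxima, rows = parse_history(CHART)
    for hour, peak in enumerate(maxima):
        print(f"{hour:2d}h ago: max {peak:4d} kbit/s, "
              f"max row {highest_level(rows, hour)}, "
              f"avg row {highest_level(rows, hour, '#')}")
    print("hours at or above 2000 kbit/s:", hours_above(maxima, 2000))
```

Run it against a freshly captured chart from each side of the tunnel (the tunnel interface itself, the WAN interface, and the LAN-facing interface) and compare the decoded maxima hour by hour; a ceiling that appears on the WAN interface but not on the LAN side, or at one end but not the other, narrows the problem to a particular hop, which is the kind of localization the question asks for.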

1 Reply 1

Ilya Shilov
Level 1

After a series of tests we discovered that the problem is on the remote site's ISP.

We opened a case with their TAC and they found some strange service-policy on their equipment.

The policy was deleted and now we have no problem with bandwidth between the sites.