07-22-2013 02:00 AM
Hello.
There is a network design as shown in the attached diagram.
R1:CISCO1921/K9:c1900-universalk9-mz.SPA.152-4.M4.bin
R2:CISCO881-K9:c880data-universalk9-mz.151-4.M5.bin
R2 also acts as the border with 2 ISPs. The default route is switched by IP SLA object tracking. The primary ISP WAN IP address on R1 is Y.Y.Y.Y.
At first we used ASA1 to terminate the VPN from the branch with an AES-encrypted tunnel (classic crypto-map + ACL).
The bandwidth of the tunnel was equal to the WAN bandwidth of the branch Internet connection (3Mbps).
Then we switched the tunnel at the headquarters site from ASA1 to R1 (also IPSec). The bandwidth of the tunnel degraded to 1,4Mbps. There was no CPU overload (10%), no log events, and no errors on the interfaces. We can see the moment of switching between the VPNs in the 'sh int fa4 history' output:
3211111 111111111
0644443151122112177198333443344251111211122117154132261271121312111
9733347787518970820208996019810726385058900636479451093055818962889
1330320748705997046508136613313388808076903000046414999771732945089
3120 *
2810 **
2500 **
2190 **
1880 **
1570 #*****
1260 #*#*##* *******#*
950 #*####* ***#######*
640 ######* * ** **######### * * ** * *
330 #######*** ******** **#########** * * **** * ** **** ** **** ****
20 ###################################################################
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
0 5 0 5 0 5 0 5 0 5 0 5 0
FastEthernet4 input rate(kbits/sec) (last 72 hours)
* = maximum # = average
We decided to change the VPN technology from IPSec to point-to-point GRE, and both devices were reconfigured (R2, R1). Still no luck - the bandwidth is 1,4 Mbps.
X.X.X.X, Y.Y.Y.Y, Z.Z.Z.Z are globally routable IP addresses (not RFC1918), so there is no NAT between them.
The GRE part of R1's config is very simple:
interface Tunnel3
 ip address 192.168.128.9 255.255.255.252
 ip ospf network point-to-point
 history BPS
 tunnel source Port-channel1.550
 tunnel destination Z.Z.Z.Z
Can anyone give me a suggestion on how to test the environment and localize the problem?
Thank you!
08-07-2013 08:02 AM
After a series of tests we discovered that the problem is on the remote site's ISP.
We opened a case with their TAC and they found some strange service-policy on the equipment.
The policy was deleted and now we have no problem with bandwidth between the sites.