
Slow traffic speed on spoke over DMVPN when using Dialer/PPPoE

mdzaf
Level 1

Hello,

I have DMVPN with a hub-and-spoke topology. I route all traffic from the spoke to the hub. So I have the physical WAN interface in vrf internet, point the tunnel interface source to vrf Internet, and have a default route in that vrf internet. When I test speed it is good; it is as much as the router can d/u crypto traffic, around 50mbps.

But I have a situation where I have a spoke which connects via PPPoE. First, when I set up PPPoE and put the dialer in vrf internet, I successfully received an IP address, but I didn't receive a default route. So I created a default route in that vrf pointing to the dialer interface. After that DMVPN comes up, but when I test speed it is very slow, around 10mbps. I also noticed this message on the router: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16

Can someone help please.

13 Replies

In dmvpn tunnel 

Config mtu 1400 

Tcp with 1360 

MHM

Hello,

I tried with that but unfortunately the same situation.

best regards

Ok

1- Ping <tunnel destination> 1500 df-bit source <tunnel source>

Check if the ping is successful

2- share 

Show crypto engine brief 

MHM

Hi,

Without any ip mtu and mss configuration on the tunnel interface:

I can ping ip size 1472 df-bit source vlan1; 1473 can't ping

With ip mtu 1400 and mss 1360:

I can ping with size 1400; 1401 can't ping

show crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
FW Version: 1
Time running: 39915 seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0050
Maximum SA index: 0050
Maximum Flow index: 0100
Maximum RSA key size: 0000


crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: D41D7844
crypto engine state: installed
crypto engine in slot: N/A

Keep mtu with 1400 and tcp mss 1360

Add below command 

crypto ipsec df-bit clear

And check if the speed is still slow and the error log still appears

MHM

Hi,

Sorry for the late reply. The situation is the same also after adding this.

three points

1- keep tunnel mtu 1400 tcp mss 1360
2- crypto ipsec df-bit clear
3- crypto ipsec frag before-encryption 

Then check the error and the slowness. Focus first on the error: after you add these commands, do you see any more error logs or not?

MHM

Hi,

% Crypto Fragmentation setting not applicable on tunnel interface

What is the spoke platform you have?
Does it support capture?

monitor capture CAP1 interface Tunnel0 both match ip fragment any
monitor capture CAP1 start
... (capture runs) ... <<- don't run the capture long, stop it immediately after 1-2 max
monitor capture CAP1 stop
show monitor capture CAP1 buffer <<- share this 

MHM

Hi,

881 and 891. But the same situation is with the new c1000.

Just to mention, with a static public IP it is ok. When the connection to the ISP is via PPPoE this situation happens.

debug ppp negotiation

This can be used to see what MTU is recommended by the ISP when you use PPPoE

I think it is a value less than 1400 that makes the issue with DMVPN

But let's see

By the way, the capture I mentioned before can also help us see at which size the router starts to fragment the packet.

MHM

Hi,

I configured mtu 1492 and 1592 mss on the Dialer interface. I also configured ip mtu 1380 and tcp mss 1340 on the tunnel. For now it seems to fit and I don't have any more fragments and reassembled packets. Thank you

Finally happy end

Have a nice day 

MHM
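
Added example, not part of any post in this thread: a small calculator for how large a GRE-over-IPsec packet becomes on the WAN link, to compare the tunnel ip mtu values tried above (1400, 1380) against an Ethernet (1500) and a PPPoE (1492) link MTU. The transform set is not shown in the thread, so the constants are assumptions: ESP with AES-CBC and HMAC-SHA1-96, mGRE with a 4-byte tunnel key, no NAT-T.

```python
# Assumed encapsulation (not taken from the thread's configuration):
IP_HDR = 20        # IPv4 header without options
GRE_HDR = 4 + 4    # base GRE header + 4-byte tunnel key
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 16        # AES-CBC initialization vector
ESP_TRAILER = 2    # pad-length + next-header bytes
ESP_ICV = 12       # HMAC-SHA1-96 integrity check value
BLOCK = 16         # AES block size; plaintext + trailer is padded to this


def outer_packet_size(inner_len, mode="tunnel"):
    """Bytes on the WAN link for one tunnel packet of inner_len bytes."""
    plaintext = GRE_HDR + inner_len
    if mode == "tunnel":
        # Tunnel mode also encrypts the GRE delivery IP header.
        plaintext += IP_HDR
    # Round plaintext + ESP trailer up to a whole number of cipher blocks.
    padded = -(-(plaintext + ESP_TRAILER) // BLOCK) * BLOCK
    return IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def max_tunnel_ip_mtu(link_mtu, mode="tunnel"):
    """Largest tunnel ip mtu whose encrypted packet fits link_mtu unfragmented."""
    for mtu in range(link_mtu, 0, -1):
        if outer_packet_size(mtu, mode) <= link_mtu:
            return mtu
    return 0


def tcp_mss(ip_mtu):
    """TCP MSS matching a tunnel ip mtu (20-byte IP + 20-byte TCP headers)."""
    return ip_mtu - 40


if __name__ == "__main__":
    for link in (1500, 1492):              # Ethernet WAN vs. PPPoE dialer
        for mode in ("tunnel", "transport"):
            best = max_tunnel_ip_mtu(link, mode)
            print(f"link {link} {mode:9}: max ip mtu {best}, mss {tcp_mss(best)}")
    for mtu in (1400, 1380):               # values tried in the thread
        print(f"ip mtu {mtu}: {outer_packet_size(mtu)} bytes on the wire (tunnel mode)")
```

Under these assumptions a 1400-byte tunnel packet becomes 1496 bytes in tunnel mode, which fits a 1500-byte Ethernet WAN but not a 1492-byte PPPoE link, while a 1380-byte packet becomes 1480 bytes and fits both.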