Small packets on VPN tunnel being dropped

Martin Mc Court · ‎05-03-2014

I have two 871 routers connected using a VPN tunnel. The tunnel is up, however, when I do a standard ping from a windows desktop on one lan to a host on the remote lan about 50% of the packets are dropped. If I increase the ping packet size to greater than 1300 bytes I get 100% success.
Any help would be much appreciated.

One router is connected to the Internet using PPPoE on the DSL line, while the other router connects over a standard Ethernet connection.

The configuration on both routers is the same except for the "dialer0" for the PPPoE.

Any help is appreciated.

hostname House
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1520788826
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1520788826
revocation-check none
rsakeypair TP-self-signed-1520788826
!
!
crypto pki certificate chain TP-self-signed-1520788826
certificate self-signed 01
3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353230 37383838 3236301E 170D3032 30363039 30313331
34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35323037
38383832 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D43C 67A0181C 4B3619F3 3FA15745 1CC7A66C A9ACA19F 629F7EF5 0F6DB8C3
2AFF5AE2 156F8EFA CF2F2BAB 8320C121 DFE0E70F 5F3D3D59 59CEF372 7562BC25
B94FFAED 9525B692 C89C4E41 14687A27 CB71F7F0 D4A609BA 1E095D2E FACAF62D
61067141 BFF9A5C9 89E8530A 299DDBC3 DD19DCBA E660DA26 B62B0059 11D1CABE
495B0203 010001A3 65306330 0F060355 1D130101 FF040530 030101FF 30100603
551D1104 09300782 05486F75 7365301F 0603551D 23041830 168014A6 FB5A936D
F44D2BB7 1738263D 06A2871B 9E2E5E30 1D060355 1D0E0416 0414A6FB 5A936DF4
4D2BB717 38263D06 A2871B9E 2E5E300D 06092A86 4886F70D 01010405 00038181
0011A696 318CACB4 B4C6C936 C8743D4A B2CB5F36 EC652D0D FD06A21F C20D6F0A
F6FEA406 F0D72C73 B039F662 521FBC93 D04E1F1E 422A7333 F34369EF 94BCC68C
F5AC29B2 6CB6D261 89DE39DA AD68713A 12724EB1 81B6F60A 6E9D6945 8E113AA3
DC18E481 0A98B5BD 82D062CC 7B52E1E7 ACCBE3AE 58FDFF63 A9A4192E AB046583 FF
        quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.16.6.1 172.16.6.9
!
ip dhcp pool sdm-pool
   import all
   network 172.16.6.0 255.255.255.0
   default-router 172.16.6.1
   dns-server 84.203.254.34 84.203.255.34
   lease 0 23 59
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 84.203.254.34
ip name-server 84.203.255.34
!
!
!
username lancon privilege 15 secret 5 $1$hIa7$EdstZv5LLPlC2nOqImfLE/
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key lanconsultants address 89.234.119.30
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map To_Office 1 ipsec-isakmp
set peer 89.234.119.30
set transform-set ESP-3DES-MD5
match address 100
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
switchport mode trunk
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
no ip address
ip verify unicast reverse-path
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 172.16.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan4
no ip address
!
interface Dialer0
ip address 84.203.116.182 255.255.0.0
ip mtu 1480
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username 0429328725 password 0 nwyjnkdsrjef
crypto map To_Office
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.6.0 0.0.0.255
access-list 100 permit ip 172.16.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 deny   ip 172.16.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 172.16.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner login ^CC
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

House#