11-02-2011 04:54 AM - edited 02-21-2020 05:41 PM
Hi There,
We have been facing a tunnel throughput issue on one of our GRE over IPSec tunnels. Actually the internet bandwidth at site A is 25 Mbps and at site B is 8 Mbps, yet when the user performs a throughput test it never goes beyond 1.8 - 2 Mbps. When he does the same test without the VPN he gets a handsome 7-8 Mbps download speed. These tunnels are created with the LAN IPs as the source and destination (vice versa on both the routers).
Router-A:
!
interface Tunnel19
bandwidth 8192
ip address 10.74.252.42 255.255.255.252
keepalive 5 3
tunnel source 10.72.16.254
tunnel destination 10.74.36.100
crypto map vpn
end
!
Router-B:
!
interface Tunnel1
description ***Tunnel to Alpharetta***
bandwidth 8192
ip address 10.74.252.41 255.255.255.252
ip route-cache flow
keepalive 10 3
tunnel source 10.74.36.100
tunnel destination 10.72.16.254
crypto map vpn
end
!
Please let me know the possible reasons and/or how to troubleshoot it further. I will provide further information as per your requests.
Thanks,
Gaurav
11-02-2011 01:41 PM
hello - could be a fragmentation issue - have a look at the following doc:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
following link shows how to work out your mtu
http://wansend.wordpress.com/2007/05/17/using-ping-to-find-largest-mtu-along-a-vpn-route/
you can then use the "ip tcp adjust-mss" command on your tunnel interfaces with the correct mtu value
hth
andy
11-02-2011 05:51 PM
Hi,
It's the issue of tunnels fragmenting the packets which go above the ip mtu, which is 1476 bytes, and IPsec adds another 58-74 bytes depending on the encryption you use. So the total packet size would come down to roughly 1400 bytes, which means your actual data (payload) will be 1360 bytes. As you can see, that's a significant drop in terms of throughput.
You can see the fragmentation issue by typing the command "sh ip traffic | i frag". That should give you a good hint of how many packets are getting fragmented.
The way to counter this is to set the ip mtu on the tunnel interface to 1400 bytes. This is the recommended one, if you will. You can lower it if you want as well. You can combine it with "ip tcp adjust-mss".
HTH
Kishore
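Added example (not part of the thread): a Python sketch of the overhead arithmetic behind the replies above, showing why a 1476-byte packet fragments after encryption and why an ip mtu of 1400 with an MSS of 1360 does not. It assumes ESP in tunnel mode, a 1500-byte path MTU, a basic 4-byte GRE header and the two transform sets listed; the thread does not say which transform set the crypto map uses.

```python
GRE_OVERHEAD = 20 + 4      # outer IPv4 header + basic GRE header (no key/sequence)
PATH_MTU = 1500            # assumed path MTU between the two sites

# Assumed transform sets: (cipher block size, IV size, ICV size) in bytes.
TRANSFORMS = {
    "esp-aes esp-sha-hmac": (16, 16, 12),
    "esp-3des esp-sha-hmac": (8, 8, 12),
}

def gre_len(passenger_len):
    """Size of the GRE packet carrying a passenger IP packet."""
    return passenger_len + GRE_OVERHEAD

def esp_tunnel_len(inner_len, block, iv, icv):
    """Size on the wire after ESP tunnel-mode encapsulation of inner_len bytes."""
    # The ESP trailer adds pad-length and next-header bytes, then pads to the block size.
    padded = -(-(inner_len + 2) // block) * block
    return 20 + 8 + iv + padded + icv   # new IP header + SPI/sequence + IV + data + ICV

def wire_len(passenger_len, transform):
    """Final packet size for a passenger packet sent through GRE, then ESP."""
    block, iv, icv = TRANSFORMS[transform]
    return esp_tunnel_len(gre_len(passenger_len), block, iv, icv)

def max_ip_mtu(transform, path_mtu=PATH_MTU):
    """Largest tunnel ip mtu whose encrypted packet still fits in path_mtu."""
    size = path_mtu
    while wire_len(size, transform) > path_mtu:
        size -= 1
    return size

def tcp_mss(ip_mtu):
    """MSS for 'ip tcp adjust-mss': ip mtu minus 20-byte IP and 20-byte TCP headers."""
    return ip_mtu - 40

if __name__ == "__main__":
    for name in TRANSFORMS:
        print(name)
        for mtu in (1476, 1400):
            size = wire_len(mtu, name)
            state = "fragments" if size > PATH_MTU else "fits"
            print(f"  ip mtu {mtu}: {size} bytes on the wire ({state})")
        print(f"  largest ip mtu that fits: {max_ip_mtu(name)}")
    print("tcp adjust-mss for ip mtu 1400:", tcp_mss(1400))
```
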