
Throughput issues on GRE over IPSec Tunnel

gauravshar
Level 2

Hi There,

We have been facing a tunnel throughput issue on one of our GRE over IPSec tunnels. The internet bandwidth at site A is 25 Mbps and at site B is 8 Mbps. Still, when the user performs a throughput test, it never goes beyond 1.8 - 2 Mbps. When he does the same test without the VPN, he gets a handsome 7-8 Mbps download speed. These tunnels are created with the LAN IPs as the source and destination (vice versa on both the routers).

Router-A:

!
interface Tunnel19
 bandwidth 8192
 ip address 10.74.252.42 255.255.255.252
 keepalive 5 3
 tunnel source 10.72.16.254
 tunnel destination 10.74.36.100
 crypto map vpn
end
!

Router-B:

!
interface Tunnel1
 description ***Tunnel to Alpharetta***
 bandwidth 8192
 ip address 10.74.252.41 255.255.255.252
 ip route-cache flow
 keepalive 10 3
 tunnel source 10.74.36.100
 tunnel destination 10.72.16.254
 crypto map vpn
end
!

Please let me know the possible reasons and/or how to troubleshoot it further. I will provide further information as per your requests.

Thanks,

Gaurav

2 Replies

andrewswanson
Level 7

hello - could be a fragmentation issue - have a look at the following doc:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

following link shows how to work out your mtu

http://wansend.wordpress.com/2007/05/17/using-ping-to-find-largest-mtu-along-a-vpn-route/

you can then use the "ip tcp adjust-mss" command on your tunnel interfaces with the correct mtu value

hth

andy

Hi,

It's the issue of tunnels fragmenting the packets which go above the tunnel's ip mtu, which is 1476 bytes, and IPsec adds another 58-74 bytes depending on the encryption you use. So the total packet size would come down to roughly 1400 bytes, which means your actual data (payload) will be 1360 bytes. As you can see, that's a significant drop in terms of throughput.

You can see the fragmentation issue by typing the command "sh ip traffic | i frag". That should give you a good hint of how many packets are getting fragmented.

The way to counter this is to set the ip mtu on the tunnel interface to 1400 bytes. This is the recommended one, if you will. You can lower it if you want as well. You can combine it with "ip tcp adjust-mss".

HTH

Kishore
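
The overhead arithmetic discussed in the replies above, worked through as an added example that is not part of the original thread. It assumes ESP with a CBC cipher and a 96-bit HMAC (layout per RFC 4303), IPv4 without options, a 4-byte GRE header, no NAT-T and a 1500-byte path MTU; the function names are illustrative.

```python
# Added example: sizes a GRE-over-IPsec packet (ESP layout per RFC 4303).
# Assumptions: IPv4 without options, 4-byte GRE header (no key/checksum),
# no NAT-T UDP encapsulation, 1500-byte path MTU.
IP_HDR = 20
GRE_HDR = 4
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
TCP_IP_HDRS = 40   # inner IPv4 + TCP headers without options

# (cipher block size, IV length) and ICV length, in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
ICV = {"hmac-sha1-96": 12, "hmac-md5-96": 12}


def wire_size(inner_len, cipher="aes-cbc", auth="hmac-sha1-96", tunnel_mode=True):
    """On-the-wire size of one inner IP packet after GRE and ESP."""
    block, iv = CIPHERS[cipher]
    gre_packet = IP_HDR + GRE_HDR + inner_len
    # Tunnel mode encrypts the whole GRE packet and adds a new IP header;
    # transport mode keeps the GRE IP header in clear and encrypts the rest.
    plaintext = gre_packet if tunnel_mode else gre_packet - IP_HDR
    padded = -(-(plaintext + ESP_TRAILER) // block) * block  # round up to block
    return IP_HDR + ESP_HDR + iv + padded + ICV[auth]


def largest_unfragmented(path_mtu=1500, **esp):
    """Largest tunnel 'ip mtu' whose encrypted packet still fits path_mtu."""
    size = path_mtu
    while wire_size(size, **esp) > path_mtu:
        size -= 1
    return size


def report(path_mtu=1500):
    rows = []
    for cipher in CIPHERS:
        ip_mtu = largest_unfragmented(path_mtu, cipher=cipher)
        rows.append((cipher, wire_size(1476, cipher=cipher), ip_mtu, ip_mtu - TCP_IP_HDRS))
    return rows


if __name__ == "__main__":
    for cipher, at_1476, ip_mtu, mss in report():
        print(f"{cipher}: ip mtu 1476 -> {at_1476} B on wire; "
              f"max ip mtu {ip_mtu}, matching adjust-mss {mss}")
```

Under these assumptions a full-size packet at the default GRE ip mtu of 1476 exceeds 1500 bytes once encrypted, while 1400 fits with either cipher.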