05-01-2007 11:02 AM - edited 02-21-2020 03:00 PM
Hello,
I have a site-to-site VPN set up between a 7206VXR and a 2801. Every time I bring the tunnel interfaces up, the machines at the remote end begin to experience extreme latency. I have tried adjusting the bandwidth on the tunnel interface and decreasing the MSS setting on the tunnel interface, but with no luck. Below are the configs and the output of the show commands:
sh run int tunnel0
Building configuration...
Current configuration : 217 bytes
!
interface Tunnel0
bandwidth 3162
ip address 192.168.0.14 255.255.255.252
shutdown
tunnel source 192.168.0.34
tunnel destination 192.168.0.33
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
end
VPN CONFIG:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
sh int tunnel0
Tunnel0 is administratively down, line protocol is down
Hardware is Tunnel
Internet address is 192.168.0.14/30
MTU 1514 bytes, BW 3162 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 192.168.0.34, destination 192.168.0.33
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "VTI")
Last input never, output never, output hang never
Last clearing of "show interface" counters 03:30:14
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2922
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
751 packets input, 140283 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
335490 packets output, 27052740 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Thanks for the help!
Brian
05-01-2007 12:48 PM
Is the slowness noted when using any type of secure application (SharePoint, Exchange)? If so, you might be running into a packet fragmentation issue (encrypted packets hate it). Try adjusting down the MTU allowed, either on the routers or on the end-node hosts. The best way I've found is to use an MTU adjustment tool on the workstations and set it around 1300 (the same amount I think the Cisco VPN client adjusts to). Me
05-02-2007 05:49 AM
Thanks for the reply!
The slowness occurs as soon as I perform a "no shut" on the interfaces and the tunnel comes up. Unfortunately, due to the number of hosts, I can't change the MTU size on each host. I tried changing the MTU on the router interface but get the same results as before... extreme latency almost immediately.
05-02-2007 06:05 AM
On the router you can try the additional commands mss-adjust and PMTU Discovery (there is a known DoS issue with that, though), along with adjusting the MTU on the interface. They seem to be intermittent in effect. If the hosts are running a local firewall, they may block the PMTUD notifications as bad traffic and ignore the router trying to help out. These commands have helped intermittently for me, as they change/modify the hosts with security updates.
Me
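To put numbers on the MTU/MSS advice above for the transform set in this thread (esp-3des esp-sha-hmac on a tunnel-mode VTI), here is an added worked example, not from the original posters. It computes the ESP tunnel-mode overhead from the RFC sizes (8-byte SPI/sequence header, 8-byte 3DES IV, padding to the 8-byte block, 2-byte trailer, 12-byte SHA1-96 ICV, plus a new 20-byte outer IPv4 header) and derives the largest inner `ip mtu` and matching `ip tcp adjust-mss` that avoid post-encryption fragmentation; the 1500-byte path MTU and the margin-free result are assumptions, and operators usually leave headroom (e.g. 1400/1360) for extra headers on the path.

```python
# Added example: IPsec overhead budget for the thread's transform set
# (esp-3des esp-sha-hmac, tunnel mode via VTI) over IPv4.
# Constants from RFC 2406/4303 (ESP), RFC 2451 (3DES-CBC) and RFC 2404
# (HMAC-SHA1-96).  A 1500-byte path MTU with no IP options is an assumption.
OUTER_IP_HDR = 20   # outer IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
IV_LEN = 8          # 3DES-CBC initialisation vector
BLOCK = 8           # 3DES block size; payload + trailer is padded to it
ESP_TRAILER = 2     # pad length (1) + next header (1)
ICV_LEN = 12        # HMAC-SHA1-96 integrity check value
TCP_IP_HDRS = 40    # IPv4 (20) + TCP (20): MSS must sit this far below ip mtu


def esp_packet_size(inner_len, iv_len=IV_LEN, block=BLOCK, icv_len=ICV_LEN):
    """Outer IPv4 length of an ESP tunnel-mode packet carrying an inner
    packet of inner_len bytes (cipher-padded, authenticated, re-encapsulated)."""
    enc = inner_len + ESP_TRAILER          # data that must end on a block boundary
    pad = (-enc) % block                   # padding bytes the cipher forces
    return OUTER_IP_HDR + ESP_HDR + iv_len + enc + pad + icv_len


def max_inner_mtu(path_mtu=1500, **kw):
    """Largest inner packet whose encrypted form still fits path_mtu,
    i.e. the highest 'ip mtu' that never fragments after encryption."""
    inner = path_mtu
    while esp_packet_size(inner, **kw) > path_mtu:
        inner -= 1
    return inner


def tunnel_mtu_plan(path_mtu=1500, **kw):
    """Derive ip mtu / adjust-mss values and show what a full-size 1500-byte
    inner packet would grow to (anything above path_mtu gets fragmented, or
    dropped when DF is set and PMTUD replies are filtered)."""
    mtu = max_inner_mtu(path_mtu, **kw)
    return {
        "ip_mtu": mtu,
        "adjust_mss": mtu - TCP_IP_HDRS,
        "encrypted_at_ip_mtu": esp_packet_size(mtu, **kw),
        "encrypted_at_1500": esp_packet_size(1500, **kw),
    }


def ios_tunnel_lines(plan):
    """Render the two interface-level IOS commands the thread refers to."""
    return [f"ip mtu {plan['ip_mtu']}", f"ip tcp adjust-mss {plan['adjust_mss']}"]


if __name__ == "__main__":
    plan = tunnel_mtu_plan()
    print(plan)                            # 1500-byte inner packets become 1552 bytes
    print("\n".join(ios_tunnel_lines(plan)))
```

Run it as-is for the 3DES/SHA1 case, or pass e.g. `iv_len=16, block=16, icv_len=12` to `tunnel_mtu_plan` to re-run the budget for an AES-CBC transform set.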