10-06-2011 02:57 PM
Experts,
I ran into a very interesting issue. I am connecting 3 offices via point-to-point wireless antennas. There is a main central location and 2 remote offices.
Previously all locations were running under the same wireless antenna point-to-point provider. Each antenna runs 10 Mbps.
Central location Antenna1-------------------------------------remote peer 1 (vpn and latency works perfect)
Central location Antenna 2-------------------------------------remote peer 2 (vpn increases latency but ip to ip works fine).
For the central location 2, these are the tests that I ran:
Central Location Antenna 2
Router inside: 10.10.10.1
Router outside: 200.1.1.1
Remote peer 2:
Router inside: 10.9.9.1
Router outside: 195.2.2.2
Success rate is 100 percent (5/5), round-trip min/avg/max = 432/553/656 ms (This is when I ping via VPN from 10.10.10.1 to 10.9.9.1)
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/18/28 ms (This is when I ping 200.1.1.1 to 195.2.2.2 over the regular internet)
What could cause this huge delay? I have tested various routers on Antenna2 and it is the same result. Delay only happens when I add VPN.
Thank you for any light...
Randall
11-02-2011 06:21 PM
Experts...any ideas :-(
11-02-2011 08:31 PM
Hi Randall,
When you use VPNs like IPsec, GRE over IPsec, etc., they induce heavy overhead and require fragmentation along the path.
For example:
The GRE ip mtu is 1476 bytes, and IPsec adds another 58-74 bytes depending on the encryption you use. So the total packet size would become close to 1600 bytes. So they need to be fragmented, and hence they induce the additional latency. When you ping your ISP, those packets are not encapsulated and do not contain any overhead, so you get less latency.
Does this help? Please let me know if you want more info.
Happy to help
Regards
Kishore
11-02-2011 08:35 PM
Kishore,
Good evening!
Appreciate the info. Is there a workaround you suggest?
Oddly enough it does not happen with my other provider.
I own both ends of the tunnel so I can manipulate the router with any tweaks you suggest.
Thanks a bunch!
11-02-2011 08:42 PM
Hi Randall
Definitely, there is a workaround. It is by lowering the ip mtu before it hits the tunnel. The way to counter this is to set the ip mtu on the tunnel interface to 1400 bytes (if you are using a GRE tunnel with IPsec); you can lower it more as well if you want. You can also combine it with "ip tcp adjust-mss". Essentially, we don't let the packet size get any bigger than 1500 bytes altogether so that hops in between don't have to do fragmentation. The delay is caused by fragmentation in between.
The below link should guide you in the right direction.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
HTH
Kishore
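The workaround from the reply above, written out as an IOS configuration sketch. This is an added example, not part of the original thread: the interface name Tunnel0 and the MSS value 1360 (1400 minus 20 bytes of IP header and 20 bytes of TCP header) are assumptions, while the ip mtu of 1400 and the addresses come from the posts.

```cisco
! Added example; apply on the tunnel interface at both ends of the VPN.
! Tunnel0 is an assumed interface name.
interface Tunnel0
 ! Limit IP packets entering the tunnel to 1400 bytes so that the
 ! GRE and IPsec headers added afterwards still fit in 1500 bytes.
 ip mtu 1400
 ! Rewrite the MSS option in TCP SYNs crossing the tunnel so that
 ! TCP segments never need fragmenting: 1400 - 20 (IP) - 20 (TCP).
 ip tcp adjust-mss 1360
!
! Checks from exec mode on the central router:
!
! Confirm the tunnel's IP MTU took effect.
!   show ip interface Tunnel0 | include MTU
!
! Send a full-size ping through the VPN with the DF bit set and
! compare the round-trip times with the 12/18/28 ms IP-to-IP baseline.
!   ping 10.9.9.1 source 10.10.10.1 size 1400 df-bit
```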
11-02-2011 08:55 PM
You da man!!!