DMVPN GRE over IPsec packet loss

I have a hub and spoke DMVPN GRE over IPsec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off, I want to say that I have replaced the router and I get the same exact errors. By monitoring the terminal, I regularly get these messages:
%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
The tunnel is up, passes data, and always stays up. This router is a spoke router. The routing protocol being used is EIGRP. When I do a "show crypto isakmp sa", it shows the state as being "QM_IDLE", which means it is up.
When I use "show crypto engine accelerator stat", this is what I get (attached file).
You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to misconfiguration because the config is exactly the same as at other sites I have which never have any problems. Here are the tunnel interface and the tunnel source interface on the spoke router:
interface Tunnel111
description **DPN VPN**
bandwidth 1000
ip address 172.31.111.107 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1300
ip pim sparse-dense-mode
ip nhrp authentication XXXX
ip nhrp map multicast dynamic
ip nhrp map multicast X.X.X.X
ip nhrp map X.X.X.X X.X.X.X
ip nhrp network-id 100002
ip nhrp holdtime 360
ip nhrp nhs 172.31.111.254
ip route-cache flow
ip tcp adjust-mss 1260
ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key XXXX
tunnel protection ipsec profile X.X.X.X
interface GigabitEthernet0/0
description **TO DPNVPN**
ip address 10.X.X.X 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip pim sparse-dense-mode
ip virtual-reassembly
duplex full
speed 100
no snmp trap link-status
no mop enabled
Is there anything that you can think of that may be causing this? Do you think this can be a layer one or two issue? Thanks
Brenden

Have you tried turning off the hardware encryption (no crypto engine accelerator), just to see if it's better? But be careful, because your CPU% will run much higher; but you only have 10 spoke sites, so it won't be at 100%.
It's better to start troubleshooting at layer 1 and then layer 2 when it's possible. Have you asked the site's ISP about packet loss on their side?

Similar Messages

  • DMVPN & GRE over IPsec on the same physical interface

    Dear All,
    I'm configuring two WAN routers; each WAN router has one physical interface connecting to branches and the regional office using the same provider.
    We'll be using GRE over IPsec to connect to the regional office and DMVPN + EIGRP to branches.
    I would like to know if it's possible to configure tunnels for GRE over IPsec and DMVPN + EIGRP using the same source physical interface.
    Kindly reply, it's an urgent request and your response is highly appreciated.
    Regards,

    Hi Savio,
    It should work. We can configure DMVPN and GRE over IPsec on ASA using the same physical interface.
    Regards,
    Naresh

  • When do I have to use a GRE over IPsec tunnel? I have heard that when I'm using a routing protocol and a site-to-site VPN I need a GRE tunnel

    I have configured a network with OSPF and a site-to-site VPN without a GRE tunnel and it works very well. I want to know, when do I have to use a GRE tunnel over IPsec?

    Jose,
    It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing, with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnel keys, pass many more types of traffic than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels, whereas VTIs are point to point.
    Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
    HTH,
    Frank

  • GRE over IPsec VPN

    ACC
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml#diag
    This is a lab I did today, and of course I am able to understand this lab, but the confusions are:
    1. Why do we use a crypto map on both interfaces (physical interface and tunnel interface)?
    2. When I remove the crypto map from the tunnel interface I receive this message:
    ( R2691#*Mar  1 01:12:54.243: ISAKMP:(1002):purging node 2144544879 )
    Please tell me what the meaning of this message is.
    3. But I can see the VPN is working fine. This is the crypto sa and crypto isakmp sa:
    R2691#sh crypto ipsec sa
    interface: Serial0/0
        Crypto map tag: vpn, local addr 30.1.1.21
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (30.1.1.21/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
       current_peer 10.1.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
        #pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 2, #recv errors 0
         local crypto endpt.: 30.1.1.21, remote crypto endpt.: 10.1.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
         current outbound spi: 0xDBF65B0E(3690355470)
         inbound esp sas:
          spi: 0x44FF512B(1157583147)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 5, flow_id: SW:5, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4598427/3368)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xDBF65B0E(3690355470)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 6, flow_id: SW:6, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4598427/3368)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    R2691#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    30.1.1.21       10.1.1.1        QM_IDLE           1002    0 ACTIVE
    IPv6 Crypto ISAKMP SA.
    4. How do I know it is using GRE over IPsec?
    I am also attaching my topology on which I did the lab.

    Mr. Anuj, here is my config:
    R7200#sh ip int b
    Interface                  IP-Address      OK? Method Status                Protocol
    Serial1/0                  10.1.1.1        YES NVRAM  up                    up
    Loopback1                  50.1.1.1        YES NVRAM  up                    up
    Loopback2                  50.1.2.1        YES NVRAM  up                    up
    Tunnel0                    40.1.1.2        YES NVRAM  up                    up
    Tunnel1                    40.1.2.2        YES NVRAM  up                    up
    Tunnel2                    40.1.3.2        YES NVRAM  up                    up
    =========================================================
    R7200#sh int tunnel 0
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 40.1.1.2/24
      MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 10.1.1.1 (Serial1/0), destination 30.1.1.1
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255
      Fast tunneling enabled
      Tunnel transport MTU 1476 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 00:00:04, output 00:00:04, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         2229 packets input, 213651 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         2292 packets output, 220520 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    ===============================================================
    My crypto ACL is:
    access-list 101 permit gre host 10.1.1.1 host 30.1.1.1

  • High CPU consumption with GRE over IPsec

    Hi all,
    After applying a GRE over IPsec tunnel at one of our branch offices, we get high CPU consumption (average 90%).
    The tunnel is applied between a Cisco 2851 (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T2, (fc2) and a
    Cisco CISCO2921/K9 Version 15.0(1)M3.
    The config of the tunnel is as follows:
    - authentication pre-share
    - encryption aes 256
    - hash : sha
    - transform set : esp-aes esp-sha-hmac mode transport
    The routing process is EIGRP.
    Could anyone please help me on solving this issue?

    Cool, good start.
    Check "show ip traffic" on both sides, it would be interesting to see what's going on.
    BTW the CPU usage of top process doesn't add up to 90%, there's a possibility it's traffic rate/pattern + features (IP input and pool manager would suggest that).

  • DMVPN GRE with IPsec fragmentation

    When configuring our tunnel we get an error message indicating that the MTU is greater than the transport value 1376, fragmentation will occur (see below).  We are using transport mode and using the recommended MTU settings of 1400 bytes.  Could this be causing excessive fragmentation and affecting latency and user experience?
    ro1-91309(config)#interface Tunnel2
    service_policy on dynamic interface is not allowed if there is fair-queue configured on main interface
    ro1-91309(config-if)# description GRE tunnel interface to Tempe
    ro1-91309(config-if)# bandwidth 1500
    ro1-91309(config-if)# ip address x.x.x.x.x
    ro1-91309(config-if)# ip mtu 1400
    %Warning: IP MTU value set 1400 is greater than the current transport value 1376, fragmentation may occur
    ro1-91309(config-if)# ip hello-interval eigrp 65100 10
    ro1-91309(config-if)# ip hold-time eigrp 65100 40
    ro1-91309(config-if)# ip flow ingress
    ro1-91309(config-if)# ip flow egress
    ro1-91309(config-if)# ip pim sparse-mode
    ro1-91309(config-if)# ip nat outside
    ro1-91309(config-if)# ip nhrp authentication cisco
    ro1-91309(config-if)# ip nhrp map 10.2.0.1 x.x.x.x
    ro1-91309(config-if)# ip nhrp map multicast x.x.x.x
    ro1-91309(config-if)# ip nhrp network-id 1001
    ro1-91309(config-if)# ip nhrp holdtime 600
    ro1-91309(config-if)# ip nhrp nhs 10.2.0.1
    ro1-91309(config-if)# ip nhrp registration timeout 30
    ro1-91309(config-if)# ip virtual-reassembly in
    ro1-91309(config-if)# zone-member security TRUST
    ro1-91309(config-if)# ip tcp adjust-mss 1360
    ro1-91309(config-if)# ip summary-address eigrp 65100 10.8.80.0 255.255.255.0 5
    ro1-91309(config-if)# load-interval 30
    ro1-91309(config-if)# if-state nhrp
    ro1-91309(config-if)# qos pre-classify
    ro1-91309(config-if)# tunnel source FastEthernet0/1
    ro1-91309(config-if)# tunnel destination x.x.x.x
    ro1-91309(config-if)# tunnel key 1001
    ro1-91309(config-if)# tunnel protection ipsec profile iGBN
    ro1-91309(config-if)# max-reserved-bandwidth 100
    service_policy on dynamic interface is not allowed if there is fair-queue configured on main interface
    ro1-91309(config-if)# hold-queue 4096 in
    ro1-91309(config-if)# hold-queue 4096 out
    ro1-91309(config-if)#end
    Crypto settings
    crypto isakmp policy 1
    encr aes
    hash md5
    group 5
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 30 12
    crypto ipsec security-association replay window-size 1024
    crypto ipsec transform-set iGBN esp-aes esp-md5-hmac
    mode transport
    crypto ipsec profile iGBN
    set transform-set iGBN

    You should be good with this configuration.
    Here is the explanation:
    When an IP packet has been split into two fragments and encapsulated by GRE, IPsec will see two independent GRE + IP packets. Often in a default configuration one of these packets will be large enough that it will need to be fragmented after it has been encrypted. The IPsec peer will have to reassemble this packet before decryption. This "double fragmentation" (once before GRE and again after IPsec) on the sending router increases latency and lowers throughput. Also, reassembly is process-switched, so there will be a CPU hit on the receiving router whenever this happens. This situation can be avoided by setting the "ip mtu" on the GRE tunnel interface low enough to take into account the overhead from both GRE and IPsec (by default the GRE tunnel interface "ip mtu" is set to the outgoing real interface MTU minus the GRE overhead bytes).
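A worked check of the size arithmetic in that explanation, added here as an example and not part of the original thread. It adds up the GRE header (with a tunnel key), the ESP header, IV, padding and ICV for the IOS transform keywords used in these threads, and finds the largest tunnel "ip mtu" whose packets still fit a 1500-byte transport without post-encryption fragmentation; it is plain protocol arithmetic, not a reproduction of the conservative "transport value" that IOS itself prints in its warning.

```python
"""Size arithmetic for GRE over IPsec: does a full-size tunnel packet still
fit the physical MTU after GRE encapsulation and ESP protection?"""
import math

IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # base GRE header
GRE_KEY = 4          # extra bytes when "tunnel key" is configured
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
TCP_HDR = 20         # used for "ip tcp adjust-mss"

# (IV length, cipher block size) per IOS transform-set keyword.
CIPHERS = {
    "esp-3des": (8, 8),
    "esp-aes": (16, 16),
    "esp-aes 256": (16, 16),
}
# Truncated HMAC ICV length per IOS transform-set keyword (both 96-bit).
HMACS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}


def gre_size(ip_mtu, tunnel_key=True):
    """Size of the GRE/IP packet that carries a full-size inner IP packet."""
    return ip_mtu + IP_HDR + GRE_HDR + (GRE_KEY if tunnel_key else 0)


def esp_size(plain_len, cipher, hmac, mode):
    """Size on the wire after ESP.

    plain_len is the GRE/IP packet handed to IPsec.  In transport mode its
    IP header stays in the clear and only the rest is encrypted; in tunnel
    mode the whole packet is encrypted and a new outer IP header is added.
    """
    iv, block = CIPHERS[cipher]
    icv = HMACS[hmac]
    if mode == "transport":
        payload = plain_len - IP_HDR
    elif mode == "tunnel":
        payload = plain_len
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = math.ceil((payload + ESP_TRAILER) / block) * block
    return IP_HDR + ESP_HDR + iv + padded + icv


def wire_size(ip_mtu, cipher, hmac, mode, tunnel_key=True):
    """Outer packet size for a full-size tunnel packet."""
    return esp_size(gre_size(ip_mtu, tunnel_key), cipher, hmac, mode)


def max_tunnel_ip_mtu(transport_mtu, cipher, hmac, mode, tunnel_key=True):
    """Largest tunnel "ip mtu" whose packets never fragment after encryption."""
    for mtu in range(transport_mtu, 0, -1):
        if wire_size(mtu, cipher, hmac, mode, tunnel_key) <= transport_mtu:
            return mtu
    raise ValueError("transport MTU too small for any tunnel packet")


def adjust_mss(ip_mtu):
    """MSS to set with "ip tcp adjust-mss": tunnel MTU minus IP and TCP headers."""
    return ip_mtu - IP_HDR - TCP_HDR


def check(ip_mtu, transport_mtu, cipher, hmac, mode, tunnel_key=True):
    """Report whether a given tunnel "ip mtu" causes double fragmentation."""
    size = wire_size(ip_mtu, cipher, hmac, mode, tunnel_key)
    return {
        "wire_size": size,
        "fragments": size > transport_mtu,
        "max_ip_mtu": max_tunnel_ip_mtu(transport_mtu, cipher, hmac, mode, tunnel_key),
        "adjust_mss": adjust_mss(ip_mtu),
    }


if __name__ == "__main__":
    # This thread: ip mtu 1400, esp-aes esp-md5-hmac, transport mode, tunnel key.
    print(check(1400, 1500, "esp-aes", "esp-md5-hmac", "transport"))
    # DMVPN Issues thread below: ip mtu 1500, esp-3des esp-md5-hmac, default tunnel mode.
    print(check(1500, 1500, "esp-3des", "esp-md5-hmac", "tunnel"))
```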

  • When do I have to use a GRE over IPsec tunnel? I have heard that when I'm using a routing protocol and a site-to-site VPN I need a

    I have configured a network with OSPF and a site-to-site VPN without a GRE tunnel and it works very well. I want to know, when do I have to use a GRE tunnel over IPsec?

    Hi josedilone19
    GRE is used when you need to pass broadcast or multicast traffic. That's the main function of GRE.
    Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks.
    However, there are some other important aspects to consider:
    In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks
    GRE tunnels encase multiple protocols over a single-protocol backbone.
    GRE tunnels provide workarounds for networks with limited hops.
    GRE tunnels connect discontinuous sub-networks.
    GRE tunnels allow VPNs across wide area networks (WANs).
    -Hope this helps -

  • Over 50% packet loss...

    For the past 2 weeks I have noticed that my online gameplay has been suffering from what I initially thought were latency issues. However, after further investigation I have identified one of Comcast's servers to be the culprit. The server 23.30.207.98, registered to Comcast Business Solutions, outside Wichita, Kansas, is dropping over 50% of the packets that pass through it on the way to San Jose, CA. Over the past few days I have run multiple tests on the route. They all look like the one I have attached, some worse, but none better. Is this issue on Comcast's radar, and is a resolution on the horizon?

    ZeroZuluBravo wrote: ... my online gameplay has been suffering ... What EG said. However, max latency on all your hops is very high. This might also be due to rate limiting, but a poor connection between your modem and Comcast is possible as well. If you collected these stats using Wi-Fi, you should redo them using an Ethernet connection if possible for a truer picture of what's going on. To rule out a local signal problem, please provide Information Requested for Connection-Related Posts.

  • GRE over EasyVPN

    I have a PIX 501 connecting to a VPN Concentrator via EasyVPN. That connection works fine, now I want to add a router running GRE.
    I cannot get my GRE tunnels to come up. I have added the fixup pptp command and a static translation, translating the Easy VPN obtained address to the router's inside address; however, nothing seems to be working… Any suggestions? Can anyone confirm that you can run GRE over Easy VPN?

    I think if you are doing NEM mode then you should be able to do GRE over IPsec.
    But when EasyVPN is in "client mode", all networks from the remote site get PAT'ed before they are sent through IPsec. Therefore it may not work.
    The GRE tunnel destination should be reachable for the GRE tunnel to work; therefore, in client mode the PAT can hide the tunnel source address of the remote site.
    Check which mode of EasyVPN it is.
    HTH
    Saju
    Pls rate helpful posts

  • DMVPN Issues - IPsec packets

    Hi All,
    I am currently trying to configure DMVPN for the first time. I have been following the Cisco config guide and googling a few other bits; however, I seem to have hit a brick wall.
    The setup is in a lab environment, so I can post up as much info as required, but here are the important bits:
    I have 3 Cisco 2821 routers running IOS 12.4(15) with a Layer 3 switch in the middle connecting the "wan" ports together. The routing is working fine; I can ping each router from each other router.
    A few snippets from the hub router config:
    crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
    !
    crypto ipsec profile DMVPN_PRJ
     set transform-set DMVPN_SET
    !
    interface Tunnel0
     bandwidth 10000
     ip address 172.17.100.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp authentication secretid
     ip nhrp map multicast dynamic
     ip nhrp network-id 101
     ip nhrp holdtime 450
     ip tcp adjust-mss 1460
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 10101
     tunnel protection ipsec profile DMVPN_PRJ
    !
    interface GigabitEthernet0/0
     description HQ WAN
     ip address 1.1.1.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    And here's the config on the first spoke router:
    crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
    !
    crypto ipsec profile DMVPN_PRJ
     set transform-set DMVPN_SET
    !
    interface Tunnel0
     bandwidth 3000
     ip address 172.17.100.10 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp authentication secretid
     ip nhrp map 172.17.100.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 101
     ip nhrp holdtime 450
     ip nhrp nhs 172.17.100.1
     ip tcp adjust-mss 1460
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 10101
     tunnel protection ipsec profile DMVPN_PRJ
    !
    interface GigabitEthernet0/0
     description Site 1 WAN
     ip address 11.11.11.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    If I shut/no shut the tunnel0 interface on spoke 1, I get the following error on the hub router:
    Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.        (ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47
    So I feel I'm missing some config on the spoke side to encrypt the traffic, but I'm not sure what.
    The following are outputs from the spoke router:
    RTR_SITE1#sh dmvpn detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer

    -------------- Interface Tunnel0 info: --------------
    Intf. is up, Line Protocol is up, Addr. is 172.17.100.10
       Source addr: 11.11.11.1, Dest addr: MGRE
      Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PRJ",
    Tunnel VRF "", ip vrf forwarding ""
    NHRP Details: NHS:       172.17.100.1  E
    Type:Spoke, NBMA Peers:1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    ----- --------------- --------------- ----- -------- ----- -----------------
        1         1.1.1.1    172.17.100.1   IKE    never S       172.17.100.1/32

    Interface: Tunnel0
    Session: [0x48E31B98]
      Crypto Session Status: DOWN
      fvrf: (none),   IPSEC FLOW: permit 47 host 11.11.11.1 host 1.1.1.1
            Active SAs: 0, origin: crypto map
       Outbound SPI : 0x       0, transform :
        Socket State: Closed

    Pending DMVPN Sessions:

    RTR_SITE1#sh ip nhrp detail
    172.17.100.1/32 via 172.17.100.1, Tunnel0 created 00:33:44, never expire
      Type: static, Flags: used
      NBMA address: 1.1.1.1

    RTR_SITE1#sh crypto ipsec sa
    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
       current_peer 1.1.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 46, #recv errors 0
         local crypto endpt.: 11.11.11.1, remote crypto endpt.: 1.1.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0x0(0)
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    All of these commands show up as blank when I run them on the hub router.
    Any help appreciated.
    Thanks

    Thanks for the help
    I was following this guide: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN.html#wp1118625
    I am using NAT; g0/1 on the routers is the LAN interface, with a different 10.x.x.x/24 on each router.
    The isakmp policy solved my issue; I fixed the MTU as well.
    What do I need to add to allow the 10.x.x.x networks to use the tunnels to communicate? I can now ping each end of the tunnel from both routers, but not the LAN interfaces.
    Thanks
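An added example, not code from either thread, that parses the crypto syslog messages quoted here (%CRYPTO-4-RECVD_PKT_NOT_IPSEC) and in the DMVPN packet-loss question at the top of the page (%VPN_HW-1-PACKET_ERROR, %CRYPTO-4-RECVD_PKT_MAC_ERR) and counts them per message and per peer address, so a burst of integrity failures from one spoke stands out. The sample log lines and addresses are constructed, and the triage strings summarise the replies in those threads (integrity failures on a working tunnel point at the path or the crypto engine; plaintext GRE from a peer means its IPsec SA never came up).

```python
"""Triage of IOS crypto syslog lines of the kinds quoted in these threads."""
import re
from collections import Counter

# Constructed sample lines modelled on the quoted messages; the addresses
# are placeholders, not from any real network.
SAMPLE_LOG = """\
Mar 30 13:41:17.075: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.0.0.1,dstadr=10.0.0.2,size=616,handle=0x581A
Mar 30 13:41:18.102: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
Mar 30 13:41:18.903: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
Mar 30 13:41:19.330: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.        (ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47
Mar 30 13:41:20.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# %FACILITY-SEVERITY-MNEMONIC: free text
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
# key=value pairs; IOS is inconsistent about spaces around '=' and uses
# both "srcadr=" and "src_addr= " spellings, so be lenient.
KV_RE = re.compile(r"(\w+)\s*=\s*([^,\s]+)")

# Meaning of each message for the tunnel and the first thing to verify,
# following the replies in the threads above.
TRIAGE = {
    "RECVD_PKT_MAC_ERR": (
        "ESP integrity check failed on a received packet",
        "look for loss or corruption on the path (layer 1/2, ISP); compare with software crypto",
    ),
    "PACKET_ERROR": (
        "hardware crypto engine reported an authentication error",
        "correlate with 'show crypto engine accelerator statistic'; test with 'no crypto engine accelerator'",
    ),
    "RECVD_PKT_NOT_IPSEC": (
        "plaintext GRE (protocol 47) arrived where tunnel protection expects IPsec",
        "the peer's IPsec SA is not established; check its ISAKMP policy and IPsec profile",
    ),
}


def parse_line(line):
    """Split one syslog line into facility, severity, mnemonic, text and fields.

    Returns None for lines that carry no %FAC-SEV-MNEMONIC marker.
    """
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    # "vrf/dest_addr= /1.1.1.1" yields a leading slash on the value; drop it.
    rec["fields"] = {k: v.lstrip("/") for k, v in KV_RE.findall(rec["text"])}
    return rec


def triage(log_text):
    """Count the crypto messages per mnemonic and per remote address."""
    counts = Counter()
    peers = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["mnemonic"] not in TRIAGE:
            continue  # unrelated message, e.g. %SYS-5-CONFIG_I
        counts[rec["mnemonic"]] += 1
        peer = rec["fields"].get("src_addr") or rec["fields"].get("srcadr")
        if peer:
            peers[peer] += 1
    return {
        "counts": dict(counts),
        "peers": dict(peers),
        # Most frequent message first, each with its meaning and first check.
        "findings": [(name, n, *TRIAGE[name]) for name, n in counts.most_common()],
    }


if __name__ == "__main__":
    for name, n, meaning, first_check in triage(SAMPLE_LOG)["findings"]:
        print(f"{n:>3}  {name}: {meaning}; next: {first_check}")
```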

  • Serious packet loss creating roaming network over Ethernet.

    Comcast Business Gateway modem/router with static addressing provides one address for an externally accessible web/mail server on one of its four RJ45 LAN ports. The second RJ45 LAN port provides a second external address with NAT & DHCP to an internal private 10.1.10.x network connected to a 24-port Netgear gigabit switch. The Netgear is our home's primary switch, with most of the ports going to different jacks throughout our house. We have various PCs and Macs, a home server and other similar devices hardwired through the house jacks back to the Netgear, receiving DHCP assignments from the Comcast router.
    We've had (1) Airport Extreme base station (last generation, not the tall one) connected to the network, also receiving a DHCP IP address from the Comcast box. It's set to bridging mode, cabled from its WAN port by CAT5e to the Netgear switch and offering a Wi-Fi SSID with WPA2 PSK. NAT/DHCP etc is disabled. IPv6 is set to link-local only. No disks attached. Wireless channels set to Automatically.
    At this point we have fairly smooth network performance, everything connects immediately (iOS devices, Android devices, utility boxes, computers, etc) and 0% apparent packet loss.
    We have some weak Wi-Fi coverage on the far side of the house and I'd like to establish a roaming network, with a new Airport Express (most recent gen) plugged into a wall jack on that side of the house, cabled by Ethernet back to the Netgear, and set up identically. Same SSID and PSK. But when I activate this, I'm finding the network gets anywhere from 88% to 98% packet loss pinging the Comcast router and going outbound. And none of the iOS devices I tried could establish a functional network connection.
    I tried replacing the Airport Express with another similar Airport Express, to the same effect. I set the Airport Express to create a second SSID and that seemed to work OK, but then I had two distinct networks instead of a roaming network. I also tried disabling DHCP on the Comcast router and enabling it on the Airport Extreme Base Station, but still had the same packet loss. I also tried setting one, the other, and then both Airport boxes to static addresses, bypassing the DHCP for their LAN-side connections (although still bridging), and still had too much packet loss. No matter what I do, I can't seem to establish a functional Ethernet-connected roaming network with both Airport boxes.
    Any ideas?

    Thank you for the reply. The Netgear switch I'm using is a GS724T -- it has management features which I'm working through, but all the ports are set to auto-negotiate and the port the Airport Express is on is lit for 100baseT. I didn't see any way to set the MTU in the Airport Utility menus/buttons.
    When I join the Airport Express to the network, it sets up the roaming network as intended. But then performance all across the switch goes downhill -- even when pinging from a PC attached to one of the switch ports to the Comcast router I get 90% packet loss or worse, so that nothing seems to get out or in until I disconnect the Airport Express. It's that dramatic a difference. It doesn't make sense to me that a wireless roaming network across the two Airport boxes should kill performance through the router...

  • Packet Loss after Reboot of ASA 5510

    Hi all,
    I have an ASA and a 2811 behind it, and I had to replace a battery on a UPS, so I had to take down the network to do it. Before doing it the network ran fine, but I did a WR MEM and a Copy RUNNING to STARTUP config, thinking that the configs I had were fine. At some point in the past I must have made a change and never applied it, and maybe it is causing the issue, but I am at a loss as to what the cause is. I am getting consistent packet loss from the ASA out. Any address I ping on the inside is clear and quick. Also, I do not know if it is related, but I cannot get results from TRACE ROUTES and I believe I used to.
    I have confirmed the PL is related to my network, if I plug the static IP info from the provider in to a laptop, it is clear. I am at my wits end, and I know just enough to be dangerous, so any help would be appreciated.
    Here are my configs:
    ASA5510# sh run
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    domain-name m.int
    enable password encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd  encrypted
    names
    dns-guard
    interface Ethernet0/0
     description LAN Interface
     nameif Inside
     security-level 100
     ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
     description WAN Interface
     nameif Outside
     security-level 0
     ip address 68.233.x.x 255.255.255.128
    interface Ethernet0/2
     description DMZ
     nameif DMZ
     security-level 100
     ip address 10.10.0.1 255.255.255.252
    interface Ethernet0/3
     description VOIP
     nameif VOIP
     security-level 100
     ip address 10.10.2.1 255.255.255.252
    interface Management0/0
     management-only
     shutdown
     nameif management
     security-level 0
     no ip address
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Inside
    dns domain-lookup Outside
    dns server-group DefaultDNS
     name-server 8.8.8.8
     name-server 8.8.4.4
     name-server 68.233.xx.5
     name-server 68.233.xx.6
     domain-name m.int
    same-security-traffic permit inter-interface
    object network ROUTER-2811
     host 10.10.1.2
    object network ROUTER-2821
     host 10.10.0.2
    object network WEBCAM-01
     host 192.168.1.5
    object network DNS-SERVER
     host 192.168.1.2
    object network ROUTER-3745
     host 10.10.2.2
    object network RDP-DC1
     host 192.168.1.2
    object network BLUE
     host 192.168.1.6
     description Blue Iris Server
    object network M_LAP_LEA
     host 192.168.1.20
     description Laptop from LEA
    object-group network PAT-SOURCE
     network-object 10.10.1.0 255.255.255.252
     network-object 10.10.0.0 255.255.255.252
     network-object 10.10.2.0 255.255.255.252
     network-object 192.168.0.0 255.255.255.0
     network-object 172.16.10.0 255.255.255.0
     network-object 172.16.20.0 255.255.255.0
     network-object 128.162.1.0 255.255.255.0
     network-object 128.162.10.0 255.255.255.0
     network-object 128.162.20.0 255.255.255.0
     network-object 192.168.1.0 255.255.255.0
     network-object 192.168.10.0 255.255.255.0
     network-object 192.168.20.0 255.255.255.0
     network-object 172.16.1.0 255.255.255.0
     network-object 162.128.1.0 255.255.255.0
     network-object 162.128.10.0 255.255.255.0
     network-object 162.128.20.0 255.255.255.0
     network-object 142.16.1.0 255.255.255.0
     network-object 142.16.10.0 255.255.255.0
     network-object 142.16.20.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_2
     network-object host 98.22.xxx
    object-group network Outside_access_in
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object gre
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    access-list Outside_access_in extended permit tcp host 98.22.xxx object ROUTER-2811 eq ssh
    access-list Outside_access_in extended permit tcp host 98.22.xxx object ROUTER-2821 eq ssh
    access-list Outside_access_in extended permit tcp host 98.22.xxx interface Outside eq https
    access-list Outside_access_in extended permit tcp host 98.22.xxx object WEBCAM-01 eq www inactive
    access-list Outside_access_in extended permit tcp host 98.22.xxx object RDP-DC1 eq xxxx
    access-list Outside_access_in extended permit tcp host 98.22.xxx object BLUE eq xxxx
    access-list Outside_access_in extended permit tcp host 98.22.xxx object ROUTER-3745 eq ssh
    access-list Outside_access_in extended permit tcp any object BLUE eq xxxx
    access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
    access-list dmz-access remark Permit all traffic to DC1
    access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
    access-list dmz-access remark Permit only DNS traffic to DNS server
    access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
    access-list dmz-access remark Permit ICMP to all devices in DC
    access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list dmz-access remark Permit all traffic to DC1
    access-list dmz-access remark Permit only DNS traffic to DNS server
    access-list dmz-access remark Permit ICMP to all devices in DC
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu DMZ 1500
    mtu VOIP 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any Outside
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network ROUTER-2811
     nat (Inside,Outside) static interface service tcp ssh x
    object network ROUTER-2821
     nat (DMZ,Outside) static interface service tcp ssh x
    object network WEBCAM-01
     nat (Inside,Outside) static interface service tcp www x
    object network ROUTER-3745
     nat (VOIP,Outside) static interface service tcp ssh x
    object network RDP-DC1
     nat (Inside,Outside) static interface service tcp xxxx xxxx
    object network BLUE
     nat (Inside,Outside) static interface service tcp xxxx xxxx
    nat (any,Outside) after-auto source dynamic any interface
    access-group Outside_access_in in interface Outside
    route Outside 0.0.0.0 0.0.0.0 68.233.151.1 1
    route DMZ 128.162.1.0 255.255.255.0 10.10.0.2 1
    route DMZ 128.162.10.0 255.255.255.0 10.10.0.2 1
    route DMZ 128.162.20.0 255.255.255.0 10.10.0.2 1
    route VOIP 142.16.1.0 255.255.255.0 10.10.2.2 1
    route VOIP 142.16.10.0 255.255.255.0 10.10.2.2 1
    route VOIP 142.16.20.0 255.255.255.0 10.10.2.2 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.10.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.20.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server PNL-RADIUS protocol radius
    aaa-server PNL-RADIUS (Inside) host 192.168.1.2
     key *****
     radius-common-pw *****
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    http 98.22.xxx 255.255.255.255 Outside
    snmp-server host Inside 192.168.1.2 community ***** version 2c udp-port 161
    snmp-server location Lovington NM USA
    snmp-server contact Mitchell Tuckness
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh 98.22.xxx 255.255.255.255 Outside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 24.56.178.140 source Outside prefer
    username xxxx password x encrypted privilege 15
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
      inspect pptp
     class class-default
      user-statistics accounting
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    password encryption aes
    hpm topN enable
    Cryptochecksum:949189d67866f6c09450769d41649992
    : end
    C2811#sh run
    Building configuration...
    Current configuration : 3925 bytes
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname C2811
    boot-start-marker
    boot system flash
    boot-end-marker
    enable secret 4 DWJfYBf6KhkIRmhhIhx8ibAAXVGQWjwfuyzfaX4Im8M
    aaa new-model
    aaa session-id common
    dot11 syslog
    no ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip domain name maladomini.int
    ip name-server 192.168.1.2
    ip name-server 8.8.8.8
    ip name-server 68.233.xxx.x
    ip name-server 68.233.xxx.x
    no vlan accounting input
    multilink bundle-name authenticated
    password encryption aes
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-1290569776
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1290569776
     revocation-check none
     rsakeypair TP-self-signed-1290569776
    crypto pki certificate chain TP-self-signed-1290569776
     certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31323930 35363937 3736301E 170D3134 30313035 30363130
      33395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32393035
      36393737 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100B18F F63C5121 00785DE0 854601BA EE77DAA3 21286D8C 6E700C37 237CC1BE
      611023AF FBE04BBE 7B4B3233 E4E129DD A74604E5 62AA39BF 77F98D5D D63944E9
      2345AE37 D93C5753 E425E85A EB22C2C9 CFC5D1A0 F800449B 0419A5C8 A0A101EC
      02928172 7B30A609 71ADA3D4 68F4F484 AF2B3249 0E225DB2 C72C136A E670D761
      DDE30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 1461F6DE 8EF50F7B 0E46359F 421EA106 9375F65F 30301D06
      03551D0E 04160414 61F6DE8E F50F7B0E 46359F42 1EA10693 75F65F30 300D0609
      2A864886 F70D0101 05050003 81810049 BA55F695 8525265F ED2D77EE 8706BF10
      63A7E644 202F6663 9EA5551F 47F7FC50 D4021EDD E3DC5A80 39FD161A C337D20D
      71B98875 0F1FE887 649E81D3 F93F7A1B A1E18B99 A77B1A59 84DB4711 867913FD
      044084FB 651ECA6E C6EDF35C E43A2946 8C01781E 26DB9484 C8740A82 4A7CA266
      A0655526 CBCB4982 F30D68E9 D70753
            quit
    license udi pid CISCO2811 sn FTX1041A07T
    username admin secret 5 $1$iBeC$8dqYMcpTex8gtUfannzox.
    username xxxx privilege 15 secret 4 DWJfYBf6KhkIRmhhIhx8ibAAXVGQWjwfuyzfaX4Im8M
    redundancy
    ip ssh time-out 60
    ip ssh authentication-retries 5
    ip ssh version 2
    interface FastEthernet0/0
     description CONNECTION TO INSIDE INT. OF ASA
     ip address 10.10.1.2 255.255.255.252
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface FastEthernet0/1
     no ip address
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface FastEthernet0/1.1
     description VLAN 10
     encapsulation dot1Q 10
     ip address 192.168.10.1 255.255.255.0
     ip helper-address 192.168.1.2
     ip virtual-reassembly in
    interface FastEthernet0/1.2
     description VLAN 20
     encapsulation dot1Q 20
     ip address 192.168.20.1 255.255.255.0
     ip helper-address 192.168.1.2
     ip virtual-reassembly in
    interface FastEthernet0/1.3
     description Trunk Interface VLAN 1
     encapsulation dot1Q 1 native
     ip address 192.168.1.1 255.255.255.0
     ip helper-address 192.168.1.2
     ip virtual-reassembly in
    interface Dialer0
     no ip address
    ip default-gateway 10.10.1.1
    ip forward-protocol nd
    no ip http server
    ip http authentication local
    ip http secure-server
    ip dns server
    ip route 0.0.0.0 0.0.0.0 10.10.1.1
    ip ospf name-lookup
    access-list 1 permit any
    dialer-list 1 protocol ip permit
    snmp-server community Maladomini-RW RW
    tftp-server system:running-config 1
    control-plane
    line con 0
     exec-timeout 0 0
     password 7 101D58415D361606050A147A
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     password 7 0527031B2C49470758
     transport input ssh
    scheduler allocate 20000 1000
    end
    2821:
    C2821#sh run
    Building configuration...
    Current configuration : 4128 bytes
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname C2821
    boot-start-marker
    boot system flash
    boot-end-marker
    enable secret 4 x
    aaa new-model
    aaa session-id common
    dot11 syslog
    no ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip domain name maladomini.int
    ip name-server 192.168.1.2
    ip name-server 8.8.8.8
    ip name-server 68.233.xxx.x
    ip name-server 68.233.xxx.x
    no vlan accounting input
    multilink bundle-name authenticated
    password encryption aes
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-3335929422
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3335929422
     revocation-check none
     rsakeypair TP-self-signed-3335929422
    crypto pki certificate chain TP-self-signed-3335929422
     certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 33333335 39323934 3232301E 170D3134 30313135 30333537
      32385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33333539
      32393432 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100AF6D 8C23745E 80AA83AC BE0243DD C8F8EC56 85BBE495 EF790354 B7E81921
      4C46CE35 F840420A 8385D3E3 B7B14EDF F4A8DB51 1A29E0ED A2704F69 9632ED7E
      5F66E546 486B2821 FB77266F 950D351E 13AA18FE 687643F6 FB9BF95F E56A0195
      19B8A7B6 7A582357 2517F08E 5E3BA197 2CD71E3E 32AB4B96 412E9AE3 1932A218
      7A1F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 14A86115 C2CA9E15 399B2A9C 21585323 1E2F3D98 45301D06
      03551D0E 04160414 A86115C2 CA9E1539 9B2A9C21 5853231E 2F3D9845 300D0609
      2A864886 F70D0101 05050003 81810028 81D8F701 D6AFDC54 94A93185 1E5F4DAC
      4DBF50B7 30B57ABD D1612E69 D964B77A A379F55C 7E823F42 4D01440C B237DED9
      6B8047B7 0496D8BB BD7EAC18 E6ACA1B1 3B527172 4A7B0D7B 4A031168 F99B171D
      D217CB06 2F31E4DF FD9AC1C9 1199869A 34E90671 5611A6DA 7CC6A7B0 A39F78FB
      B3932E37 4B302779 E761DB00 AFA7CC
            quit
    license udi pid CISCO2821 sn FTX1327AH7A
    username x privilege 15 secret 4 x
    redundancy
    ip ssh time-out 60
    ip ssh authentication-retries 5
    ip ssh version 2
    interface GigabitEthernet0/0
     description CONNECTION TO INSIDE INT. OF ASA
     ip address 10.10.0.2 255.255.255.252
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     no ip address
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/1.1
     description VLAN 10
     encapsulation dot1Q 10
     ip address 128.162.10.1 255.255.255.0
     ip helper-address 192.168.1.2
     ip virtual-reassembly in
    interface GigabitEthernet0/1.2
     description VLAN 20
     encapsulation dot1Q 20
     ip address 128.162.20.1 255.255.255.0
     ip helper-address 192.168.1.2
     ip virtual-reassembly in
    interface GigabitEthernet0/1.3
     description Trunk Interface VLAN1
     encapsulation dot1Q 1 native
     ip address 128.162.1.1 255.255.255.0
     ip helper-address 192.168.1.2
     ip virtual-reassembly in
    interface Serial0/0/0
     no ip address
     shutdown
    interface Serial0/1/0
     no ip address
     shutdown
    interface Serial0/2/0
     no ip address
     shutdown
    interface Dialer0
     no ip address
    ip default-gateway 10.10.0.1
    ip forward-protocol nd
    no ip http server
    ip http authentication local
    ip http secure-server
    ip dns server
    ip route 0.0.0.0 0.0.0.0 10.10.0.1
    ip ospf name-lookup
    access-list 1 permit any
    dialer-list 1 protocol ip permit
    snmp-server community Maladomini-RW RW
    snmp-server host 192.168.1.2 version 2c Maladomini-RW  envmon cpu snmp
    control-plane
    line con 0
     exec-timeout 0 0
     password 7 101D58415D361606050A147A
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     password 7 15415A545C0B2F29213D0B73
     transport input ssh
    scheduler allocate 20000 1000
    end
    POE Switch:
    C3560#sh run
    Building configuration...
    Current configuration : 7368 bytes
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname C3560
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$wzS5$Kl0aHmGjOrfNL8H8QN9gJ1
    enable password 7 091F1F514124131F02023A7B
    username mtuckness privilege 15 secret 5 $1$j68Z$ObA6K7Qc2Vsmyu479Hlh6/
    aaa new-model
    aaa session-id common
    clock timezone MST -7
    system mtu routing 1500
    ip domain-name maladomini.int
    password encryption aes
    crypto pki trustpoint TP-self-signed-2488747392
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2488747392
     revocation-check none
     rsakeypair TP-self-signed-2488747392
    crypto pki certificate chain TP-self-signed-2488747392
     certificate self-signed 01
      3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 32343838 37343733 3932301E 170D3933 30333031 30303031
      30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34383837
      34373339 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100B715 1CCA0EFB 6D550F27 A4B9F403 7D1CBCCE AB363F89 61AF4773 64351010
      AB866AA6 411463BC A7D9C6E3 0CA4EEEC 47C50D33 2F904AD1 8FC5B10B 8F204157
      FB5B3A4C 78BD4BDF 14F79CCC D9A0E10B 909BF5BA 095BB9AC 722197D4 3C2CB70B
      15D2A221 5FF8BC03 6A642B36 437B9E22 858BF597 F1844026 5DAF2114 EF75718D
      EC3B0203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
      551D1104 18301682 14433335 36302E6D 616C6164 6F6D696E 692E696E 74301F06
      03551D23 04183016 8014D364 9162E0D2 C7936513 1E1C677C 73D675EC 37FF301D
      0603551D 0E041604 14D36491 62E0D2C7 9365131E 1C677C73 D675EC37 FF300D06
      092A8648 86F70D01 01040500 03818100 2DE49969 2E9C7A81 E96B97A8 7E15BC69
      2DA62233 C958092D 2E51DD59 526DA795 CBFE219E 3536852A 5F71A90A BF5016E0
      F93FA6F7 55D9BA23 52A2858E B927E0FB B3DC6B20 28FBD64C 6FA956EC 3E6E8756
      F12F7182 538D13AE E343674E 41A1BDE1 A42579F2 8070FC92 5C805995 7BA25FA5
      3A89C4E5 C6B2D76F FF2C1CF9 6A8DF631
      quit
    spanning-tree mode pvst
    spanning-tree portfast bpduguard default
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh time-out 60
    ip ssh authentication-retries 5
    ip ssh version 2
    interface FastEthernet0/1
     switchport mode access
     spanning-tree portfast
    interface FastEthernet0/2
     switchport mode access
     spanning-tree portfast
    Removed interfaces
    interface GigabitEthernet0/1
     description CONNECTION TO 2821 ROUTER - TRUNK
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,10,20
     switchport mode trunk
    interface GigabitEthernet0/2
    interface GigabitEthernet0/3
    interface GigabitEthernet0/4
    interface Vlan1
     ip address 128.162.1.3 255.255.255.0
     ip helper-address 192.168.1.2
     no ip route-cache
     no ip mroute-cache
    interface Vlan10
     ip address 128.162.10.3 255.255.255.0
     ip helper-address 192.168.1.2
    interface Vlan20
     ip address 128.192.20.3 255.255.255.0
     ip helper-address 192.168.1.2
    ip default-gateway 10.10.0.2
    no ip classless
    ip http server
    ip http authentication local
    ip http secure-server
    access-list 1 permit any
    snmp-server community Maladomini-RW RO
    snmp-server location Lovington NM USA
    line con 0
     exec-timeout 0 0
     password 7 075C701416281D081E1C355D
    line vty 0 4
     password 7 0527031B2C49470758
     transport input ssh
    line vty 5 15
     exec-timeout 0 0
     password 7 05585757796D4A04100B2943
    end

    I located the issue of the packet loss. I have a security system that uploads FTP images of the cameras and after the reboot of the network, the only computer that wasn't shut down was the security camera PC.
    So I think what happened was after I brought everything back up, it was saturating the outgoing bandwidth, causing packet loss and high latency. Once I determined what it was and shut off the FTP image upload, the pings stabilized and it is working fine now. Trace routes are still not functioning, but I can live without that for now.

  • Advice required on optimal MTU and MSS settings for GRE and IPSEC connections

    Hi,
    We have 2 remote sites (Site A and Site B) which connect to our datacentres (DC) over IPSEC VPN and connect to each other over GRE tunnels.
    We had some issues recently which we believe were MTU/MSS related (browsing web servers at one location not appearing correctly, etc.).
    We got some advice from our Cisco partner and tweaked some settings but I'm still not convinced we have the optimal configuration - and we still have some problems I suspect may be MTU related.  For example, from our DC (connected to Site A by IPSEC), we CANNOT browse to the webpage of the phone system hosted at Site A.  Yet, we CAN browse to the webpage of the Site A phone system from Site B (connected over GRE)
    Site A and Site B have two WAN internet circuits each - and each provider presents their circuit to us as ethernet.
    Here are the relevant interface settings showing the currently configured MTU and MSS (both routers are configured the same way)
    Can someone advise on what the optimal settings should be for our MTU and MSS values on the various interfaces or how we might best determine the values?
    interface Tunnel1
    description *** GRE Tunnel 1 to SiteB***
    ip address [removed]
    ip mtu 1400
    ip tcp adjust-mss 1360
    keepalive 30 3
    tunnel source [removed]
    tunnel destination [removed]
    interface Tunnel2
    description *** GRE Tunnel2 to SiteB***
    ip address [removed]
    ip mtu 1400
    ip tcp adjust-mss 1360
    keepalive 30 3
    tunnel source [removed]
    tunnel destination [removed]
    interface GigabitEthernet0/0
    description "WAN Connection to Provider1"
    ip address [removed]
    ip access-group firewall in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    ip nat outside
    ip inspect cbac out
    ip virtual-reassembly in
    crypto map cryptomap
    interface GigabitEthernet0/1
    description "Connection to LAN"
    no ip address
    ip flow ingress
    ip flow egress
    duplex auto
    speed auto
    interface GigabitEthernet0/1.1
    description DATA VLAN
    encapsulation dot1Q 20
    ip address [removed]
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1320
    interface GigabitEthernet0/1.2
    description VOICE VLAN
    encapsulation dot1Q 25
    ip address [removed]
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1320
    interface GigabitEthernet0/2
    description "Connection to Provider2"
    ip address [removed]
    ip access-group firewall in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    ip nat outside
    ip inspect cbac out
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map grecrypto
    Thanks.
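    The question above is how to derive the tunnel `ip mtu` and `ip tcp adjust-mss` from the WAN MTU rather than take them on faith. The following is an added example, not code from the thread or from Cisco: it adds up the standard GRE and ESP tunnel-mode header sizes and checks a configured pair against a given physical MTU. The ESP figures assume AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV); that transform is an assumption, since the post does not show the IPsec proposal.

```python
"""Derive ip mtu / ip tcp adjust-mss for GRE and GRE-over-IPsec tunnels
from the physical (WAN) MTU.

Added example, not code from the thread.  Header sizes are the standard
ones; the ESP figures assume AES-CBC (16-byte block and IV) with
HMAC-SHA1-96 (12-byte ICV), which is an assumption about the transform.
"""

IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
GRE_HDR = 4          # base GRE header (no key, no sequence number)
GRE_OPTION = 4       # each of 'tunnel key' / 'tunnel sequence' adds 4 bytes
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
UDP_HDR = 8          # NAT-T encapsulation, when present


def gre_overhead(key=False, sequence=False):
    """Bytes GRE encapsulation adds: a new IPv4 header plus the GRE header."""
    return IP_HDR + GRE_HDR + GRE_OPTION * (int(key) + int(sequence))


def esp_overhead(block=16, icv=12, nat_t=False):
    """Worst-case bytes ESP tunnel mode adds to a packet.

    Worst case because padding can be up to block-1 bytes and the tunnel
    'ip mtu' has to hold for every packet size, not just the lucky ones.
    """
    worst_pad = block - 1
    return (IP_HDR + ESP_HDR + block + worst_pad + ESP_TRAILER + icv
            + (UDP_HDR if nat_t else 0))


def tunnel_ip_mtu(physical_mtu, encrypted=True, **esp_args):
    """Largest tunnel 'ip mtu' that never fragments after encapsulation."""
    mtu = physical_mtu - gre_overhead()
    if encrypted:
        mtu -= esp_overhead(**esp_args)
    return mtu


def adjust_mss(ip_mtu):
    """Matching 'ip tcp adjust-mss': tunnel MTU minus inner IP and TCP headers."""
    return ip_mtu - IP_HDR - TCP_HDR


def check_config(physical_mtu, ip_mtu, mss, encrypted=True, **esp_args):
    """Return findings for a configured (ip mtu, adjust-mss) pair; empty means consistent."""
    findings = []
    limit = tunnel_ip_mtu(physical_mtu, encrypted, **esp_args)
    if ip_mtu > limit:
        findings.append(
            f"ip mtu {ip_mtu} exceeds {limit}: full-size packets fragment "
            f"after encapsulation over a {physical_mtu}-byte link")
    if mss != adjust_mss(ip_mtu):
        findings.append(
            f"adjust-mss {mss} does not match ip mtu {ip_mtu} "
            f"(expected {adjust_mss(ip_mtu)})")
    return findings


if __name__ == "__main__":
    # Values from the post: WAN interfaces at ip mtu 1492, tunnels at 1400/1360.
    for phys in (1500, 1492):
        print(f"WAN MTU {phys}: plain GRE ip mtu {tunnel_ip_mtu(phys, encrypted=False)}, "
              f"GRE over ESP ip mtu {tunnel_ip_mtu(phys)} "
              f"(adjust-mss {adjust_mss(tunnel_ip_mtu(phys))})")
    for finding in check_config(1492, 1400, 1360):
        print("finding:", finding)
```

    The 1400/1360 pair in the post is the common recommendation for a 1500-byte path (the script gives 1403 as the worst-case ceiling there). Over the 1492-byte WAN interfaces shown, the ceiling drops to 1395, so the largest tunnelled packets can still be fragmented after encryption; the LAN-side `adjust-mss 1320` also implies a different tunnel MTU than 1400, which is worth reconciling before drawing conclusions from the web-browsing symptom.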

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

  • Routing protocols over IPSEC

    Why can't you run a routing protocol in IPsec tunnel mode? Why do you need GRE to run a routing protocol?

    Most of the dynamic routing protocols use multicast addressing or broadcast addressing for the destination address. IPSec processes unicast IP traffic. This is the reason that we have traditionally used GRE which can easily pass multicast and broadcast traffic within the tunnel as the way to run routing protocols over IPSec tunnels. With GRE the multicast routing protocol traffic is encapsulated in a GRE packet which has a unicast source and destination address.
    HTH
    Rick
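    To make the point in Rick's answer concrete, here is an added example (not code from the thread or from any vendor): it builds an EIGRP-style hello addressed to the well-known group 224.0.0.10, wraps it in a basic GRE header between two unicast tunnel endpoints, and then applies a model of a unicast host-to-host IPsec traffic selector to both packets. The endpoint addresses are constructed from the RFC 5737 documentation ranges and the hello payload is a placeholder, not a real EIGRP message.

```python
"""Why multicast routing-protocol hellos need GRE before IPsec can carry them.

Added example, not from the thread.  Builds a multicast hello, GRE-encapsulates
it between two unicast endpoints, and shows which packet a unicast IPsec
selector matches.  Addresses are constructed (RFC 5737); the payload is a
placeholder, not a real EIGRP message.
"""
import ipaddress
import struct

PROTO_GRE = 47
PROTO_EIGRP = 88
ETHERTYPE_IPV4 = 0x0800
EIGRP_GROUP = "224.0.0.10"     # well-known EIGRP multicast group


def _checksum(data):
    """RFC 1071 one's-complement checksum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options) with a valid checksum, plus payload."""
    length = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    """Return src, dst, protocol and payload of an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "proto": packet[9],
            "payload": packet[ihl:]}


def gre_encapsulate(tunnel_src, tunnel_dst, inner_packet):
    """Wrap an IP packet in a basic GRE header (RFC 2784) and a unicast outer IP header."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S flags, version 0
    return ipv4_packet(tunnel_src, tunnel_dst, PROTO_GRE, gre_hdr + inner_packet)


def gre_decapsulate(gre_payload):
    """Strip the 4-byte GRE header and return the inner packet."""
    flags, ethertype = struct.unpack("!HH", gre_payload[:4])
    if flags & 0xB007 or ethertype != ETHERTYPE_IPV4:   # C, K, S bits or version != 0
        raise ValueError("only basic GRE carrying IPv4 is handled here")
    return gre_payload[4:]


def selector_matches(packet, local, peer, proto=None):
    """Model of a unicast host-to-host IPsec selector ('permit <proto> host local host peer').

    A group address is never a peer's unicast address, so a raw multicast
    hello can never match such a selector; the GRE outer header can.
    """
    hdr = parse_ipv4(packet)
    if ipaddress.IPv4Address(hdr["dst"]).is_multicast:
        return False
    return (hdr["src"], hdr["dst"]) == (local, peer) and (proto is None or hdr["proto"] == proto)


def build_hello_and_tunnel(router_a="192.0.2.1", router_b="198.51.100.1"):
    """Return (raw multicast hello, the same hello GRE-encapsulated toward router_b)."""
    hello = ipv4_packet(router_a, EIGRP_GROUP, PROTO_EIGRP, b"hello-placeholder", ttl=1)
    return hello, gre_encapsulate(router_a, router_b, hello)


if __name__ == "__main__":
    hello, tunneled = build_hello_and_tunnel()
    outer = parse_ipv4(tunneled)
    inner = parse_ipv4(gre_decapsulate(outer["payload"]))
    print("raw hello   ->", parse_ipv4(hello)["dst"], "matches selector:",
          selector_matches(hello, "192.0.2.1", "198.51.100.1"))
    print("GRE outer   ->", outer["dst"], "proto", outer["proto"], "matches selector:",
          selector_matches(tunneled, "192.0.2.1", "198.51.100.1", PROTO_GRE))
    print("GRE inner   ->", inner["dst"], "proto", inner["proto"])
```

    The same structure is why a crypto ACL for a GRE-over-IPsec design is written as `permit gre host A host B`: the selector only ever sees the unicast outer header, while the multicast hellos, and everything else the routing protocol sends, ride inside.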

  • Terrible Packet Loss in Game- Please help!

    Computing statistics for 100 seconds...
    Source to Here This Node/Link
    Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
    0 Sam-PC.home [192.168.1.5]
    0/ 25 = 0% |
    1 2ms 0/ 25 = 0% 0/ 25 = 0% Wireless_Broadband_Router.home [192.168.1.1]
    1/ 25 = 4% |
    2 13ms 1/ 25 = 4% 0/ 25 = 0% L100.WASHDC-VFTTP-126.verizon-gni.net [173.66.228.1]
    0/ 25 = 0% |
    3 11ms 1/ 25 = 4% 0/ 25 = 0% G1-5-0-4.WASHDC-LCR-21.verizon-gni.net [130.81.213.68]
    0/ 25 = 0% |
    4 20ms 1/ 25 = 4% 0/ 25 = 0% so-12-1-0-0.RES-BB-RTR1.verizon-gni.net [130.81.151.230]
    0/ 25 = 0% |
    5 12ms 1/ 25 = 4% 0/ 25 = 0% 0.xe-8-0-0.BR2.IAD8.ALTER.NET [152.63.38.129]
    0/ 25 = 0% |
    6 34ms 1/ 25 = 4% 0/ 25 = 0% ae17.edge1.washingtondc12.level3.net [4.68.62.137]
    0/ 25 = 0% |
    7 33ms 2/ 25 = 8% 1/ 25 = 4% vl-3503-ve-117.ebr1.Washington12.Level3.net [4.69.158.26]
    0/ 25 = 0% |
    8 29ms 3/ 25 = 12% 2/ 25 = 8% ae-6-6.ebr1.Atlanta2.Level3.net [4.69.148.105]
    0/ 25 = 0% |
    9 30ms 2/ 25 = 8% 1/ 25 = 4% ae-63-63.ebr3.Atlanta2.Level3.net [4.69.148.241]
    0/ 25 = 0% |
    10 50ms 1/ 25 = 4% 0/ 25 = 0% ae-7-7.ebr3.Dallas1.Level3.net [4.69.134.21]
    1/ 25 = 4% |
    11 56ms 2/ 25 = 8% 0/ 25 = 0% ae-63-63.csw1.Dallas1.Level3.net [4.69.151.133]
    0/ 25 = 0% |
    12 54ms 2/ 25 = 8% 0/ 25 = 0% ae-1-60.edge2.Dallas1.Level3.net [4.69.145.11]
    0/ 25 = 0% |
    13 54ms 2/ 25 = 8% 0/ 25 = 0% 4.59.197.34
    1/ 25 = 4% |
    14 50ms 3/ 25 = 12% 0/ 25 = 0% 64.25.32.9
    0/ 25 = 0% |
    15 --- 25/ 25 =100% 22/ 25 = 88% 64.25.32.26
    0/ 25 = 0% |
    16 48ms 3/ 25 = 12% 0/ 25 = 0% 64.25.39.1
    These are the results of a test I ran, but I don't know how to solve the problem. The game is unplayable because of the amount of packet loss. I know it is an issue of connection between the game and my router, so should I get a new router if mine is old?
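    Reading pathping output is mostly about separating the "Source to Here" column, which is what the destination actually experiences, from the "This Node/Link" column, which also reflects how each router treats ICMP aimed at itself. The following is an added example (not code from the thread): it parses the run posted above, reports the end-to-end loss, and labels hops whose own figure is higher than the end-to-end loss as ICMP handling rather than path loss, since a transit hop that truly dropped that share of forwarded traffic would inflict at least the same loss on the destination. Hop 0 and the per-link rows carry no per-hop statistics and are skipped.

```python
"""Parse pathping output and separate real path loss from hops that merely
rate-limit or drop the ICMP probes aimed at them.

Added example, not from the thread.  PATHPING_OUTPUT is the run posted above.
"""
import re

PATHPING_OUTPUT = """\
Computing statistics for 100 seconds...
Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 Sam-PC.home [192.168.1.5]
0/ 25 = 0% |
1 2ms 0/ 25 = 0% 0/ 25 = 0% Wireless_Broadband_Router.home [192.168.1.1]
1/ 25 = 4% |
2 13ms 1/ 25 = 4% 0/ 25 = 0% L100.WASHDC-VFTTP-126.verizon-gni.net [173.66.228.1]
0/ 25 = 0% |
3 11ms 1/ 25 = 4% 0/ 25 = 0% G1-5-0-4.WASHDC-LCR-21.verizon-gni.net [130.81.213.68]
0/ 25 = 0% |
4 20ms 1/ 25 = 4% 0/ 25 = 0% so-12-1-0-0.RES-BB-RTR1.verizon-gni.net [130.81.151.230]
0/ 25 = 0% |
5 12ms 1/ 25 = 4% 0/ 25 = 0% 0.xe-8-0-0.BR2.IAD8.ALTER.NET [152.63.38.129]
0/ 25 = 0% |
6 34ms 1/ 25 = 4% 0/ 25 = 0% ae17.edge1.washingtondc12.level3.net [4.68.62.137]
0/ 25 = 0% |
7 33ms 2/ 25 = 8% 1/ 25 = 4% vl-3503-ve-117.ebr1.Washington12.Level3.net [4.69.158.26]
0/ 25 = 0% |
8 29ms 3/ 25 = 12% 2/ 25 = 8% ae-6-6.ebr1.Atlanta2.Level3.net [4.69.148.105]
0/ 25 = 0% |
9 30ms 2/ 25 = 8% 1/ 25 = 4% ae-63-63.ebr3.Atlanta2.Level3.net [4.69.148.241]
0/ 25 = 0% |
10 50ms 1/ 25 = 4% 0/ 25 = 0% ae-7-7.ebr3.Dallas1.Level3.net [4.69.134.21]
1/ 25 = 4% |
11 56ms 2/ 25 = 8% 0/ 25 = 0% ae-63-63.csw1.Dallas1.Level3.net [4.69.151.133]
0/ 25 = 0% |
12 54ms 2/ 25 = 8% 0/ 25 = 0% ae-1-60.edge2.Dallas1.Level3.net [4.69.145.11]
0/ 25 = 0% |
13 54ms 2/ 25 = 8% 0/ 25 = 0% 4.59.197.34
1/ 25 = 4% |
14 50ms 3/ 25 = 12% 0/ 25 = 0% 64.25.32.9
0/ 25 = 0% |
15 --- 25/ 25 =100% 22/ 25 = 88% 64.25.32.26
0/ 25 = 0% |
16 48ms 3/ 25 = 12% 0/ 25 = 0% 64.25.39.1
"""

# Per-hop row: hop, RTT ('---' when unanswered), two lost/sent = pct groups, address.
# Link rows ('0/ 25 = 0% |') and hop 0 do not match and are skipped.
HOP_LINE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+"
    r"(\d+)/\s*(\d+)\s*=\s*(\d+)%\s+"       # Source to Here
    r"(\d+)/\s*(\d+)\s*=\s*(\d+)%\s+"       # This Node/Link (the node figure)
    r"(.+?)\s*$")


def parse_pathping(text):
    """Return one dict per hop that carries statistics, in path order."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        hops.append({"hop": int(m.group(1)),
                     "rtt_ms": None if m.group(2) == "---" else int(m.group(2).rstrip("ms")),
                     "source_to_here_pct": int(m.group(5)),
                     "node_pct": int(m.group(8)),
                     "address": m.group(9)})
    return hops


def end_to_end_loss(hops):
    """Loss the destination actually sees: the last hop's source-to-here figure."""
    return hops[-1]["source_to_here_pct"]


def classify(hops):
    """Label each hop: 'clean', 'possible path loss', or 'icmp-deprioritised'.

    A node figure above the end-to-end loss cannot be forwarding loss (the
    destination would have lost at least as much), so it is the hop's own
    ICMP handling.  Figures at or below it may be real and deserve a look.
    """
    e2e = end_to_end_loss(hops)
    labels = {}
    for hop in hops:
        if hop["node_pct"] == 0:
            labels[hop["address"]] = "clean"
        elif hop["node_pct"] > e2e:
            labels[hop["address"]] = "icmp-deprioritised"
        else:
            labels[hop["address"]] = "possible path loss"
    return labels


def first_lossy_hop(hops):
    """Hop number where source-to-here loss first rises above zero."""
    return next((h["hop"] for h in hops if h["source_to_here_pct"] > 0), None)


if __name__ == "__main__":
    hops = parse_pathping(PATHPING_OUTPUT)
    print(f"end-to-end loss: {end_to_end_loss(hops)}%, first loss seen at hop {first_lossy_hop(hops)}")
    for hop in hops:
        print(f"{hop['hop']:>2} {classify(hops)[hop['address']]:<20} {hop['address']}")
```

    On this run the destination sees 12% loss, which is what makes the game unplayable; the 88% at hop 15 is the router not answering probes, not the path, and the hops worth asking about are the ones from hop 7 onward where the source-to-here figure first settles around 8 to 12%.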

    The router I would imagine to be okay for the first bit, but for the sake of things, reboot the router and also try giving your ONT a reboot by unplugging it from AC power and then disconnecting the battery. Re-connect it after 30 seconds by connecting the battery and then plugging it back into AC power.
    Also, see if the packet loss takes place during specific times of the day. If your router has a WAN connection over Coax (rather than an Ethernet connection) to your ONT, also consider checking your MoCa speeds based on this FAQ. Poor MoCa speeds can suggest shoddy coaxial causing some issues, too: https://secure.dslreports.com/faq/verizonfios/3.2_MOCA#16569
    ========
    The first to bring me 1Gbps Fiber for $30/m wins!
