
PIX-to-1751 vpn performance issue

Status
Not open for further replies.

Bubbalouie

Technical User
Mar 25, 2009
107
US
In the interests of full disclosure, I am what passes for an IT Dude where I work, but I ain't a router guy...

I have a PIX 506e that has 10 site-to-site VPNs on it. The far end of each VPN is a Cisco 1750/1751 series router. At the site where the PIX is, I'll call it Site1 (192.168.1.0 255.255.255.0) from here on, I have a couple of application servers and I'll just call them Server1 and Server2. Both servers are plugged into the same Cisco 3548XL switch. There is a Cisco 1750 Router at Site1 that does routing (I 'inherited' the network so I think that's what it does...).

At one of the remote sites, I'll call it Site9 (192.168.9.0 255.255.255.0), I am having trouble with speed/performance issues accessing Server2 which houses a web application. The other sites have the same trouble it seems, but only Site9 actually needs to access the server. Site9's need for this app is recent whereas Site1 has used it on the LAN for a couple of years.

On Server1 I can ping workstations at Site9. On Server2 I cannot ping workstations at Site9. The reverse holds true in that, when I am at Site9, I can jump on a workstation and ping Server1 but I can't ping Server2. When at Site9 I can actually pull up the web app hosted on Server2, but the performance is very sluggish and makes the app virtually unusable.

When I do successfully ping from Site1 to Site9 or Site9 to Site1 I get some 'no response' messages, around 5%.

I cannot understand why the two servers would behave differently as far as the pinging goes. Outside of different fixed IP addresses, they are identical. I can ping one but not the other and they are right next to each other and plugged into the same switch.

Should I be looking at this as a routing issue, a config issue, or should I be looking at MTUs? They seem different for each machine (Server1 is about 1416 for no DF message, though to get a response I have to take it down to about 1272. Server2 gives no DF message at 1472, but I never get a response regardless of packet size).

Also, in case it's a dumb config issue: this is new 2xT1 service at Site9, and these are my interfaces on the 1751 router at Site9.

---Site9 Router---
interface Ethernet0/0
description WAN Interface to ATT 2801 router
ip address xx.xx.xx.xx 255.255.255.248
ip access-group FromOutside in
ip nat outside
no ip mroute-cache
half-duplex
no keepalive
no cdp enable
crypto map towash
!
interface FastEthernet0/0
description LAN Interface connected to 2924XL switch
ip address 192.168.9.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip tcp adjust-mss 1400
no ip mroute-cache
speed auto
no cdp enable

This is the interface on the 2924XL switch that the fe0/0 interface on the router is connected to.

---Site9 Switch---
interface FastEthernet0/24
!

Should I have the speed and duplex hard coded on both those interfaces as speed 100 / duplex full?

The Site9 Router's Ethernet0/0 interface is connected to the ATT router's FastEthernet0/0 interface. Should I be calling ATT and asking them how that interface is set up? If I'm connecting an ethernet interface to their fastethernet interface, how should I config that interface?

And lastly, is there a way I can tell how much bandwidth on the PIX and on the 1751 are devoted to the vpn?

Whew! That's enough questions from me for the moment!

If anyone can just point me in the right direction as far as troubleshooting this issue I'd be most appreciative!
 
Changing the speed/duplex to full/100 would be a good start. I would also check with ATT and find out if they are doing bandwidth management to your location. You would also need to post configs of both end points to compare/contrast what is going on.
 
OK, I changed to full/100. I'm still getting dropped ping requests, but I'll see what the users say.

 
I had to email ATT for their router config so I can see how their router interface is set up.

In the meantime, here is the output from a show int ethernet0/0 command. It's the interface hooked up to the fastethernet interface on the ATT router. There are a lot of collisions and deferred frames. What would that indicate?

MyRouter_1750#show int ethernet0/0
Ethernet0/0 is up, line protocol is up
Hardware is PQUICC Ethernet, address is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Description: WAN Interface to ATT 2801 router
Internet address is xx.xx.xx.xx/29
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Half-duplex, 10BaseT
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 25000 bits/sec, 9 packets/sec
5 minute output rate 13000 bits/sec, 12 packets/sec
12689810 packets input, 721508073 bytes, 0 no buffer
Received 34158 broadcasts, 0 runts, 0 giants, 0 throttles
3 input errors, 0 CRC, 0 frame, 3 overrun, 0 ignored
0 input packets with dribble condition detected
11268266 packets output, 3935126324 bytes, 0 underruns
0 output errors, 37915 collisions, 0 interface resets
0 babbles, 0 late collision, 123423 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
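One way to read counters like the ones above, as an added example that is not from the thread: a small Python parser for that IOS show interface output, with a rule-of-thumb diagnosis whose thresholds are my assumption. It shows that this side logs no late collisions, so the counters point at a busy half-duplex link rather than a duplex mismatch on this end.

```python
import re

# Constructed sample: the counters from the "show int ethernet0/0" output posted above.
SAMPLE_SHOW_INT = """\
Ethernet0/0 is up, line protocol is up
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
Half-duplex, 10BaseT
12689810 packets input, 721508073 bytes, 0 no buffer
Received 34158 broadcasts, 0 runts, 0 giants, 0 throttles
3 input errors, 0 CRC, 0 frame, 3 overrun, 0 ignored
11268266 packets output, 3935126324 bytes, 0 underruns
0 output errors, 37915 collisions, 0 interface resets
0 babbles, 0 late collision, 123423 deferred
"""

COUNTERS = {  # counter name -> regex over the IOS "show interface" text
    "packets_output": r"(\d+) packets output",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
    "deferred": r"(\d+) deferred",
    "crc": r"(\d+) CRC",
    "runts": r"(\d+) runts",
}

def parse_show_int(text):
    """Extract duplex, speed and the error counters that matter for a duplex diagnosis."""
    m = re.search(r"^(\S+) is (\w+), line protocol is (\w+)", text, re.M)
    fields = {"name": m.group(1)}
    m = re.search(r"^(Half|Full)-duplex, (\S+)", text, re.M)
    fields["duplex"], fields["speed"] = m.group(1).lower(), m.group(2)
    for key, pat in COUNTERS.items():
        fields[key] = int(re.search(pat, text).group(1))
    return fields

def diagnose(f):
    """Rule-of-thumb reading (thresholds are this example's assumption): the half-duplex
    side of a mismatch logs late collisions, the full-duplex side logs CRC errors and runts;
    plain collisions/deferrals on a half-duplex link mean the medium is busy, not mismatched."""
    out = max(f["packets_output"], 1)
    r = {
        "collision_pct": round(100.0 * f["collisions"] / out, 2),
        "deferred_pct": round(100.0 * f["deferred"] / out, 2),
    }
    if f["duplex"] == "half":
        r["mismatch_suspected"] = f["late_collisions"] > 0
    else:
        r["mismatch_suspected"] = f["crc"] > 0 or f["runts"] > 0
    r["link_contended"] = f["duplex"] == "half" and (r["collision_pct"] > 0.1 or r["deferred_pct"] > 0.5)
    return r
```

Run the same parser on the far-end port's output: a full-duplex side of a mismatch shows up as CRC errors and runts there, which this side's counters cannot reveal.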
 
They have their port set at something other than 100/full. Where did you change speed and duplex? Your sh int shows: Half-duplex, 10BaseT

 
I changed the speed and duplex on the fastethernet0/0 port on my 1751 router and the port on my 2924xl switch that my router is hooked up to. They both are now hard coded to run full/100.

The show int command above shows the output from the ethernet0/0 port on my 1751. The ethernet0/0 port on the 1751 is hooked to the fastethernet0/0 port on the front of ATT's 2801 router.

 
I still haven't got the config from ATT yet. I'm just wondering if there is some problem between the ethernet0/0 port on my 1751 and the fastethernet0/0 on ATT's 2801.

I can't seem to change the speed setting on the ethernet0/0 port, though I can change the duplex. Since ATT is using a fastethernet port, what should I ask them to set the fastethernet port on the 2801 to?

The outside interface of my PIX is hooked to an identical ATT router fastethernet0/0 port. The settings on it are:

MTU 1500 bytes, BW 10000 Kbit half duplex

Could it be that both the 1751 and the PIX ethernet ports being connected to a fastethernet port, resulting in a speed and/or duplex mismatch, is what is causing things to appear so sluggish?

I'll post the configs once I've scrubbed them.

 
I'd love to know how the nonat access-list works...

---Site9 Router Config---

Code:
Site9_1751#show run
Building configuration...

Current configuration : 2814 bytes
!
! Last configuration change at 00:38:42 UTC Wed Sep 28 2005
! NVRAM config last updated at 17:49:16 UTC Wed Sep 14 2005
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site9_1751
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$xu1S$bBIlcpIaFLtLpiW/epKOZ/
enable password ************
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.9.1 192.168.9.20
!
ip dhcp pool 1
   network 192.168.9.0 255.255.255.0
   domain-name Site9
   dns-server 208.67.222.222 208.67.220.220
   netbios-name-server 192.168.1.222
   netbios-node-type h-node
   default-router 192.168.9.1
!
ip cef
ip audit po max-events 100
!
!
!
!
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key SecRetIsakMp357 address xx.xx.xx.xx
!
!
crypto ipsec transform-set s1s2trans esp-3des esp-md5-hmac
!
crypto map towash 11 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set s1s2trans
 match address 121
!
!
!
interface Loopback0
 ip address 10.10.240.1 255.255.255.252
!
interface Ethernet0/0
 description WAN Interface to ATT 2801 router
 ip address xx.xx.xx.xx 255.255.255.248
 ip access-group FromOutside in
 ip nat outside
 no ip mroute-cache
 half-duplex
 no keepalive
 no cdp enable
 crypto map towash
!
interface FastEthernet0/0
 description LAN Interface connected to 2924xl Port 24
 ip address 192.168.9.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip tcp adjust-mss 1400
 no ip mroute-cache
 speed 100
 full-duplex
 no cdp enable
!
router rip
 version 2
 network 192.168.9.0
 no auto-summary
!
ip nat pool Site9_1750-natpool-1 192.168.9.21 192.168.9.254 netmask 255.255.255.0
ip nat inside source route-map nonat interface Ethernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
no ip http server
no ip http secure-server
!
!
!
ip access-list extended FromOutside
 deny   ip 192.168.9.0 0.0.0.255 any
 permit ip any any
ip access-list extended nonat
 deny   ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
 permit ip 192.168.9.0 0.0.0.255 any
access-list 10 permit 192.168.9.0 0.0.0.255
access-list 121 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 permit ip 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 125 permit ip host 192.168.9.11 192.168.1.0 0.0.0.255
access-list 125 permit tcp host 192.168.9.11 192.168.1.0 0.0.0.255
no cdp run
!
route-map nonat permit 10
 match ip address nonat
!
route-map letmego permit 10
 set ip next-hop 10.10.240.2
!
!
line con 0
line aux 0
line vty 0 4
 password ************
 login
!
end
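As an added example that is not part of the thread, here is how the nonat route-map and crypto ACL 121 in the config above interact, modelled in Python: NAT runs before the crypto map, so a flow that ACL nonat does not deny is translated and then no longer matches ACL 121. The WAN address is a placeholder for the scrubbed xx.xx.xx.xx, and exemption_gaps() is a check of my own for crypto-ACL entries the NAT exemption does not cover.

```python
import ipaddress

def wildcard_match(ip, base, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_permits(acl, src, dst):
    """First-match evaluation of entries (action, src, src_wc, dst, dst_wc); implicit deny."""
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
# ACLs transcribed from the Site9_1751 config above.
NONAT = [
    ("deny",   "192.168.9.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("deny",   "192.168.9.0", "0.0.0.255", "192.168.6.0", "0.0.0.255"),
    ("permit", "192.168.9.0", "0.0.0.255", *ANY),
]
ACL_121 = [
    ("permit", "192.168.9.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.9.0", "0.0.0.255", "192.168.6.0", "0.0.0.255"),
]
OUTSIDE_IP = "203.0.113.9"  # placeholder for the scrubbed xx.xx.xx.xx WAN address

def outbound_path(src, dst, nonat=NONAT, crypto_acl=ACL_121):
    """IOS order of operations for inside->outside packets: NAT runs before the
    crypto map is consulted, so ACL 121 sees the translated source.
    Returns (source as it leaves Ethernet0/0, 'vpn' or 'clear')."""
    # 'ip nat inside source route-map nonat ... overload' translates only when
    # ACL nonat permits; its deny lines are the NAT exemption for tunnel traffic.
    wan_src = OUTSIDE_IP if acl_permits(nonat, src, dst) else src
    # 'crypto map towash 11 ... match address 121' selects traffic for the tunnel.
    return wan_src, ("vpn" if acl_permits(crypto_acl, wan_src, dst) else "clear")

def exemption_gaps(crypto_acl, nonat):
    """Crypto-ACL entries whose traffic would be NATed before it reaches the tunnel,
    e.g. a subnet added to ACL 121 without a matching deny in ACL nonat."""
    gaps = []
    for action, s, swc, d, dwc in crypto_acl:
        if action != "permit":
            continue
        # Probe with the first host of each subnet as a representative flow.
        probe = [str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(a)) + 1)) for a in (s, d)]
        if outbound_path(probe[0], probe[1], nonat, crypto_acl)[1] != "vpn":
            gaps.append((s, swc, d, dwc))
    return gaps
```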
 