Site-to-Site VPN

ruswahyudi (Technical User), Jan 25, 2004
I implemented a site-to-site VPN using a CISCO 2621 with AIM-VPN at both sides. Everything was working fine in the testing environment until we went to production mode.

In the testing environment, I just connected two laptops at both sides and did the testing. The testing included:

1. Ping at various sizes.
- at normal ping size, 32 bytes = 30-50ms
- at non-fragmented 1400 bytes = 200ms (MTU 1440)
The results were stable; timeouts rarely occurred.
2. Transfer of files of ~10MB. It takes 2-4 times longer than our existing frame relay connection.

Basically, we were pleased with the results. Based on those, we decided to move to production mode.

Unfortunately, once we went to production mode, everything went wrong. The ping results were no longer satisfactory; even at 32 bytes, timeouts occurred frequently. We have checked the routing table, and everything looks fine.

Could somebody help me please? I think I have missed something.

Regards,
Ruswahyudi
 
First thing I would look at is the CPU; it's possible that hitting the router with production traffic is maxing out the processor.

Look at 'sh proc' and 'sh mem'; what do you see? Also run 'sh ver'; it should report the VPN encryption module. Do you see it?

How about posting the config if you're still having problems.
 
Hi, thanks for the reply.
I did check the CPU and memory; everything is normal, <5%.

We also do MRTG monitoring for bandwidth utilization. During the testing period, the traffic could go up to the limit, i.e. 512kb/s. But in production, it cannot pass 40kb/s.

I quote some lines of my router config at one end:

!
! IKE phase 1 policy
crypto isakmp policy 30
encr 3des
hash md5
authentication rsa-encr
group 2
lifetime 43200
!
!
! IPsec transform set; transport mode, since the protected traffic is the GRE tunnel itself
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
mode transport
!
!
---- Jump to another lines ----
!
!
! Traffic shaping applied to the tunnel output
policy-map MYPOLICY
class VPN-TRAFFIC
shape peak 512000
!
!
interface Tunnel1
bandwidth 512
ip address <ip_addr> <netmask>
ip mtu 1440
service-policy output MYPOLICY
no ip route-cache cef
ip ospf cost 200
ip ospf mtu ignore
tunnel source <ip_addr_from_isp>
tunnel destination <ip_addr_dest>
crypto map MYMAP
!
!
--- Jump to another lines ----
!
interface Serial0/0
ip address <ip_addr_from_isp> <netmask>
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
! CAR: inbound traffic matching ACL 101 limited to 8000 bps (normal burst 1500 bytes, max burst 2000 bytes)
rate-limit input access-group 101 8000 1500 2000 conform-action transmit exceed-action drop
crypto map MYMAP
!
------------------------------------------------

A story about the IP MTU on Tunnel1.
We set the MTU to 1440 (transport mode), but the performance during the testing period was bad. We tried another value, i.e. 1500; the performance was good during the test period.

I know, theoretically the possible value is 1440. I do not know why 1500 was better in this case.


Regards,
Ruswahyudi
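The MTU question in the thread can be checked by working out the ESP overhead for the transform set quoted above (esp-3des esp-sha-hmac, GRE inside). The following is an added example, not code from the thread or from Cisco; it assumes plain GRE (4-byte header), an 8-byte IV and 8-byte cipher block for 3DES, a 12-byte truncated HMAC, and IPv4 headers without options, and it also computes tunnel mode so the two modes can be compared.

```python
# Added example (not from the thread): bytes on the wire for a GRE packet
# carried by IPsec ESP, to see why "ip mtu 1440" on Tunnel1 fits a 1500-byte
# serial link while "ip mtu 1500" makes every full-size packet fragment.

IP_HDR = 20          # IPv4 header without options (assumption)
GRE_HDR = 4          # plain GRE, no key/sequence options (assumption)
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
CIPHER = {
    # cipher: (IV length, cipher block size); esp-3des is 8-byte CBC blocks
    "esp-3des": (8, 8),
    "esp-aes": (16, 16),
}
ICV = {"esp-sha-hmac": 12, "esp-md5-hmac": 12}  # HMAC-96 truncation


def esp_wire_size(inner_ip_len, cipher="esp-3des", auth="esp-sha-hmac",
                  mode="transport"):
    """Size on the wire of one GRE packet whose inner IP packet is
    inner_ip_len bytes (the tunnel's 'ip mtu'), after ESP encapsulation."""
    iv_len, block = CIPHER[cipher]
    # Transport mode reuses the GRE delivery header as the outer IP header;
    # tunnel mode wraps the whole GRE/IP packet in a new 20-byte header.
    plaintext = GRE_HDR + inner_ip_len
    if mode == "tunnel":
        plaintext += IP_HDR
    # ESP pads plaintext plus trailer up to a multiple of the block size.
    padded = (plaintext + ESP_TRAILER + block - 1) // block * block
    return IP_HDR + ESP_HDR + iv_len + padded + ICV[auth]


def fragments(inner_ip_len, link_mtu=1500, **kw):
    """True if the encapsulated packet no longer fits the physical link."""
    return esp_wire_size(inner_ip_len, **kw) > link_mtu


if __name__ == "__main__":
    for mtu in (1400, 1440, 1500):
        for mode in ("transport", "tunnel"):
            size = esp_wire_size(mtu, mode=mode)
            print(f"ip mtu {mtu} ({mode}): {size} bytes on wire, "
                  f"fragments={size > 1500}")
```

With the quoted transform set, an inner packet of 1440 bytes becomes 1496 bytes in transport mode (fits a 1500-byte link) but 1520 bytes in tunnel mode, and 1500-byte inner packets become 1560 bytes, so the serial interface must fragment them.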
 