Tunnel Issues

wrwarwick Member Posts: 104
Hi all,

I have a question about a config that I am working on currently. A little background on how the network is setup:

Customer Router
----> GRE w/ IPSec (through Internet)
----> Sonicwall NSA 2400
----> Customer Router (at our location, end point of Tunnel)

Basically we are hosting a customer system at our location. Our main router is a Sonicwall NSA 2400 connected to an AT&T Metro-E line. The customer has given us a Cisco 800 to use behind our Sonicwall for a VPN from their office to ours.

The customer is complaining that speeds from their system (an AS/400) are slow at certain times. It seems like the slowdown occurs when they perform an intensive data pull from their system to their office. During this time they complain of extreme slowness, even though an AS/400 is all terminal traffic.

Here are the two configs...

Customer Office Router:

FDLBump-FDL#sh run
Building configuration...

Current configuration : 8689 bytes
!
! Last configuration change at 23:52:58 CST Mon Feb 14 2011 by svcuser5
! NVRAM config last updated at 23:48:54 CST Mon Feb 14 2011 by svcuser5
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname FDLBump-FDL
!
boot-start-marker
boot-end-marker
!
logging buffered 64000
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_AUTHEN group radius local
aaa authorization exec default local
aaa authorization network VPN_AUTHOR local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
!
!
dot11 syslog
!
!
ip cef
ip dhcp excluded-address 192.168.0.201 192.168.0.254
ip dhcp excluded-address 192.168.0.1 192.168.0.40
ip dhcp excluded-address 192.168.0.42 192.168.0.99
!
!
no ip domain lookup
ip domain name fdlbx.local
!
multilink bundle-name authenticated
!
!
username svcuser5 privilege 15 secret 5
username remoteadmin privilege 15 secret 5
!
!
crypto isakmp policy 50
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 5
crypto isakmp key address 12.196.33.94 no-xauth
crypto isakmp key address 71.117.49.3 no-xauth
!
crypto isakmp client configuration group FDLBVPN
key
dns 192.168.0.80
wins 192.168.0.80
domain fdlbx.local
pool CVPN_POOL
acl SPLIT_TUN
split-dns fdlbx.local
!
!
crypto ipsec transform-set AESSHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set AESSHATRANS esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile TUN_SEC
description Tunnel IPSec Profile
set security-association lifetime seconds 86400
set transform-set AESSHATRANS
!
!
crypto dynamic-map DYN_MAP 10
set security-association lifetime seconds 14400
set transform-set AESSHA
reverse-route
!
!
crypto map VPN_MAP client authentication list VPN_AUTHEN
crypto map VPN_MAP isakmp authorization list VPN_AUTHOR
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 10 ipsec-isakmp dynamic DYN_MAP
!
archive
log config
hidekeys
path flash:cfgbackup
maximum 5
write-memory
!
!
ip scp server enable
!
track 1 rtr 1
!
class-map match-all SAN_Repl_Class
match access-group name SAN_Repl
!
!
policy-map Internet_Policy
class SAN_Repl_Class
bandwidth percent 10
random-detect
class class-default
bandwidth percent 90
policy-map Internet_Output
class class-default
shape average 1450000
service-policy Internet_Policy
!
!
!
!
interface Loopback0
description Loopback of Static Bypass
ip address 192.168.252.1 255.255.255.252
!
interface Tunnel0
description Tunnel to Wausau
bandwidth 1500
ip address 192.168.254.1 255.255.255.252
ip route-cache flow
qos pre-classify
tunnel source FastEthernet0
tunnel destination 71.117.49.3
tunnel key 5551212
tunnel path-mtu-discovery
tunnel protection ipsec profile TUN_SEC
!
interface Tunnel1
description Tunnel to ServIT
bandwidth 1500
ip address 192.168.254.5 255.255.255.252
ip route-cache flow
qos pre-classify
tunnel source FastEthernet0
tunnel destination 12.196.33.94
tunnel key 5551212
tunnel path-mtu-discovery
tunnel protection ipsec profile TUN_SEC
!
interface FastEthernet0
description TDS XData Internet
bandwidth 1500
ip address 69.128.112.78 255.255.255.252
ip access-group OUT_ACL in
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
no cdp enable
crypto map VPN_MAP
service-policy output Internet_Output
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
description Router Link
switchport access vlan 2
!
interface FastEthernet9
!
interface Vlan1
description FDL LAN Connection
ip address 192.168.0.3 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1350
standby 1 ip 192.168.0.2
standby 1 ip 192.168.0.1 secondary
standby 1 priority 150
standby 1 preempt delay minimum 30
standby 1 track 1 decrement 125
!
interface Vlan2
description L3 Router Link
ip address 192.168.254.253 255.255.255.252
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Async1
no ip address
encapsulation slip
shutdown
!
router eigrp 100
redistribute static route-map STATIC_DIST_MAP
passive-interface default
no passive-interface Tunnel0
no passive-interface Tunnel1
no passive-interface Vlan2
network 192.168.0.0 0.0.255.255
default-metric 1500 1 255 1 1500
no auto-summary
!
ip local pool CVPN_POOL 192.168.253.1 192.168.253.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 69.128.112.77
!
ip flow-cache timeout active 1
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 192.168.0.81 9996
ip flow-top-talkers
top 10
sort-by bytes
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.0.80 25 interface FastEthernet0 25
ip nat inside source static tcp 192.168.0.80 143 interface FastEthernet0 143
ip nat inside source static tcp 192.168.0.80 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.0.83 3306 interface FastEthernet0 3306
ip nat inside source static tcp 192.168.0.78 21 interface FastEthernet0 21
ip nat inside source static tcp 192.168.0.78 20 interface FastEthernet0 20
ip nat inside source route-map NAT_MAP interface FastEthernet0 overload
!
ip access-list standard CVPN_ACL
permit 192.168.253.0 0.0.0.255
ip access-list standard DEFAULT_ROUTE
permit 0.0.0.0
ip access-list standard SNMP_ACL
permit 192.168.0.81
!
ip access-list extended NAT_BYPASS
permit ip 192.168.0.0 0.0.0.255 192.168.253.0 0.0.0.255
ip access-list extended NAT_LAN
deny ip 192.168.0.0 0.0.0.255 192.168.253.0 0.0.0.255
deny ip any 192.168.253.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended OUT_ACL
permit tcp host 204.11.140.224 any eq smtp
permit tcp host 82.165.253.100 any eq smtp
permit tcp host 74.86.118.9 any eq smtp
permit tcp 174.37.170.192 0.0.0.31 any eq smtp
permit tcp 174.36.242.64 0.0.0.31 any eq smtp
permit tcp 208.43.201.128 0.0.0.31 any eq smtp
permit tcp 38.105.35.64 0.0.0.63 any eq smtp
permit tcp 67.225.140.128 0.0.0.63 any eq smtp
deny tcp any any eq smtp
permit tcp host 12.196.33.94 any eq ftp
permit tcp host 12.196.33.94 any eq ftp-data
permit tcp host 12.196.33.91 any eq ftp
permit tcp host 12.196.33.91 any eq ftp-data
permit tcp host 69.21.172.118 any eq ftp
permit tcp host 69.21.172.118 any eq ftp-data
deny tcp any any eq ftp
deny tcp any any eq ftp-data
permit ip any any
ip access-list extended SAN_Repl
permit tcp any any eq 873
permit tcp any eq 873 any
permit ip host 192.168.0.81 host 192.168.5.5
ip access-list extended SPLIT_TUN
permit ip 192.168.0.0 0.0.255.255 192.168.253.0 0.0.0.255
ip access-list extended VTY
permit tcp host 216.127.205.253 any eq 22
permit tcp host 69.128.112.78 any eq 22
permit tcp host 24.158.8.234 any eq 22
permit tcp 192.168.0.0 0.0.255.255 any eq telnet
permit tcp 192.168.0.0 0.0.255.255 any eq 22
!
ip radius source-interface Vlan1
ip sla 1
icmp-echo 4.2.2.2 source-interface FastEthernet0
timeout 250
frequency 30
ip sla schedule 1 life forever start-time now
snmp-server community MonitoringRO RO SNMP_ACL
snmp-server community MonitoringRW RW SNMP_ACL
snmp-server ifindex persist
!
!
!
route-map NAT_MAP_BACKUP permit 10
match ip address NAT_LAN
!
route-map STATIC_BYPASS_MAP permit 10
match ip address NAT_BYPASS
set ip next-hop 192.168.252.2
set interface Loopback0
!
route-map STATIC_DIST_MAP permit 10
match ip address CVPN_ACL
!
route-map NAT_MAP permit 10
match ip address NAT_LAN
match interface FastEthernet0
!
!
!
tacacs-server host 192.168.0.80 key 7
radius-server host 192.168.0.80 auth-port 1645 acct-port 1646 key
!
control-plane
!
!
line con 0
line 1
modem InOut
no exec
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
no exec
line vty 0 4
access-class VTY in
!
ntp clock-period 17179810
ntp server 192.168.0.80
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

Customer Router at our location:

FDLBump-ServIT#sh run
Building configuration...

Current configuration : 7131 bytes
!
! Last configuration change at 23:39:01 CST Mon Feb 14 2011 by svcuser5
! NVRAM config last updated at 23:39:02 CST Mon Feb 14 2011 by svcuser5
!
version 15.1
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname FDLBump-ServIT
!
boot-start-marker
warm-reboot
boot-end-marker
!
logging buffered 8196
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_AUTHEN group radius local
aaa authorization exec default local
aaa authorization network VPN_AUTHOR local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
!
!
!
!
aaa session-id common
!
clock timezone CST -6
clock summer-time CDT recurring
!
!
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name fdlbx.local
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FTX135180V1
!
!
archive
log config
hidekeys
path flash:cfgbackup
maximum 5
write-memory
username svcuser5 privilege 15 secret 5
username admin privilege 15 secret 5
username FDLBVPN password 7
username remoteadmin privilege 15 secret 5
!
!
!
!
no ip ftp passive
ip ssh logging events
ip ssh version 2
ip scp server enable
!
policy-map 1.4Mbps_Output
class class-default
shape average 1400000
!
!
!
crypto isakmp policy 50
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 5
crypto isakmp key address 69.128.112.78
crypto isakmp key address 71.117.49.3
crypto isakmp key address 216.127.205.253 no-xauth
!
crypto isakmp client configuration group FDLBVPN
key
dns 192.168.0.80
wins 192.168.0.80
domain fdlbx.local
pool CVPN_POOL
acl SPLIT_TUN
split-dns fdlbx.local
!
!
crypto ipsec transform-set AESSHATRANS esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set AESSHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile TUN_SEC
description Tunnel IPSec Profile
set security-association lifetime seconds 86400
set transform-set AESSHATRANS
!
!
crypto dynamic-map DYN_MAP 10
set security-association lifetime seconds 14400
set transform-set AESSHA
reverse-route
!
!
crypto map VPN_MAP client authentication list VPN_AUTHEN
crypto map VPN_MAP isakmp authorization list VPN_AUTHOR
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 10 ipsec-isakmp dynamic DYN_MAP
!
!
!
!
!
interface Loopback0
description Loopback for Management
ip address 192.168.252.9 255.255.255.252
!
interface Tunnel0
description Tunnel to FDL
bandwidth 1500
ip address 192.168.254.6 255.255.255.252
ip flow ingress
qos pre-classify
tunnel source FastEthernet8
tunnel destination 69.128.112.78
tunnel key 5551212
tunnel path-mtu-discovery
tunnel protection ipsec profile TUN_SEC
!
interface Tunnel1
description Tunnel to Wausau
bandwidth 1500
ip address 192.168.254.9 255.255.255.252
ip flow ingress
qos pre-classify
tunnel source FastEthernet8
tunnel destination 71.117.49.3
tunnel key 5551212
tunnel path-mtu-discovery
tunnel protection ipsec profile TUN_SEC
!
interface Tunnel2
description Tunnel to FDL Backup
bandwidth 1500
ip address 192.168.254.134 255.255.255.252
ip flow ingress
delay 500100
qos pre-classify
tunnel source FastEthernet8
tunnel destination 216.127.205.253
tunnel key 5551212
tunnel path-mtu-discovery
tunnel protection ipsec profile TUN_SEC
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
description Internet Connection
bandwidth 1500
ip address 12.196.33.94 255.255.255.224
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
no cdp enable
crypto map VPN_MAP
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
description ServIT LAN
ip address 192.168.100.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1350
ip policy route-map STATIC_BYPASS_MAP
!
interface Async1
no ip address
encapsulation slip
shutdown
!
!
router eigrp 100
network 192.168.0.0 0.0.255.255
redistribute static route-map STATIC_DIST_MAP
passive-interface default
no passive-interface Tunnel0
no passive-interface Tunnel1
no passive-interface Tunnel2
!
ip local pool CVPN_POOL 192.168.251.1 192.168.251.99
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-cache timeout active 1
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 192.168.0.81 9996
!
ip nat inside source route-map NAT_MAP interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 12.196.33.65
!
ip access-list standard CVPN_ACL
permit 192.168.251.0 0.0.0.255
ip access-list standard SNMP_ACL
permit 192.168.0.81
!
ip access-list extended NAT_BYPASS
permit ip any 192.168.251.0 0.0.0.255
ip access-list extended NAT_LAN
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended OUT_ACL
permit tcp host 204.11.140.224 any eq smtp
permit tcp host 82.165.253.100 any eq smtp
permit tcp host 74.86.118.9 any eq smtp
permit tcp 174.37.170.192 0.0.0.31 any eq smtp
permit tcp 174.36.242.64 0.0.0.31 any eq smtp
permit tcp 208.43.201.128 0.0.0.31 any eq smtp
permit tcp 38.105.35.64 0.0.0.63 any eq smtp
permit tcp 67.225.140.128 0.0.0.63 any eq smtp
deny tcp any any eq smtp
permit ip any any
ip access-list extended SPLIT_TUN
permit ip 192.168.0.0 0.0.255.255 192.168.251.0 0.0.0.255
ip access-list extended VTY
permit tcp host 216.127.205.253 any eq 22
permit tcp host 69.128.112.78 any eq 22
permit tcp host 24.158.8.234 any eq 22
permit tcp 192.168.0.0 0.0.255.255 any eq telnet
permit tcp 192.168.0.0 0.0.255.255 any eq 22
ip access-list extended VTY_ACL
permit ip 192.168.0.0 0.0.255.255 any
permit tcp host 24.158.8.234 any eq 22
permit tcp host 69.128.112.78 any eq 22
!
ip radius source-interface Vlan1
!
!
!
!
route-map STATIC_BYPASS_MAP permit 10
match ip address NAT_BYPASS
set ip next-hop 192.168.252.10
set interface Loopback0
!
route-map STATIC_DIST_MAP permit 10
match ip address CVPN_ACL
!
route-map NAT_MAP permit 10
match ip address NAT_LAN
!
snmp-server community MonitoringRO RO SNMP_ACL
snmp-server community MonitoringRW RW SNMP_ACL
snmp-server ifindex persist
!
tacacs-server host 192.168.0.80 key 7
radius-server host 192.168.0.80 auth-port 1645 acct-port 1646 key 7
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
no exec
line vty 0 4
access-class VTY in
transport input all
!
scheduler max-task-time 5000
ntp server 192.168.0.80
end

The only thing that stands out to me is that the GRE tunnel interfaces are missing the "ip tcp adjust-mss XXX" command, which, if I understand correctly, can prevent fragmentation on the connection, which could possibly be causing the slowdown.

Any ideas?
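As an added example (not part of the post above, and not IOS output), the following Python sizes up what a TCP segment costs on the wire once it is wrapped in GRE with a 4-byte key and then in ESP transport mode with AES-256-CBC and HMAC-SHA1, which is the combination both routers configure; it also shows the tunnel-mode figure for comparison, which goes beyond the configs posted. It assumes a 1500-byte uplink MTU, no TCP options, and the RFC header sizes, so it tells you the largest MSS that avoids fragmenting the encrypted packet and whether the 1350 already set on Vlan1 is enough.

```python
# Added example: byte accounting for TCP over GRE (keyed) over ESP transport
# mode, AES-256-CBC + HMAC-SHA1-96. Constants are RFC header sizes, not IOS
# output; a 1500-byte physical MTU and no TCP options are assumed.

OUTER_IP = 20        # ESP transport mode reuses the GRE delivery IP header
ESP_HEADER = 8       # SPI (4) + sequence number (4)
AES_IV = 16          # AES-CBC IV, which is also the cipher block size
ESP_TRAILER = 2      # pad length (1) + next header (1)
SHA1_ICV = 12        # esp-sha-hmac truncates HMAC-SHA1 to 96 bits
GRE_HEADER = 4 + 4   # base GRE + 4-byte key field ("tunnel key 5551212")
INNER_IP = 20
TCP_HEADER = 20      # no TCP options assumed
PHYS_MTU = 1500      # FastEthernet uplink MTU assumed


def esp_padding(plaintext_len: int, block: int = 16) -> int:
    """ESP pad bytes so that plaintext + 2-byte trailer fills whole AES blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def wire_size(mss: int, tunnel_mode: bool = False) -> int:
    """Total IPv4 length on the uplink for a TCP segment carrying `mss` bytes."""
    plaintext = GRE_HEADER + INNER_IP + TCP_HEADER + mss
    if tunnel_mode:
        # tunnel mode also encrypts the GRE delivery IP header and adds a new one
        plaintext += OUTER_IP
    encrypted = plaintext + esp_padding(plaintext) + ESP_TRAILER
    return OUTER_IP + ESP_HEADER + AES_IV + encrypted + SHA1_ICV


def fits(mss: int, tunnel_mode: bool = False) -> bool:
    """True if the encrypted packet needs no fragmentation on the uplink."""
    return wire_size(mss, tunnel_mode) <= PHYS_MTU


def max_mss(tunnel_mode: bool = False) -> int:
    """Largest MSS whose encrypted GRE packet still fits the physical MTU."""
    return max(m for m in range(PHYS_MTU) if fits(m, tunnel_mode))


if __name__ == "__main__":
    # 1460 is the default MSS on a 1500-byte LAN; 1350 is the value on Vlan1
    for mss in (1460, 1390, 1350):
        print(f"MSS {mss}: {wire_size(mss)} bytes on the wire, fits={fits(mss)}")
    print("largest safe MSS, transport mode:", max_mss())
    print("largest safe MSS, tunnel mode:", max_mss(tunnel_mode=True))
```

A SYN that never crosses an interface carrying adjust-mss (for example one entering via Vlan2, which has no such line) keeps its default MSS, so checking which interfaces the AS/400 flows actually traverse is the first thing to verify.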