site to site vpn slowness HELP

Discussion in 'Cisco' started by decibel101, Jul 6, 2006.

  1. decibel101

    So I have two people that connect to a Cisco 1812 series router that has a site-to-site setup with a Checkpoint on the other side.

    No GRE, no tunnel interface used.

    I'm using 3des sha1 and group 2, and the site-to-site works fine, but they are experiencing slowness.

    The link they are on is a DSL line

    The one user who mainly uses the site-to-site is connected currently via the wired FastEthernet interface.

    So. Slowness. I think it has to do with MTU and TCP MSS, but I have no idea what to change them to, and which interface to apply the command to.

    I see a bunch of ICMP ERRORS in the log when I have my debug running, so the user .5 was trying to get to .11 but DF is set:

    002238: *Jul 3 13:39:15.801 NewYork: ICMP: dst (10.127.226.11) frag. needed and DF set unreachable sent to 10.128.68.5


    Please advise, see config below

    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2006.07.06 09:03:07 =~=~=~=~=~=~=~=~=~=~=~=


    ROUTERNAME#sh runn
    Building configuration...

    Current configuration : 7076 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname ROUTERNAME

    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 4096 debugging
    logging console critical
    enable secret 5 *******************
    !
    aaa new-model
    !
    !

    !
    aaa group server radius skunkworks
    server 10.127.226.10 auth-port 1812 acct-port 1813
    server 10.127.226.11 auth-port 1812 acct-port 1813
    ip radius source-interface FastEthernet0
    !
    aaa authentication login eap_methods group skunkworks
    !
    aaa session-id common
    !
    resource policy
    !
    clock timezone NewYork -5
    clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    no ip source-route
    !
    !
    ip cef
    no ip dhcp use vrf connected
    !
    !
    ip tcp synwait-time 10
    no ip bootp server
    no ip domain lookup
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ip ips deny-action ips-interface
    ip ips notify SDEE
    !
    !
    crypto pki trustpoint TP-self-signed-*
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-*
    revocation-check none
    rsakeypair TP-self-signed-*
    !
    !
    crypto pki certificate chain TP-self-signed-*
    certificate self-signed 01
    *
    **
    *
    *
    *
    *
    *
    *

    username **** privilege 15 secret 5 ***
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key 6 ******* address 1.1.1.1
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
    !
    crypto map vpnmap 1 ipsec-isakmp
    set peer 1.1.1.1
    set transform-set vpn1
    match address 107
    !
    bridge irb
    !
    !
    interface BRI0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    !
    interface Dot11Radio0
    no ip address
    !
    broadcast-key vlan 1 membership-termination capability-change
    !
    !
    encryption vlan 1 mode ciphers tkip wep128
    !
    ssid MYSID
    vlan 1
    authentication open
    authentication network-eap eap_methods
    authentication key-management wpa optional
    wpa-psk ascii 7 *******
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    !
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no snmp trap link-status
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Dot11Radio1
    no ip address
    shutdown
    speed 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    !
    interface FastEthernet0
    ip address 10.128.64.9 255.255.255.252
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    duplex auto
    speed auto
    !
    interface FastEthernet1
    description OUTSIDE INTERFACE
    ip address 2.2.2.2 255.255.255.0
    ip access-group 103 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    crypto map vpnmap
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    interface Vlan1
    description KWTS LAB NY
    no ip address
    ip helper-address 10.127.226.10
    ip helper-address 10.127.226.11
    ip directed-broadcast
    bridge-group 1
    !
    interface BVI1
    description INSIDE INTERFACE
    ip address 10.128.68.1 255.255.255.224
    ip helper-address 10.127.226.10
    ip helper-address 10.127.226.11
    ip directed-broadcast
    ip mtu 1452
    ip virtual-reassembly
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet1
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 5 life 86400 requests 10000
    ip nat inside source list 101 interface FastEthernet1 overload
    !
    logging trap debugging
    access-list 103 permit udp host 1.1.1.1 any eq isakmp
    access-list 103 permit udp host 1.1.1.1 eq isakmp any
    access-list 103 permit esp host 1.1.1.1 any
    access-list 103 deny ip any any
    access-list 107 permit ip 10.128.68.0 0.0.0.31 any
    no cdp run
    !
    !
    !

    radius-server host 10.127.226.10 auth-port 1812 acct-port 1813 key 7 ***
    radius-server host 10.127.226.11 auth-port 1812 acct-port 1813 key 7 ***
    radius-server vsa send accounting
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    transport input telnet ssh
    !
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    ROUTERNAME#
     
    decibel101, Jul 6, 2006
    #1
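An added example (not from the original post, and not Cisco code): a Python calculation of the ESP tunnel-mode overhead for the esp-3des esp-sha-hmac transform set in the config above. It shows why a full 1500-byte inner packet with DF set cannot be encrypted into a 1500-byte outer MTU (hence the "frag. needed and DF set" messages), and what inner MTU and TCP MSS do fit. The 1492-byte case assumes a PPPoE DSL link; the post does not say whether the DSL line uses PPPoE.

```python
# Added example (not from the original post): ESP tunnel-mode overhead for the
# 3DES/SHA1 transform set, and the largest inner IP packet / TCP MSS that still
# fits the outer MTU without fragmentation. Framing follows RFC 2406/4303:
# outer IP | ESP header | IV | inner packet + padding + trailer | ICV.

IPV4_HEADER = 20          # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2           # pad length (1) + next header (1)
UDP_HEADER = 8            # only present with NAT-Traversal (UDP 4500) encapsulation
TCP_IPV4_HEADERS = 40     # 20-byte IPv4 + 20-byte TCP, to turn an MTU into an MSS

# cipher -> (IV length, block size used for padding alignment), in bytes
CIPHERS = {"esp-3des": (8, 8), "esp-des": (8, 8), "esp-aes": (16, 16)}
# integrity transform -> truncated ICV length, in bytes
AUTHS = {"esp-sha-hmac": 12, "esp-md5-hmac": 12, None: 0}


def esp_encapsulated_size(inner_len, cipher="esp-3des", auth="esp-sha-hmac", nat_t=False):
    """On-the-wire size of an inner_len-byte IPv4 packet after ESP tunnel encapsulation."""
    iv_len, block = CIPHERS[cipher]
    # The encrypted region is inner packet + padding + 2-byte trailer, aligned to the block size.
    plain = inner_len + ESP_TRAILER
    padded = -(-plain // block) * block      # round up to a multiple of the block size
    size = IPV4_HEADER + ESP_HEADER + iv_len + padded + AUTHS[auth]
    return size + (UDP_HEADER if nat_t else 0)


def max_inner_packet(outer_mtu, cipher="esp-3des", auth="esp-sha-hmac", nat_t=False):
    """Largest inner packet whose encapsulated size still fits outer_mtu."""
    # Encapsulated size grows monotonically with inner_len, so scan downwards.
    for inner_len in range(outer_mtu, 0, -1):
        if esp_encapsulated_size(inner_len, cipher, auth, nat_t) <= outer_mtu:
            return inner_len
    raise ValueError("outer MTU too small for any payload")


def recommended_tcp_mss(outer_mtu, **kw):
    """TCP MSS that keeps a full-size segment inside max_inner_packet()."""
    return max_inner_packet(outer_mtu, **kw) - TCP_IPV4_HEADERS


if __name__ == "__main__":
    print("1500-byte inner packet becomes", esp_encapsulated_size(1500), "bytes on the wire")
    for mtu in (1500, 1492):   # plain Ethernet vs. an assumed PPPoE DSL link
        print(f"outer MTU {mtu}: inner MTU {max_inner_packet(mtu)}, TCP MSS {recommended_tcp_mss(mtu)}")
```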
