[c-nsp] PIX VPN & packet loss

Andre Beck cisco-nsp at ibh.net
Mon Mar 28 07:44:45 EST 2005


Re,

On Thu, Mar 24, 2005 at 09:01:29AM -0800, Big Wave Dave wrote:
> Have you done ping tests with varying packet size and MTU?

Yes, but they make no difference. The problem is not MTU-related (if it
were, there would be a packet size limit at which the loss would
jump from 0% to 100%). I see the loss even with the typical 100 Byte
ping of a Cisco or the one that mtr sends. Pings are quite different,
the Cisco sending as fast as possible to keep a ping-pong while mtr
sending in 1s intervals - yet they both achieve the same overall loss
statistic. It actually appears as if some "just drop every 70th packet"
mechanism would be in place behind the scenes. Of course there are no
stats on the pixen to prove this, SA counters seem well...

> Remember that you typically need to have 1500 MTU .... yet you
> lose some because of the VPN overhead... Perhaps try a 1300 MTU?

If I had any MTU problems (I don't seem to, PMTUD works as it should
in this scenario) I could tune around that value, yes. But MTU cannot
explain a small but stable packet loss. As said, I seem to lose something
like 1.5% of all packets in this VPN. There's a slight statistical
noise to it, but having a Cisco send 1000 Pings is sufficient to get
to almost equal numbers: 982 to 988 echoes that make it through.

-- 
                  The _S_anta _C_laus _O_peration
  or "how to turn a complete illusion into a neverending money source"

-> Andre Beck    +++ ABP-RIPE +++    IBH Prof. Dr. Horn GmbH, Dresden <-

