[c-nsp] PIX VPN & packet loss

Andre Beck cisco-nsp at ibh.net
Tue Mar 29 07:24:16 EST 2005


Re,

self-followup:

On Thu, Mar 24, 2005 at 05:55:35PM +0100, Andre Beck wrote:
> 
> I'm observing a small but "stable" amount of packet loss in a VPN
> built of a central PIX 515 and a bunch of 506s. There seems to be
> a loss of approx. 1.5% to 2% on VPN tunnels, regardless of the site
> talking to central, seemingly in the direction 515->506. PIX OS versions
> are latest, configuration is mostly trivial, VPN sites can basically
> do any IP traffic to the central site. Extensive ping tests in the
> respective broadcast domains to which the PIXen are connected as
> well as on the links interconnecting them show no packet loss at all.
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Well yeah, as always, something must have been missed here. I finally
found the packet loss to stem from a 3750 which routes the network to
which the 515 is connected. The 3750 seems to be L2-switching fine
but drops approx. 1.5 to 2% of traffic that it routes. This might not
actually be routing related, due to the 3750 being connected to a
7206VXR's I/O-2FE using a trunk on which exactly the VLAN that carries
the transit network between those two is *untagged* (Fa0/0 on the VXR
and configured as native on the 3750). This triggers the well known
problem of false runts being counted by the 3750, the runt counter
is speeding up at approx. 600/s on the trunk interface. Then again, the
packet loss has just manifested lately, it wasn't there in the
initial testing. And it doesn't need to be related to the runts problem,
however there are chances it is (in a way that again makes the problem
MTU related, but the other way around - and the routing dropping small
packets as well as large ones tells me it isn't directly due to false
runts).

Strange enough. I'll see whether the problem disappears when I reconfigure
the trunk to have the VLAN in question being tagged so it won't ever
produce false runts anymore. Upgrading the somewhat old IOS might be an
option, too - but I'll have to double check whether I can do that at all
without losing my perfectly working SFPs that might happen to stem from
the non-monopoly part of the bazaar...

Sorry for blaming it on the PIXen,
Andre.
-- 
                  The _S_anta _C_laus _O_peration
  or "how to turn a complete illusion into a neverending money source"

-> Andre Beck    +++ ABP-RIPE +++    IBH Prof. Dr. Horn GmbH, Dresden <-
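To make the fix Andre describes concrete, here is an added configuration sketch that is not part of the original post and not taken from his devices: the transit VLAN that was riding the trunk untagged (native) is moved to a tagged VLAN by assigning an otherwise unused native VLAN on the 3750 and terminating the transit VLAN on a dot1Q subinterface on the 7206VXR. The VLAN numbers (10 as the transit VLAN, 999 as the dummy native VLAN), interface names and addresses are assumptions chosen for illustration.

```cisco
! --- Before (assumed to match the situation in the post): transit VLAN 10
! --- is the native, i.e. untagged, VLAN on the 3750 trunk and the VXR
! --- terminates it directly on physical Fa0/0. The untagged frames on the
! --- trunk are what the 3750 miscounts as runts.
!
! 3750 (interface name assumed)
interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
! 7206VXR (address assumed)
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.252
!
! --- After: the native VLAN becomes an unused VLAN that carries no
! --- production traffic, so VLAN 10 now crosses the trunk tagged, and the
! --- VXR terminates VLAN 10 on a dot1Q subinterface instead of Fa0/0.
! --- Both ends must be changed in the same maintenance window; until they
! --- match, the transit network between the two boxes is down.
!
! 3750
interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
! 7206VXR
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.252
```

After the change, `show interfaces GigabitEthernet1/0/25 | include runts` sampled a few times on the 3750 should show the runt counter standing still instead of climbing at hundreds per second, and a long ping series across the routed path through the 3750 (rather than within a single broadcast domain, which was the blind spot in the original tests) is what confirms whether the 1.5 to 2% loss was tied to the untagged native VLAN or needs the IOS upgrade mentioned in the post.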
