[c-nsp] 2821 ipsec poor performance ?

Andrew Yourtchenko ayourtch at gmail.com
Tue Mar 6 17:24:29 EST 2007


On 3/6/07, Piotr Nowacki <piotr.nowacki at interia.pl> wrote:
> Hi,
> I just began troubleshooting poor (strange) ftp connection
> via ipsec tunnel terminated on 2821.
>
> Customer has hot 10Mb/s pipe to Inet.
> Upload speed is around 7 times lower than download.
>
> Any suggestions where to look first ?
>
> Regards
> Peter

I would beg to disagree with both of the previous esteemed authors -
both delay and the MTU should be symmetric (under some assumptions,
which I find reasonable in the absence of any evidence
otherwise).

I'd start by installing Wireshark on both hosts (if you use
Linux/Unix, then you might have tcpdump already), then taking
simultaneous pcap traces on both sides - for the "good" scenario and for
the "bad" scenario, and then looking at 4 windows in
Wireshark/Ethereal trying to find the differences between the two
connections.

That should give you the most yield for the time spent - and will help
later on if you need to talk to TAC.

But if you want a really wild guess, I'd put a couple of beers on
duplex mismatch - this looks suspiciously similar.

thanks,
andrew

p.s. I assume the cleartext traffic is all downstream, so "it works"
in a sense that you had not tested the upload there - that might be
another first step to see whether IPSEC is at all in the picture.
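
The two-sided capture comparison suggested above can be scripted. The following is an added example, not part of the original post: it diffs a sender-side and a receiver-side capture and reports which TCP data segments were retransmitted and how many copies never reached the far end. It assumes classic little-endian pcap files with Ethernet framing (as written by `tcpdump -w`) and no NAT between the hosts; the addresses, ports and sequence numbers are constructed sample data.

```python
import struct
from collections import Counter

def tcp_segments(pcap):
    """Yield (flow, seq, data_len) per IPv4/TCP data segment in a classic pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap (not pcapng)")
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        # Ethernet II + IPv4 + TCP only; anything else is skipped
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        tcp = 14 + ihl
        if len(frame) < tcp + 13:              # truncated TCP header
            continue
        total = struct.unpack_from("!H", frame, 16)[0]
        sport, dport, seq = struct.unpack_from("!HHI", frame, tcp)
        data_len = total - ihl - (frame[tcp + 12] >> 4) * 4
        if data_len > 0:                       # ignore pure ACKs
            yield (frame[26:30], sport, frame[30:34], dport), seq, data_len

def compare(sender_pcap, receiver_pcap):
    """Diff the two vantage points: what was resent, and what never arrived."""
    sent = Counter((f, s) for f, s, _ in tcp_segments(sender_pcap))
    rcvd = Counter((f, s) for f, s, _ in tcp_segments(receiver_pcap))
    return {"retransmitted": sorted(s for (_, s), n in sent.items() if n > 1),
            "lost_copies": {s: n for (_, s), n in (sent - rcvd).items()}}

# --- constructed sample data (not from the thread) ---
def frame(seq, payload=b"x" * 1460):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6,
                     0, bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 20, seq, 0, 0x50, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def pcap_file(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Uploader resends seq 2460 because its first copy was dropped in the path.
SENDER_PCAP = pcap_file([frame(1000), frame(2460), frame(3920), frame(2460)])
RECEIVER_PCAP = pcap_file([frame(1000), frame(3920), frame(2460)])
```

Running `compare()` once on the upload captures and once on the download captures shows whether loss and retransmission are concentrated in one direction.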

