[c-nsp] GRE tunnel optimization

Pavel Skovajsa pavel.skovajsa at gmail.com
Wed Jan 13 04:37:20 EST 2010


Hi Adam,

The "ip tcp adjust-mss 1460" adjusts TCP traffic, which IPsec is not,
so you can safely remove it.
Try to change the TCP MSS on the Sonicwalls - I suggest something
conservative - 1390 for example.

If it doesn't help (or there is no knob for this on Sonicwalls), try to:
- ping across the GRE tunnel in the clear, without IPsec
- determine whether this is an MTU size issue by pinging with larger
and larger packets.

-pavel

On Tue, Jan 12, 2010 at 10:12 PM, Adam Greene <maillist at webjogger.net> wrote:
> Hi,
>
> I'm trying to pass IPSec VPN traffic over a simple GRE tunnel, with mixed
> results (some packet loss, high latency).
>
> Configs on both ends:
>
> ==========
> 2811, 12.4(21), traffic is sent over bonded DSL lines
> ==========
> interface Tunnel0
> ip address 172.16.16.9 255.255.255.252
> ip tcp adjust-mss 1460
> tunnel source x.x.x.x
> tunnel destination y.y.y.y
> !
> interface ATM0/0/0
> no ip address
> no ip mroute-cache
> no atm ilmi-keepalive
> dsl operating-mode auto
> hold-queue 224 in
> pvc 0/35
>  protocol ppp Virtual-Template1
> !
> interface ATM0/1/0
> no ip address
> no ip mroute-cache
> no atm ilmi-keepalive
> dsl operating-mode auto
> hold-queue 224 in
> pvc 0/35
>  protocol ppp Virtual-Template1
> !
> interface Virtual-Template1
> no ip address
> ppp multilink
> ppp multilink group 1
> !
> interface Multilink1
> ip address x.x.x.x z.z.z.z
> ip nat outside
> ip virtual-reassembly
> ppp multilink
> ppp multilink group 1
>
> ==========
> 1841, 12.4(24)T2, traffic is sent over Cablevision link
> ===========
> interface Tunnel0
> ip address 172.16.16.10 255.255.255.252
> ip tcp adjust-mss 1460
> tunnel source y.y.y.y
> tunnel destination x.x.x.x
> !
> interface FastEthernet0/0/0
> description *** Cablevision ***
> ip address y.y.y.y z.z.z.z
> ip nat outside
> ip virtual-reassembly
> ip tcp adjust-mss 1460
> duplex auto
> speed auto
>
> The VPN is being generated by Sonicwalls on both ends. I've set MTU to 1460
> on them as well.
>
> I had originally set MTU to 1400, but it was worse.
>
> Are there any obvious configurations I am missing to optimize this traffic?
> For example, is something like the following recommended on the Tunnel
> interfaces?
>
> hold-queue 1024 in
> hold-queue 1024 out
>
>
> Thanks for your help.
>
> Adam
>
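Added example, not part of the original thread: the "ping with larger and larger packets" test from the reply above, done as a binary search with the DF bit set, followed by the space left inside GRE. The function names, the Linux iputils ping flags in `ping_probe`, and the link MTUs 1500 and 1492 are assumptions made for illustration.

```python
import subprocess

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20  # IPv4/ICMP/TCP headers, no options
GRE_OVERHEAD = 24                       # outer IPv4 header (20) + basic GRE header (4)

def ping_probe(host, tries=3):
    """Real probe; assumes Linux iputils ping (-M do sets DF, -s is ICMP payload)."""
    def probe(ip_size):
        payload = ip_size - IP_HDR - ICMP_HDR
        cmd = ["ping", "-M", "do", "-c", str(tries), "-W", "1", "-s", str(payload), host]
        # Exit status 0 means at least one reply, so random loss is tolerated.
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe

def simulated_probe(*link_mtus):
    """Constructed stand-in for offline runs: passes up to the smallest link MTU."""
    limit = min(link_mtus)
    return lambda ip_size: ip_size <= limit

def find_path_mtu(probe, low=576, high=1500):
    """Binary-search the largest IP packet size for which probe(size) is True."""
    if not probe(low):
        return None  # even small packets fail: not explained by MTU alone
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low

def tcp_mss(mtu):
    """Largest TCP segment that fits in one IP packet of `mtu` bytes."""
    return mtu - IP_HDR - TCP_HDR

if __name__ == "__main__":
    # Constructed link MTUs (1500 and 1492), not values from the thread.
    underlay = find_path_mtu(simulated_probe(1500, 1492))
    inside_gre = underlay - GRE_OVERHEAD
    print("underlay path MTU:", underlay)
    print("room inside GRE:  ", inside_gre)
    print("MSS for plain TCP inside GRE:", tcp_mss(inside_gre))
    # ESP overhead is not subtracted here; it depends on the IPsec transforms in use.
```

For a real measurement, pass `ping_probe(<peer address>)` to `find_path_mtu` in place of the simulated probe, once toward the tunnel destination and once toward the far tunnel address.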

