[c-nsp] Problems with a Cisco 2821 and IOS c2800nm-adventerprisek9_ivs-mz.150-1.M.bin

Randy randy_94108 at yahoo.com
Sat May 29 14:57:07 EDT 2010


--- On Fri, 5/28/10, Stephane MAGAND <stmagconsulting at gmail.com> wrote:

> From: Stephane MAGAND <stmagconsulting at gmail.com>
> Subject: [c-nsp] Problems with a Cisco 2821 and IOS c2800nm-adventerprisek9_ivs-mz.150-1.M.bin
> To: cisco-nsp at puck.nether.net
> Date: Friday, May 28, 2010, 8:45 PM
> Hi
> 
> I have a big problem and request your help ;=) :
> 
> We have a Cisco 2821 with AIM VPN card and 1 Go of memory connected to internet by gigabits interface.
> 
> On this Cisco 2821, I have 7 IPSec/GRE tunnels. On the remote site, I have a Cisco 1721 and internet access.
> 
> On remote access, when I download from an FTP server, I get 5 Mbits full download. When I download from an internal FTP and use the tunnel, I download at 68 or 70 Kbits ... very slow ..
> 
> On the same network as the 2821, I have an old 3640; if I create a tunnel from the 1721 to the 3640, I download at 5 Mbits on internet and ~4 Mbits on an internal FTP.
> 
> Does anyone know if the problem is in the IOS of the Cisco 2821? Is the AIM-VPN card creating a problem?
> 
> Thanks for your help
> Stephane

Hi Stephane,
Sounds like a fragmentation/reassembly issue: encrypted fragments being process switched for reassembly before they can be handed to AIM-VPN for decryption.

Some things to look at:

Are the tunnel MTUs set correctly to account for the IPSEC overhead? What about ip tcp-adj-mss?
Is tunnel PMTUD enabled?
Is Crypto Map applied only to outbound physical interface?
Is IPSEC operating in Transport mode or Tunnel mode?

Perhaps you could post a snippet of your GRE/IPSEC config.

./Randy
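
An added example, not part of Randy's message or either poster's configuration: a Python calculation of how large a passenger packet can be before GRE plus ESP pushes it past the physical MTU and forces post-encryption fragmentation, for both tunnel and transport mode. It assumes IPv4, no NAT-T, no GRE key or sequence options, a CBC cipher and a 96-bit HMAC ICV; the function names are hypothetical.

```python
# Added example: passenger MTU / TCP MSS budget for GRE over IPsec ESP (IPv4).
# Assumptions: no NAT-T, no GRE key/sequence options, CBC cipher, 96-bit HMAC ICV.
IP_HDR, GRE_HDR, TCP_HDR = 20, 4, 20
ESP_HDR, ESP_TRAILER, ICV = 8, 2, 12      # SPI+seq, pad-len+next-hdr, HMAC-96
CIPHERS = {"aes-cbc": 16, "3des-cbc": 8}  # for CBC, IV size equals block size


def esp_packet_size(passenger, cipher="aes-cbc", mode="tunnel"):
    """On-the-wire size of one passenger IP packet after GRE + ESP."""
    block = CIPHERS[cipher]
    # Transport mode reuses the GRE delivery IP header as the outer header,
    # so only the GRE header + passenger packet are encrypted. Tunnel mode
    # encrypts the whole GRE packet and prepends a new outer IP header.
    inner = passenger + GRE_HDR + (IP_HDR if mode == "tunnel" else 0)
    plaintext = inner + ESP_TRAILER
    padded = -(-plaintext // block) * block   # round up to cipher block size
    return IP_HDR + ESP_HDR + block + padded + ICV


def max_passenger_mtu(link_mtu=1500, cipher="aes-cbc", mode="tunnel"):
    """Largest passenger packet that still leaves the router unfragmented."""
    size = link_mtu
    while size > 0 and esp_packet_size(size, cipher, mode) > link_mtu:
        size -= 1
    return size


def report(link_mtu=1500):
    """(cipher, mode, max tunnel IP MTU, max TCP MSS) for each combination."""
    rows = []
    for cipher in CIPHERS:
        for mode in ("tunnel", "transport"):
            mtu = max_passenger_mtu(link_mtu, cipher, mode)
            rows.append((cipher, mode, mtu, mtu - IP_HDR - TCP_HDR))
    return rows


if __name__ == "__main__":
    for cipher, mode, mtu, mss in report():
        print(f"{cipher:9} {mode:9} max tunnel ip mtu={mtu}  max tcp mss={mss}")
    # A full-size passenger packet overflows the link and must be fragmented
    # after encryption, so the peer has to reassemble before it can decrypt.
    print("1500-byte passenger ->", esp_packet_size(1500), "bytes on the wire")
```

On IOS the resulting values are applied on the tunnel interface with `ip mtu` and `ip tcp adjust-mss`; a value at or below the computed maximum keeps each encrypted packet within the physical MTU.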



