[c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

Dustin Schuemann dschuemann at gmail.com
Fri Oct 7 16:09:58 EDT 2011


I believe we have solved the issue. We tag our Telnet and SIP packets as
AF41. Removing the DSCP AF41 from these packets fixes the issue.

On Thu, Oct 6, 2011 at 2:05 PM, <Vinny_Abello at dell.com> wrote:

> We saw something similar with Global Crossing on and off where any IPSec
> tunnels we had that transited their network would have loss over the tunnel
> with the encrypted traffic, but no loss from peer to peer. Removing Global
> Crossing from the equation solved the issue. I couldn't imagine how they
> were accomplishing that other than perhaps QoS or rate-limiting involving
> ESP or UDP 4500 traffic which was very hard to prove. I don't know of an
> esptraceroute tool. :)
>
> -Vinny
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dustin Schuemann
> Sent: Wednesday, October 05, 2011 9:22 PM
> To: Phil Mayers
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers
>
> Today I also noticed that all these connections are going over Comcast
> Business. Anyone seen anything like this?
>
> On Tue, Sep 27, 2011 at 5:43 PM, Dustin Schuemann <dschuemann at gmail.com> wrote:
>
> > Do you have any other suggestions? TAC is kinda going around in circles.
> > On Sep 27, 2011, at 3:43 AM, Phil Mayers wrote:
> >
> > > On 09/27/2011 12:38 AM, Dustin Schuemann wrote:
> > >> Disabling CEF didn't correct the issue.
> > >>
> > >
> > > I'm not surprised. I'm amazed TAC would even suggest it.
> > >
> > > > Disabling CEF on modern IOS isn't sensible. The slower code paths don't
> > > > get properly tested any more, and whole (large) chunks of functionality
> > > > only exist as CEF code.
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
>

