
yaplej
Premium
join:2001-02-10
White City, OR

VPN & Frags

I have GETVPN set up on my WAN and it seems to be working OK, except that the 2811 onboard encryption modules are dropping packets with only 3-6Mbps of traffic, far under the 20Mbps of IMIX traffic the 2811 is claimed to be capable of with the onboard module.

Looking into the issue I am noticing all the routers experiencing this problem report a lot of fragmentation.

show ip traffic | i frag|Frag
  Frags: 241645 reassembled, 10 timeouts, 0 couldn't reassemble
         97039 fragmented, 194078 fragments, 0 couldn't fragment
 

These routers have a serial interface with an MTU of 1500, the same as the client-facing Ethernet ports. With GETVPN the client can still use this same 1500 MTU, and adding the GETVPN overhead is causing fragmentation. I knew that, so all the client-facing interfaces have "ip tcp adjust-mss 1360" to try and prevent it.

Well, it apparently is not working. We also have some other routers with encryption modules that are not dropping packets, and at the same time they don't suffer from the fragmentation issue either.
show ip traffic | i frag|Frag
  Frags: 630 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
 

These routers are connected to a DS3 that has an MTU of 4470 vs the 1500 on the others. They also have a different encryption module, so it's not a totally fair comparison.

To fix the frag problem, could I just increase the MTU of my serial interfaces to 4470 so they match the DS3? I could also try to set both the MSS and the IP MTU on each client-facing interface:
ip tcp adjust-mss 1360 
ip mtu 1400
 

Should I disable "ip virtual-reassembly" on all my ip interfaces? Just not sure what the best way to address this would be.

Thanks!

--
sk_buff what?

Open Source Network Accelerators
»www.trafficsqueezer.org
»www.opennop.org


HELLFIRE
Premium
join:2009-11-25
kudos:18

said by yaplej:

We also have some other routers with encryption modules not dropping packets and at the same time they dont suffer from the fragmentation issue either.

Same make / model / config / IOS as the 2811 in question?

Regards


yaplej
Premium
join:2001-02-10
White City, OR

No, they are a different model of router, so it's not a fair comparison. I am going to grab a few spare 2811s, put together a small lab, and see if I can use iperf to figure out the minimum and maximum throughput of the onboard encryption module using different sized packets.

Cisco has all sorts of claims about the 2800 onboard module, but I'm wondering: if I can get 3-6Mbps of crypto through using 60-80 byte packets, then I should have no problem with my existing traffic.
»www.cisco.com/en/US/tech/tk652/t···ematters



jester121
Premium
join:2003-08-09
Lake Zurich, IL
reply to yaplej

You don't need a bunch of routers to do that.

You just need a command prompt, using the PING command with the -F switch to disallow fragmenting and the -L switch to set a packet size, starting at 1360 and counting down one at a time until there is no more fragmenting.

ping 8.8.8.8 -f -l 1360
ping 8.8.8.8 -f -l 1359
ping 8.8.8.8 -f -l 1358
ping 8.8.8.8 -f -l 1357
...

Once packets start flowing, you know the setting you need.


JamesH5100

join:2005-08-17
Akron, OH
reply to yaplej

I went through something similar a little while back. Cisco recommended setting the MTU to 1476 or 1472. Everything has been fine since.



yaplej
Premium
join:2001-02-10
White City, OR
reply to yaplej

I have already set the MSS to 1360 on all client/server-facing interfaces. I have not had a chance to look at this as much as I want to. I know that something is causing a performance hit on the onboard encryption module, but I have a bigger project due that is getting all my attention right now.



F430

@cox.net

quote:
I have already set the MSS to 1360
Of course MSS has no effect on any traffic other than TCP. In order to account for L2 overhead on serial links, the MTU should be set to a value lower than the actual MTU. I set the MTU to 1400 on all links on my routers. I know that is lower than it needs to be, but I have never had any fragmentation problems this way.
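As an added illustration of that point (not code from any poster in the thread), the Python below parses the `show ip traffic | i frag|Frag` counters quoted earlier and models why a 1360-byte TCP MSS clamp keeps an encrypted TCP segment under a 1500-byte link MTU while a full-size UDP datagram still fragments. The 58-byte tunnel overhead is an assumed placeholder; the real GETVPN/ESP overhead depends on the transform set in use.

```python
import re

# Constructed sample, copied from the affected router's output earlier in the thread.
SAMPLE_SHOW_IP_TRAFFIC = """\
  Frags: 241645 reassembled, 10 timeouts, 0 couldn't reassemble
         97039 fragmented, 194078 fragments, 0 couldn't fragment
"""

FRAG_RE = re.compile(
    r"Frags:\s+(\d+) reassembled, (\d+) timeouts, (\d+) couldn't reassemble"
    r"\s+(\d+) fragmented, (\d+) fragments, (\d+) couldn't fragment")

def parse_frag_counters(show_output):
    """Extract the six counters from `show ip traffic | i frag|Frag` output."""
    m = FRAG_RE.search(show_output)
    if not m:
        raise ValueError("no Frags block found in output")
    keys = ("reassembled", "timeouts", "no_reassemble",
            "fragmented", "fragments", "no_fragment")
    return dict(zip(keys, map(int, m.groups())))

def fragmenting(counters):
    """A healthy tunnel router shows 0 fragmented, like the DS3 routers in the thread."""
    return counters["fragmented"] > 0 or counters["timeouts"] > 0

# ASSUMED ESP tunnel-mode overhead per packet (outer IP + ESP header/IV/pad/ICV).
# The real figure depends on the transform set; this is a placeholder, not a GETVPN constant.
TUNNEL_OVERHEAD = 58
IP_HDR, TCP_HDR, UDP_HDR = 20, 20, 8

def inner_packet_len(l4_payload, proto, tcp_mss=None):
    """Cleartext IP packet size a host sends. Only TCP honours `ip tcp adjust-mss`."""
    if proto == "tcp":
        if tcp_mss is not None:
            l4_payload = min(l4_payload, tcp_mss)
        return IP_HDR + TCP_HDR + l4_payload
    return IP_HDR + UDP_HDR + l4_payload

def fragments_after_encap(inner_len, link_mtu=1500, overhead=TUNNEL_OVERHEAD):
    """True if the encrypted packet exceeds the WAN link MTU and has to be fragmented."""
    return inner_len + overhead > link_mtu

def report(tcp_mss=1360, link_mtu=1500):
    """Full-size TCP segment (host default MSS 1460) vs full-size UDP datagram (1472-byte ping)."""
    tcp = inner_packet_len(1460, "tcp", tcp_mss)
    udp = inner_packet_len(1472, "udp")
    return {"tcp_len": tcp, "tcp_frags": fragments_after_encap(tcp, link_mtu),
            "udp_len": udp, "udp_frags": fragments_after_encap(udp, link_mtu)}
```

Running `report()` shows the clamped TCP packet (1400 bytes) fitting under the 1500-byte link after encapsulation while the 1500-byte UDP datagram does not, which is why only an `ip mtu` setting on the client-facing interface reaches non-TCP traffic.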