Fresh as a Daisy
gikseiman
Posts: 2
Registered: ‎01-12-2010

IPSEC VPN issues - packet drops and intermittent latency spikes

I've been experiencing stability issues with IPSEC VPN tunnels on my 20mb optic fibre connection.

 

The VPN is intermittently dropping and having diagnosed the issue, it appears, intermittently, upload VPN packets are being dropped.

 

Prior to moving to Virgin, I was with Nildram and had approx. 6 years of solid connections with IPSEC tunnels through their network.

 

I called the Virgin helpline and I had to explain about 6 times what the issue was, and still they didn't understand the issue. At one point, they tried to fob me off by giving me a "how to connect a PC to the Virgin router" helpline.

 

In the end, the tech admitted we weren't getting anywhere and promised an escalation and call back to help try to fix the issue. Guess what, never got a call back.

 

I would still like to get this working properly and would appreciate if someone from Virgin Level 2 or 3 support could give me a shout.

 

Here's what I know so far: -

 

- No packet loss is experienced to the VPN gateways based on ICMP only

- Problem appears to be affecting IPSEC traffic only

- Connecting via other ISPs is fine, not experiencing the same instability issues

- VPN Gateways are fine as there are many other users connected and VPN tunnels are up and stable for a duration of time

- Other types of traffic such as HTTP/HTTPS/SSL are all good, no issues

 

I also kept on getting a comment from Virgin helpdesk saying they don't support VPN, which isn't 100% true because it is regular IP traffic flowing through their network. In addition, their routers support VPN passthrough.

 

Any help appreciated. Thanks!!

 

Gandalf
Pete_R
Posts: 4,943
Registered: ‎18-03-2010

Re: IPSEC VPN issues - packet drops and intermittent latency spikes

Hi gikseiman,

 

You're right in that we can deal with IPSEC traffic in the same manner that we deal with standard IP traffic.

 

The difficulty is that from what you've described, none of your other IP traffic is being dropped, and we do not differentiate between different forms of IP traffic.

 

Could you please provide some information regarding the diagnostics you performed that indicated that IPSEC traffic is being dropped?

 

Does the issue still occur on a direct connection to your modem?

Regards,

Peter Rafferty

Help and Support Forum Team


If someone's helped you out say thanks by clicking on the Kudos Star. If someone's solved your problem, why not mark their message as an Accepted Solution? You can also help other users find useful posts by Tagging them with keywords.

If you are new to the forum, please remember to search the forum before posting your question.
Fresh as a Daisy
gikseiman
Posts: 2
Registered: ‎01-12-2010

Re: IPSEC VPN issues - packet drops and intermittent latency spikes

Hi Peter,

 

Thanks for replying.

 

If the Virgin network doesn't differentiate traffic, do you know if the Netgear modem differentiates traffic at all? I looked at the configurations and there isn't any indication of this.

 

Sure, the diag was the following: -

 

i.) ICMP ping towards the head end where the IPSEC tunnel terminates - no packet drops

ii.) ICMP ping towards other external location such as google - no packet drops

iii.) Monitor IPSEC VPN from the Cisco router, seeing IPSEC outbound drops but no corresponding packet drops

 

It appears like my upstream is being saturated, but I should be getting at least a 700bps upload speed: -

 

Primary Upstream Service Flow

Upstream(0) SFID 5643

Max Traffic Rate 768000 bps

Max Traffic Burst 3044 bytes

Mix Traffic Rate 0 bps

Max Concatenated Burst 1522 bytes

Scheduling Type Best Effort

 

What's the 3k max traffic burst? Is this allowing us to burst over the 768kbps? Also out of curiosity, what is the max concatenated burst value of 1.5k?

 

If no traffic is being differentiated, I suspect this may be an upload issue. However, it doesn't make sense why this is occurring if I have a 700kbps upload. I only used to have 512kbps and it worked fine. Also, I have other test setups with around 256kbps which work.

 

Here's the diag which indicates potential upload speed issues: -

 

 

Interface: Tunnel200 Tunnel100

Uptime: 1d16h

Session status: UP-ACTIVE    

        Active SAs: 2, origin: crypto map

        Inbound:  #pkts dec'ed 295077 drop 0 life (KB/Sec) 4580282/308

        Outbound: #pkts enc'ed 180390 drop 31 life (KB/Sec) 4581691/308

 

Interface: Tunnel200 Tunnel100

Uptime: 1d16h

Session status: UP-ACTIVE    

        Active SAs: 2, origin: crypto map

        Inbound:  #pkts dec'ed 9328 drop 0 life (KB/Sec) 4590313/434

        Outbound: #pkts enc'ed 7843 drop 29 life (KB/Sec) 4590317/434

 

Assistance appreciated, thanks!

 

Thanks
Martin
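
An added example, not part of either poster's message: a small parser for the session counters quoted in the post above, which turns the raw packet and drop counts into per-direction drop percentages and flags sessions where only the outbound direction drops. The function names are hypothetical, and it assumes the drop counter is kept separately from the enc'ed/dec'ed packet count.

```python
import re

# Constructed input: the two session blocks quoted in the post above.
SAMPLE = """\
Interface: Tunnel200 Tunnel100
Uptime: 1d16h
Session status: UP-ACTIVE
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 295077 drop 0 life (KB/Sec) 4580282/308
        Outbound: #pkts enc'ed 180390 drop 31 life (KB/Sec) 4581691/308

Interface: Tunnel200 Tunnel100
Uptime: 1d16h
Session status: UP-ACTIVE
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 9328 drop 0 life (KB/Sec) 4590313/434
        Outbound: #pkts enc'ed 7843 drop 29 life (KB/Sec) 4590317/434
"""

COUNTER = re.compile(
    r"^\s*(Inbound|Outbound):\s+#pkts (?:dec|enc)'ed (\d+) drop (\d+)", re.M)

def parse_sessions(text):
    """Return one dict per session block: direction -> (processed, dropped)."""
    sessions = []
    for block in re.split(r"(?m)^(?=Interface:)", text):
        counters = {m.group(1).lower(): (int(m.group(2)), int(m.group(3)))
                    for m in COUNTER.finditer(block)}
        if {"inbound", "outbound"} <= counters.keys():
            sessions.append(counters)
    return sessions

def drop_pct(processed, dropped):
    """Assumption: drops are counted separately from processed packets."""
    offered = processed + dropped
    return 100.0 * dropped / offered if offered else 0.0

def summarize(text):
    """Per session: (inbound %, outbound %, True if only outbound drops)."""
    rows = []
    for s in parse_sessions(text):
        in_pct = drop_pct(*s["inbound"])
        out_pct = drop_pct(*s["outbound"])
        rows.append((round(in_pct, 3), round(out_pct, 3),
                     s["outbound"][1] > 0 and s["inbound"][1] == 0))
    return rows

if __name__ == "__main__":
    for in_pct, out_pct, outbound_only in summarize(SAMPLE):
        print(f"in {in_pct}%  out {out_pct}%  outbound-only drops: {outbound_only}")
```

On the counters quoted in the post this gives outbound drop rates of roughly 0.017% and 0.37%, with no inbound drops on either session.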

Gandalf
Pete_R
Posts: 4,943
Registered: ‎18-03-2010

Re: IPSEC VPN issues - packet drops and intermittent latency spikes

Hi Gikseiman,

 

I'm a little confused by part i.  You mention an IPSEC tunnel to the headend, are you advising that you are not receiving any further ICMP responses past the 2nd hop?  Could you provide a copy for clarity?  If you're concerned about disclosing this information publicly, please feel free to PM me the information.

 

For point 3, the lack of packets being dropped in the preceding two checks indicates that IP packets are being delivered and responses received without issue.

 

Routers provided by us shouldn't differentiate between packets unless you've configured them to do so. I can see that you're using one of our D2 hubs, which have been noted to have issues with flood detection. Could you advise whether you have the same issues after disabling firewall features within the router configuration pages?

 

The maximum burst rates refer to the amount of data that can be transmitted in one "timing unit" that the equipment at our end uses, essentially for flow control.  I doubt these would be causing the issue, but even if they were we would not be able to change them as they're standard for residential customers.

 

With respect to upstream issues, your upstream power level is within acceptable limits and your modem is not reporting any issues with station maintenance or power adjustments.  There is also only moderate utilisation on your cable upstream - as such it would be more likely to be that your upstream bandwidth may be being utilised, you can test this by connecting via ethernet to the hub and disabling wireless.

 

Please let us know how you get on.

 

Regards,

Peter Rafferty

Help and Support Forum Team

