871 site to site vpn

[srv1strat]

Hi,

i have configured 2 871 dual ethernet routers to connect via site to site vpn.
to test before installing them on site i've connected them with a crossover cable using their fastethernet 4 interfaces. the wan (fa4) interfaces are set to static addresses. i've connected both to our internet connection & have no connectivity issues. i can get a continous ping to an external address with no packet loss.

the problem
i do an extended ping from router A with a source address of routerA/vlan1 ip address to target address Router B/vlan1 ip address. 100% success.
i ping from any local host on lanA to router B/vlan1 ip address and i get 50% packet loss.
this happens in the reverse direction from lanB also. the problem is identical from both sites.
the fact i can ping successfully (50%) site to site is suggesting to me that my vpn configuration is correct.
also i have a remote client vpn configuration on the routers. this works fine, again no packet loss.
the problem looks like it is only vpn traffic site to site that is affected.

any thoughts?
regards

 

[GM2005]

Try extended pings lowering the MTU gradually and see if it it is related to that. If thats what it is it should come good around 1400. Just a guess but i've seen this occur with multiple encapsulations.

 

[srv1strat]

Hi GM2005,

thanks for the reply. i don't understand how an extended ping will help identify the problem as I get 100% success with an extended ping. perhaps we're talking about different things?
an extended ping to me is using the extended commands from under the ping command on the cli.
what interface do you suggest i change the mtu on? vlan1?

regards

 

[kbing]

srv1strat,

ping from a PC on one end of the network to a device on the other end of the network. Be sure these are internal devices. Use the following ping test:

a. Ping with 1200 bytes

sample: ping x.x.x.x -l 1200 -t

does this work?

If so, increase the 1200 until the ping fails. Then use the # the highest # that works in the following command on the routers.

conf t
int fastethernet0/0
ip tcp adjust-mss 1200

replace 1200 with the number you found from your pings in the first test.

for example, if I can ping with byte size of 1350 successfully, then I configure my internal ethernet router interfaces on both ends with 'ip tcp adjust-mss 1350'.

What results do you get?

 

[srv1strat]

Hi Kbing,

thanks for the reply.

i'm using a standard ping with 32 bytes & i'm only getting 50% packets. this is pinging from lanA device to lanB device.

regards

 

[kbing]

have you adjusted the ip tcp adjust-mss command to test results?

maybe you having a routing problem. Check your route tables to ensure that a routing entry isn't competing with another.

I had a situation before where I had two routing statement configured and the packets would go down path1 and succeed then the next packet would go down path2 and fail.

every other packet would succeed.

 

[srv1strat]

Just an update.
we erased the config on both routers and configured them both from scratch.
the problem has not returned.