Packet drops on GRE tunnel and high CPU usage

Hello world

We have a GRE tunnel between 2 sites.

Users have complained about slow speeds, and when I checked, the CPU usage is too high.

It went from 40-70% on average in the last hours.

Here is the setting of the tunnel interface

MTU 17916 bytes, BW 100 Kbit, DLY 50000 usec,

reliability 255/255, txload 235/255, rxload 241/255

Input queue: 0/75/4339/0 (size/max/drops/flushes); Total output drops: 89

Other end has 39 drops

Is it OK to have drops when there is a large amount of traffic through the tunnel?

Need to know what I should look for?

Are these 89 drops OK to have?

Thank you

Mahesh

Hello Manu,

This is not really a subject that is close to me, but I'll give it a try.

What model of device do you use at the site where you observe the high CPU? Maybe the device cannot handle the amount of traffic using this method?

Can you post the output of the command "show interface Tunnel x"?

What type of WAN connection does this GRE tunnel use?

Is the bandwidth on what whether failure 8000 kbps both inside and outside?

I think that you can configure it by using the commands

"tunnel bandwidth transmit"

"tunnel bandwidth receive"

There is also a command

"bandwidth".

What do you use this connection for? Were there changes in the use of the network between sites that would explain the increased CPU usage?

It seems, according to the output above, that the tunnel is simply pushing in and out as much traffic as possible. Or as much traffic as it can push according to the configuration of the interface.

txload 235/255, rxload 241/255

This, coupled with high CPU usage, could naturally explain the drops. Although of course, the CPU usage is probably the effect of the use of the tunnel bandwidth.

-Jouni
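The txload/rxload figures discussed in this thread are fractions of the interface's configured bandwidth value (BW 100 Kbit here), not of the WAN link speed. The following added example (not part of the original posts) parses the quoted counters and converts the load fractions into the rate they imply; the sample text is constructed from the values in the question, and the function names and the 0.9 threshold are assumptions.

```python
import re

# Constructed sample: the counters quoted in the question, laid out as IOS prints them.
SAMPLE_OUTPUT = """\
  MTU 17916 bytes, BW 100 Kbit, DLY 50000 usec,
     reliability 255/255, txload 235/255, rxload 241/255
  Input queue: 0/75/4339/0 (size/max/drops/flushes); Total output drops: 89
"""

# Field name -> regex with one capture group. The input-queue pattern accepts
# "/" or "," between the four counters.
FIELDS = {
    "bw_kbit": r"BW\s+(\d+)\s+Kbit",
    "txload": r"txload\s+(\d+)/255",
    "rxload": r"rxload\s+(\d+)/255",
    "input_drops": r"Input queue:\s*\d+\s*[/,]\s*\d+\s*[/,]\s*(\d+)",
    "output_drops": r"Total output drops:\s*(\d+)",
}


def parse_counters(text):
    """Extract bandwidth, load fractions and drop counters as integers."""
    counters = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field {name!r} not found in interface output")
        counters[name] = int(match.group(1))
    return counters


def load_to_kbit(load, bw_kbit):
    """Convert an n/255 load value into kbit/s relative to the configured BW."""
    if not 0 <= load <= 255:
        raise ValueError("load must be between 0 and 255")
    return round(load / 255 * bw_kbit, 1)


def assess(text, busy_fraction=0.9):
    """Summarise the counters; busy_fraction is an assumed threshold."""
    c = parse_counters(text)
    return {
        "bw_kbit": c["bw_kbit"],
        "tx_kbit": load_to_kbit(c["txload"], c["bw_kbit"]),
        "rx_kbit": load_to_kbit(c["rxload"], c["bw_kbit"]),
        # True when either direction is close to the *configured* bandwidth.
        "near_configured_bw": max(c["txload"], c["rxload"]) / 255 >= busy_fraction,
        "input_drops": c["input_drops"],
        "output_drops": c["output_drops"],
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

With BW left at 100 Kbit, a load of 235/255 only says the tunnel is carrying roughly 92 kbit/s, so the load figure is meaningful only once the bandwidth value reflects the real link.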

Tags: Cisco Security

Similar Questions

  • Host Process for Windows Services high CPU usage

    Assalamualaikum...

    Dear Admin and Expert.

    I am currently using a genuine Windows 7 Home Premium SP1 64 bit. I reinstalled my laptop a few days ago and ran the update process. Everything worked well. The update process completed successfully after more than 12 hours.

    My problem occurred after the update completed. The 'Host Process for Windows Services' runs automatically and consumes most of the CPU.

    Could you please tell me what 'Host Process for Windows Services' is and what its role actually is? Is there a method I can use to fix this?

    I really thank you if you answer...

    Windows 7 update problems? First read this.

    :)

  • Major issues with plugincontainer.exe freezing Firefox 34, high CPU usage

    Plugincontainer.exe is ruining my experience with Firefox by endlessly freezing due to the high CPU utilization. Please provide a workaround or another solution. Thank you.

    Thanks for posting back. It looks like pages using the plugin container are the main source of the CPU usage.

    It is possible to disable hardware acceleration of Flash to see if there are improvements:

    Please tell us if it helped!

  • Dell Unified Wireless Suite high CPU usage

    This software (Dell Unified Wireless Suite), running as Wcct.exe, is using a lot of CPU on my Latitude E7440.  It's consistently in the upper 20s to low 30s.  It causes the battery to drain much faster since the unit heats up and the fan runs.  I can end the process (Wcct.exe) and everything seems to work very well.

    I've run the Dell Client system update utility but it does not seem to have an update for it.  Any suggestions?

    I had the same problem with a Dell E6440 laptop. Installed a Siemens software that requires a dongle for security checks. After the dongle driver was installed, the WCCT.EXE process started permanently using 30% more of the CPU.

    The solution is to uninstall the Unified Wireless Suite as follows and just use the base wireless driver.

    Here's what I did:

    1. Uninstall the driver of the offending dongle (or anything that is in conflict with it)

    2. Then uninstall the Dell Unified Wireless Suite. This will remove the wireless card driver and will show a 'bang' in Device Manager.

    3. Download the Dell Wireless driver but do NOT install it via the setup .exe; rather, use WinZip or another program to extract the files to any folder (desktop?).

    4. In the Device Manager, click on the NIC with the 'bang' and right click to "Update driver". Point to the directory with the extracted drivers and let it find the correct driver.

    5. Now install the offending software (driver of the dongle in my case).

  • Task Manager shows my CPU at 100% usage but when I go to the Processes tab only a handful of programs with a percentage higher than 0 are displayed and none of them is more than 3%

    Original title: Task Manager

    Task Manager shows my CPU at 100% usage but when I go to the Processes tab and sort by CPU usage there are only a handful of programs with a percentage higher than 0 displayed and none of them is more than 3%.  What else is using my system resources that is not displayed by the Task Manager?

    Click Show processes from all users . There may be other systemic processes and processes that run under other accounts.

    Ramesh Srinivasan, Microsoft MVP [Windows Desktop Experience]

  • IGP and GRE Tunnel

    Please see the picture above: two sites are connected using Fa 0/1 on R1 and R2, and a GRE tunnel is formed.

    Case 1:

    We have a point-to-point connection between two routers and the IP addresses assigned to Fa 0/1 on R1 and R2 belong to the same subnet. We then configure a GRE tunnel on these as indicated in the topology:

    • Using an IGP such as EIGRP or OSPF we can peer routers R1 and R2 using both the tunnel and the point-to-point connection.
    • This will make redundant paths between the two routers
    • This will form a double neighbor relationship between the two routers (for example for EIGRP or OSPF).
    • Or we can use just the tunnel for the exchange of traffic between the two routers.

    My Question:

    1. What is the standard in this topology in the real world: using both connections for IGP peering, or just the tunnel?
    2. What is the standard in this topology in an exam: using both connections for IGP peering, or just the tunnel?

    Case 2:

    If Fa 0/1 on both routers has public IPs that do not belong to the same subnet, then I think that we have to create a tunnel between the two routers and then use the tunnel on both routers for IGP peering.

    My Question:

    • I just want to know whether this is a valid case, and also do we get this case in an exam?

    Feel free to comment on both cases; I just created these two cases to clear my mind.

    Basically the tunnel is a virtual point-to-point link between two routers. When you have two routers physically connected by a point-to-point link, the tunnel has no utility, but if you have two routers separated by many network hops, then a GRE and IPsec tunnel is useful, and in this case the tunnel gives you the ease of a logical point-to-point network.

    In the tunnel you can run any routing protocol (OSPF, EIGRP, BGP) or similarly a static route, as on a point-to-point interface between two routers.

    Answers to your questions, in my opinion, are as below

    case 1

    1. What is the standard in this topology in the real world: using both connections for IGP peering, or just the tunnel? -There is no use for the tunnel in this case in the real world, so you would use any routing protocol over the physical point-to-point interface.
    2. What is the standard in this topology in an exam: using both connections for IGP peering, or just the tunnel? -Same as the point above; exams are mostly based on real-world scenarios (not sure which exam you're talking about).

    Case 2

    • I just want to know whether this is a valid case, and also do we get this case in an exam? -Yes, this is valid in the real world, and also from an exam point of view, especially DMVPN and IPsec tunnels in the CCIE exam.

    Please always rate useful posts!

    Kind regards

    Pawan (CCIE # 52104)

  • GRE tunnels and no gre

    I am doing a test vpn on a router to an ASA 18xx.

    The existing router already has 3 site-to-site VPNs. They use GRE tunnels. I would like to add another site-to-site VPN but not using GRE tunnels.

    I only have one outbound interface, which has the GRE crypto map applied. If I add it to the existing crypto map, it will try to go through the GRE tunnel

    Is there a way I can get this to work?

    This part of the config seems to be OK.

    You need to find out why the tunnel to peer X.X.X.44 is not being built.

    Check ACL 180 and also make sure that you are not blocking that traffic in AL-FA0-IN

    I see you do NAT on fa0 - probably you have to exclude that VPN traffic from NAT.

    ---

    Michal

  • Significant decline in performance on the GRE tunnel after using cryptographic protection

    Hi all

    I have two ISR G1 (1811 and 1812) that have a GRE tunnel between them.

    Without any encryption protection I got about 3.6 MB/s in regular Windows SMB transfers. After applying cryptographic protection to the tunnel I now get only 2.7 MB/s for the same transfers.

    No idea as to why this is?

    My conclusions:
    According to this http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn... the AES crypto fixed return of the 1800s is 40 MB/s.
    The increase in overhead of cryptographic protection shouldn't be the problem: I tried to test the transfers on the tunnel without protection and with 'ip tcp adjust-mss 800' on the tunnel. There was only a small performance drop here, not as much as with the crypto.
    I tried several crypto transform sets; they all give the same performance as long as they are done in hardware.
    Is ISAKMP always done in software? I can't get it to show that it is done at the hardware level, regardless of isakmp policy.

    IP MTU on both interfaces of tunnel are 1434 with cryptographic protection.

    My config:

    crypto isakmp policy 10
     encr aes 256
     hash sha512
     authentication pre-share
     group 20
    crypto isakmp key * address *
    !
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
     mode transport
    !
    crypto ipsec profile VPN
     set transform-set ESP-AES256-SHA
    !
    interface Tunnel10
     ip address 10.251.251.1 255.255.255.0
     no ip redirects
     no ip proxy-arp
     load-interval 30
     tunnel source FastEthernet0
     tunnel destination *
     tunnel path-mtu-discovery
     tunnel protection ipsec profile VPN
    !

    Output:

    ISR1811#sh crypto ipsec sa
    interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr *

    protected vrf: (none)
    local ident (addr/mask/prot/port): (*/255.255.255.255/47/0)
    remote ident (addr/mask/prot/port): (*/255.255.255.255/47/0)
    current_peer * port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 683060, #pkts encrypt: 683060, #pkts digest: 683060
    #pkts decaps: 1227247, #pkts decrypt: 1227247, #pkts verify: 1227247
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: *, remote crypto endpt.: ***
    path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
    current outbound spi: 0x8D9A911E(2375717150)
    PFS (Y/N): N, DH group: none

    inbound esp sas:
    spi: 0xD6F42959(3606325593)
    transform: esp-256-aes esp-sha-hmac ,
    in use settings ={Transport, }
    conn id: 45, flow_id: Onboard VPN:45, sibling_flags 80000006, crypto map: Tunnel10-head-0
    sa timing: remaining key lifetime (k/sec): (4563208/1061)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

    inbound ah sas:
    inbound pcp sas:

    outbound esp sas:
    spi: 0x8D9A911E(2375717150)
    transform: esp-256-aes esp-sha-hmac ,
    in use settings ={Transport, }
    conn id: 46, flow_id: Onboard VPN:46, sibling_flags 80000006, crypto map: Tunnel10-head-0
    sa timing: remaining key lifetime (k/sec): (4563239/1061)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

    outbound ah sas:
    outbound pcp sas:

    ISR1811#show crypto isakmp sa detail
    Codes: C - IKE configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal
    T - cTCP encapsulation, X - IKE Extended Authentication
    psk - Preshared key, rsig - RSA signature
    renc - RSA encryption
    IPv4 Crypto ISAKMP SA

    C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
    2015 * * ACTIVE aes sha5 psk 20 12:42:50
    Engine-id:Conn-id = SW:15
    2016 * * ACTIVE aes sha5 psk 20 12:42:58
    Engine-id:Conn-id = SW:16
    IPv6 Crypto ISAKMP SA

    CPU usage for the transfer with crypto:

    ISR1811#sh proc cpu history

    ISR1811 09:19:54 Tuesday Sep 2 2014 THIS

    544444555555555544444444445555544444555556666644444555555555
    355555000001111133333888884444444444333333333377777666662222
    100
    90
    80
    70
    60                                          *****     *****
    50 ****************     **********     ************************
    40 ************************************************************
    30 ************************************************************
    20 ************************************************************
    10 ************************************************************
    0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
    0 5 0 5 0 5 0 5 0 5 0
    Processor: % per second (last 60 seconds)

    ISR1812 #sh proc cpu history

    ISR1812, Tuesday 09:19:24 Sep 2 2014 THIS

    666666666666666666666666666666666666666666655555444445555544
    777888883333344444555555555566666777770000055555777776666666
    100
    90
    80
    70 ********          ********************
    60 ************************************************     *****
    50 ************************************************************
    40 ************************************************************
    30 ************************************************************
    20 ************************************************************
    10 ************************************************************
    0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
    0 5 0 5 0 5 0 5 0 5 0
    Processor: % per second (last 60 seconds)

    I think that this performance is what you should get with the legacy 18xx ISR G1. But the performance degradation is perhaps really a little too high.

    For ISAKMP, there is no problem with that. The amount of protected data is too small to have any influence.

    As a first test, I would remove the GRE encapsulation by setting "tunnel mode ipsec ipv4" on the tunnel interface and compare if the results improve.

  • Configuration of site-to-site VPN connection via GRE tunnels

    I am trying to connect a site-to-site VPN over the internet using GRE tunnels. I am able to reach from one WAN interface to the other. But I am not able to get ISAKMP and IPsec to work. Below are the configuration and a simplified diagram. In the scenario below, I am also running BGP between these routers. The BGP neighborships are formed through the tunnels. But I want the traffic through the tunnels to be encrypted. IPsec and ISAKMP are not running; BGP routes and other traffic are not encrypted.

    This is why I would like to know what could be the reason for this.

    Router config VPN 1

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 500
    crypto isakmp key test_key1 address 192.168.30.1
    crypto isakmp key test_key1 address 192.168.30.2
    crypto isakmp keepalive 60 20
    crypto isakmp aggressive-mode disable
    !
    !
    crypto ipsec transform-set high esp-3des esp-sha-hmac
     mode tunnel
    !
    !
    !
    crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp
     set peer 192.168.20.1
     set security-association lifetime seconds 4000
     set transform-set high
     set pfs group2
     match address 110
    crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp
     set peer 192.168.20.2
     set security-association lifetime seconds 4000
     set transform-set high
     set pfs group2
     match address 111
    !
    interface Loopback0
     description IPsec_Tunnel0
     ip address 192.168.30.1 255.255.255.255
    !
    interface Loopback1
     description IPsec_Tunnel1
     ip address 192.168.30.2 255.255.255.255
    !
    interface Loopback2
     description BGP_Peer1
     ip address 192.168.40.1 255.255.255.255
    !
    interface Loopback3
     description BGP_Peer2
     ip address 192.168.40.2 255.255.255.255
    !
    interface Tunnel0
     ip unnumbered Loopback0
     tunnel source Loopback0
     tunnel destination 192.168.20.1
     crypto map CRYP_MAP_IPSEC
    !
    interface Tunnel1
     ip unnumbered Loopback1
     tunnel source Loopback1
     tunnel destination 192.168.20.2
     crypto map CRYP_MAP_IPSEC
    !
    interface gi0
     description #### CONNECTED TO Internet ####
     ip address 10.1.1.1 255.255.255.252
     ip access-group 100 in
     duplex auto
     speed auto
    !
    router bgp 64851
     bgp log-neighbor-changes
     neighbor BGP_PEER_1 peer-group
     neighbor BGP_PEER_1 remote-as 64859
     neighbor BGP_PEER_1 ebgp-multihop 255
     neighbor BGP_PEER_1 update-source Loopback2
     neighbor BGP_PEER_1 version 4
     neighbor BGP_PEER_1 next-hop-self
     neighbor BGP_PEER_2 peer-group
     neighbor BGP_PEER_2 remote-as 64859
     neighbor BGP_PEER_2 ebgp-multihop 255
     neighbor BGP_PEER_2 update-source Loopback3
     neighbor BGP_PEER_2 version 4
     neighbor BGP_PEER_2 next-hop-self
     neighbor 192.168.10.1 peer-group BGP_PEER_1
     neighbor 192.168.10.2 peer-group BGP_PEER_2
    !
    ip route 192.168.10.1 255.255.255.255 Tunnel0
    ip route 192.168.10.2 255.255.255.255 Tunnel1
    ip route 192.168.20.1 255.255.255.255 GigabitEthernet0
    ip route 192.168.20.2 255.255.255.255 GigabitEthernet0
    !
    access-list 100 permit ip any any
    access-list 110 permit gre host 192.168.30.1 host 192.168.20.1
    access-list 110 permit gre host 192.168.20.1 host 192.168.30.1
    access-list 111 permit gre host 192.168.30.2 host 192.168.20.2
    access-list 111 permit gre host 192.168.20.2 host 192.168.30.2
    ======================================================================

    Router config VPN 2

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 500
    crypto isakmp key test_key1 address 192.168.30.1
    crypto isakmp key test_key1 address 192.168.30.2
    crypto isakmp keepalive 60 20
    crypto isakmp aggressive-mode disable
    !
    !
    crypto ipsec transform-set high esp-3des esp-sha-hmac
     mode tunnel
    !
    !
    !
    crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp
     set peer 192.168.30.1
     set security-association lifetime seconds 4000
     set transform-set high
     set pfs group2
     match address 110
    crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp
     set peer 192.168.30.2
     set security-association lifetime seconds 4000
     set transform-set high
     set pfs group2
     match address 111
    !
    interface Loopback0
     description IPsec_Tunnel0
     ip address 192.168.20.1 255.255.255.255
    !
    interface Loopback1
     description IPsec_Tunnel1
     ip address 192.168.20.2 255.255.255.255
    !
    interface Loopback2
     description BGP_Peer1
     ip address 192.168.10.1 255.255.255.255
    !
    interface Loopback3
     description BGP_Peer2
     ip address 192.168.10.2 255.255.255.255
    !
    interface Tunnel0
     ip unnumbered Loopback0
     tunnel source Loopback0
     tunnel destination 192.168.30.1
     crypto map CRYP_MAP_IPSEC
    !
    interface Tunnel1
     ip unnumbered Loopback1
     tunnel source Loopback1
     tunnel destination 192.168.30.2
     crypto map CRYP_MAP_IPSEC
    !
    interface gi0
     description #### CONNECTED TO Internet ####
     ip address 10.1.1.2 255.255.255.252
     ip access-group 100 in
     duplex auto
     speed auto
    !
    router bgp 64859
     bgp log-neighbor-changes
     neighbor BGP_PEER_1 peer-group
     neighbor BGP_PEER_1 remote-as 64851
     neighbor BGP_PEER_1 ebgp-multihop 255
     neighbor BGP_PEER_1 update-source Loopback2
     neighbor BGP_PEER_1 version 4
     neighbor BGP_PEER_1 next-hop-self
     neighbor BGP_PEER_2 peer-group
     neighbor BGP_PEER_2 remote-as 64851
     neighbor BGP_PEER_2 ebgp-multihop 255
     neighbor BGP_PEER_2 update-source Loopback3
     neighbor BGP_PEER_2 version 4
     neighbor BGP_PEER_2 next-hop-self
     neighbor 192.168.40.1 peer-group BGP_PEER_1
     neighbor 192.168.40.2 peer-group BGP_PEER_2
    !
    ip route 192.168.40.1 255.255.255.255 Tunnel0
    ip route 192.168.40.2 255.255.255.255 Tunnel1
    ip route 192.168.30.1 255.255.255.255 gi0
    ip route 192.168.30.2 255.255.255.255 gi0
    !
    access-list 100 permit ip any any
    access-list 110 permit gre host 192.168.20.1 host 192.168.30.1
    access-list 110 permit gre host 192.168.30.1 host 192.168.20.1
    access-list 111 permit gre host 192.168.20.2 host 192.168.30.2
    access-list 111 permit gre host 192.168.30.2 host 192.168.20.2
    ======================================================================

    The encryption configuration of your tunnel is incorrect... you need to do something like the following at both ends.

    crypto isakmp policy 10
     encr aes
     hash sha
     authentication pre-share
     group 5

    crypto isakmp key cisco address

    crypto ipsec transform-set RIGHT esp-aes 256 esp-sha-hmac

    crypto ipsec profile MYPROFILE
     set transform-set RIGHT

    interface tunnel 10
     ip unnumbered gig0/0
     tunnel source gig0/0
     tunnel destination
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile MYPROFILE
     

    --

    Please do not forget to select a correct answer and rate useful posts

  • The GRE tunnel goes down?

    So here's my setup:

    Internal router (2821) > Cluster internal DMZ ASA > router DMZ (2821) > external DMZ Checkpoint Cluster > Branch Office router (877)

    Internal Cluster ASA a configured PAT production internal then all the VLANS.

    The router in the DMZ has an interior interface configured on the internal DMZ and an external interface configured on the external DMZ. The DMZ router has two interfaces configured loopback.

    The external control point is configured with NAT for the incoming and outgoing traffic.

    The branch is a DSL router with a static IP address.

    The first requirement is to configure a GRE IPSec tunnel between the DMZ router and the branch office router.

    The second condition is to configure a GRE IPSec tunnel between the internal router and the router in the DMZ.

    The third requirement is to allow routing between the internal router and the branch through the router in the DMZ, because it is ultimately the live backup connection between the head office and the branch.

    I configured a GRE IPSec tunnel between the router in the DMZ and the routers of Management Office successfully.

    I can also set up a GRE tunnel (without IPSec) between the internal router and the router in the DMZ.

    However, whenever the GRE tunnel establishes between the internal and DMZ routers and an EIGRP neighborship forms, the EIGRP neighborship between the router in the DMZ and the branch drops! See the following DMZ router log:

    Tunnel1 = to branch

    Tunnel100 = to internal

    002885:. 3 Mar 22:32:57.013: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
    002886:. 3 Mar 22:33:06.029: %DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 172.17.205.61 (Tunnel1) is up: new adjacency
    002889:. 3 Mar 22:33:58.434: %LINK-3-UPDOWN: Interface Tunnel100, changed state to up
    002890:. 3 Mar 22:33:58.438: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
    002891:. 3 Mar 22:34:15.370: %DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 192.168.5.66 (Tunnel100) is up: new adjacency
    002892:. 3 Mar 22:34:30.551: %DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 172.17.205.61 (Tunnel1) is down: holding time expired
    002893:. 3 Mar 22:34:47.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down

    The IPSec tunnel, for the branch remains in place throughout.

    Can anyone help!?

    The problem was that whenever the GRE tunnel was established between the internal and DMZ routers and an EIGRP neighbor formed, the branch was learning the next hop to the tunnel destination from a different device.

    This is how the branch was learning the route to the tunnel destination:

    interface Tunnel1
     description Tandragee Sub Station router VPN Tunnel
     bandwidth 64
     ip address 172.17.205.62 255.255.255.252
     no ip route-cache cef
     delay 20000
     keepalive 10 3
     tunnel source Loopback1
     tunnel destination 172.17.255.23

    be-idz-vpn-01#sh ip route 172.17.255.23
    Routing entry for 172.17.255.23/32
      Known via "static", distance 1, metric 0
      Routing Descriptor Blocks:
      * 172.17.252.129
          Route metric is 0, traffic share count is 1

    be-idz-vpn-01#sh ip route 172.17.252.129
    Routing entry for 172.17.252.128/25
      Known via "connected", distance 0, metric 0 (connected, via interface)
      Routing Descriptor Blocks:
      * directly connected, via GigabitEthernet0/1
          Route metric is 0, traffic share count is 1

    be-idz-vpn-01#

    This is how the next hop was learned once the GRE tunnel between the internal and DMZ routers was up:

    be-idz-vpn-01#sh ip route 172.17.252.129
    Routing entry for 172.17.252.128/27
      Known via "eigrp 1", distance 170, metric 40258816, type external
      Redistributing via eigrp 1
      Last update from 192.168.5.66 on Tunnel100, 00:07:25 ago
      Routing Descriptor Blocks:
      * 192.168.5.66, from 192.168.5.66, 00:07:25 ago, via Tunnel100
          Route metric is 40258816, traffic share count is 1
          Total delay is 10110 microseconds, minimum bandwidth is 64 Kbit
          Reliability 255/255, minimum MTU 1476 bytes
          Loading 1/255, Hops 2

    We can see how the next hop to the tunnel destination 172.17.255.23 changed from known via 'connected' via GigabitEthernet0/1 to known via "eigrp 1" through Tunnel100.

    This causes Tunnel 1 to drop.

    The reason for this behavior was that the route to reach the next hop was learned with a longer match through the tunnel interface, so it won the race into the routing table.

    The solution we applied:

    Created a distribute-list on the branch office router in order to remove this specific route from the Tunnel 100 updates.

    router eigrp 1
     distribute-list 1
     network 10.10.10.0 0.0.0.3
     network 172.17.203.56 0.0.0.3
     network 172.17.203.60 0.0.0.3
     network 172.17.205.60 0.0.0.3
     network 172.19.98.18 0.0.0.0
     network 192.168.5.64 0.0.0.3
     passive-interface Loopback1

    be-idz-vpn-01#sh access-list 1
    Standard IP access list 1
        10 deny   172.17.252.128, wildcard bits 0.0.0.127 (1 match)
        20 permit (1230 matches)

    be-idz-vpn-01#

    Once this had been applied, we could have the GRE tunnel established between the internal and DMZ routers along with the GRE tunnel between the branch and the router in the DMZ.
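    The failure described in this post comes down to longest-prefix matching during recursive next-hop resolution. The following added example (not part of the original post) replays it with the prefixes shown in the outputs above; the function names are hypothetical, and the ACL's second entry is modelled as "permit any", which is an assumption.

```python
import ipaddress

# Routes taken from the 'sh ip route' outputs in the post.
BASE_RIB = [
    {"prefix": "172.17.255.23/32", "source": "static",
     "next_hop": "172.17.252.129"},
    {"prefix": "172.17.252.128/25", "source": "connected",
     "interface": "GigabitEthernet0/1"},
]
# Route learned from the internal router once Tunnel100 comes up.
EIGRP_UPDATE = [
    {"prefix": "172.17.252.128/27", "source": "eigrp 1",
     "next_hop": "192.168.5.66", "interface": "Tunnel100"},
]
# access-list 1 from the post as (action, address, wildcard).
# Assumption: entry 20 is "permit any".
ACL_1 = [
    ("deny", "172.17.252.128", "0.0.0.127"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]


def best_route(rib, address):
    """Return the most specific route covering address, or None."""
    addr = ipaddress.ip_address(address)
    covering = [r for r in rib if addr in ipaddress.ip_network(r["prefix"])]
    if not covering:
        return None
    return max(covering, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen)


def resolve_exit_interface(rib, address, max_depth=8):
    """Follow next hops until a route names an exit interface."""
    for _ in range(max_depth):
        route = best_route(rib, address)
        if route is None:
            return None
        if "interface" in route:
            return route["interface"]
        address = route["next_hop"]  # recursive lookup on the next hop
    return None  # unresolved: too many levels of recursion


def acl_permits(acl, prefix):
    """Standard ACL check on a route's network address; implicit deny at the end."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if net & care == int(ipaddress.ip_address(base)) & care:
            return action == "permit"
    return False


def apply_distribute_list(acl, routes):
    """Keep only the learned routes that the ACL permits."""
    return [r for r in routes if acl_permits(acl, r["prefix"])]


if __name__ == "__main__":
    dest = "172.17.255.23"  # Tunnel1 destination from the post
    print("before Tunnel100:", resolve_exit_interface(BASE_RIB, dest))
    print("with EIGRP /27:  ", resolve_exit_interface(BASE_RIB + EIGRP_UPDATE, dest))
    filtered = apply_distribute_list(ACL_1, EIGRP_UPDATE)
    print("after filtering: ", resolve_exit_interface(BASE_RIB + filtered, dest))
```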

  • Decision on DMVPN and L2L simple IPsec tunnels

    I have a project where I need to make a decision on which solution to implement... environment is as follows...

    • 4 branches.
    • Each branch has 2 subnets; one for DATA and another for VOICE
    • 2 ISPS in each (an Internet access provider and a provider of MPLS)
    • Branch #1 isn't necessarily the HUB office where all database servers and files are
    • Branch #2 is actually where the phone equipment is
    • The other 2 branches are just spoke branches (they may never need DATA interconnectivity, but they do need VOICE interconnection when they call from one spoke directly to the other)
    • MPLS is currently used for telephone traffic.
    • The ISP provider link is used for site-to-site tunnels that traverse the internet, and it is the primary path for DATA. This means that all branch DATA subnets use the site-to-site tunnels as the main route to reach branch #1, where all files and databases are located.
    • I'd like to have redundancy in case the MPLS network goes down, so that all VOICE traffic switches to the L2L tunnels.

    My #1 Option

    Because there isn't really a need for a star topology, I don't really know if I want to apply DMVPN, although I read great things about it. In addition, another reason I would perhaps have against DMVPN is the 'delay' involved, at least during initialization, in spoke-to-spoke communications. There is always a dropped packet when one spoke wants to initiate communication with another.

    My #2 Option

    My other choice is just to deploy L2L IPSec tunnels between all 4 branches. It's certainly much easier to install than DMVPN although DMVPN can without routing protocols that I think I'll need. But with these plain L2L IPSec tunnels, I can also add GRE tunnels and route routing protocol traffic over them as well as all multicast traffic. In addition, I can easily install a simple IP SLA that will keep all tunnels up forever.

    Can someone please help me choose one over the other? Or am I just okay with implementing option #2?

    Thanks in advance

    Hi ciscobigcat

    Yes, OSPF will send periodic 'Hello' packets and they will keep the tunnels up at all times.

    The numbers that you see (143 and 1001) are the "cost" of the path, so OSPF (simplified) will calculate what different paths there are to a destination and assign each of them a 'cost' (by assigning a cost to each segment of the path, for example GigabitEthernet is "lower cost" than FastEthernet, and then adding the costs of all segments).

    Then it will take the path with the lowest cost (143 in your case, in normal operation) and insert this in the routing table.

    So since traffic is already going the right way, I don't know if you still need any tweaking? Personally, I would not add a second routing protocol because, generally, it makes things more complicated.

    For QoS, it is important to use "qos pre-classify".

    See for example

    http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html

    http://www.Cisco.com/en/us/Tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml

    HTH

    Herbert

  • Impossible to copy files to the Sansa Fuze using Windows 7 (drag and drop, or Windows Media Player)

    Hello

    Yesterday, I bought the Sansa Fuze and I have problems copying files to the device using either Windows Media Player (Sync) or Drag and Drop (Explorer).

    The symptoms are:

    (1) the device is recognized and available in Windows 7 (Series USB MSC - sorry don't have it with me right now)

    (2) took me to upgrade to the latest firmware, which has worked flawlessly

    (3) when I try to drag and drop a file on the device (I use Windows 7, 64-bit), it starts, but doesn't seem to calculate the size of the files or waiting time to download correctly.  It is followed by a slow progressive, until the computer crashes, resulting in a constant 100% of the CPU.  The only solution is a hard reboot

    (4) when you use Windows WM, the device is recognized, okay and the synchronization starts, but it then stops without reason.  Once again, the processor springs and requires a reboot

    (5) using the results 3 and 4 in 1-5 files being copied across, but not more.

    (6) I tried several albums and one album at a time, but cannot determine if that makes a difference.

    Help, please!

    See you soon,.

    Richard

    It may be a bug in Windows 7. But one thing to try is to go to the Device Manager (assuming that Windows 7 still has it), uninstall the "Fuze" (under USB controllers), and then run Add Hardware to find and reinstall the driver.

    Use MTP mode with Windows Media Player, MSC mode without.

  • How to import or drag and drop photos into Windows Live Movie Maker?

    I'm unable to either import or drag and drop photos into Windows Live Movie Maker.  I just finished a movie and when I try to open a new project, I click on "Add photos and video", taking me to 'my pictures', but when I try to open him "add photos and video", the "file name" has so much history, it doesn't allow me to click on the location of my file.  How can I get rid of this story?  The first film was so easy, but this new project has been up to this impossible after about 7 hours of attempts.  Help, please!

    Hi Anniebp2,

    I think perhaps the best next step after all your efforts is trying to repair the program.  For this, since it is part of the Windows Essentials pack, you can go to the Windows Essentials page and re-download and re-install the package, which will update and fix Movie Maker if necessary. I hope that this solves the problem for you. Please let me know how it goes.

  • Multicast traffic over GRE tunnel

    Hi guys,

    I have a point-to-point connection via an ISP, with BGP, on a 100 Mbps link between the branch and the central office.

    I set up a GRE tunnel between two Cisco 2801 routers with IOS Advanced Security, running the OSPF protocol so I can share the multicast traffic for streaming between the two sites, but I am only able to get 6 Mbps out of the tunnel between the sites. I have configured multicast PIM sparse-mode to transport video traffic over the tunnel.

    Is there a limit on the GRE tunnel, could it be MTU, or perhaps other issues? Can anyone help me solve this question, guys?

    Hello

    There is a lot of discussion about bandwidth limitations on the tunnel interface. But most of the discussions seem to be linked to software limitations on the device.

    Issues could be related to MTU. Have you enabled PMTUD on the tunnel interface? If this is not the case, turn it on, as it is recommended on the tunnel interface.

    HTH.

    Rate useful posts.

    Kind regards

    Terence

  • VPN3000 as an endpoint of a GRE tunnel

    Dear all,

    Is it possible for a VPN3000 to terminate a GRE tunnel on its own interface (private or public)? As far as I can see in the GUI, it looks like there is no option to configure one end of a GRE tunnel. You can configure a GRE filter, but that is for GRE traffic passing through, am I right?

    Best regards

    Engel

    Engel,

    You cannot terminate a GRE tunnel for LAN-to-LAN on a concentrator (as in IOS). The PPTP protocol uses GRE as the transport protocol, which a VPN3K concentrator supports (hence the filters and debugs for GRE)

    Hope that answers your question

    Jean Marc
