Packet Drops on IPSEC GRE Tunnels

From: Salau, Yemi (yemi.salau@siemens.com)
Date: Wed Aug 13 2008 - 11:57:00 ART

Next message: Jose James: "Re: Packet Drops on IPSEC GRE Tunnels"
Previous message: Fahad Khan: "Re: Manipulating External EIGRP Distance"
Next in thread: Jose James: "Re: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Jose James: "Re: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Sadiq Yakasai: "Re: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Jason Madsen: "Re: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Salau, Yemi: "RE: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Daniel Valle: "Re: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Asif: "Re: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Asif: "Re: Packet Drops on IPSEC GRE Tunnels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Experts,

I've searched everywhere I could, but need someone to kindly give an
expert opinion as to why outbound packets on IPSEC GRE tunnel interfaces
get dropped, even without congestion? I could understand inbound traffic
being dropped due to dencapsulation and decryption processes ie. loosing
of gre and ipsec headers etc. During these periods, the cpu is usually <
4% and there is usually no congestion or high bandwidth utilisation on
the tunnels.

Also, is there any correlation with IPSEC GRE packets flow and CPU
processor power on a router? Maybe that one sound a bit daft, but I
can't honestly figure out why encryption process on a Cisco 2811 will
jack up the cpu to about 95%; hence why I'm humbly asking the group for
further expert opinions on this.

************************************************************************
*************************

Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Description: Tunnel interface for GRE link from Rack1-R1 to Rack1-R4
  Internet address is 10.10.11.1/24
  MTU 1514 bytes, BW 1500 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (10 sec), retries 3
  Tunnel source 10.10.1.1 (Loopback1), destination 10.10.4.4
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 0w2d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops:
108961
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 9000 bits/sec, 6 packets/sec
  5 minute output rate 3000 bits/sec, 4 packets/sec
     91212393 packets input, 1052133962 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     120861676 packets output, 1801671796 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

************************************************************************
*************************

Many Thanks.

Yemi Salau.

Blogs and organic groups at http://www.ccie.net

Next message: Jose James: "Re: Packet Drops on IPSEC GRE Tunnels"
Previous message: Fahad Khan: "Re: Manipulating External EIGRP Distance"
Next in thread: Jose James: "Re: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Jose James: "Re: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Sadiq Yakasai: "Re: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Jason Madsen: "Re: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Salau, Yemi: "RE: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Daniel Valle: "Re: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Asif: "Re: Packet Drops on IPSEC GRE Tunnels"
Maybe reply: Asif: "Re: Packet Drops on IPSEC GRE Tunnels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:30 ART