Wireless Access

I have two 650 controllers that have an IPsec tunnel connecting them  with a GRE inside the IPSEC to provide a bridged VLAN.  When I try to do a speed test without using the vlan associated with the tunnel i get 30Mbs up and down.  When I use the tunnel i get 20Mbps up and only 3Mbps down.   Something seems to be significantly slowing down the traffic.  I am not sure if it is with the GRE or the IPSec tunnel

Tunnel 199 is up line protocol is up

Description: Tunnel Interface

Source  10.24.242.1

Destination 10.30.42.19

Tunnel mtu is set to 1200

Tunnel is a Layer2 GRE TUNNEL

Tunnel is Trusted

Inter Tunnel Flooding is enabled

Tunnel keepalive is disabled

tunnel vlan 33

Tunnel 199 is up line protocol is up

Description: Tunnel Interface

Source  10.30.42.19

Destination 10.24.242.1

Tunnel mtu is set to 1200

Tunnel is a Layer2 GRE TUNNEL

Tunnel is Trusted

Inter Tunnel Flooding is enabled

Tunnel keepalive is disabled

Keepalive type is Default

tunnel vlan 33

There is definitely overhead, whether it be encapsulation or serialization when doing GRE through IPSEC.  The MTU also might play a part as well (try increasing it on both sides).

Other things you can try:

- Disable Inter-tunnel flooding on both sides

- Enable BCMC Optimization on on VLAN 33 on both controllers.

Thanks Colin,

a slow down from 30Mbps to 3 is normal?  I am thinking it must be a duplex mismatch along the way somewhere.  I have alot of success with RAPs do they useally have that kind of preformance hit? what do they do differnetly then IPSEC with GRE?

mattjhughes,

I did not say normal.  I am just giving you ideas on what to check, in addition to what you came up with, as well.

ok gotcha,  I will keep looking, I turned off tunnel-flooding, and have BCMC on. I have tweaked MTU but not sure how to go about picking the numbers I tried 1100, 1200, 1500.

Well,

You should try to see what the TOP MTU is in the first place.  Increase the MTU and use the instructions on the page here:  http://samdobs.blogspot.com/2012/12/setting-df-bit-from-windows-machine.html to see when it fails.  Ideally you would ping a site that is outside of your network to test maximum MTU end-to-end or some site inside your network to test MTU for internal apps.

The only other answer is to do a wireshark packet capture on the client to see what could be happening.  You might also require a packet capture on the near end and someone to interpret what it all means.  It could really be anywhere.

I have the exact same problem. In my case the probles started after 3 years. GRE layer 2 tunnel between 650 and 3500 controllers. From 650 to 3200 I get almost line speed (100 Mbps) and from 3200 to 650 3 Mbps. I have other tunnel that is working fine on the same VLAN. That is also between 650 and 3500 controllers. Strange. 

I finally got this fixed. It was all about the MTU. Dropped it down from 1500 to 1200 and speeds are up again. Mayde my broadband provider changed something to make my MTU 1500 fail.

Do you recall how you adjusted the MTU on the IPSec tunnel?  Did you use the "Crypto Ipsec MTU" global command or did you adjust the GRE tunnel MTU?