2 Replies Latest reply on Jan 28, 2016 2:49 PM by buckaroo

    IPSec/GRE Tunnel between multiple NetVanta 3120 and a NetVanta 3448 (both Enhanced Feature Set) - bandwidth restricted to 1.4mbps?

    buckaroo New Member

      The Background:

      I have a WAN consisting of a hub site at a hosted Data Center with a 75mbps symmetrical Fiber line from Charter, and multiple branches with different internet types - one provided by a major university's network (many GB of bandwidth), several Charter 200/7 and 100/4 Cable Internet, and two HTC DSL (one 80/7, one 20/2). All sites have static addresses. The Data Center has a NetVanta 3448 w/Enhanced Feature Set, all hub sites have NetVanta 3120 w/EFS - except one, which has a NetVanta 3448 w/EFS. Firmware version on all is R11.6 or R11.7.

      The branches are all connected to the Data Center using GRE Tunnels with MTU set at 1400. In turn the GRE tunnels are sent through VPN/IPSec encryption.

      The Good News:

      Everything is working fine. RIPv2 routing across the tunnels works, traffic is passed all around, every branch can communicate with the data center and every other branch. Each Branch location has NAT set up to provide local Internet, but route WAN traffic across the tunnel. The Data Center router does not have NAT turned on, as it routes its Internet out through a content filter, but each VPN/GRE endpoint has a static route entry pointing to the ISP's gateway.

      The Bad News:

      My problem is that all of the branches using 3120s seem to be limiting incoming bandwidth to 1.4mbps, as shown via MRTG. When transferring data from the Data Center (75mbps outbound) to a branch (100mbps inbound) I'm still only getting 1.4mbps through the tunnel. Non-tunnel traffic, which is to say Internet traffic, is going up to the 100mbps limit imposed by the lack of Gigabit ports on the router - but traffic going through the tunnel is limited to 1.4mbps. I can find nothing in the configuration limiting the bandwidth.

      SHOW INTERFACE TUNNEL 40 returns:

      tunnel 40 is UP
        IP address 10.0.40.2, netmask 255.255.255.0
        IP MTU 1400 bytes
        BW 100000 Kbit
        Description: Downtown Branch
        Tunnel mode GRE, keepalive enabled (10 seconds, 3 retries)
        Tunnel source <Branch Public IP>, destination <Data Center Public IP>
        Key: 40, packet checksumming disabled, sequencing disabled
        Last clearing of "show interface" counters: never
          2433734 packets input, 1289254400 bytes
          1552739 packets output, 315477558 bytes
          0 rx broadcast pkts, 0 tx broadcast pkts

      The tunnel to the one branch with a 3448 is not so limited and went over 16mbps the first time I put that much load on it.

      My Worry:

      Is the 3120 just not capable of handling a tunnel at more than 1.4mbps? This would be seriously bad news for me, as we've already purchased 28 of them, and have 8 currently configured for VPN tunnels and 20 standing by for a network reconfiguration from MPLS to Internet/VPN.

      Please let me know if you need complete configurations or any other details.