HQ2(SR6602-I) HQ1
| |
MSR 3620
|
Access SW
|
PC
MSR3620 and HQ1/HQ2 use the VXLAN ADWAN solution. The upload/download rate of a PC connected under the Access switch is slow, while the same PC's speed test is normal under a non-ADWAN solution.
1. Checked the utilization of the switch ports and router ports: it is normal, and the ports are not congested.
2. Traffic from the PC to outside the network must pass through HQ2. Pinging HQ2 from the PC shows packet loss. An IPsec tunnel is established between MSR3620 and HQ2, and pinging HQ2 from the MSR3620 private address also shows packet loss.
<MSR3620>ping -vpn-instance VPN_Test -a 10.xxx.xxx.129 -c 100 -s 1000 172.xxx.xxx.174
Ping 172.xxx.xxx.174 (172.xxx.xxx.174) from 10.xxx.xxx.129: 1000 data bytes, press CTRL_C to break
1000 bytes from 172.xxx.xxx.174: icmp_seq=0 ttl=255 time=16.792 ms
Request time out
1000 bytes from 172.xxx.xxx.174: icmp_seq=2 ttl=255 time=16.031 ms
1000 bytes from 172.xxx.xxx.174: icmp_seq=3 ttl=255 time=15.847 ms
1000 bytes from 172.xxx.xxx.174: icmp_seq=4 ttl=255 time=15.876 ms
1000 bytes from 172.xxx.xxx.174: icmp_seq=94 ttl=255 time=16.584 ms
Request time out
1000 bytes from 172.xxx.xxx.174: icmp_seq=96 ttl=255 time=16.228 ms
1000 bytes from 172.xxx.xxx.174: icmp_seq=97 ttl=255 time=16.635 ms
Request time out
Request time out
--- Ping statistics for 172.xxx.xxx.174 in VPN instance VPN_Test ---
100 packet(s) transmitted, 90 packet(s) received, 10.0% packet loss
round-trip min/avg/max/std-dev = 13.684/15.882/17.415/0.719 ms
3. Pinging the HQ2 public address from the MSR3620 IPsec public address shows no packet loss, so the underlay path itself is clean and the loss is introduced inside the tunnel.
4. The display ipsec statistics output shows a large number of dropped received packets, and the counter keeps growing. Almost all of the drops are counted under "Replayed packets":
===================================================
===============display ipsec statistics===============
  IPsec packet statistics:
    Received/sent packets: 99993152767/26960351778
    Received/sent bytes: 58036573846880/13606919928688
    Dropped packets (received/sent): 417531740/56135
    Dropped packets statistics
      No available SA: 56379
      Wrong SA: 0
      Invalid length: 0
      Authentication failure: 0
      Encapsulation failure: 0
      Decapsulation failure: 0
      Replayed packets: 417531496
      ACL check failure: 0
      MTU check failure: 0
      Loopback limit exceeded: 0
      Crypto speed limit exceeded: 0
===================================================
5. The debug ipsec error output showed that the packets were dropped because the anti-replay window size on the MSR3620 was too small: packets that arrive out of order by more than the window width fall outside the receiver's sliding window and are counted as replays, even though they are legitimate.
6. Because the MSR3620 anti-replay window is too small, the problem can be solved either by enlarging the window (the ipsec anti-replay window setting) or by disabling the anti-replay check. Note that disabling the check removes the tunnel's protection against replayed ESP packets, so enlarging the window is the safer choice where it is large enough for the path's reordering; according to the ADWAN deployment plan, the recommendation for this solution is to undo the IPsec anti-replay check function (undo ipsec anti-replay check).
7. After disabling the anti-replay function and renegotiating IPsec, pinging HQ2 from the MSR3620 private address no longer loses packets, and the PC speed test is normal.
Solution: disable the anti-replay function and renegotiate IPsec.
Disabling anti-replay does not take effect on existing tunnels; the IPsec SAs must be renegotiated (for example by resetting them) before the change applies.
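The window behaviour behind steps 5 to 7, as an added Python model that is not part of this case and is not code from the MSR3620 or Comware: it implements the RFC 4303 receiver-side anti-replay sliding window, runs constructed out-of-order traffic through windows of 64, 128 and 1024 sequence numbers, and shows that a window smaller than the path's reordering depth counts late but legitimate packets as replays, that a larger window does not, and that disabling the check also lets a genuinely replayed packet through. The window sizes, the traffic pattern (every 50th packet delivered 100 positions late) and the function names are assumptions chosen for illustration, not measurements from this network.

```python
"""
Added example, not part of the original case: a model of the RFC 4303 ESP
anti-replay sliding window, used to show why a small receive window counts
reordered packets as "Replayed packets", why a larger window fixes that
without losing replay protection, and what disabling the check gives up.
All sizes, traffic patterns and counters below are constructed.
"""


class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound SA (RFC 4303 3.4.3).

    `top` is the highest sequence number accepted so far; bit k of `bitmap`
    records whether sequence number (top - k) has been seen. 32-bit sequence
    numbers starting at 1, no ESN. ICV verification is left out on purpose:
    the counter this case is about is the replay one, not authentication.
    """

    def __init__(self, window_size=64, enabled=True):
        if window_size < 32 or window_size & (window_size - 1):
            raise ValueError("window size must be a power of two >= 32")
        self.size = window_size
        self.enabled = enabled
        self.top = 0
        self.bitmap = 0
        self.accepted = 0
        self.dropped_replayed = 0   # what a 'Replayed packets' counter would show

    def check(self, seq):
        """Return True if the packet with sequence number `seq` is accepted."""
        if not self.enabled:                 # anti-replay check disabled
            self.accepted += 1
            return True
        if seq > self.top:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            self.accepted += 1
            return True
        offset = self.top - seq
        if offset >= self.size:
            # Older than the window: the receiver cannot tell a late packet
            # from a replay, so it drops it. This is the failure mode when
            # the window is narrower than the path's reordering depth.
            self.dropped_replayed += 1
            return False
        if self.bitmap & (1 << offset):
            # Inside the window and already marked: a true replay.
            self.dropped_replayed += 1
            return False
        self.bitmap |= 1 << offset
        self.accepted += 1
        return True


def reordered_arrivals(n, every, delay):
    """Constructed traffic: sequence numbers 1..n, unique, with every
    `every`-th packet delivered `delay` positions late (as a slower crypto
    core or a deeper queue on one path would do). Returns arrival order."""
    keyed = [(seq + (delay if seq % every == 0 else 0), seq) for seq in range(1, n + 1)]
    return [seq for _, seq in sorted(keyed)]


def simulate(window_size, enabled=True, n=1000, every=50, delay=100):
    """Run reordered but unique traffic through one window and return the
    counters a statistics display would show for that SA."""
    win = AntiReplayWindow(window_size, enabled)
    for seq in reordered_arrivals(n, every, delay):
        win.check(seq)
    return {"accepted": win.accepted, "replayed": win.dropped_replayed}


def replay_accepted(window_size, enabled=True):
    """Deliver 1..200 in order, then re-send sequence number 150, as an
    attacker replaying a captured ESP packet would. True if it gets in."""
    win = AntiReplayWindow(window_size, enabled)
    for seq in range(1, 201):
        win.check(seq)
    return win.check(150)


if __name__ == "__main__":
    for size in (64, 128, 1024):
        print("window", size, simulate(size))
    print("check disabled:", simulate(64, enabled=False))
    print("replay accepted with window 1024:", replay_accepted(1024))
    print("replay accepted with check disabled:", replay_accepted(64, enabled=False))
```

Run it directly to print the counters for each configuration. The "replayed" counter is the model's equivalent of the Replayed packets line in display ipsec statistics: with the 64-packet window it climbs on traffic that contains no duplicates at all, and with 128 or 1024 it stays at zero. The last two calls are the security point of step 6: enlarging the window stops the false drops while a real replayed packet is still rejected, whereas disabling the check accepts it.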