We saw something similar with Global Crossing on and off where any IPSec tunnels we had that transited their network would have loss over the tunnel with the encrypted traffic, but no loss from peer to peer. Removing Global Crossing from the equation solved the issue. I couldn't imagine how they were accomplishing that other than perhaps QoS or rate-limiting involving ESP or UDP 4500 traffic which was very hard to prove. I don't know of an esptraceroute tool. :)
-Vinny

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dustin Schuemann
Sent: Wednesday, October 05, 2011 9:22 PM
To: Phil Mayers
Cc: [email protected]
Subject: Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers

Today I also noticed that all these connections are going over comcast business. Anyone seen anything like this?

On Tue, Sep 27, 2011 at 5:43 PM, Dustin Schuemann <[email protected]> wrote:
> Do you have any other suggestions. TAC is kinda going around in circles.
>
> On Sep 27, 2011, at 3:43 AM, Phil Mayers wrote:
>
> > On 09/27/2011 12:38 AM, Dustin Schuemann wrote:
> >> Disabling CEF didn't correct the issue.
> >>
> >
> > I'm not surprised. I'm amazed TAC would even suggest it.
> >
> > Disabling CEF on modern IOS isn't sensible. The slower code paths don't get properly tested any more, and whole (large) chunks of functionality only exist as CEF code.
> > _______________________________________________
> > cisco-nsp mailing list [email protected]
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
