What's new

IPSEC and switch

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

kingskib

Occasional Visitor
I have a IPSEC VPN between two locations. the remote location has a cisco 2950-12 in front of the router. The switch has a few VLANs configured to assign multiple external IPs provided by that are used for different items at the remote network.

Main location has a 100/100 fibre connection
Remote location has a 30/30 fibre connection

My problem is, when the switch is in front of the router, the IPSEC tunnel is super slow, 350KBps (2.8mbps), but when the switch is removed, traffic between the locations is >10mbps, a more acceptable speed considering the distance between the two locations (3000 miles).

Can anyone offer assistance to how to improve the IPSEC speed between the locations while still keeping the switch active?
 
So if the switch being in the Layer2 path causes performance issues....there are only a couple of items that come to mind.
- MTU
- Bad Cable
- Bad Port
- Link Issues

Have you checked the error rates of the physical port?
 
Did the configuration ever work? My guess is the problem is the VLANs you are using to provide access to multiple public IP addresses, not the switch itself.
 
MTU is set to 1500 on the router and switch. The logs don't suggest any physical errors. There were a bunch of collisions on the one interface because it was set to half duplex, but after changing it to full the problem remained.

I tried switching the cables, and also tried a home 5-port switch with the same results. The fact that the home switch resulted in the same speeds is concerning.
 
I tried switching the cables, and also tried a home 5-port switch with the same results. The fact that the home switch resulted in the same speeds is concerning.
Without a switch, things are good? Are you using the same cables? Since you have swapped the switch out already and the problem remains, the issue is with the cables or ports on the other devices then.
 
Without a switch, things are good? Are you using the same cables? Since you have swapped the switch out already and the problem remains, the issue is with the cables or ports on the other devices then.

Sorry, I should have explained when the switches are removed the IPSPEC tunnel has the expected speed. If I add the managed switch or the home-switch the speed is reduced.

I have tried multiple cables in the switch environment, with no improvement, and those same cables in the no-switch environment.
 
What are the routers at each location? You shouldn't need the switch to assign different IP addresses to separate devices on the LAN.
 
Monkers, both locations have Sophos UTM devices. I want to test different things with the ability to bypass the router, and putting a switch in front was my first thought.

As an update, I wiped the switch and tested again with bare-bones config, still had the issue. I wonder if there is a limitation of the physical switch for IPSEC?
 
I spoke with the ISP at the remote office. I asked them what the duplex on their interface was set to, and it was 100/FULL. After switching it to auto/auto and the interface on the switch to auto/auto I am getting speeds of 990KBps + so around 8mbps. A significant improvement, but still shy of the 30mbps connection, where I have clocked 26mbps through the IPSEC tunnel without the switch.
 
I have seen weird problems on Cisco switches. We had an old 29xx switch years ago when I was working that had a 370 mainframe issue with SNA. I upgraded the firmware to the latest version which fixed it. The error was never listed as an error on Cisco's web site. We had Cisco TAC support. This would not explain why the home switch doesn't work, but if you have access to the latest firmware you might try it.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top