AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
What Are the Possible Causes for Slow Service Access, Intermittent Service Access, and Service Interruptions After an IPSec Tunnel Is Established?

Possible Causes

The possible causes include:
  • Features such as service awareness (SA) and attack defense have been enabled.

    SA and attack defense inspect traffic and are CPU-intensive. When IPSec runs together with them, the features compete for the same CPU and IPSec service access slows down; the higher the traffic volume, the slower the access becomes.

  • The order of the payloads in DPD packets differs between the two ends of the IPSec tunnel.

    If the two ends place the payloads in DPD packets in different orders, DPD detection fails on one end and that end tears down the tunnel, so the IPSec tunnel flaps and IPSec services are intermittently interrupted.

  • Packet loss occurs on the intermediate network.

    An IPSec VPN is a virtual network built on the Internet. Therefore, Internet transmission quality affects IPSec service quality.

  • There are many fragments.

    IPSec encapsulation adds headers to each IP packet, so the packet becomes longer. If the encapsulated length exceeds the link MTU, the packet is fragmented before it is sent, and the receiver must reassemble the fragments before it can process them. Fragmentation and reassembly consume CPU resources, and encrypting and decrypting fragments consumes more. When there are many fragments, the CPU may run short, which causes slow IPSec service access and packet loss.

Handling Suggestion

  1. Run the display cpu-usage command to check whether the CPU usage is high.

    When the CPU usage exceeds 80%, check whether features such as SA and attack defense are configured. If so, disable them and check the CPU usage again. Note that disabling attack defense also removes the protection it provides; treat this as a diagnostic step and, once the cause is confirmed, re-enable it or move the function to a device with spare capacity.

  2. Run the display ike peer command to check whether the sequence of the payload in DPD packets on both ends is consistent.

    If the sequence is inconsistent, change the sequence to be consistent on both ends.

    For example, configure the sequence of the payload in DPD packets to seq-hash-notify, detection mode to periodic, DPD idle time to 20s, DPD packet retransmission interval to 10s, and maximum number of DPD packet retransmissions to 4.

    <Huawei> system-view
    [Huawei] ike peer pp1
    [Huawei-ike-peer-pp1] dpd msg seq-hash-notify
    [Huawei-ike-peer-pp1] dpd type periodic
    [Huawei-ike-peer-pp1] dpd idle-time 20
    [Huawei-ike-peer-pp1] dpd retransmit-interval 10
    [Huawei-ike-peer-pp1] dpd retry-limit 4
    
  3. Run the ping -s packetsize -a source-ip-address host command to check whether packet loss occurs on the public network.

    Run the undo ipsec policy command on the interfaces at both ends of the IPSec tunnel to remove the IPSec policy, and then ping across the public network. If packet loss occurs, the public network quality is poor; contact the service provider to resolve it. While the policy is removed, traffic between the sites is sent in clear text, so do this in a maintenance window and re-apply the policy as soon as the test is finished.

  4. Run the ping -s packetsize -a source-ip-address host command to check whether IPSec packets are fragmented.

    Ping with packets of different sizes and note the size at which packet loss starts or the ping fails; that size is the critical value. Without the DF bit set, oversize packets are fragmented rather than dropped, so loss only shows up when fragments are discarded along the path or the CPU cannot keep up; setting the DF bit (the -f option of the ping command) makes oversize packets fail outright and gives a sharper threshold.

    Based on this critical value, run the mtu mtu command in the interface view to change the MTU.

    After the change, if access to some TCP services is still slow or intermittently interrupted, run the tcp adjust-mss value command in the interface view to change the maximum segment size (MSS) of TCP packets. Choose a value that leaves room for the TCP header, the IP header, and the IPSec overhead within the link MTU.
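The size sweep in steps 3 and 4 can be automated. The following Python script is an added example, not part of the Huawei document: it binary-searches for the largest ICMP payload that still gets through and derives the path MTU and a TCP MSS from it. It assumes the probe sends echo requests with the DF bit set (on the router, ping -f -s size -a source host) and that the -s value is the ICMP payload length, excluding the IP and ICMP headers. The probe function below is a constructed simulation of a path whose MTU is 1400 bytes; in use it would be replaced by a wrapper that runs the real ping and reports whether any reply came back.

```python
"""Locate the packet-size threshold ("critical value") across an IPSec tunnel.

Added example for the procedure above; the network probe is simulated.
"""
from typing import Callable, List, Optional

IP_HEADER = 20                             # IPv4 header without options
ICMP_HEADER = 8                            # ICMP Echo header
TCP_HEADER = 20                            # TCP header without options
PROBE_OVERHEAD = IP_HEADER + ICMP_HEADER   # bytes wrapped around the ping payload


def find_critical_size(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> Optional[int]:
    """Largest payload size in [lo, hi] for which probe(size) succeeds.

    probe(size) returns True when an echo request with that payload (DF set)
    is answered. Success is assumed to be monotone: if a size gets through,
    every smaller size does too, which is what a fixed path MTU gives.
    Returns None if even the smallest size fails (the tunnel itself is down).
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid        # mid fits; the threshold is at or above mid
        else:
            hi = mid - 1    # mid is dropped; the threshold is below mid
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Convert a surviving ICMP payload size into the path MTU it implies."""
    return payload + PROBE_OVERHEAD


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that keeps a full segment within the given MTU (IPv4, no options)."""
    return mtu - IP_HEADER - TCP_HEADER


def simulated_probe(path_mtu: int, tried: List[int]) -> Callable[[int], bool]:
    """Constructed stand-in for `ping -f -s size -a source host`.

    Models a path that silently drops DF packets longer than path_mtu and
    records every size tried so the number of probes can be inspected.
    """
    def probe(size: int) -> bool:
        tried.append(size)
        return size + PROBE_OVERHEAD <= path_mtu
    return probe


def diagnose(path_mtu: int = 1400) -> dict:
    """Run the sweep against the simulated path and report the MTU/MSS to configure."""
    tried: List[int] = []
    critical = find_critical_size(simulated_probe(path_mtu, tried))
    if critical is None:
        return {"critical_payload": None, "probes": len(tried)}
    mtu = path_mtu_from_payload(critical)
    return {
        "critical_payload": critical,   # largest -s value that still gets through
        "path_mtu": mtu,                # candidate value for `mtu` on the interface
        "tcp_mss": mss_for_mtu(mtu),    # candidate value for `tcp adjust-mss`
        "probes": len(tried),
    }


if __name__ == "__main__":
    print(diagnose())
```

The binary search needs about a dozen probes instead of the hundreds a linear sweep would send, which matters when each probe is a real round trip through the tunnel; the MSS it reports is the conservative value for a path with no IP or TCP options.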

More Information

Packet fragmentation occupies CPU resources, which degrades IPSec service quality. Consider the following factors when deploying IPSec:

  • MTU

    The maximum packet length supported by a link is the MTU, which varies according to the interface type. For example, the default MTU of an Ethernet interface is 1500 bytes. The link MTU is determined by the minimum interface MTU on this link. When the size of the packet to be sent exceeds the interface MTU, the device fragments and then sends encrypted packets. After receiving all fragments of an IP packet, the receiver reassembles these fragments back into the original IP packet and then decrypts the IP packet. Fragmentation and reassembly consume CPU resources.

    IPSec encapsulates the received original IP packet and adds a new payload to the packet each time it encapsulates the packet. The added payload varies according to the encapsulation protocol. For details, see Table 29-64. If the total added payload is 80 bytes during IPSec packet encapsulation, packets longer than 1420 bytes will exceed 1500 bytes after being encapsulated by IPSec and need to be fragmented before being sent out. When the majority of packets in data flows exceed 1420 bytes, the consumption of CPU resources will be increased dramatically, and the IPSec service access speed and quality will also be greatly reduced.

    Table 29-64  Protocol payload bytes

    Protocol             Added Payload (Bytes)
    -------------------  ---------------------
    ESP                  56 by default. The payload added to an ESP packet depends on the encryption algorithm used and on whether an authentication algorithm is used.
    AH                   24
    GRE                  24
    NAT-T                8
    L2TP                 12
    PPPoE                8
    IPSec tunnel mode    20
    TCP                  8
  • TCP MSS

    If the total packet length (TCP MSS+TCP header+IP header+IPSec header) is larger than the link MTU, data packets are fragmented for transmission. Fragmentation will consume a lot of CPU resources, and encryption as well as decryption of fragments will also consume CPU resources of devices on the transmission link. Excessive consumption of CPU resources will result in the loss of data packets.

    Additionally, some upper-layer applications (for example, those carried over HTTP) set the Don't Fragment (DF) flag in their IP packets so that TCP segments are never fragmented in transit. If the DF flag is set and the encapsulated packet is longer than the interface MTU, the device cannot fragment it and must discard it. A router that drops a packet for this reason is expected to return an ICMP Fragmentation Needed message (RFC 1191) so that the sender reduces its segment size; where that message is filtered on the path, the connection simply stalls. Clamping the MSS with tcp adjust-mss so that MSS + TCP header + IP header + IPSec overhead fits within the link MTU avoids the problem either way.
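The fixed figures in Table 29-64 are a rule of thumb; the exact ESP overhead depends on the cipher block size and the ICV length, and on the padding that aligns the encrypted body, so the threshold moves by a few bytes between algorithms. The following Python model is an added example, not Huawei code: it computes the encapsulated length according to the RFC 4303 layout (SPI and sequence number, IV, padded body, pad-length and next-header bytes, ICV), adds the outer IP header in tunnel mode and the UDP header under NAT-T, and from that derives the largest clear-text packet that fits a given MTU and the TCP MSS to clamp. The IV, block-size and ICV values in the two dictionaries are assumed values for the algorithm names used here; table_estimate reproduces the document's fixed-overhead arithmetic for comparison.

```python
"""ESP overhead and TCP MSS calculator; added example, not Huawei code."""

IP_HEADER = 20        # IPv4 header without options
TCP_HEADER = 20       # TCP header without options
UDP_HEADER = 8        # NAT-T (UDP port 4500) encapsulation
ESP_HEADER = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)

# (IV length, cipher block size) for CBC ciphers; assumed values for these names.
CIPHERS = {"des-cbc": (8, 8), "3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# ICV length of the integrity algorithm (truncated HMAC); assumed values.
INTEGRITY = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha2-256-128": 16}

# Fixed per-protocol figures from Table 29-64 (bytes added by each encapsulation).
TABLE_29_64 = {"ESP": 56, "AH": 24, "GRE": 24, "NAT-T": 8, "L2TP": 12,
               "PPPoE": 8, "IPSec tunnel mode": 20, "TCP": 8}


def table_estimate(mtu, *protocols):
    """Document's rule of thumb: largest packet = MTU minus the table's fixed figures."""
    return mtu - sum(TABLE_29_64[p] for p in protocols)


def encapsulated_len(original_len, cipher, integ, mode="tunnel", nat_t=False):
    """Length on the wire of an IP packet of original_len bytes after ESP.

    In tunnel mode the whole original packet is encrypted and a new IP header
    is prepended; in transport mode only the payload after the original IP
    header is encrypted and that header is reused. The encrypted body is
    padded so that payload + trailer is a multiple of the cipher block size.
    """
    iv_len, block = CIPHERS[cipher]
    inner = original_len if mode == "tunnel" else original_len - IP_HEADER
    body = ((inner + ESP_TRAILER + block - 1) // block) * block   # integer ceiling
    esp = ESP_HEADER + iv_len + body + INTEGRITY[integ]
    return IP_HEADER + (UDP_HEADER if nat_t else 0) + esp


def max_original_len(mtu, cipher, integ, mode="tunnel", nat_t=False):
    """Largest clear-text IP packet whose encapsulation still fits within mtu."""
    length = mtu
    while length > 0 and encapsulated_len(length, cipher, integ, mode, nat_t) > mtu:
        length -= 1
    return length


def tcp_mss(mtu, cipher, integ, mode="tunnel", nat_t=False):
    """MSS to set with tcp adjust-mss so that no full TCP segment needs fragmenting."""
    return max_original_len(mtu, cipher, integ, mode, nat_t) - IP_HEADER - TCP_HEADER


if __name__ == "__main__":
    print("rule of thumb (ESP + tunnel mode):", table_estimate(1500, "ESP", "IPSec tunnel mode"))
    for cipher in CIPHERS:
        for nat_t in (False, True):
            print(cipher, "nat-t" if nat_t else "plain",
                  "max packet", max_original_len(1500, cipher, "hmac-sha1-96", nat_t=nat_t),
                  "mss", tcp_mss(1500, cipher, "hmac-sha1-96", nat_t=nat_t))
```

Because of block padding, several consecutive clear-text lengths encapsulate to the same wire length, so the threshold is a step function rather than a straight offset; the MSS returned here is the largest value whose worst-case segment still fits, which is what the clamp must guarantee.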

Updated: 2019-05-10

Document ID: EDOC1000079719