Packet loss over site to site IPSEC VPN tunnel causing poor Cisco Telepresence quality
I've got a weird issue that I've been banging my head on a brick wall over for the past few weeks. Bit of background first:
We have 2 sites, 1 in UK, 1 in US.
Each site has a 500Mbps leased line Internet connection.
Sites are connected via IPSEC VPN using Fortigate 800D A/P clusters running 5.4.4.
Among everyday file sharing and web app traffic, we run point-to-point Cisco Telepresence video calls over this tunnel.
Recently, the Cisco ix5000 telepresence devices at both ends have been reporting packet loss. The web interface for the ix5000 only reports RX packet loss, and the values are usually as follows:
UK RX packet Loss: 0.05%
US RX Packet Loss: 1.5%
Cisco's packet loss threshold is 0.05%, so we are seeing pretty poor quality, artifacting and stuttering on the US end, but it seems fine on the UK end.
I've been trying to get to the bottom of this strange packet loss, and why it is worse one way. We've replaced all Ethernet cables, and I've checked all interfaces along the route to ensure we don't have a speed/duplex mismatch and that no switch ports or interfaces are reporting errors or collisions - all looks good, so I don't think this is a physical issue.
I've run iperf across the IPSEC tunnel to further troubleshoot and here are my results:
Iperf with UK as client and US as server using UDP (18 Mbps bandwidth tested, as this is the predicted Telepresence requirement):
iperf3.exe -c 172.16.0.10 -u -b 18M
Connecting to host 172.16.0.10, port 5201
[ 4] local 10.158.6.40 port 64279 connected to 172.16.0.10 port 5201
means the packets are too large. You need to change the MTU size on your gear and you should be good. The Gate adds overhead for the IPSec tunnel so you can't push a true 1500 through. On traffic that traverses the tunnel I usually bump it down to 1366 or so.
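As an added example that is not part of this thread, the following Python works out the ESP tunnel-mode overhead Mike describes, so the largest inner packet that fits an outer MTU of 1500 without fragmentation can be derived rather than guessed. The cipher parameters are the RFC 4303 values for the named ESP transforms; which phase 2 proposal the Fortigate negotiates and whether NAT-T is in use are assumptions to read from the tunnel configuration.

```python
# Added example (not from the thread): ESP tunnel-mode overhead and the
# largest inner packet that fits a given outer MTU without fragmentation.
# Header sizes are from RFC 4303; the cipher in use is an assumption.
OUTER_IPV4_HDR = 20
ESP_SPI_SEQ = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2          # pad length (1) + next header (1)
NAT_T_UDP = 8            # UDP/4500 encapsulation when NAT-T is negotiated

# transform -> (IV bytes, ICV bytes, padding alignment of the encrypted part)
CIPHERS = {
    "aes-cbc+hmac-sha1-96": (16, 12, 16),
    "aes-cbc+hmac-sha256-128": (16, 16, 16),
    "aes-gcm-128": (8, 16, 4),
}


def esp_encapsulated_size(inner_len, cipher, nat_t=False):
    """Wire size of an ESP tunnel-mode packet carrying a whole inner IP
    packet of inner_len bytes (inner header included)."""
    iv, icv, align = CIPHERS[cipher]
    # Encrypted region = inner packet + padding + trailer, rounded up to a
    # multiple of the cipher's alignment (RFC 4303 section 2.4).
    body = inner_len + ESP_TRAILER
    padded = -(-body // align) * align
    size = OUTER_IPV4_HDR + ESP_SPI_SEQ + iv + padded + icv
    if nat_t:
        size += NAT_T_UDP
    return size


def max_inner_mtu(outer_mtu, cipher, nat_t=False):
    """Largest inner packet whose encapsulation still fits outer_mtu, i.e.
    the MTU to set on the inner side so the tunnel never has to fragment."""
    for inner in range(outer_mtu, 0, -1):
        if esp_encapsulated_size(inner, cipher, nat_t) <= outer_mtu:
            return inner
    return 0


def tcp_mss_clamp(inner_mtu):
    """TCP MSS to clamp to for that inner MTU (IPv4 20 + TCP 20 headers)."""
    return inner_mtu - 40


if __name__ == "__main__":
    # A full 1500-byte inner packet grows past 1500 once encapsulated, which
    # is why "a true 1500" cannot pass the tunnel without fragmentation.
    print(esp_encapsulated_size(1500, "aes-cbc+hmac-sha1-96"))
    for c in CIPHERS:
        m = max_inner_mtu(1500, c)
        print(c, "inner MTU", m, "MSS clamp", tcp_mss_clamp(m))
```

The computed ceiling is the theoretical maximum for one transform; a rounder value such as the 1366 in the reply above simply leaves headroom for NAT-T, larger ICVs or an extra GRE header.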
Hello Mike, I ask for your experience. I have a similar problem between two 600D firewalls. They talk using GRE tunnels. If I ping by CLI GRE to GRE, all is perfect. If I ping on the firewall interface (client to client, server to server), the ping times out with some packet loss. MTU is set on the interface to 1300. Why do you think that fragmentation could impact packet loss? The ping default packet size is small unless we change it. Which function could be the culprit? Bandwidth is low and 99% are multicast packets with FE QoS DSCP, while ping and all the other traffic (SSH, ping, HTTP) is C0 best effort.