So we have an IPsec tunnel set up with an outside vendor. Traffic through all other VPNs moves very quickly, but trickles at about 2Mb/s to them. They claim the same is happening on their end. I've been trying to set up a log file on the route to see if there are massive packet drops or the like happening somewhere, following the instructions outlined here:
However, every time I run the final 'show log flow-trace' command, I get this error: 'error: could not resolve file: flow-trace'. All the other commands execute without complaint. Am I missing something really obvious?
I agree on the MTU. I had an issue like this in ScreenOS where an outside vendor was using VMware vShield on their side of the VPN. Performance was similar to yours. Once I hard-coded the MTU the performance was fine.
It would be weird if there were no traffic going through it at all, but I suppose it's possible. Being that I'm not the one who configured this, I have several VPNs not currently bound to interfaces. Is it 'safe' to bind an active VPN to an interface (logical interface), to monitor it better, or is there another way to go about that?
set security flow traceoptions file CCP-trace
set security flow traceoptions file size 10m
set security flow traceoptions file world-readable
set security flow traceoptions flag all
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter p1 source-prefix 172.22.10.61/32
set security flow traceoptions packet-filter p2 destination-prefix 172.22.10.61/32
set security flow traceoptions packet-filter f0 destination-prefix 10.192.39.81/16
set security flow traceoptions packet-filter f1 destination-prefix 184.108.40.206/32
deactivate security flow traceoptions
then ran 'activate security flow traceoptions'.
I assume this was correct behavior. To be clear, this will capture data going from 172.22.10.61 to 220.127.116.11 and to 10.192.39.81, correct? My log file seems to have an awful lot of garbage in it...
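
A small model of how the four packet-filters in the posted configuration select traffic, added here as an example and not part of the thread. It assumes Junos ANDs the criteria inside one packet-filter, ORs separate packet-filters, and ignores host bits in a prefix; the function name and the sample packets are constructed.

```python
import ipaddress

# Packet-filters copied from the configuration posted above.
# Assumption: criteria inside one filter are ANDed, separate filters are ORed.
FILTERS = {
    "p1": {"source-prefix": "172.22.10.61/32"},
    "p2": {"destination-prefix": "172.22.10.61/32"},
    "f0": {"destination-prefix": "10.192.39.81/16"},
    "f1": {"destination-prefix": "184.108.40.206/32"},
}

def _net(prefix):
    # Assumption: host bits are ignored, so 10.192.39.81/16 means 10.192.0.0/16.
    return ipaddress.ip_network(prefix, strict=False)

def matching_filters(src, dst, filters=FILTERS):
    """Return the names of the filters that would select this packet."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for name, crit in filters.items():
        ok = True
        if "source-prefix" in crit:
            ok = ok and src_ip in _net(crit["source-prefix"])
        if "destination-prefix" in crit:
            ok = ok and dst_ip in _net(crit["destination-prefix"])
        if ok:
            hits.append(name)
    return hits

# Constructed sample packets; addresses not in the posted config are made up.
SAMPLES = [
    ("172.22.10.61", "10.192.39.81"),  # the host-to-host flow of interest
    ("172.22.10.61", "192.0.2.10"),    # same source, unrelated destination
    ("198.51.100.7", "10.192.200.5"),  # unrelated source, anywhere in the /16
    ("198.51.100.7", "192.0.2.10"),    # unrelated to every filter
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        hits = matching_filters(src, dst) or "nothing"
        print(f"{src:>15} -> {dst:<15} traced by {hits}")
```

Under these assumptions, a single filter that carries both a source-prefix and a destination-prefix selects only the one flow, while separate single-criterion filters each pull in every packet that matches their one field.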