Re: OT: CBAC dropping every 5th connection

From: Eric Phillips (eric@phillips.tc)
Date: Sat Jan 19 2008 - 11:16:18 ARST


Hi Everyone,

Thank you so much for the responses. I'm very sorry for not including all
the necessary details! This is a 2811 running 12.4(3) Advanced IP Services
with 256MB DRAM. I too was concerned about the CPU usage, but I have not
seen CPU usage rise beyond 15%, even during times of heavy usage. This
router is not running any routing protocols, so that could be part of the
reason. This router is serving almost exclusively as a firewall. Paul,
thanks for mentioning the TCP idle time. I had that set because older
Windows Mobile 5.0 devices required a constant, but idle, HTTPS session back
to an Exchange server to maintain its "push-based" email. But I will
definitely set it to four hours. Great catch!

I do not think I would get much fragmented traffic because the pipe is
pretty big, and I am not connecting to any exotic types of networks. But
that is purely speculation, and I did not think of encryption's impact on
fragmentation. It looks like Cisco recommends "ip virtual-reassembly" be
left enabled if you are running NAT or CBAC, so it looks like disabling
that is not really an option.

Christian, I definitely appreciate your help too! The CBAC being only on
the outside interface was indeed a paste problem... The router is running
with reflexive access lists only right now, no CBAC, so I forgot to add "ip
inspect CBAC inside" on the FA0/1.1 interface, sorry. I am assuming
connections are being dropped, or more specifically, denied from being
formed, because when users try to browse web sites they sometimes get a 404
page back instantly, then they hit Refresh and the page loads instantly.
Load on the interface is less than 70%, so it is not an issue where someone
is hogging all the bandwidth. I will definitely check out the "debug ip
inspect" and see if that can tell me why things are acting up. Can you
think of any way to troubleshoot a pmtud/mss problem? The policy-map is a
pretty simple QOS policy that gives 80% bandwidth to a certain subnet of
offsite-hosted servers during times of congestion. Those servers and
general web servers on the Internet all have this problem.

Can anyone think of a better test for dropped connections or the inability
to form connections other than browsing to 20 websites, and having 4 give me
a "could not connect" message, and the rest loading immediately?

Thanks again for your assistance!

-Eric

On 1/19/08, Christian Zeng <christian@zengl.net> wrote:

> Hi,
>
> * Eric Phillips wrote:
> > I am having an issue where when CBAC is enabled on the router every
> > fifth or sixth connection attempt is dropped. This manifests itself in
> > users complaining that some websites work, and some don't, then they
> > refresh the page and it works. I'm guessing the issue is there is a
> > limit on the number of active connections, but I have looked through
> > the following DocCD page quite a few times and I am not seeing any
> > limits other than the hash table, of which I have tried increasing to
> > 4096.
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm#wp1001176
>
> You didn't specify the IOS you are using and how you exactly see the
> connections drop on the router. The config you posted doesn't have the
> CBAC inspect rule applied to one of the interfaces (paste problem?).
>
> The pattern you describe could fit a problem CBAC had in pre-12.4
> releases with tcp window scaling, although this is for a single tcp
> session only, not for every n-th, non-tcp flow. The result is that you
> would see packets dropped for a tcp connection that is permitted by the
> ACL/CBAC configuration, when the connection scales the window beyond the
> limits CBAC wants. Result is poor performance for tcp sessions. See
> CSCef65365 for details.
>
> Could be also other issues as well (pmtud/mss problems or the policy map
> you have applied); I guess you would get a better picture when looking
> at other parameters like cpu load, memory consumption and turning on
> debug ip inspect (tcp) during a not so busy hour.
>
>
>
> Christian
>

-- 
Eric M. Phillips, Senior Network Consultant
LTI Information Technology, http://www.ltiit.com
501 Avis Drive, Ann Arbor, MI 48108
Phone: (734) 929-1400 Fax: (734) 929-1401
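A more systematic test than browsing to 20 websites and counting "could not connect" pages, as an added example that is not part of this thread: open a fresh TCP connection to a server repeatedly, record whether each attempt succeeds and how long the handshake took, and keep the list of failed attempt numbers so a periodic pattern (every fifth or sixth flow) shows up directly. Each attempt uses a new socket, so each one is a new flow the firewall has to admit into its session table. Run it from a client behind the router, then compare the counts with and without "ip inspect" applied. The host names in the `__main__` block are placeholders; the local self-test binds a listener on 127.0.0.1 and is only there to confirm the probe itself works.

```python
"""Repeated TCP connect probe for spotting intermittent connection drops.

Added example, not code from the mailing-list thread.  Every attempt is a
brand-new socket (a new flow from the firewall's point of view), so a
session-table or inspection problem that rejects every Nth new flow shows
up as a recurring attempt number in the failure list.
"""
import socket
import time
from typing import Dict, List, Tuple

Outcome = Tuple[int, bool, float, str]  # (attempt no., succeeded, seconds, error name)


def probe_connects(host: str, port: int, attempts: int = 20,
                   timeout: float = 3.0, pause: float = 0.2) -> Dict[str, object]:
    """Open `attempts` sequential TCP connections to host:port and summarise them."""
    outcomes: List[Outcome] = []
    for i in range(1, attempts + 1):
        start = time.monotonic()
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            ok, err = True, ""
        except OSError as exc:  # refused, timed out, unreachable: all count as a drop
            ok, err = False, exc.__class__.__name__
        finally:
            sock.close()
        outcomes.append((i, ok, time.monotonic() - start, err))
        if pause:
            time.sleep(pause)  # space the flows out like a person clicking links
    failed = [i for i, ok, _, _ in outcomes if not ok]
    return {
        "host": host,
        "port": port,
        "attempts": attempts,
        "failed": len(failed),
        "failed_attempts": failed,  # e.g. [5, 10, 15] points at a periodic drop
        "outcomes": outcomes,
    }


def failure_rate(summary: Dict[str, object]) -> float:
    """Fraction of attempts that did not complete a TCP handshake."""
    attempts = int(summary["attempts"])
    return int(summary["failed"]) / attempts if attempts else 0.0


def report(summary: Dict[str, object]) -> str:
    """One-line summary suitable for pasting into a follow-up mail."""
    times = [t for _, ok, t, _ in summary["outcomes"] if ok]
    avg_ms = (sum(times) / len(times) * 1000) if times else 0.0
    return ("%s:%s  %d/%d failed (%.0f%%)  failed attempts=%s  avg connect=%.1f ms" % (
        summary["host"], summary["port"], summary["failed"], summary["attempts"],
        failure_rate(summary) * 100, summary["failed_attempts"], avg_ms))


def local_selftest() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Check the probe against a listening and a closed port on 127.0.0.1.

    Returns (summary against a listener, summary against a closed port); the
    first should have no failures, the second should fail every attempt.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(16)  # backlog is enough; we never need to accept()
    open_port = listener.getsockname()[1]
    good = probe_connects("127.0.0.1", open_port, attempts=5, pause=0)
    listener.close()
    # A port that was just bound and released is closed, so connects are refused.
    bad = probe_connects("127.0.0.1", open_port, attempts=3, timeout=1.0, pause=0)
    return good, bad


if __name__ == "__main__":
    # Placeholder targets; substitute the offsite-hosted servers and a few
    # public web servers that users report as flaky.
    for target in ("www.example.com", "servers.example.net"):
        print(report(probe_connects(target, 80)))
```

Run it once with CBAC applied and once with only the reflexive ACLs to compare the failure lists; if the failures cluster at attempt numbers like 5, 10, 15 rather than being scattered, that is worth correlating with the `debug ip inspect tcp` output for the same minute.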



This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:38:00 ARST