Dead Men Walking

dMw Chit Chat => The Beer Bar => Technology Section => Topic started by: Benny on November 08, 2002, 04:49:08 PM

Title: Anyone do Cisco?
Post by: Benny on November 08, 2002, 04:49:08 PM
Am stuck,

will post more details if anyone cares!

Point to point VPN across the internet, Cisco 800's using crypto maps.

Was fine, working stable, now intermittent, in terms of hours rather than seconds.

Traffic sourced from the routers to each other works fine 100%; traffic sourced from outside and hence encrypted fails, completely randomly.

Separate dual ISPs at one site, single at the other, have forced outbound out the route that packets return down just for completeness.... Ideas please.
Title: Anyone do Cisco?
Post by: TeaLeaf on November 08, 2002, 05:08:46 PM
I'll ask my little bro' - he's one of them CCIE dudes (you can only snigger at it if you say it with an Ali-G accent)

TL.  8)
Title: Anyone do Cisco?
Post by: Benny on November 08, 2002, 07:07:11 PM
Cheers fella, any help appreciated, my hair is falling out fast
Title: Cisco
Post by: Anonymous on November 10, 2002, 09:20:24 AM
Hiya.

Probably a tough one to troubleshoot remotely, I suspect.

What IOS version is in use? Are you saying packets are lost intermittently, or that the security associations drop and reinitialise? What CPU util are you seeing on the 800s when this is happening? What level of encrypted throughput are you trying to achieve? Are packets dropped randomly, or is it just large packets being dropped through MTU issues?

Sorry - random selection of questions, you've probably been through these yourself already, but I don't know where else to start...

J.
Title: Anyone do Cisco?
Post by: Benny on November 10, 2002, 11:13:40 AM
ok...

Debugging all the crypto associations (I have added ISAKMP keepalives at 10 secs), I can see it establishing the connection, setting up the local proxy in debug as the 2 routers.

The packets are dropped for periods anywhere between 5 minutes and 2 hours, completely randomly, then it just comes back again, completely randomly.

Am leaning toward the idea that it is to do with internet routing somewhere, but then I get confused as telnet between the two 'always' works (until I reconfig it and lock myself out - oh, the reload in x is my saviour :))

Going to try and set up GRE today to see if that is more stable.

The other thing I noticed was one end seems to receive a lot of traffic saying received packet is not IPSEC packet, etc. Fairly normal I think, but according to cisco.com, possible DoS. Tearing my hair out.

I am monitoring proc util and it is low, caught the memory heaps usage at 27% as highest, but don't think that's relevant.

The only traffic I am testing with at the mo' is ping, so don't think it is packet size issues.

IOS is 12 something, will check later. Has been stable for about 3 weeks, and is now starting to do this after we introduced a new app. I have ACL'd all traffic out now though, so no app traffic is passing.

I don't think it is the SAs, but with the amount of crap the debug is turning out it could be...... sometimes get the local proxy as 0.0.0.0, thought it may be that... not fully establishing, but can't seem to get it to.

Also noticed (again prolly unrelated) you can't force a duplex on eth 1 on 800's and it reports the duplex as unknown... bloody crap routers, I knew we shoulda used Lightstreams  :wink:

Thanks tugs - any more would be appreciated...
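For anyone following the GRE idea Benny mentions above, here is a sketch of GRE over IPsec on IOS 12.2-era syntax, added as an illustration and not taken from his routers or the thread. Interface names, the 198.51.100.0/24 and 203.0.113.0/24 public addresses, the inside subnet and the key are constructed placeholders.

```cisco
! Added example (not from the thread): site A of a GRE-over-IPsec pair.
! Site B mirrors this with source/destination and networks swapped.
! Addresses are constructed placeholders; PRESHARED_KEY_PLACEHOLDER is not a real key.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PRESHARED_KEY_PLACEHOLDER address 203.0.113.2
! 10 s keepalives: if a flapping route kills the path, the stale SA is
! torn down and rebuilt rather than silently blackholing encrypted traffic
crypto isakmp keepalive 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode transport
!
! The crypto ACL matches only the GRE flow between the two public addresses,
! so the proxy identities are a fixed host/host pair and no longer depend on
! which inside host or protocol sourced the packet
ip access-list extended GRE-TO-SITE-B
 permit gre host 198.51.100.1 host 203.0.113.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address GRE-TO-SITE-B
!
interface Tunnel0
 description GRE to site B, carried inside IPsec
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Ethernet1
 tunnel destination 203.0.113.2
!
interface Ethernet1
 description Internet-facing; one fixed source so the peer only ever sees this address
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
!
! Inside traffic is routed into the tunnel; the crypto map then encrypts the
! resulting GRE packets leaving Ethernet1
ip route 192.168.2.0 255.255.255.0 Tunnel0
```

With dual ISPs at one site, the tunnel source and the peer address the far end is configured for must be the same interface; if outbound traffic escapes via the other ISP, the peer will log it as not an IPsec packet from the expected address, which matches the message Benny describes.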
Title: Anyone do Cisco?
Post by: Doorman on November 10, 2002, 12:16:54 PM
I can't do Cisco but I do a passable Pancho.  :sombrero: (That's for the over 60's among us)
Title: Re: Cisco
Post by: TeaLeaf on November 10, 2002, 03:44:45 PM
Quote:
Hiya.

Probably a tough one to troubleshoot remotely, I suspect.

What IOS version is in use? Are you saying packets are lost intermittently, or that the security associations drop and reinitialise? What CPU util are you seeing on the 800s when this is happening? What level of encrypted throughput are you trying to achieve? Are packets dropped randomly, or is it just large packets being dropped through MTU issues?

Sorry - random selection of questions, you've probably been through these yourself already, but I don't know where else to start...

J.

^^^^^^^^^^^^^^^^ That's my little bro  :D

TL.  8)
Title: Anyone do Cisco?
Post by: Squonk on November 10, 2002, 04:06:23 PM
Quote:
^^^^^^^^^^^^^^^^ That's my little bro


ehehhe a likkle tealeaf  :sunny:
Title: Anyone do Cisco?
Post by: Benny on November 11, 2002, 08:02:20 AM
Version 12.2(8)T1,
Title: Anyone do Cisco?
Post by: Benny on November 11, 2002, 11:51:39 AM
Looks like I mighta solved it, thanks for the help, mail me if you want the solution, save me boring the rest of you slackers! :lol:
Title: Anyone do Cisco?
Post by: smilodon on November 11, 2002, 05:35:08 PM
No we are all gaggin' to know?
Title: Anyone do Cisco?
Post by: OldBloke on November 11, 2002, 05:41:15 PM
Was it a PIBCAK?
Title: Anyone do Cisco?
Post by: Doorman on November 11, 2002, 05:59:02 PM
Quote:
I can't do Cisco but I do a passable Pancho. :sombrero: (That's for the over 60's among us)

C'mon, that was worth a 'lol' surely?
Title: Anyone do Cisco?
Post by: Benny on November 11, 2002, 08:08:45 PM
Quote (Neutron):
No we are all gaggin' to know?

'Twas the thingy. Gone got stuck doing the whatsit.

Flapping internet routes, diverse internet pipes, differences between tcp/udp/ip ACL's, GRE and tunneling protocols....that about does it.

well at least so far it does.
Title: Anyone do Cisco?
Post by: Anonymous on November 12, 2002, 09:04:25 PM
Quote:
'Twas the thingy. Gone got stuck doing the whatsit.

Flapping internet routes, diverse internet pipes, differences between tcp/udp/ip ACL's, GRE and tunneling protocols....that about does it.

well at least so far it does.

I can't argue with that kind of logic ;-) Cool - glad you got it fixed Benny. I blame the new app though...!

J.
Title: Anyone do Cisco?
Post by: Benny on November 12, 2002, 10:52:28 PM
Quote:
Quote:
'Twas the thingy. Gone got stuck doing the whatsit.

Flapping internet routes, diverse internet pipes, differences between tcp/udp/ip ACL's, GRE and tunneling protocols....that about does it.

well at least so far it does.

I can't argue with that kind of logic ;-) Cool - glad you got it fixed Benny. I blame the new app though...!

J.

So do I, just got to figure out how to blame it best!
Title: Anyone do Cisco?
Post by: Gh0st Face Killah on January 06, 2003, 10:35:10 AM
If you get stuck again pm me the details and I'll get one of the security team here to look at it for ya. Oh by the way I work for the cisco TAC.
Title: Anyone do Cisco?
Post by: Benny on January 06, 2003, 11:34:16 AM
Cheers fella, you may end up regretting telling me that though  :D