Anyone do Cisco?

Benny · November 08, 2002, 04:49:08 PM

Am stuck,

will post more details if anyone cares!

point to point vpn across the internet, Cisco 800's using crypto maps.

Was fine working stable, now intermittent, in terms of hours rather than seconds.

Traffic sourced from the routers to each other works fine 100%, traffic source from outside and hence encrypted fails, completely randomly.

Seperate dual ISPs at one site, single at the other, have forced outbund out route that packets return down just for completeness....Ideas please.

TeaLeaf · November 08, 2002, 05:08:46 PM

I'll ask my little bro' - he's one of them CCIE dudes (you can only snigger at it if you say it with an Ali-G accent)

TL.

Benny · November 08, 2002, 07:07:11 PM

Cheers fella, any hel appreciated, my hair is falling out fast

Anonymous · November 10, 2002, 09:20:24 AM

Hiya.

Probably a tough one to troubleshoot remotely, I suspect.

What IOS version is in use? Are you saying packets are lost intermittently, or that the security associations drop and reinitialise? What CPU util are you seeing on the 800s when this is happening? What level of encrypted throughput are you trying to achieve? Are packets dropped randomly, or is it just large packets being dropped through MTU issues?

Sorry - random selection of questions, you've probably been through these yourself already, but I don't know where else to start...

J.

Benny · November 10, 2002, 11:13:40 AM

ok...

debugging all the crypto associations, (I have added iskmp keepalives at 10 secs) I can see it establishing the connection setting up the local proxy in debug as the 2 routers.

The packets are dropped for periods anywhere between 5 minutes and 2 hours, completely randomly, then it just comes back again, completely randomly.

Am leaning toward the idea that is to do with internet routing somewhere, but then I get confused as telnet between the two 'always' works. (until I reconfig it and lock myself out - (oh the reload in x is my saviour

Going to try and set up GRE today see if that is more stable.

The other thing I noticed was one end seems to recieve a lot of traffic saying recieved packet is not IPSEC packet, etc. Farily normal I think, but according to cisco.com, possible dos. tearing my hair out.

The am monitoring proc util and it is low, caught the memory heaps usage at 27% as highest, but don't think thats relevant.

The only traffic I am testing with at the mo' is ping, so dont' think it is packet size issues.

IOS is 12 something, will check later. Has been stable for about 3 weeks, and is now starting to do this after we introduce a new app. I have ACL'd all traffic out now though so now app traffic is passing.

I don't think it is the SA's but the amount of crap the debug is turning out it could be......sometimmes get the local proxy as 0.0.0.0 thought it may be that...not fuly establishing, but can't seem to get it to.

Also noticed (again prolly unrelated) you can't force a duplex on eth 1 on 800's and it reports the duplex as unknown...bloody crap routers, I knew we shoulda used lightstreams :wink:

Thanks tugs - anymore would be appreciated.. .

Doorman · November 10, 2002, 12:16:54 PM

I can't do Cisco but I do a passable Pancho. :sombrero: (That's for the over 60's among us)

TeaLeaf · November 10, 2002, 03:44:45 PM

QuoteHiya.

Probably a tough one to troubleshoot remotely, I suspect.

What IOS version is in use? Are you saying packets are lost intermittently, or that the security associations drop and reinitialise? What CPU util are you seeing on the 800s when this is happening? What level of encrypted throughput are you trying to achieve? Are packets dropped randomly, or is it just large packets being dropped through MTU issues?

Sorry - random selection of questions, you've probably been through these yourself already, but I don't know where else to start...

J.

^^^^^^^^^^^^^^^^ That's my little bro

TL.

Squonk · November 10, 2002, 04:06:23 PM

Quote^^^^^^^^^^^^^^^^ That's my little bro

ehehhe a likkle tealeaf :sunny:

Benny · November 11, 2002, 08:02:20 AM

Version 12.2(8)T1,

Benny · November 11, 2002, 11:51:39 AM

Looks like I mighta solved it, thanks for the help, mail me if you want the solution, save me boring the rest of you slackers! :lol:

smilodon · November 11, 2002, 05:35:08 PM

No we are all gaggin' to know?

OldBloke · November 11, 2002, 05:41:15 PM

Was it a PIBCAK?

Doorman · November 11, 2002, 05:59:02 PM

QuoteI can't do Cisco but I do a passable Pancho. :sombrero: (That's for the over 60's among us)

C'mon, that was worth a 'lol' surely?

Benny · November 11, 2002, 08:08:45 PM

QuoteNeutron"]No we are all gaggin' to know?

Twas the thingy. gone got stuck doing the watsit.

Flapping internet routes, diverse internet pipes, differences between tcp/udp/ip ACL's, GRE and tunneling protocols....that about does it.

well at least so far it does.

Anonymous · November 12, 2002, 09:04:25 PM

QuoteTwas the thingy. gone got stuck doing the watsit.

Flapping internet routes, diverse internet pipes, differences between tcp/udp/ip ACL's, GRE and tunneling protocols....that about does it.

well at least so far it does.

I can't argue with that kind of logic ;-) Cool - glad you got it fixed Benny. I blame the new app though...!

J.

Anyone do Cisco?

Anonymous

Anonymous