
amais

join:2002-07-31
Randallstown, MD

1 edit

Cisco 2821 ISR w/ Bad Ping, Error Inputs, CRC Errors & FiOS

I have a Cisco 2821 ISR router attached to Verizon FiOS. I am using the zone based firewall and the only issue I've seen with the firewall is a random ICMP drop. I've never seen the CPU usage over 2%.

I have been experiencing massive lag when hosting "Ground War" in MW2. In researching my problem I found numerous input errors and CRC errors on g0/0 (outside interface). There are a few input errors on g0/1 (inside interface). I added traffic shaping to my config, hoping that it was just a bandwidth spike issue, but the problem has resurfaced recently. I have made sure that my 2 Ethernet cables (from the ONT and to my switch) are as far away from power lines as possible.

In reading a number of FiOS posts, I've noticed ping times 10ms better than mine. For a 50mi ping test I get 17-21ms and 150mi anywhere from 55-100ms. Should I be concerned that I don't have faster ping times? From what I've seen, others are getting 8ms for 50mi.

Just to note, my MI424WR router is not bridged, but sitting as default with the wireless off; ports are forwarded from g0/0 to the MI424WR router. The MI424WR hands out its own DHCP to the STBs... I have had no problems with VoD, PPV or Guide listings with it set up this way.

Here is my config if it helps. I did clear the counters on my 2 interfaces to see if I was getting any input or CRC errors while just working as normal (without MW2) and so far 0 input or CRC errors.

 
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname isr01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
!
aaa session-id common
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
no ip bootp server
ip domain name xxxxxxxxxx.net
ip name-server xxx.xx.1.5
ip name-server xxx.xx.1.10
ip port-map user-torrent-win port tcp 38896
ip port-map user-torrent-mac port tcp 50481
ip port-map user-xbox port tcp 3074
ip port-map user-xbox port udp 3074
ip port-map user-stb port tcp from 35000 to 35002 
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
crypto pki trustpoint TP-self-signed-666243818
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-666243818
 revocation-check none
 rsakeypair TP-self-signed-666243818
!
!
crypto pki certificate chain TP-self-signed-666243818
 certificate self-signed 01
  quit
!
!
username privilege 15 secret 5 
archive
 log config
  hidekeys
! 
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-user-torrent-mac-1
 match access-group 104
 match protocol user-torrent-mac
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-all sdm-nat-user-torrent-win-1
 match access-group 105
 match protocol user-torrent-win
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-user-xbox-1
 match access-group 102
 match protocol user-xbox
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map match-any CLASS_MW2
 match any 
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-all sdm-nat-user-stb-1
 match access-group 103
 match protocol user-stb
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-sip-inspect
  inspect 
 class type inspect ccp-h323-inspect
  inspect 
 class type inspect ccp-h323annexe-inspect
  inspect 
 class type inspect ccp-h225ras-inspect
  inspect 
 class type inspect ccp-h323nxg-inspect
  inspect 
 class type inspect ccp-skinny-inspect
  inspect 
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-xbox-1
  inspect 
 class type inspect sdm-nat-user-stb-1
  inspect 
 class type inspect sdm-nat-user-torrent-mac-1
  inspect 
 class type inspect sdm-nat-user-torrent-win-1
  inspect 
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect ccp-sip-inspect
  inspect 
 class type inspect ccp-h323-inspect
  inspect 
 class type inspect ccp-h323annexe-inspect
  inspect 
 class type inspect ccp-h225ras-inspect
  inspect 
 class type inspect ccp-h323nxg-inspect
  inspect 
 class type inspect ccp-skinny-inspect
  inspect 
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class type inspect ccp-sip-inspect
  inspect 
 class type inspect ccp-h323-inspect
  inspect 
 class type inspect ccp-h323annexe-inspect
  inspect 
 class type inspect ccp-h225ras-inspect
  inspect 
 class type inspect ccp-h323nxg-inspect
  inspect 
 class type inspect ccp-skinny-inspect
  inspect 
 class class-default
  drop
policy-map POLICY_MW2
 class CLASS_MW2
    shape average 4500000
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/2/0
 switchport access vlan 2
!
interface FastEthernet0/2/1
 switchport access vlan 2
!
interface FastEthernet0/2/2
 switchport access vlan 2
!
interface FastEthernet0/2/3
 switchport access vlan 2
 spanning-tree portfast
!
interface Cable-Modem0/0/0
 description $FW_OUTSIDE$
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 no mop enabled
 service-policy output POLICY_MW2
!
interface GigabitEthernet0/1
 description $ETH-LAN
 ip address xxx.xx.1.1 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 duplex auto
 speed auto
 no mop enabled
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
!
interface Vlan2
 description $FW_INSIDE$
 ip address xxx.xx.2.1 255.255.255.224
 ip helper-address xxx.xx.1.10
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 permanent
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip dns spoofing
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static udp xxx.xx.2.7 3074 interface GigabitEthernet0/0 3074
ip nat inside source static tcp xxx.xx.2.7 3074 interface GigabitEthernet0/0 3074
ip nat inside source static tcp xxx.xx.1.3 35000 interface GigabitEthernet0/0 35000
ip nat inside source static tcp xxx.xx.1.3 35001 interface GigabitEthernet0/0 35001
ip nat inside source static tcp xxx.xx.1.3 35002 interface GigabitEthernet0/0 35002
ip nat inside source static tcp xxx.xx.1.2 50481 interface GigabitEthernet0/0 50481
ip nat inside source static tcp xxx.xx.1.16 38896 interface GigabitEthernet0/0 38896
!
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
logging trap debugging
access-list 1 permit xxx.xx.1.0 0.0.0.31
access-list 1 permit xxx.xx.2.0 0.0.0.31
access-list 2 permit xxx.xx.1.0 0.0.0.31
access-list 2 deny   any
access-list 100 permit ip xxx.xx.1.0 0.0.0.31 any
access-list 100 permit ip xxx.xx.2.0 0.0.0.31 any
access-list 100 deny   ip any any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host xxx.xx.2.7
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host xxx.xx.1.3
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host xxx.xx.1.2
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host xxx.xx.1.16
no cdp run
 
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
!
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
!
!
!
gatekeeper
 shutdown
!
banner login 
*************************************
*-This network is for test purposes-*
*-Unauthorized access is prohibited-*
*-Please logout now if you are not--*
*--------an authorized user---------*
*************************************
 

!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
 

EDIT ADDITION:
Well, I've been reading and just found this little nugget of information.

Symptoms: Cisco IOS Release 12.4T causes 15% performance degradation.
Conditions: Occurred on a Cisco 2800 series router. Issue affects data features such as IP, NAT, firewall, QoS, and ACL.
Workaround: There is no workaround.

I just ordered more memory, and will try the new IOS 15.1. If anyone has any insight, I would really appreciate it.

cooldude9919

join:2000-05-29
kudos:5

Check for duplex issues? Do a show int gi0/0 and what speed is it linking up at? Should be 100 full.


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to amais

Another thing you can try is fire up a game of MW2 on one computer
and console into the router on another, see if it increments while
you play.

You also may want to look into something like MRTG or similar to
get some longterm data about the device's performance, like interface
util, and especially error rates. You've identified _A_ problem,
the trick now is to correlate it...

said by amais:

In reading a number of FiOS posts, I've noticed ping times 10ms better than mine. For a 50mi ping test I get 17-21ms and 150mi anywhere from 55-100ms. Should I be concerned that I don't have faster ping times? From what I've seen, others are getting 8ms for 50mi.
ICMP's great as a general troubleshooting tool but not the end all to
all. You may want to give a tool like Iperf a try and connect to
another iperf endpoint like here www.noc.ucf.edu/Tools/Iperf/
to see what your connection speed is like.

Regards

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8
reply to amais

Errors would suggest a cable problem or hardware problem (either or both ends). Replace the cables. Try other interfaces. Unfortunately, (unless you're the cable company) you cannot see the interface stats on the cable modem/ONT -- is it seeing errors too? Try using the fastether switch ports.


amais

join:2002-07-31
Randallstown, MD

1 edit
reply to cooldude9919

@cooldude9919 - I was actually curious about that and ran it at 100 Full, but the errors returned. It's usually connected at 1000 Full.

@HELLFIRE - I actually pulled it, and installed an ASA I had here. So far it seems the problem is the router; my ping time has dropped to 8ms. (I know, I know)

@cramer - This ASA has had 0 Input and CRC errors. So it appears it is my router. Hopefully more memory and the 15.1 IOS will fix my issues.

Thanks for the replies guys!


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to amais

Fluke the port you used for the WAN port, or try using the WAN
port as your LAN and vice versa. See if the problem follows or not.

Regards


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8
reply to amais

said by amais:

Hopefully more memory and the 15.1 IOS will fix my issues.
Memory and software won't fix broken hardware.

amais

join:2002-07-31
Randallstown, MD

Well, it's been a week with new memory and IOS 15.1; here are the results...

GigabitEthernet0/0 is up, line protocol is up 
  Hardware is MV96340 Ethernet, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
  Description: $ETH-WAN$
  Internet address is xx.xx.xx.xx/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is T
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:25, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 161000 bits/sec, 9 packets/sec
  5 minute output rate 7000 bits/sec, 7 packets/sec
     27827091 packets input, 3910727098 bytes, 0 no buffer
     Received 12946 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     13406340 packets output, 2967050726 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
 

I have to say that with more memory, IOS 15.x, and no errors or CRCs, everything feels much, much faster.

Thanks for the assistance guys!
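
Added example (not written by any poster in this thread): one way to follow the suggestion above to track error rates over time is to diff two `show interface` snapshots in the format posted above. The snapshot text, the function names and the error-ratio threshold are constructed assumptions.

```python
import re

# Counter patterns follow the IOS "show interface" layout shown in the thread.
COUNTERS = {
    "packets_in": r"(\d+) packets input",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
    "overrun": r"(\d+) overrun",
    "resets": r"(\d+) interface resets",
}

def parse_counters(text):
    """Return {counter: int} for every known counter found in one snapshot."""
    found = {}
    for name, pattern in COUNTERS.items():
        match = re.search(pattern, text)
        if match:
            found[name] = int(match.group(1))
    return found

def compare(before, after, max_error_ratio=1e-6):
    """Diff two snapshots and flag the link if input errors grew too fast.

    max_error_ratio is an assumed threshold (errors per received packet).
    """
    old, new = parse_counters(before), parse_counters(after)
    if new.get("packets_in", 0) < old.get("packets_in", 0):
        # Counters were cleared or the router reloaded between snapshots:
        # treat the newer snapshot as counting from zero.
        old = {}
    delta = {name: value - old.get(name, 0) for name, value in new.items()}
    packets = delta.get("packets_in", 0)
    errors = delta.get("input_errors", 0)
    ratio = errors / packets if packets else 0.0
    suspect = ratio > max_error_ratio or (packets == 0 and errors > 0)
    return {"delta": delta, "error_ratio": ratio, "suspect": suspect}

# Constructed sample snapshots (not real output from the poster's router).
SNAP_1 = """
     1200000 packets input, 900000000 bytes, 0 no buffer
     40 input errors, 38 CRC, 2 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
"""
SNAP_2 = """
     1500000 packets input, 1100000000 bytes, 0 no buffer
     940 input errors, 910 CRC, 30 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
"""
SNAP_CLEARED = """
     1000 packets input, 640000 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
"""

if __name__ == "__main__":
    print(compare(SNAP_1, SNAP_2))
    print(compare(SNAP_2, SNAP_CLEARED))
```

Taking one snapshot before a gaming session and one after shows whether the CRC count climbs only under load, which is the correlation the thread was looking for.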