CEF causing http to hang/stop on 1712

Discussion in 'Cisco' started by mikeyb, Nov 9, 2009.

  1. mikeyb

    mikeyb Guest

    I'm trying to work out why enabling CEF on our 1712 causes web
    browsing to stop. I want to enable CEF so I can prioritise SIP and
    other traffic on our WAN connection, and from Google I understand that
    CEF is the first step towards doing this. However, when I enable CEF I
    get problems with normal browser traffic. The simplest way to prove
    the problem is to try to watch the BBC live news channel: after
    exactly and repeatably 29 sec the stream stops.
    Perhaps there is something wrong with the config, I don't know; it
    has been working fine until I turned CEF on and works fine if I turn
    it off again (which I do quickly when my users start complaining).
    Thanks for any pointers.
    Mike

    Software version is 12.3(7)T1 and the config is:


    Current configuration : 10818 bytes
    !
    ! Last configuration change at 11:55:18 UTC Fri Nov 6 2009
    ! NVRAM config last updated at 12:13:16 UTC Thu Nov 5 2009
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname xxxxxxxxxxxxx
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 10000 debugging
    enable secret xxxxxxxxxxxx
    !
    username xxxxxxxxxxxx
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    aaa new-model
    !
    !
    aaa authentication login userauthen group radius local
    aaa authentication ppp default local group radius
    aaa authorization network groupauthor local group radius if-authenticated
    aaa session-id common
    ip subnet-zero
    !
    !
    ip domain name xxxxxxx
    ip name-server 192.168.xxx
    ip name-server 192.168.xxx
    !
    !
    no ip bootp server
    no ip cef
    ip inspect name fwinspect udp
    ip inspect name fwinspect smtp
    ip inspect name fwinspect tcp
    ip inspect name fwinspect cuseeme
    ip inspect name fwinspect ftp
    ip inspect name fwinspect rcmd
    ip inspect name fwinspect realaudio
    ip inspect name fwinspect streamworks
    ip inspect name fwinspect vdolive
    ip inspect name fwinspect sqlnet
    ip inspect name fwinspect icmp
    ip audit po max-events 100
    ip ssh authentication-retries 2
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    async-bootp dns-server 192.168.xxx 192.168.xxx
    async-bootp nbns-server 192.168.xxx
    no ftp-server write-enable
    !
    !
    crypto pki trustpoint xxx
    revocation-check crl
    !
    !
    !
    !
    !
    crypto isakmp policy 20
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key xxxxx address xxx no-xauth
    crypto isakmp key xxx address xxx no-xauth
    crypto isakmp invalid-spi-recovery
    !
    crypto isakmp client configuration group xxx
    key xxx
    dns 192.168.xxx
    wins 192.168.xxx
    domain xxx
    pool dialin
    acl 111
    save-password
    !
    !
    crypto ipsec transform-set cm-transformset-1 esp-3des esp-md5-hmac
    !
    crypto dynamic-map vpnclient 1
    set transform-set cm-transformset-1
    !
    !
    crypto map cm-cryptomap client authentication list userauthen
    crypto map cm-cryptomap isakmp authorization list groupauthor
    crypto map cm-cryptomap client configuration address respond
    crypto map cm-cryptomap 20 ipsec-isakmp
    description VPN to xxx
    set peer xxx
    set transform-set cm-transformset-1
    set pfs group2
    match address 110
    crypto map cm-cryptomap 30 ipsec-isakmp
    description VPN to xxx
    set peer xxx
    set transform-set cm-transformset-1
    set pfs group2
    match address 120
    crypto map cm-cryptomap 50 ipsec-isakmp dynamic vpnclient
    !
    !
    !
    interface Loopback0
    ip address 1.1.1.1 255.255.255.0
    !
    interface BRI0
    no ip address
    shutdown
    !
    interface FastEthernet0
    description Connection to ISP
    ip address xxx 255.255.255.240
    ip access-group 199 in
    ip nat outside
    speed 100
    full-duplex
    crypto map cm-cryptomap
    !
    interface FastEthernet1
    no ip address
    !
    interface FastEthernet2
    no ip address
    shutdown
    !
    interface FastEthernet3
    no ip address
    shutdown
    !
    interface FastEthernet4
    no ip address
    shutdown
    !
    interface Virtual-PPP1
    no ip address
    shutdown
    !
    interface Virtual-Template1
    ip unnumbered Vlan1
    ip nat inside
    peer default ip address pool pptp
    ppp encrypt mppe auto passive
    ppp authentication ms-chap-v2 ms-chap
    !
    interface Vlan1
    ip address 192.168.xxx 255.255.255.0
    ip access-group 101 in
    ip nat inside
    ip inspect fwinspect in
    ip policy route-map no-static-nat
    !
    interface Virtual-TokenRing1
    no ip address
    shutdown
    ring-speed 16
    !
    ip local pool pptp 192.168.xxx 192.168.xxx
    ip local pool dialin 192.168.xxx 192.168.xxx
    ip classless
    ip route 0.0.0.0 0.0.0.0 xxx
    ip route 172.22.xxx 255.255.0.0 xxx
    ip route 192.168.xxx 255.255.255.0 xxx
    ip route 192.168.xxx 255.255.255.0 xxx
    ip http server
    no ip http secure-server
    ip nat inside source route-map nonat interface FastEthernet0 overload
    ip nat inside source static tcp 192.168.xxx 20 xxx 20 extendable
    ip nat inside source static tcp 192.168.xxx 21 xxx 21 extendable
    ip nat inside source static tcp 192.168.xxx 25 xxx 25 extendable
    ip nat inside source static tcp 192.168.xxx 587 xxx 587 extendable
    ip nat inside source static tcp 192.168.xxx 993 xxx 993 extendable
    ip nat inside source static tcp 192.168.xxx 995 xxx 995 extendable
    ip nat inside source static tcp 192.168.xxx 3389 xxx 3389 extendable
    ip nat inside source static 192.168.xxx xxx
    !
    !
    access-list 101 remark =========Outgoing traffic=========
    access-list 101 permit tcp any any eq www
    access-list 101 permit udp any any eq domain
    access-list 101 permit ip any 172.22.0.0 0.0.255.255
    access-list 101 permit ip any 192.168.xxx 0.0.0.255
    access-list 101 permit ip any 192.168.xxx 0.0.0.255
    access-list 101 permit ip any 192.168.xxx 0.0.0.255
    access-list 101 permit tcp host 192.168.xxx eq 3389 any established
    access-list 101 permit tcp any any eq 4125
    access-list 101 permit tcp any any eq 3389
    access-list 101 permit tcp any any eq pop3
    access-list 101 permit tcp host 192.168.xxx any eq smtp
    access-list 101 permit tcp host 192.168.xxx eq 587 any established
    access-list 101 permit tcp host 192.168.xxx eq 993 any established
    access-list 101 permit tcp host 192.168.xxx eq smtp any established
    access-list 101 permit tcp host 192.168.xxx eq 995 any established
    access-list 101 permit udp host 192.168.xxx any eq ntp
    access-list 101 permit udp host 192.168.xxx any eq ntp
    access-list 101 permit tcp host 192.168.xxx any eq ident
    access-list 101 permit tcp any any eq 443
    access-list 101 permit tcp any any eq 1863
    access-list 101 permit icmp 192.168.xxx 0.0.0.255 any echo
    access-list 101 permit tcp any any eq 8005
    access-list 101 permit tcp any any eq ftp
    access-list 101 permit tcp any any eq nntp
    access-list 101 permit tcp any any eq 8080
    access-list 101 permit tcp any any eq ftp-data
    access-list 101 permit tcp any any eq telnet
    access-list 101 permit tcp any any eq 123
    access-list 101 permit tcp any any eq 8443
    access-list 101 permit tcp any any eq 143
    access-list 101 permit tcp any any eq 5900
    access-list 101 permit udp any any eq 80
    access-list 101 permit udp any any eq 5050
    access-list 101 permit tcp any any eq 22
    access-list 101 permit tcp any any eq 995
    access-list 101 permit udp host 192.168.xxx any eq ntp
    access-list 101 permit tcp host 192.168.xxx any eq 2703
    access-list 101 permit tcp any any eq 5060
    access-list 101 permit udp any any eq 5060
    access-list 101 permit udp host 192.168.xxx any
    access-list 101 permit tcp host 192.168.xxx any
    access-list 101 permit udp any any range 10000 20000
    access-list 101 remark ====ipsec vpn===
    access-list 101 permit esp any any
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit udp any any eq non500-isakmp
    access-list 105 remark =========Don't NAT VPN Traffic=========
    access-list 105 deny ip 192.168.xxx 0.0.0.255 172.22.xxx 0.0.255.255
    access-list 105 deny ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
    access-list 105 deny ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
    access-list 105 permit ip 192.168.xxx 0.0.0.255 any
    access-list 108 remark =========not used=========
    access-list 108 permit ip 192.168.xxx 0.0.0.255 any
    access-list 110 remark ========xxx VPN========
    access-list 110 permit ip 192.168.xxx 0.0.0.255 172.22.xxx 0.0.255.255
    access-list 110 deny ip 192.168.xxx 0.0.0.255 any
    access-list 111 remark ========Cisco VPN Client========
    access-list 111 permit ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
    access-list 111 deny ip 192.168.xxx 0.0.0.255 any
    access-list 112 remark =======VPN traffic not to NAT==========
    access-list 112 permit ip any 172.22.xxx 0.0.255.255
    access-list 112 permit ip any 192.168.xxx 0.0.0.255
    access-list 112 permit ip any 192.168.xxx 0.0.0.255
    access-list 112 permit ip any 192.168.xxx 0.0.0.255
    access-list 120 remark ========xx VPN==========
    access-list 120 permit ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
    access-list 120 deny ip 192.168.xxx 0.0.0.255 any
    access-list 199 remark ========Outside to Inside==========
    access-list 199 deny icmp any any fragments
    access-list 199 permit icmp any host xxx echo
    access-list 199 permit icmp any 192.168.xxx 0.0.0.255 echo-reply
    access-list 199 permit icmp any any packet-too-big
    access-list 199 permit icmp any any time-exceeded
    access-list 199 deny icmp any any
    access-list 199 remark ====ipsec vpn===
    access-list 199 permit esp any any
    access-list 199 permit udp any any eq isakmp
    access-list 199 permit udp any any eq non500-isakmp
    access-list 199 remark ====pptp vpn===
    access-list 199 permit gre any any
    access-list 199 permit tcp any any eq 1723
    access-list 199 remark ====Email to server===
    access-list 199 permit tcp any host xxx eq 993
    access-list 199 permit tcp any host xxx eq smtp
    access-list 199 permit tcp any host xxx eq 995
    access-list 199 permit tcp any host xxx eq 587
    access-list 199 remark ====Terminal services from xxx===
    access-list 199 permit tcp host xxx host xxx eq 3389
    access-list 199 remark ====FTP to internal server===
    access-list 199 permit tcp any host xxx eq ftp
    access-list 199 remark ====VOIP to xxx===
    access-list 199 permit udp any host xxx eq 5060
    access-list 199 permit udp any host xxx eq 4569
    access-list 199 permit udp any host xxx range 10000 20000
    access-list 199 remark =====Ports for xxx====
    access-list 199 permit udp host xxx any eq 5050
    access-list 199 permit udp host xxx any eq 80
    access-list 199 permit tcp host xxx any eq 22
    access-list 199 permit udp host xxx any eq 5050
    access-list 199 permit udp host xxx any eq 80
    access-list 199 permit tcp host xxx any eq 22
    !
    route-map proxy-redirect permit 10
    match ip address 112
    set ip next-hop 192.168.xxx
    !
    route-map no-static-nat permit 1
    match ip address 112
    set ip next-hop 1.1.1.2
    !
    route-map nonat permit 10
    match ip address 105
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server host 192.168.xxx auth-port 1645 acct-port 1646
    radius-server key 7 xxx
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    ntp clock-period x
    ntp server 192.168.xxx
    ntp server 192.168.xxx
    !
    end
    mikeyb, Nov 9, 2009
    #1

  2. mikeyb

    bod43 Guest

    On 9 Nov, 12:24, mikeyb <> wrote:
    > I'm trying to work out why enabling CEF on our 1712 causes web
    > browsing to stop. I want to enable CEF so I can prioritise SIP and
    > other traffic on our WAN connection and from google I understand that
    > cef is the first step towards doing this. however when I enable CEF I
    > get problems with normal browser traffic. The simplest way to prove
    > the problem is to try to watch the BBC live news channel,  after
    > exactly and repeatably 29sec the stream stops.
    > Perhaps there is something wrong with the config , I don't know , it
    > has been working fine until I turned cef on and works fine if I turn
    > it off again (which I do quickly when my users start complaining)..
    > thanks for any pointers
    > Mike
    >
    > Software version is 12.3(7)T1 and the config is:


    Sounds like a bug.

    A few things might not work with CEF (as I vaguely recall)
    but this is usually implemented by the stuff that does
    not work with CEF, simply not using it even if enabled.

    I do not recall that any QoS does not work with CEF.

    If you point to the documents that recommend CEF
    then perhaps someone may comment on them.

    There has been a tendency to recommend CEF as some
    sort of panacea to fix all ills but mostly there is no
    special advantage to using it. (Certain load balancing
    being one exception where it can pay dividends.)

    What feature set do you have?
    How much DRAM?
    How much flash?
    It's all in the sh ver

    "Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version
    12.4(15)T7, RELEASE SOFTWARE (fc3)
    ....
    Cisco 877W (MPC8272) processor (revision 0x200) with 118784K/12288K
    bytes of memory.
    ....
    24576K bytes of processor board System flash (Intel Strataflash)"

    It's best just to post the whole sh ver, perhaps removing the
    "Processor board ID .............."
    line to avoid possible identification?


    12.3(7)T1 sounds pretty ancient. If you can why not upgrade?
    Avoid T code unless you need to use it.

    www.cisco.com/go/fn

    Image Name c1700-k9o3sy7-mz.124-25b.bin
    DRAM / Min Flash 96 / 32
    Enterprise Product Number S17C7HK9-12425

    Might be appropriate.

    IP/ADSL/FW/IDS PLUS IPSEC 3DES
    bod43, Nov 10, 2009
    #2

  3. mikeyb wrote:
    > I'm trying to work out why enabling CEF on our 1712 causes web
    > browsing to stop. I want to enable CEF so I can prioritise SIP and
    > other traffic on our WAN connection and from google I understand that
    > cef is the first step towards doing this. however when I enable CEF I
    > get problems with normal browser traffic. The simplest way to prove
    > the problem is to try to watch the BBC live news channel, after
    > exactly and repeatably 29sec the stream stops.
    > Perhaps there is something wrong with the config , I don't know , it
    > has been working fine until I turned cef on and works fine if I turn
    > it off again (which I do quickly when my users start complaining)..
    > thanks for any pointers
    > Mike
    >
    > Software version is 12.3(7)T1 and the config is:


    In famous words of Cisco TAC - "Upgrade to latest mainline and call us
    back!" :)

    Andrey.
    Andrey Tarasov, Nov 10, 2009
    #3
  4. mikeyb

    Dan Lanciani Guest

    In article <>, (mikeyb) writes:

    | I'm trying to work out why enabling CEF on our 1712 causes web
    | browsing to stop. I want to enable CEF so I can prioritise SIP and
    | other traffic on our WAN connection and from google I understand that
    | cef is the first step towards doing this. however when I enable CEF I
    | get problems with normal browser traffic. The simplest way to prove
    | the problem is to try to watch the BBC live news channel, after
    | exactly and repeatably 29sec the stream stops.
    | Perhaps there is something wrong with the config , I don't know , it
    | has been working fine until I turned cef on and works fine if I turn
    | it off again (which I do quickly when my users start complaining)..
    | thanks for any pointers

    I've had problems with CEF on point-to-point connections:

    http://groups.google.com/group/comp...read/thread/ae30552d34027a4c/1c5f8d2ef417381a

    This particular problem was "fixed" in a later release in the sense that
    IOS now appears to automatically disable CEF on the serial interface.
    You might want to check your CEF adjacencies after the stream stops.

    Dan Lanciani
    ddl@danlan.*com
    Dan Lanciani, Nov 10, 2009
    #4
  5. mikeyb

    mikeyb Guest

    bod43,
    thanks for the reply

    > Sounds like a bug.
    >

    I was wondering this myself.

    >
    > If you point to the documents that recommend CEF
    > then perhaps someone may comment on them.
    >

    If I try:
    ip nbar protocol-discovery on the wan interface
    I get
    CEF or distributed CEF switching is required for NBAR 'protocol
    discovery' command
    >
    > What feature set do you have?
    > How much DRAM?
    > How much flash?
    > It's all in the sh ver
    >

    sho vers
    Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.3(7)
    T1, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2004 by Cisco Systems, Inc.
    Compiled Thu 22-Apr-04 09:44 by eaarmas

    ROM: System Bootstrap, Version 12.2(7r)XM4, RELEASE SOFTWARE (fc1)

    autogard1700 uptime is 4 days, 23 hours, 54 minutes
    System returned to ROM by reload at 08:14:43 UTC Thu Nov 5 2009
    System restarted at 08:17:15 UTC Thu Nov 5 2009
    System image file is "flash:c1700-k9o3sy7-mz.123-7.T1.bin"

    snip

    Cisco 1712 (MPC862P) processor (revision 0x101) with 85243K/13061K
    bytes of memory.
    MPC862P processor: part number 7, mask 0
    1 Ethernet interface
    5 FastEthernet interfaces
    1 ISDN Basic Rate interface
    1 Virtual Private Network (VPN) Module
    32K bytes of NVRAM.
    32768K bytes of processor board System flash (Read/Write)

    Configuration register is 0x2102

    As you suggest I think an upgrade is very much in order.

    Mike
    mikeyb, Nov 10, 2009
    #5
  6. mikeyb

    mikeyb Guest


    >
    > In famous words of Cisco TAC - "Upgrade to latest mainline and call us
    > back!" :)
    >
    > Andrey.


    I suspected this might be needed, I assume this would be more economic
    than getting a new router, but what is the downside to putting new
    software on old kit?

    Mike
    mikeyb, Nov 10, 2009
    #6
  7. mikeyb

    Rob Guest

    mikeyb <> wrote:
    >
    >>
    >> In famous words of Cisco TAC - "Upgrade to latest mainline and call us
    >> back!" :)
    >>
    >> Andrey.

    >
    > I suspected this might be needed, I assume this would be more economic
    > than getting a new router, but what is the downside to putting new
    > software on old kit?


    Usually a new IOS version won't fit in an old router without a memory
    upgrade.

    I have had very strange problems with CEF as well, when combined with
    dialers (unfortunately required for ADSL with PPPoA) and also with
    policy routing.
    Rob, Nov 10, 2009
    #7
  8. mikeyb

    mikeyb Guest

    > You might want to check your CEF adjacencies after the stream stops.
    >
    > Dan Lanciani
    > ddl@danlan.*com

    Thanks Dan, I've checked the adjacencies and they are ok (to me). IPs
    connected to the right interfaces. The only thing I found using debug
    ip cef drops was lots of drops on the loopback interface (in the
    config to stop vpn traffic being static NAT'd). I don't think this is
    my problem though.

    Mike
    mikeyb, Nov 10, 2009
    #8
  9. mikeyb

    bod43 Guest

    On 10 Nov, 09:38, Rob <> wrote:
    > mikeyb <> wrote:
    >
    > >> In famous words of Cisco TAC - "Upgrade to latest mainline and call us
    > >> back!" :)

    >
    > >> Andrey.

    >
    > > I suspected this might be needed, I assume this would be more economic
    > > than getting a new router, but what is the downside to putting new
    > > software on old kit?

    >
    > Usually a new IOS version won't fit in an old router without a memory
    > upgrade.


    Miraculously I seemed to have guessed the correct
    feature set and so you can see above the memory
    requirements.

    Image Name c1700-k9o3sy7-mz.124-25b.bin
    DRAM / Min Flash 96 / 32

    Same as for 12.3T.

    You have enough RAM and Flash.

    Of course 12.4 mainline is basically the last development
    of 12.3T but now with 25 and more rounds of bug
    fixes:) or :-(.

    I can recall doing PBR to a loopback
    to avoid NAT but we stopped years ago and
    did it differently. I did not do much static NAT
    and can't recall the details now. Not seen that for
    years anyway.

    http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html
    NAT - Ability to Use Route Maps with Static Translations
    12.2(4)T This feature was introduced.

    So it looks like you could remove the PBR if you
    preferred. It always seemed like a horrible kludge to
    me anyway.
    bod43, Nov 10, 2009
    #9
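The pre-upgrade check worked through in posts #5 and #9, as an added example that is not part of the original thread: it parses `show version` output and compares platform, feature set, DRAM and flash against a target image's stated minimums. The function names and the image-name pattern are assumptions made for this sketch; the sample text is constructed from the lines quoted in post #5.

```python
import re

# Constructed sample: the relevant lines of the `show version` output in post #5,
# including the line wrap in the memory line.
SHOW_VERSION = """\
System image file is "flash:c1700-k9o3sy7-mz.123-7.T1.bin"
Cisco 1712 (MPC862P) processor (revision 0x101) with 85243K/13061K
bytes of memory.
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)
"""


def parse_image_name(name):
    """Split an IOS image file name into (platform, feature-set code).

    Assumes the <platform>-<featureset>-<type>.<version>.bin layout seen in
    the thread, with an optional "flash:" style device prefix.
    """
    m = re.match(r"(?:[^:]+:)?(c\d+)-([a-z0-9]+)-[a-z]+\.", name.lower())
    if not m:
        raise ValueError(f"unrecognised image name: {name!r}")
    return m.group(1), m.group(2)


def parse_show_version(text):
    """Extract DRAM, flash and running-image details from `show version`."""
    flat = " ".join(text.split())  # undo terminal/mail line wrapping
    mem = re.search(r"with (\d+)K/(\d+)K bytes of memory", flat)
    flash = re.search(r"(\d+)K bytes of processor board System flash", flat)
    image = re.search(r'System image file is "([^"]+)"', flat)
    if not (mem and flash and image):
        raise ValueError("missing memory, flash or image line")
    platform, feature = parse_image_name(image.group(1))
    return {
        # Total DRAM is processor memory plus I/O memory (the two K figures).
        "dram_mb": (int(mem.group(1)) + int(mem.group(2))) // 1024,
        "flash_mb": int(flash.group(1)) // 1024,
        "platform": platform,
        "feature_set": feature,
    }


def check_upgrade(show_version, target_image, need_dram_mb, need_flash_mb):
    """Return a list of reasons the target image is unsuitable (empty = OK)."""
    have = parse_show_version(show_version)
    platform, feature = parse_image_name(target_image)
    problems = []
    if platform != have["platform"]:
        problems.append(
            f"platform mismatch: running {have['platform']}, target {platform}")
    if feature != have["feature_set"]:
        problems.append(
            f"feature set changes: running {have['feature_set']}, target {feature}")
    if have["dram_mb"] < need_dram_mb:
        problems.append(f"DRAM {have['dram_mb']} MB < required {need_dram_mb} MB")
    # "Min Flash" is the flash size; free space for the new file is a separate check.
    if have["flash_mb"] < need_flash_mb:
        problems.append(f"flash {have['flash_mb']} MB < required {need_flash_mb} MB")
    return problems


if __name__ == "__main__":
    # Target image and its 96 / 32 requirement are the figures quoted in the thread.
    issues = check_upgrade(SHOW_VERSION, "c1700-k9o3sy7-mz.124-25b.bin", 96, 32)
    print(parse_show_version(SHOW_VERSION))
    print("OK to upgrade" if not issues else issues)
```
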
  10. mikeyb

    Rob Guest

    bod43 <> wrote:
    > I can recall doing PBR to a loopback
    > to avoid NAT but we stopped years ago and
    > did it differently. I did not do much static NAT
    > and can't recall the details now. Not seen that for
    > years anyway.
    >
    > http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html
    > NAT - Ability to Use Route Maps with Static Translations
    > 12.2(4)T This feature was introduced.
    >
    > So it looks like you could remove the PBR if you
    > preferred. It always seemed like a horrible kludge to
    > me anyway.


    We had to use PBR because we had two ADSL interfaces to internet, each
    with source address filtering. As you cannot randomly send traffic out
    to the ADSL in this case, as happens when you set two default routes,
    we used PBR with a loopback interface for all the outbound traffic.
    (selecting the proper ADSL interface based on the source address of
    the traffic)

    This worked OK, but not with CEF.
    Now the ADSL lines are retired and replaced by a single fiber, the
    problem is gone and CEF is now enabled on the router.

    IOS is 12.4(5a), has been updated several times but it never fixed the
    issue.
    Rob, Nov 10, 2009
    #10
  11. mikeyb

    Dan Lanciani Guest

    In article <>, (mikeyb) writes:
    | > You might want to check your CEF adjacencies after the stream stops.
    | >
    | > Dan Lanciani
    | > ddl@danlan.*com
    | Thanks Dan, I've checked the adjacencies and they are ok (to me). IPs
    | connected to the right interfaces. The only thing I found using debug
    | ip cef drops was lots of drops on the loopback interface (in the
    | config to stop vpn traffic being static NAT'd). I don't think this is
    | my problem though.

    Well, drops are bad if you need the packets routed. :) Do the drops
    start as soon as CEF is enabled or after the problem occurs? Did you
    try disabling CEF on the loopback interface (only)?

    Dan Lanciani
    ddl@danlan.*com
    Dan Lanciani, Nov 11, 2009
    #11
  12. mikeyb

    mikeyb Guest

    >
    > Miraculously I seemed to have guessed the correct
    > feature set and so you can see above the memory
    > requirements.
    >
    > Image Name c1700-k9o3sy7-mz.124-25b.bin
    > DRAM / Min Flash 96 / 32
    >
    > Same as for 12.3T.
    >
    > You have enough RAM and Flash.
    >
    > Of course 12.4 mainline is basically the last development
    > of 12.3T but now with 25 and more rounds of bug
    > fixes:) or :-(.


    From my poking around Cisco's site I thought I should be able to
    upgrade too. Thanks for the info/confirmation.

    >
    > http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatr...
    > NAT - Ability to Use Route Maps with Static Translations
    > 12.2(4)T This feature was introduced.
    >
    > So it looks like you could remove the PBR if you
    > preferred. It always seemed like a horrible kludge to
    > me anyway.


    I tried removing the PBR loopback but couldn't get route maps to work
    with the static PAT's in the config.
    mikeyb, Nov 11, 2009
    #12
  13. mikeyb

    mikeyb Guest

    On Nov 11, 5:06 am, ddl@danlan.*com (Dan Lanciani) wrote:
    > In article <..com>, (mikeyb) writes:
    > | > You might want to check your CEF adjacencies after the stream stops.
    > | >
    > | >                                 Dan Lanciani
    > | >                                 ddl@danlan.*com
    > | Thanks Dan, I've checked the adjacencies and they are ok (to me). IPs
    > | connected to the right interfaces. The only thing I found using debug
    > | ip cef drops was lots of drops on the loopback interface (in the
    > | config to stop vpn traffic being static NAT'd). I don't think this is
    > | my problem though.
    >
    > Well, drops are bad if you need the packets routed. :)  Do the drops
    > start as soon as CEF is enabled or after the problem occurs?  Did you
    > try disabling CEF on the loopback interface (only)?
    >
    >                                 Dan Lanciani
    >                                 ddl@danlan.*com

    The drops start as soon as I enable CEF. I tried - it didn't fix the
    problem.
    mikeyb, Nov 11, 2009
    #13