problems with ping rates thru cisco 3845

Discussion in 'Cisco' started by arraga@gmail.com, Nov 23, 2005.

  1. Guest

    Hello, I have a problem with a cisco 3845, 12.3(11r)T1, which has me
    complety stupefied, and welcome any help or comments.

    When I try to ping a host thru it, it looks like I can't get a ping
    rate of one packet every two seconds, i.e (-i n means to send a packet
    every 'n' seconds):

    ===========================================
    arraga@mauser:~$ ping -i 1 10.67.129.1
    PING 10.67.129.1 (10.67.129.1) 56(84) bytes of data.
    64 bytes from 10.67.129.1: icmp_seq=1 ttl=254 time=964 ms
    64 bytes from 10.67.129.1: icmp_seq=3 ttl=254 time=1.59 ms
    64 bytes from 10.67.129.1: icmp_seq=5 ttl=254 time=1.66 ms
    64 bytes from 10.67.129.1: icmp_seq=7 ttl=254 time=1038 ms
    64 bytes from 10.67.129.1: icmp_seq=9 ttl=254 time=0.982 ms
    64 bytes from 10.67.129.1: icmp_seq=11 ttl=254 time=1.11 ms

    --- 10.67.129.1 ping statistics ---
    11 packets transmitted, 6 received, 45% packet loss, time 10003ms
    rtt min/avg/max/mdev = 0.982/334.663/1038.188/471.871 ms, pipe 2

    arraga@mauser:~$ ping -i 0.5 10.67.129.1
    PING 10.67.129.1 (10.67.129.1) 56(84) bytes of data.
    64 bytes from 10.67.129.1: icmp_seq=1 ttl=254 time=1.74 ms
    64 bytes from 10.67.129.1: icmp_seq=5 ttl=254 time=1.00 ms
    64 bytes from 10.67.129.1: icmp_seq=9 ttl=254 time=1.32 ms
    64 bytes from 10.67.129.1: icmp_seq=12 ttl=254 time=1.98 ms

    --- 10.67.129.1 ping statistics ---
    13 packets transmitted, 4 received, 69% packet loss, time 6035ms
    rtt min/avg/max/mdev = 1.001/1.514/1.984/0.381 ms

    arraga@mauser:~$ ping -i 0.2 10.67.129.1
    PING 10.67.129.1 (10.67.129.1) 56(84) bytes of data.
    64 bytes from 10.67.129.1: icmp_seq=1 ttl=254 time=1.36 ms
    64 bytes from 10.67.129.1: icmp_seq=11 ttl=254 time=0.946 ms
    64 bytes from 10.67.129.1: icmp_seq=21 ttl=254 time=1.00 ms
    64 bytes from 10.67.129.1: icmp_seq=29 ttl=254 time=0.965 ms

    --- 10.67.129.1 ping statistics ---
    30 packets transmitted, 4 received, 86% packet loss, time 5946ms
    rtt min/avg/max/mdev = 0.946/1.068/1.362/0.173 ms

    =========================================

    But if I let more than 2 secs between pings, I have 100% success.

    arraga@mauser:~$ ping -i 2 10.67.129.1
    PING 10.67.129.1 (10.67.129.1) 56(84) bytes of data.
    64 bytes from 10.67.129.1: icmp_seq=1 ttl=254 time=1.13 ms
    64 bytes from 10.67.129.1: icmp_seq=2 ttl=254 time=83.0 ms
    64 bytes from 10.67.129.1: icmp_seq=3 ttl=254 time=1.05 ms
    64 bytes from 10.67.129.1: icmp_seq=4 ttl=254 time=1.01 ms
    64 bytes from 10.67.129.1: icmp_seq=5 ttl=254 time=157 ms
    64 bytes from 10.67.129.1: icmp_seq=6 ttl=254 time=1.03 ms
    64 bytes from 10.67.129.1: icmp_seq=7 ttl=254 time=0.978 ms

    --- 10.67.129.1 ping statistics ---
    7 packets transmitted, 7 received, 0% packet loss, time 12004ms
    rtt min/avg/max/mdev = 0.978/35.074/157.281/57.351 ms
    ============================================

    Now, here comes the strange part.

    The line in the access-list that lets ping to go thru is this:

    fw3800#sh access-list filtrado-inbound-ri
    Extended IP access list filtrado-inbound-ri
    ...
    21 permit icmp 10.0.0.0 0.255.255.255 any echo (2061 matches)
    ... (270 more lines).


    If I change it to:

    21 permit icmp 10.0.0.0 0.255.255.255 any echo log

    The problem automagically goes away, as exemplified by:

    root@mauser:/home/arraga # ping -i 0.1 10.67.129.1
    PING 10.67.129.23 (10.67.129.23) 56(84) bytes of data.
    64 bytes from 10.67.129.1: icmp_seq=1 ttl=126 time=15.3 ms
    64 bytes from 10.67.129.1: icmp_seq=2 ttl=126 time=5.40 ms
    64 bytes from 10.67.129.1: icmp_seq=3 ttl=126 time=5.26 ms
    64 bytes from 10.67.129.1: icmp_seq=4 ttl=126 time=5.96 ms
    64 bytes from 10.67.129.1: icmp_seq=5 ttl=126 time=5.20 ms
    64 bytes from 10.67.129.1: icmp_seq=6 ttl=126 time=5.39 ms
    64 bytes from 10.67.129.1: icmp_seq=7 ttl=126 time=5.32 ms
    64 bytes from 10.67.129.1: icmp_seq=8 ttl=126 time=6.81 ms
    64 bytes from 10.67.129.1: icmp_seq=9 ttl=126 time=5.57 ms
    --- 10.67.129.1 ping statistics ---
    9 packets transmitted, 9 received, 0% packet loss, time 1111ms
    rtt min/avg/max/mdev = 5.176/6.340/15.368/2.757 ms

    Now i'm sending 10 icmps by second, and no one gets lost. Only one
    gets thru when the 'log' is not present in the access-list entry.

    The interface has a double NAT (the origin and source of the echos and
    echo-replys are changed in the 3845), 10.67.129.1 is the nat'd address
    of the output interface.



    Greets!
     
    , Nov 23, 2005
    #1
    1. Advertising

  2. schrieb:
    > Hello, I have a problem with a cisco 3845, 12.3(11r)T1, which has me
    > complety stupefied, and welcome any help or comments.
    >

    [...}
    > arraga@mauser:~$ ping -i 2 10.67.129.1
    > PING 10.67.129.1 (10.67.129.1) 56(84) bytes of data.
    > 64 bytes from 10.67.129.1: icmp_seq=1 ttl=254 time=1.13 ms


    >
    > If I change it to:
    >
    > 21 permit icmp 10.0.0.0 0.255.255.255 any echo log
    >
    > The problem automagically goes away, as exemplified by:
    >
    > root@mauser:/home/arraga # ping -i 0.1 10.67.129.1
    > PING 10.67.129.23 (10.67.129.23) 56(84) bytes of data.
    > 64 bytes from 10.67.129.1: icmp_seq=1 ttl=126 time=15.3 ms


    First thing which makes me wonder is the different TTL in your examples.
    Next: What is IP 10.67.129.23 and what 10.67.129.1?

    Christian
     
    Christian Lox, Nov 23, 2005
    #2
    1. Advertising

  3. Bob Goddard Guest

    wrote:

    > Hello, I have a problem with a cisco 3845, 12.3(11r)T1, which has me
    > complety stupefied, and welcome any help or comments.
    >
    > When I try to ping a host thru it, it looks like I can't get a ping
    > rate of one packet every two seconds, i.e (-i n means to send a packet
    > every 'n' seconds):


    Standard practice. Routers have better thing to do than reply
    to ping packets every second. If they arrive too quickly, they
    will be ignored.


    B
     
    Bob Goddard, Nov 24, 2005
    #3
  4. Guest

    The cut & paste got mixed,

    10.67.129.1 is the router interface to the 10.67.129.0/24 net, and
    10.67.129.23 is one of the machines in that net.

    The same behaviour occurs if I ping the interface, or if I ping any of
    the machines behind. I got confused between the examples.

    The 10.67.129.0/24 net is a nat, the real ip address of that net is in
    the 172.20.25.0/24 range.

    So, it's like

    10.0.0.0/8 <---> | 3845 | <--> 172.20.25.0/24 (which is nated to
    10.67.129.0/24)

    There's an applied access list to the inbound interface. Everything in
    the 10.0.0.0/8 net, when accessing the 10.67.129.0/24 net is nated to
    a single ip (10.66.254.1)

    Best regards, Santiago
     
    , Nov 24, 2005
    #4
  5. Guest

    That would make sense, but the same behaviour occurs when I try to ping
    any of the machines behind the router (10.67.129.23, for example).

    I was pinging the interface in order to discard any possible net
    problem behind it.

    Best regards, Santiago
     
    , Nov 24, 2005
    #5
  6. Hansang Bae Guest

    wrote:

    > Hello, I have a problem with a cisco 3845, 12.3(11r)T1, which has me
    > complety stupefied, and welcome any help or comments.
    >
    > When I try to ping a host thru it, it looks like I can't get a ping
    > rate of one packet every two seconds, i.e (-i n means to send a packet
    > every 'n' seconds):
    >

    [snip]
    >
    > Now, here comes the strange part.
    >
    > The line in the access-list that lets ping to go thru is this:
    >
    > fw3800#sh access-list filtrado-inbound-ri
    > Extended IP access list filtrado-inbound-ri
    > ...
    > 21 permit icmp 10.0.0.0 0.255.255.255 any echo (2061 matches)
    > ... (270 more lines).
    >
    >
    > If I change it to:
    >
    > 21 permit icmp 10.0.0.0 0.255.255.255 any echo log
    >
    > The problem automagically goes away, as exemplified by:
    >
    > Now i'm sending 10 icmps by second, and no one gets lost. Only one
    > gets thru when the 'log' is not present in the access-list entry.
    >
    > The interface has a double NAT (the origin and source of the echos and
    > echo-replys are changed in the 3845), 10.67.129.1 is the nat'd address
    > of the output interface.


    You probably ran into some type of a bug. That would be my first
    guess.

    couple of questions

    1) Do you have redundant routes to your destination?
    2) Are you rate-limiting your ICMPs (ip icmp rate-limit..."
    3) Are you using any control-plane throttling?

    --

    hsb


    "Somehow I imagined this experience would be more rewarding" Calvin
    **************************ROT13 MY ADDRESS*************************
    Due to the volume of email that I receive, I may not not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Nov 25, 2005
    #6
  7. Hansang Bae Guest

    Bob Goddard wrote:

    > wrote:
    >
    > > Hello, I have a problem with a cisco 3845, 12.3(11r)T1, which has
    > > me complety stupefied, and welcome any help or comments.
    > >
    > > When I try to ping a host thru it, it looks like I can't get a ping
    > > rate of one packet every two seconds, i.e (-i n means to send a
    > > packet every 'n' seconds):

    >
    > Standard practice. Routers have better thing to do than reply
    > to ping packets every second. If they arrive too quickly, they
    > will be ignored.



    Since he's nat'ing it should be going through the router. Not
    terminating at the router. Cisco's default is (was?) 2 per second per
    interface (last time I checked). Maybe it was two every half a second?



    --

    hsb


    "Somehow I imagined this experience would be more rewarding" Calvin
    **************************ROT13 MY ADDRESS*************************
    Due to the volume of email that I receive, I may not not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Nov 25, 2005
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    0
    Views:
    713
  2. romko
    Replies:
    0
    Views:
    750
    romko
    Jan 27, 2006
  3. romko
    Replies:
    1
    Views:
    616
    Trouble
    Jan 31, 2006
  4. Replies:
    1
    Views:
    6,927
    Walter Roberson
    May 25, 2006
  5. Replies:
    21
    Views:
    1,494
    Shauna
    Aug 26, 2008
Loading...

Share This Page