10-01-2012 12:25 AM - edited 03-01-2019 05:36 PM
Hello Everybody,
I created a test-setup with dual stack on a 1841 Router with IOS
c1841-advipservicesk9-mz.124-3e.bin
Cisco 1841 (revision 6.0) with 237568K/24576K bytes of memory.
Processor board ID FCZ1033209N
2 FastEthernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
It works so far - but I detected high CPU load (up to 80-100%) and all IPv6 is awfully slow - I got 32Mbps down and >2Mbps upstream - in v6 I get only around 800kbps throughput.
As IPv6 is preferred over IPv4, this causes a slowdown of any related connection to the Internet.
Relevant parts of the setup:
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 2001:4860:4860::8888
ip name-server 2001:4860:4860::8844
ip inspect name FWRULES tcp
ip inspect name FWRULES udp
ip inspect name FWRULES ftp
ip inspect name FWRULES icmp
ip inspect name FWRULES rtsp
ip inspect name FWRULES h323
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool LANG-IPV6
 dns-server 2001:4860:4860::8888
 dns-server 2001:4860:4860::8844
 domain-name familie.lang
!
ipv6 inspect name cbac-ipv6 tcp
ipv6 inspect name cbac-ipv6 udp
ipv6 inspect name cbac-ipv6 icmp
ipv6 inspect name cbac-ipv6 ftp
!
interface Tunnel66
 description 6in4 tunnel to SixXS
 bandwidth 32000
 no ip address
 ipv6 address 2001:4DD0:FF00:F3B::2/64
 ipv6 enable
 ipv6 traffic-filter INBOUND_V6_TRAFFIC in
 ipv6 inspect cbac-ipv6 out
 tunnel source FastEthernet0/0
 tunnel destination 78.35.24.124
 tunnel mode ipv6ip
 tunnel bandwidth transmit 6000
 tunnel bandwidth receive 32000
!
!
interface FastEthernet0/0
 description *** Outside Internet-Anschluss***
 ip dhcp client update dns server both
 ip ddns update hostname lang.dyndns-at-work.com
 ip ddns update DynDNS
 ip address dhcp
 ip access-group INBOUND_TRAFFIC in
 ip accounting access-violations
 ip nat outside
 ip inspect FWRULES out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description *** Inside Interface (LAN) ***
 ip address 192.168.1.251 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
!
!
ip access-list extended INBOUND_TRAFFIC
 remark Inbound access rule
 remark SDM_ACL Category=1
 permit tcp any any established
 permit udp any eq ntp any eq ntp
 permit udp any eq domain any eq domain
 permit tcp any any eq 22
 permit udp any any
 permit 41 host 78.35.24.124 host 188.193.89.173
 permit icmp host 78.35.24.124 host 188.193.89.173
 deny ip any any
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 tag 666 name Internet_Default
!
ipv6 route ::/0 Tunnel66
!
ipv6 access-list INBOUND_V6_TRAFFIC
 remark Inbound access rule for IPV6
 permit tcp any any established
 sequence 70 permit udp any any
 sequence 75 permit icmp any any
 sequence 80 permit icmp host 2001:4DD0:FF00:F3B::1 host 2001:4DD0:FF00:F3B::2 echo-request
 sequence 100 remark prevent ingress of all addresses except global unicast and multicast
 deny ipv6 ::/3 any log
 deny ipv6 8000::/2 any log
 deny ipv6 C000::/3 any log
 deny ipv6 E000::/4 any log
 deny ipv6 F000::/5 any log
 deny ipv6 F800::/6 any log
 deny ipv6 FC00::/7 any log
 deny ipv6 FE00::/8 any log
!
My questions are:
1. What causes such a slowdown (or is the problem out of my property)?
2. Anything wrong/to be corrected with the setup?
3. If the answer is yes, what do I need to do?
Thank you for help!
10-01-2012 01:33 PM
Can you see which processes are consuming the CPU (show process CPU)?
Is there a lot of packet fragmentation?
10-02-2012 01:50 AM
Average CPU is low - I just see peaks going up.
Fragmentation is not an issue, my tunnel neighbor is set up to provide 1480, as is my own router.
IPv6 does path MTU detection, hence end devices should do all fragmentation at the beginning of transmission.
However, I tried out packet sizes on WAN from 1280 up to 1480 in 50 steps and it made no difference for the throughput at all.
From my point of view it slows down at the tunnel brokers address - I attached a tracepath from a linux system.
LX-NMS-VM:~ # tracepath6 six.heise.de
1?: [LOCALHOST] 0.021ms pmtu 1480
1: 2001:4dd0:ff00:8f3b:8000::1 1.451ms
1: 2001:4dd0:ff00:8f3b:8000::1 1.480ms
2: gw-3900.cgn-01.de.sixxs.net 28.909ms
3: 2001:4dd0:1234:3::42 28.028ms asymm 2
4: core-eup2-ge1-22.netcologne.de 123.901ms asymm 3
5: core-pg1-te4-3.netcologne.de 28.207ms asymm 4
6: rtint3-po5netcologne.de 29.436ms asymm 5
7: gi1-15.c1.d.de.plusline.net 31.308ms asymm 6
8: 2a02:2e0:12:6::1 39.045ms asymm 6
9: te6-1.c13.f.de.plusline.net 30.527ms asymm 7
10: www.six.heise.de 32.974ms reached
Resume: pmtu 1480 hops 10 back 57
10-03-2012 12:34 PM
I don't see an obvious reason for the high CPU usage, but I do know that the free Tunnel Brokers tend to have extraordinarily high load.
You might want to see if there is a local POP for www.tunnelbroker.net (Hurricane Electric's free IPv6 tunnel broker) and see if that makes a difference.
The proper course of action is to demand that your ISP provide IPv6 service!
10-05-2012 01:16 AM
Hello Phillip,
Seems I found it:
https://supportforums.cisco.com/message/3192800#3192800
This article pointed to a bug in IOS with IPv6 inspect.
I removed ip inspection from my interface; now it works with acceptable speed!
Seems I need to cover this network now with an extra firewall or to get a bugfix in IOS.
I currently use c1841-advipservicesk9-mz.124-3e.bin, how could I get a newer version where this bug is fixed?
As of what version is this bug fixed?
Bye, Robert
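An added example (not part of the original thread and not Cisco tooling) for the workaround in the post above: a Python check that finds interfaces using IPv6 CBAC and lists the inbound ACL entries that permit a whole protocol from any source to any destination, since the ACL is the only filter left once inspection is removed. The sample configuration is a constructed excerpt of the one posted in this thread, and the function names are hypothetical.

```python
import re

# Constructed excerpt of the configuration posted in this thread.
SAMPLE_CONFIG = """\
interface Tunnel66
 ipv6 traffic-filter INBOUND_V6_TRAFFIC in
 ipv6 inspect cbac-ipv6 out
!
interface FastEthernet0/1
 ip nat inside
!
ipv6 access-list INBOUND_V6_TRAFFIC
 permit tcp any any established
 sequence 70 permit udp any any
 sequence 75 permit icmp any any
 deny ipv6 FC00::/7 any log
!
"""

def stanzas(config, header):
    """Map stanza name -> sub-commands for blocks starting with `header`.
    A stanza ends at a '!' line, so indentation is not required."""
    found, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(header + " "):
            current = found.setdefault(line[len(header) + 1:], [])
        elif line == "!" or not line:
            current = None
        elif current is not None:
            current.append(line)
    return found

def wide_open(entry):
    """True for 'permit <proto> any any' with no further qualifier."""
    return re.fullmatch(r"(sequence \d+ )?permit \S+ any any", entry) is not None

def audit(config):
    """For each interface using IPv6 CBAC, list the inbound ACL entries that
    stay wide open once 'ipv6 inspect' is removed from that interface."""
    acls = stanzas(config, "ipv6 access-list")
    report = {}
    for name, cmds in stanzas(config, "interface").items():
        if not any(c.startswith("ipv6 inspect ") for c in cmds):
            continue
        for c in cmds:
            m = re.fullmatch(r"ipv6 traffic-filter (\S+) in", c)
            if m:
                report[name] = [e for e in acls.get(m.group(1), []) if wide_open(e)]
    return report

if __name__ == "__main__":
    for intf, entries in audit(SAMPLE_CONFIG).items():
        print(intf, "->", entries)
```
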
10-05-2012 06:49 PM
12.4(25b)M1 or later, or the appropriate 15.x release. Watch that you have the appropriate amount of memory required for the newer release.
If you followed the bug link in that article, you'd see the bug is fixed in:
15.1(0.18)T
12.4(25b)M0.13
15.0(1)M1.2
15.1(0.2.7)PIB13
15.1(24.6.25)PIL13
15.1(24.6.26)PIL13
15.1(1.5.1)PIA13
15.1(1)XB1
15.1(0.0.10)PIL14
15.1(1.7.1)PIA14
15.1(0.0.3)PIL15
12.4(24)T6
Which can be a little tricky to understand, but practically speaking: 12.4(25b)M1, 12.4(25)T6, 15.0(1)M2, and most all 15.1 releases.
10-06-2012 04:41 AM
Yeah, you are right if I had access to it :-)