02-10-2005 08:20 AM - edited 03-02-2019 09:35 PM
Hello,
I have a strange problem with an 831 and a 1712 router:
Data download (FTP, POP3, WWW, SSH (SCP)) is really fast, but data upload works only from one workstation in the internal LAN. On all other workstations an upload (SMTP, FTP, SSH (SCP), WWW) stops after a few KB.
I thought it was a CBAC problem, but disabling inspection and adding an ACL to the dialer interface did not solve the problem.
IOS:
Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.3(7)XR3, RELEASE SOFTWARE (fc2)
Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.3(7)T3, RELEASE SOFTWARE (fc2)
The config of the 831 is attached (the config of the 1712 is nearly the same).
02-10-2005 01:00 PM
Hello,
I think your configuration was not attached; can you post it again?
Regards,
GP
02-11-2005 12:54 PM
Hello,
here is the first part of the config of the 831. Sorry,
it was not attached to my first posting.
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname itlg
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
no logging console
enable secret 5 xxxxxx
!
username admin secret 5 xxxxxx
username sdmadmin privilege 15 secret 5 xxxxxx
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no aaa new-model
ip subnet-zero
no ip source-route
ip domain name intertrend.de
ip name-server 195.247.131.34
ip dhcp excluded-address 10.0.1.1 10.0.1.199
ip dhcp excluded-address 10.0.1.221 10.0.1.254
!
ip dhcp pool general
network 10.0.1.0 255.255.255.0
dns-server 195.247.131.34
default-router 10.0.1.1
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip audit po max-events 100
ip ssh version 2
no ftp-server write-enable
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxxxxxx address xxx.xxx.xxx.xxx
crypto isakmp key xxxxxxxxxxxxxxxxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
crypto ipsec profile SDM_Profile2
set transform-set ESP-3DES-SHA1
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 10.103.0.179 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip nhrp authentication xxxxxx
ip nhrp map 10.103.0.1 xxx.xxx.xxx.xxx
ip nhrp map multicast xxx.xxx.xxx.xxx
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.103.0.1
ip nhrp registration no-unique
ip route-cache flow
delay 1000
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile SDM_Profile2
!
interface Null0
no ip unreachables
!
interface Ethernet0
description $ETH-LAN$$FW_INSIDE$
ip address 10.0.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect DEFAULT100 in
ip route-cache flow
ip tcp adjust-mss 1452
no cdp enable
hold-queue 32 in
!
interface Ethernet1
description $ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxxxxxxx password 7 xxxxxxx
!
router eigrp 1000
network 10.0.0.0
network 192.0.0.0 0.255.255.255
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list natin2out interface Dialer0 overload
Second part follows in my next posting.
Regards,
Carsten
02-11-2005 12:55 PM
Hello again,
here is the second part of my config:
!
!
ip access-list extended natin2out
remark SDM_ACL Category=2
permit ip 10.0.1.0 0.0.0.255 any
access-list 23 remark SDM_ACL Category=17
access-list 23 permit xxx.xxx.xxx.xxx
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) ptbtime2.ptb.de
access-list 101 permit udp host 192.53.103.104 eq ntp any eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) ptbtime1.ptb.de
access-list 101 permit udp host 192.53.103.103 eq ntp any eq ntp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit gre any any
access-list 101 permit tcp host xxx.xxx.xxx.xxx any eq 22
access-list 101 permit tcp host xxx.xxx.xxx.xxx any eq 443
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
transport preferred all
transport input ssh
transport output all
!
scheduler max-task-time 5000
scheduler interval 500
ntp clock-period 17180021
ntp server 192.53.103.103 prefer
ntp server 192.53.103.104
!
end
Regards,
Carsten
02-12-2005 06:03 PM
This will probably fix it:
int Dialer0
ip mtu 1492
leave the tcp-adjust as it is though!
Regards, Igor
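Added example, not code from the thread or from Cisco: a small Python check that parses the relevant interface lines of an IOS config for the PPPoE MTU/MSS budget behind Igor's fix. It assumes an Ethernet link MTU of 1500, the 8-byte PPPoE/PPP overhead (hence 1492 on Dialer0) and 40 bytes of IPv4+TCP headers (hence adjust-mss 1452); the config excerpts are constructed from the posted 831 config, before and after the fix.

```python
import re

PPPOE_OVERHEAD = 8    # 6-byte PPPoE header + 2-byte PPP protocol field
IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, no options

# Constructed excerpt modelled on the 831 config posted above, before the fix.
BEFORE = """\
interface Ethernet0
 no ip unreachables
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip mtu 1452
!
"""
AFTER = BEFORE.replace("ip mtu 1452", "ip mtu 1492")   # Igor's fix applied

def parse_interfaces(config):
    """Collect ip mtu, ip tcp adjust-mss and ip unreachables per interface."""
    interfaces, cur = {}, None
    for line in config.strip().splitlines():
        if line.startswith("interface "):
            cur = interfaces.setdefault(line.split()[1], {"unreachables": True})
        elif cur is not None and line.strip() == "no ip unreachables":
            cur["unreachables"] = False   # suppresses ICMP type 3, incl. frag-needed
        elif cur is not None and (m := re.match(r"\s*ip (mtu|tcp adjust-mss) (\d+)", line)):
            cur["mtu" if m.group(1) == "mtu" else "mss"] = int(m.group(2))
    return interfaces

def check_pppoe_mtu(config, dialer="Dialer0", lan="Ethernet0", link_mtu=1500):
    """Return findings; an empty list means the MTU/MSS budget is consistent."""
    ifs = parse_interfaces(config)
    want_mtu = link_mtu - PPPOE_OVERHEAD                 # 1492 over Ethernet
    mtu = ifs.get(dialer, {}).get("mtu", link_mtu)       # IOS default is 1500
    lan_if = ifs.get(lan, {"unreachables": True})
    mss = lan_if.get("mss")
    findings = []
    if mtu != want_mtu:
        findings.append(f"{dialer}: ip mtu {mtu}, expected {want_mtu} for PPPoE")
    if mss is None:
        findings.append(f"{lan}: add ip tcp adjust-mss {want_mtu - IP_TCP_HEADERS}")
    elif mss + IP_TCP_HEADERS > mtu:
        findings.append(f"{lan}: adjust-mss {mss} + {IP_TCP_HEADERS} header bytes "
                        f"exceeds {dialer} mtu {mtu}; full-size uploads need fragmentation")
        if not lan_if["unreachables"]:
            findings.append(f"{lan}: no ip unreachables also hides the ICMP "
                            "fragmentation-needed reply from LAN hosts (PMTUD black hole)")
    return findings
```

Run against BEFORE the check reports three findings; against AFTER, with `ip mtu 1492` on Dialer0 and the unchanged `ip tcp adjust-mss 1452`, it reports none, since 1452 + 40 fits exactly in 1492.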
02-13-2005 03:53 PM
Thank you very much.
It seems to work with the 831. I'll test it tomorrow
with the 1712.
I wonder why Cisco sets the MTU of the dialer interface to the same value as "ip tcp adjust-mss"
on the LAN interface if the router is configured with the
newest SDM, although the documentation suggests
the value you said...?!?!
Regards
Carsten