04-29-2019 09:40 AM
Hi everybody!
For the past weeks, I've been trying to figure out what's happening at one customer's network. It has 2 fiber connections with the same ISP, one connection with a pseudo-fixed IP and the other with a dynamic IP.
The Cisco 3945E is behind both ISP routers, and is in charge of both Dialers. Speed tests on the ISP routers (configured as dialers) give 600Mbps, but through the Cisco router it is quite unstable. We could sometimes see 600Mbps download and 150Mbps upload. CPU load is also a big concern: even when we stress the router with a minimal config it goes beyond 85% CPU load during speed tests.
I did try with several ACL types, no luck. The last config is with permit any any, to try not to overload the CPU; no luck.
Is there anything wrong, or anything you can advise in order to make this connection stable?
Enclosed are show running and show ver.
Thanks all for your time!
P.S.: VPN not working, but not my focus at this stage.
04-30-2019 07:30 AM
Hello,
I have made some adjustments (marked with --> below) to your config; try and implement those and check if it makes a difference:
C3945E-ECYL#show running-config | begin interface
interface Loopback0
ip address X.X.X.X X.X.X.X
!
interface GigabitEthernet0/0
description Link_ISP1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
description Link_ISP2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/3
ip address X.X.X.X 255.255.0.0 secondary
ip address X.X.X.X 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
switchport mode access
no ip address
!
interface GigabitEthernet0/0/1
switchport mode access
no ip address
!
interface GigabitEthernet0/0/2
switchport mode access
no ip address
!
interface GigabitEthernet0/0/3
switchport mode access
no ip address
!
interface Virtual-Template1
ip unnumbered Loopback0
!
interface Vlan1
no ip address
no ip unreachables
ip virtual-reassembly in
ip tcp adjust-mss 1420
hold-queue 100 out
!
interface Dialer1
mtu 1492
ip address negotiated
--> ip mtu 1492
ip nat outside
--> no ip nat enable
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
--> ip tcp adjust-mss 1452
no cdp enable
ppp chap hostname XXXXXXXX
ppp chap password 7 XXXXX
ppp pap sent-username XXXXXX password 7 XXXXXX
hold-queue 224 in
!
interface Dialer2
mtu 1492
ip address negotiated
ip nat outside
--> no ip nat enable
ip virtual-reassembly in
encapsulation ppp
dialer pool 2
dialer-group 2
--> ip tcp adjust-mss 1452
no cdp enable
ppp chap hostname XXXXXXX
ppp chap password 7 XXXXXXXX
ppp pap sent-username XXXXXXX password 7 XXXXXX
hold-queue 224 in
!
ip local pool vpn-pool X.X.10.230 X.X.10.234
ip local pool SSLVPN_POOL X.X.11.90 X.X.11.95
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp X.X.X.X 8002 interface Dialer1 8002
ip nat inside source static tcp X.X.X.X 81 interface Dialer1 81
ip nat inside source static tcp X.X.X.X 8001 interface Dialer1 8001
ip nat inside source static tcp X.X.X.X 82 interface Dialer1 82
ip nat inside source static udp X.X.X.X 8001 interface Dialer1 8001
ip nat inside source static tcp X.X.X.X 65531 interface Dialer1 65531
ip nat inside source static tcp X.X.X.X 10001 interface Dialer1 10001
ip nat inside source static tcp X.X.X.X 10002 interface Dialer1 10002
ip nat inside source static tcp X.X.X.X 10004 interface Dialer1 10004
ip nat inside source static tcp X.X.X.X 10005 interface Dialer1 10005
ip nat inside source static udp X.X.X.X 65531 interface Dialer1 65531
ip nat inside source static udp X.X.X.X 10002 interface Dialer1 10002
ip nat inside source static udp X.X.X.X 11002 interface Dialer1 11002
ip nat inside source static tcp X.X.X.X 11002 interface Dialer1 11002
ip nat inside source static udp X.X.X.X 65532 interface Dialer1 65532
ip nat inside source static tcp X.X.X.X 65532 interface Dialer1 65532
ip route 0.0.0.0 0.0.0.0 Dialer1
!
--> no ip access-list extended nat-rule
permit ip any any
--> no ip access-list extended nat-test
permit ip any any
!
access-list 1 permit X.X.X.X 0.0.255.255
access-list 1 permit X.X.X.X 0.0.0.255
!
nls resp-timeout 1
cpd cr-id 1
!
access-list 100 permit ip any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
gatekeeper
shutdown
!
vstack
!
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn gateway Cisco-VPN-Gateway
ip interface Dialer2 port 443
no inservice
!
webvpn gateway SSLVPN_GATEWAY
ip address X.X.X.X port XXX
http-redirect port XX
ssl trustpoint SSLVPN_CERT
inservice
!
webvpn context Cisco-VPN
title "WebVPN - Designed by Innercomm"
!
acl "ssl-acl"
permit ip X.X.X.X X.X.X.X X.X.X.X X.X.X.X
login-message "Cisco Secure WebVPN"
!
ssl authenticate verify all
no inservice
!
policy group webvpnpolicy
functions svc-enabled
filter tunnel ssl-acl
svc address-pool "webvpn-pool" netmask 255.255.0.0
svc rekey method new-tunnel
svc split include X.X.X.X 255.255.255.0
!
!
webvpn context Cisco-WebVPN
aaa authentication list sslvpn
gateway Cisco-VPN-Gateway
max-users 3
!
ssl authenticate verify all
!
url-list "rewrite"
inservice
!
policy group webvpnpolicy
default-group-policy webvpnpolicy
!
!
webvpn context SSL_contect
!
ssl authenticate verify all
no inservice
!
!
webvpn context Cisco-WEBVPN
!
ssl authenticate verify all
no inservice
!
!
webvpn context SSL_context
virtual-template 1
!
ssl authenticate verify all
inservice
!
policy group SSL_Policy
functions svc-enabled
svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
svc dns-server primary 8.8.8.8
default-group-policy SSL_Policy
!
end
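As an added example (not from this thread or from Cisco), a small Python linter that checks each Dialer section of an IOS-style running-config for the three things the reply above changes: an explicit ip mtu on the PPPoE dialer, a TCP MSS no larger than the interface MTU minus 40 bytes (1452 for an MTU of 1492), and a mix of legacy NAT (ip nat outside) with NVI NAT (ip nat enable). The sample config is constructed; Dialer1 is in the "before" state and Dialer2 in the corrected state.

```python
import re
# Constructed sample in the shape of the thread's Dialer sections (Dialer1 before the fixes, Dialer2 after).
SAMPLE_CONFIG = """\
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip nat enable
 encapsulation ppp
!
interface Dialer2
 mtu 1492
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip tcp adjust-mss 1452
 encapsulation ppp
!
"""

def parse_interfaces(config):
    # Map each "interface X" stanza to its list of sub-commands; "!" ends a stanza.
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith("!") or not line:
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def check_dialer(name, cmds):
    # Apply the three checks from the reply to one Dialer's sub-commands.
    findings = []
    mtu = next((int(c.split()[-1]) for c in cmds if re.fullmatch(r"mtu \d+", c)), 1500)
    ip_mtu = next((int(c.split()[-1]) for c in cmds if re.fullmatch(r"ip mtu \d+", c)), None)
    mss = next((int(c.split()[-1]) for c in cmds if re.fullmatch(r"ip tcp adjust-mss \d+", c)), None)
    if ip_mtu is None:
        findings.append(f"{name}: no 'ip mtu'; set 'ip mtu {mtu}' to match the PPPoE MTU")
    if mss is None or mss > mtu - 40:  # 20-byte IPv4 + 20-byte TCP header
        findings.append(f"{name}: set 'ip tcp adjust-mss {mtu - 40}' (MTU {mtu} minus 40)")
    if "ip nat outside" in cmds and "ip nat enable" in cmds:
        findings.append(f"{name}: legacy NAT and NVI NAT both enabled; remove 'ip nat enable'")
    return findings

def lint(config):
    # Only Dialer interfaces are checked; returns {name: [findings]}.
    return {n: check_dialer(n, c) for n, c in parse_interfaces(config).items() if n.startswith("Dialer")}
```

Run lint() over the output of show running-config to get a per-Dialer list of findings; an empty list means the section already matches the reply's settings.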
04-29-2019 02:11 PM
show processes cpu sorted 5sec.
Consider below document for reference :
04-30-2019 03:16 PM
@balaji.bandi wrote:
show processes cpu sorted 5sec.
Consider below document for reference :
Thanks for this link. I did most of the troubleshooting already and the recommended actions. None of them made a significant difference.
05-01-2019 12:19 AM
Hello,
The (static) NAT entries you have are very few actually, and NAT does not use up very much memory or CPU resources. To be sure there is nothing else left, can you post the configuration you have now again?
350MB up/down, if that is what the data sheet says, is what you would get under ideal circumstances, with a minimal configuration.
05-02-2019 08:11 AM
Hi Georg,
Thanks again for your message, I appreciate you dedicating time to this.
Well, 350Mb/350Mb would be something stable, and at this stage I even think that would be accepted; the thing is that now it is doing 150Mb download and almost 200Mb upload, which doesn't make much sense, and I can't see anything twisted in the config right now.
The 350/350 was achieved with the initial config, and the LAN port was connected to an EHWIC that the 3945E has installed. We thought that the EHWIC was the bottleneck on the bandwidth, so we decided to place the LAN port on one of the GigabitEthernet routing ports of the 3945E. There we could see the 600Mb download and 150Mb upload.
Right now, the LAN port is on GigabitEthernet0/3 and the WAN/Dialer port is GigabitEthernet0/0.
I thought the same about all the NAT rules; there aren't many, they shouldn't push the CPU up to 90%.
Maybe better to clean the config and start all over... What are your suggestions?
05-20-2019 01:08 AM - edited 05-20-2019 01:09 AM
Quick feedback on this. We continued with more tests, including a new router provided directly by the ISP.
We could reach higher stable speeds with the modifications recommended above and the new router. The dialer was changed to Gi0/0 (the one with the shared SFP port) instead of using Gi0/3 (no shared port).
All these changes made the speed test stable, reaching 500Mb/s on download and higher values on upload. CPU load while a download speed test is running reaches 30%, while upload is less than 5%. During normal operation with users, CPU load is always less than 5% :)
I much appreciate the advice received here. Thumbs up!!