Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2057
Views
3
Helpful
8
Replies

Enabling CEF breaks connection with some sites

Go to solution
EnemaBandit
Level 1
Level 1

‎10-05-2010 07:44 AM - edited ‎03-04-2019 10:00 AM

I have a PPPoE connection to the ISP with Cisco 851.

With default Vlan1 interface parameters (shown below) I'm experiencing a strange troubles with connection to some hosts (eg. login to Steam servers, Blizzard servers), though these hosts are reachable by ping.

interface Vlan1
description Home LAN
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1460
end

After a few days of experiments (including MTU/MSS checks) I found out that disabling CEF on VLan1 interface (with no ip route-cache cef) solves the problem.

But I consider this as a workaround, not a solution. What can you recommend to check/diagnose further to understand the cause of such behaviour?

config attached.

Labels:
73033-config.txt.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎10-05-2010 01:33 PM

Hello Max,

Problems with CEF usually indicate a software bug. Is it possible for you to download and try using an updated IOS version for your router? What is the current version of IOS you are running?

My suggestions to your config (not necessarily related to your current issue):

  1. The import all command in your DHCP pool Home-LAN is probably not necessary. This imports the DHCP settings acquired through other interface on your router into the DHCP pool. However, you have specified practically any reasonable DHCP setting explicitly so I see no point in maintaining the import all in your DHCP pool anymore.
  2. I believe tha the IP configuration on the FastEthernet4 interface can be removed (ip flow ingress, ip flow egress, ip route-cache flow). This interface is not configured with an IP address, rather it is a PPPoEoE interface, so these IP settings are superfluous. I would personally remove these commands to make sure that no IP-specific functionality is being forced on an interface whose IP processing is essentially disabled.
  3. On the Vlan1 interface, the command ip tcp adjust-mss 1460 shall be corrected to ip tcp adjust-mss 1452.
  4. The command ip tcp adjust-mss 1452 should be removed from the interface Dialer1
  5. It is necessary to exclude all static NAT translations from your ACL 1. In other words, if a static NAT/port forwarding is configured along with dynamic NAT/PAT, the ACL used for the dynamic NAT/PAT should explicitely deny all those translations for which a static translation rule is configured. In your case, this will require changing the ACL 1 to an extended ACL (100-199) and adding a deny statement for each static translation you have (currently, there are 7).

Best regards,

Peter

View solution in original post

0 Helpful
8 Replies 8

Go to solution
tprendergast
Level 3
Level 3

‎10-05-2010 10:57 AM

It is highly recommended to *not* use Vlan1. Vlan1 is used for many Cisco internal protocols to pass information. Try moving this configuration to Vlan2, for example, and see if the problem goes away with CEF on.

0 Helpful

Go to solution
EnemaBandit
Level 1
Level 1
In response to tprendergast

‎10-05-2010 12:34 PM

Actually, Vlan1 on 850 series is the one and only LAN.

0 Helpful

Go to solution
tprendergast
Level 3
Level 3
In response to EnemaBandit

‎10-05-2010 12:43 PM

That's news to me, especially since the datasheet shows it can have 10 vlans (albeit named "Wireless VLANs").

CEF is only valid for inbound traffic on an interface, as that is where the decision to express-forward is made. (see http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1828/products_tech_note09186a00801e1e46.shtml)

Turn ip route-cache cef back on, and execute "clear ip cache" and see if the problem resolves itself. Perhaps you had some bogus or erroneous cached data.

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎10-05-2010 01:33 PM

Hello Max,

Problems with CEF usually indicate a software bug. Is it possible for you to download and try using an updated IOS version for your router? What is the current version of IOS you are running?

My suggestions to your config (not necessarily related to your current issue):

  1. The import all command in your DHCP pool Home-LAN is probably not necessary. This imports the DHCP settings acquired through other interface on your router into the DHCP pool. However, you have specified practically any reasonable DHCP setting explicitly so I see no point in maintaining the import all in your DHCP pool anymore.
  2. I believe tha the IP configuration on the FastEthernet4 interface can be removed (ip flow ingress, ip flow egress, ip route-cache flow). This interface is not configured with an IP address, rather it is a PPPoEoE interface, so these IP settings are superfluous. I would personally remove these commands to make sure that no IP-specific functionality is being forced on an interface whose IP processing is essentially disabled.
  3. On the Vlan1 interface, the command ip tcp adjust-mss 1460 shall be corrected to ip tcp adjust-mss 1452.
  4. The command ip tcp adjust-mss 1452 should be removed from the interface Dialer1
  5. It is necessary to exclude all static NAT translations from your ACL 1. In other words, if a static NAT/port forwarding is configured along with dynamic NAT/PAT, the ACL used for the dynamic NAT/PAT should explicitely deny all those translations for which a static translation rule is configured. In your case, this will require changing the ACL 1 to an extended ACL (100-199) and adding a deny statement for each static translation you have (currently, there are 7).

Best regards,

Peter

0 Helpful

Go to solution
EnemaBandit
Level 1
Level 1
In response to Peter Paluch

‎10-05-2010 03:05 PM

Peter, you was right.

I downgraded IOS from C850-ADVSECURITYK9-MZ Version 12.4(15)T14, RELEASE SOFTWARE (fc2) to

C850-ADVSECURITYK9-MZ Version 12.4(15)T13, RELEASE SOFTWARE (fc3) and problem seems to be gone now. Wow.

MTU/MSS parameters were just transferred as 100% working from other router I used (Zyxel P-334) while debugging this issue.

Thanks for recommendations on config optimization (some parameters on Fe4 were left from a previous provider, I should remove them).

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎10-05-2010 11:04 PM

Hello Max,

I am glad to have helped. However, let's wait a bit longer to see whether the problem is really solved. I did not expect that a downgrade will solve the problem Of course, moving to any software version that does not have this bug will obviously solve it... What I am still thinking about now is whether the problem is not currently solved simply because you reloaded the router. Have you tried reloading the router with the previous IOS version?

Regarding my MSS/MTU recommendations, these are official (and logical) values and settings as recommended by Cisco in the ISCW training.

Best regards,

Peter

0 Helpful

Go to solution
EnemaBandit
Level 1
Level 1
In response to Peter Paluch

‎10-05-2010 11:24 PM

Well, solving issues with firmware/software downgrade is very often nowadays. I'm not to blame a code quality, but it's a fact.

Concerning reloading the router - sure, I have reloaded it a few times, including power cycling.

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to EnemaBandit

‎10-05-2010 11:35 PM

Max,

Thanks for the answer. Yes - I think we all know about the increased occurence of software issues in recent IOS releases...

Nevertheless, I am glad you got it running - hopefully, it will stay that way.

Best regards,

Peter

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card