
External packet loss from LAN clients through 857w

Hi,

I have a problem I can't resolve.

Description:

Internet usage is very slow when initially opening a site from LAN clients. Once established it is OK. If I ping a site from a LAN client by either host name or IP address it takes about 5 seconds, drops the first packet, then is fine after that. If I ping it again immediately afterwards it is fine. But if I wait 2 minutes and try again the problem returns. So I would conclude that, seeing it is the same whether I use host name or IP address, it is not a DNS issue.

Pinging from the router produces no fault at all. 

ping 4.2.2.1

ping 4.2.2.1 source bvi1

ping yahoo.com

ping yahoo.com source bvi1

ping 192.168.1.10 source Dialer0 (internal server)

All perfect

I can ping the router internal and external interface or any internal IP or hostname from the LAN with no delay or hesitation, so it is not a switch interface or network card problem.

Some sort of NAT issue maybe? I really am lost.

Can someone who knows more than me (most people) have a look at the config below and tell me if that is where the problem lies?

Any suggestions are greatly appreciated.

Config (sanitised) follows...

__________________________

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
no service dhcp
!
hostname Users857w
!
boot-start-marker
boot-end-marker
!
logging count
logging userinfo
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone ESTime 10
clock save interval 8
!
crypto pki trustpoint TP-self-signed-1114035
---Snip---
!
crypto pki certificate chain TP-self-signed-1114035
----Snip----
      quit
dot11 syslog
!
dot11 ssid XXXXgoona
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 xxxx
!
no ip source-route
!
!
ip cef
ip inspect name Inspect_Out dns
ip inspect name Inspect_Out ftp
ip inspect name Inspect_Out pptp
ip inspect name Inspect_Out https
ip inspect name Inspect_Out imap
ip inspect name Inspect_Out pop3
ip inspect name Inspect_Out rcmd
ip inspect name Inspect_Out realaudio
ip inspect name Inspect_Out esmtp
ip inspect name Inspect_Out tftp
ip inspect name Inspect_Out tcp router-traffic
ip inspect name Inspect_Out udp router-traffic
ip inspect name Inspect_Out icmp router-traffic
no ip bootp server
ip domain name XXXXgoona.local
ip name-server 139.130.4.4
ip name-server 203.50.2.71
login block-for 300 attempts 4 within 60
login delay 7
login quiet-mode access-class Allow_Quiet_Mode
login on-failure log
login on-success log
!
username theuser privilege 15 secret 5 $1$cd4O$lA8
!
archive
 log config
  hidekeys
!
ip ssh version 2
!
bridge irb
!
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 ssid XXXXgoona
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Ramtech LAN Interface
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 description Ramtech Westnet
 ip address negotiated
 ip access-group Internet_Inbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect Inspect_Out out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXXgoo10@direct.telstra.net
 ppp chap password 7 xxxx
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat source static tcp 192.168.x.x 25 interface Dialer0 25
ip nat source static tcp 192.168.x.x 443 interface Dialer0 443
ip nat source static tcp 192.168.x.x 987 interface Dialer0 987
ip nat source static tcp 192.168.x.x 3389 interface Dialer0 3389
ip nat inside source list Allow_NAT interface Dialer0 overload
!
ip access-list standard Allow_LAN_Access
 permit 192.168.1.0 0.0.0.255
ip access-list standard Allow_NAT
 permit 192.168.1.0 0.0.0.255
ip access-list standard Allow_Quiet_Mode
 remark IPs allowed during quietmode lockdown
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended Internet_Inbound
 remark --- Anyone is allowed SMTP to the server
 permit tcp any host 110.142.x.x eq smtp
 permit tcp any host 110.142.x.x eq 443 log
 permit tcp any host 110.142.x.x eq 987 log
 permit gre any any log
 permit tcp host 202.173.x.x host 110.142.x.x eq 22 log
 permit tcp host 202.173.x.x host 110.142.x.x eq 3389
!
logging trap debugging
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 route ip
alias exec tl0 terminal length 0
alias exec ps show process cpu
alias exec top show process cpu sort 5m | excl (0.00%  0.00%  0.00%)
alias exec version show version | include image
alias exec uptime show version | include uptime|ROM[^:]|restarted
alias exec hist show process cpu history
alias exec dsl show dsl interface atm0 | include DSL[^:]|dB|Activat|LED|Speed
!
line con 0
 no modem enable
 transport preferred none
 transport output all
line aux 0
 transport output all
line vty 0 2
 exec-timeout 20 0
 privilege level 15
 transport preferred none
 transport input telnet
line vty 3 4
 exec-timeout 20 0
 privilege level 15
 transport preferred none
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
sntp server 202.173.x.x
sntp server 128.250.x.x
sntp server 202.72.x.x
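
Added example, not part of the original post: a small Python analysis that turns the symptom described above (first packet lost, clean on an immediate retry, lost again after an idle wait) into a measured idle bracket, which helps separate a state-timeout problem on the NAT path from random loss. The `Run` record, the function names and the sample timings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Run:
    start: float          # seconds, when the first echo request was sent
    end: float            # seconds, when the last reply (or timeout) was seen
    replies: List[bool]   # one entry per echo request, True = reply received

def first_only_lost(run: Run) -> bool:
    """True when only the first probe of the run was dropped (the thread's symptom)."""
    return len(run.replies) > 1 and not run.replies[0] and all(run.replies[1:])

def idle_threshold(runs: List[Run]) -> Tuple[Optional[float], Optional[float]]:
    """Bracket the idle time after which the first packet starts being lost.

    Returns (longest idle that stayed clean, shortest idle that lost the
    first packet). The first run has no known idle time and is skipped.
    """
    clean, lossy = [], []
    ordered = sorted(runs, key=lambda r: r.start)
    for prev, cur in zip(ordered, ordered[1:]):
        idle = cur.start - prev.end
        (lossy if first_only_lost(cur) else clean).append(idle)
    return (max(clean, default=None), min(lossy, default=None))

def idle_dependent(runs: List[Run]) -> bool:
    """The loss tracks idle time if every lossy idle exceeds every clean idle."""
    lo, hi = idle_threshold(runs)
    return hi is not None and (lo is None or lo < hi)

# Constructed sample: 4-probe pings from a LAN client to one IP address.
# The 60 s data point is invented for the example; the post only mentions
# "immediately" and "2 minutes".
SAMPLE = [
    Run(0, 8, [False, True, True, True]),      # first attempt: first probe lost
    Run(10, 13, [True, True, True, True]),     # repeated immediately: clean
    Run(73, 76, [True, True, True, True]),     # after 60 s idle: clean
    Run(196, 204, [False, True, True, True]),  # after 120 s idle: lost again
]

if __name__ == "__main__":
    print(idle_threshold(SAMPLE), idle_dependent(SAMPLE))
```

Repeating the same runs after a firmware or configuration change and comparing the bracket shows whether the change actually removed the idle-dependent loss.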


Solved it!!!!

Version 12.4(15)T14, which was supplied with the router, has a bug: "Packet stream interruption with NAT". I have back graded to T13 and hey presto! All good. The red herring was that the DG834 I tried had a faulty port giving similar symptoms and the other 857w I tried had the same firmware.

I have to say, this was posted on 3 different forums: a general network one, a Windows one, and here. This is the only forum that no one bothered responding on. Interesting it turned out to be a Cisco problem...

Actually, if you look at the threads in this forum, most questions are answered satisfactorily.

Moreover, the problem you reported is well known and would have turned up with a search.

Maybe next time be a bit more realistic about the reaction time of people who help you for free when you come here compelled and probably will never be seen again.

Paolo,

Some facts may have been useful to you before your response to my observations.

  • Yes most posts are answered.  It's a good site.
  • I searched this site extensively prior to posting.
  • I searched the internet for days before posting
  • I have been here hundreds of times and will be again as a Cisco Reseller and support tech (CCNA).
  • As I am not an expert such as you obviously are, there is little point in me offering help to people when I don't have the necessary experience to solve the problem.  Many posts on here I don't even understand.  Needless posts have little value, so I don't bother.
  • I posted the solution for the benefit of others as the problem is obviously not well known.  Or if it is so well known, why did no one here know of it?
  • Even now a Google search for the exact problem (now it is understood with the benefit of hindsight) reveals no results relating to the same problem, even using the name of the bug report as the Google search.
  • It only took you an hour to see and respond to my last post.  Yet the question was untouched for 3 days prior.
  • I am not "Complaining about the service" here. It is free and appreciated.

No problem.

I see your OP is dated 6/17; how can it have been there 3 days? Maybe you edited it later, hence the newer date? In any case I had not seen it, otherwise I likely would have responded.

I tried entering 12.4(15)T14 in the search box above and the third result is about the bug you've also found. Agreed, that is with the hindsight of knowing it's a buggy version.

I think if you remove the unnecessary inspect, class map and firewall from your config you will notice a dramatic increase in performance.

Thanks for the constructive criticism, Paolo.

It is greatly appreciated.

Now to show my ignorance...

  • When I take out the "ip inspect Inspect_Out out" from the di0 int I get no NAT traffic flow.  Why is that?
  • Do you mean the "ip access-class Internet_Inbound in" class map?
  • Do you mean the Inspect firewall?

All comments gratefully received.  And thanks again for the assistance.

Actually I will close this thread and start a new one as it is unrelated really.  Thanks for the help Paolo.

These commands only slow down the router and do not add any real security, which you already have by virtue of NAT.

Thank you for the nice rating and good luck!
