First Ping Fails

nicolas.guyot
Level 1

Hello,

We have a problem with a Cisco 857 router with embedded ADSL.

It is used to connect a small company to the Internet and to allow access to the internal mail and web server from the Internet.

After setup, everything works fine: users can surf the Internet and the email server is reachable from the Internet. Only one problem gives me headaches: when I ping an Internet address from a computer, the first ping fails and the 3 others work fine:

C:\Users\Administrateur>ping 8.8.8.8

Envoi d'une requête 'Ping'  8.8.8.8 avec 32 octets de
Délai d'attente de la demande dépassé.
Réponse de 8.8.8.8 : octets=32 temps=33 ms TTL=53
Réponse de 8.8.8.8 : octets=32 temps=33 ms TTL=53
Réponse de 8.8.8.8 : octets=32 temps=34 ms TTL=53

Statistiques Ping pour 8.8.8.8:
    Paquets : envoyés = 4, reçus = 3, perdus = 1 (pert
Durée approximative des boucles en millisecondes :
    Minimum = 33ms, Maximum = 34ms, Moyenne = 33ms

Stranger, if I ping directly from the router:

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/76/188 ms

The strangest thing is that when I delete all inbound NAT rules for the email server or web server, the first ping works fine.

Thank you for helping me, and excuse my froggy English.


Peter Paluch
Cisco Employee

Hello Nicolas,

Don't worry about your English, it is just fine - we understand each other well

A first packet to a destination getting lost is usually normal on Cisco devices, and is caused by that device performing an ARP Request either for the destination (if directly connected) or for a next-hop (if routed). During the ARP resolution process, packets are discarded.

However, this should not be happening for all newly pinged IP addresses in your case. With a properly configured router, you should lose the very first packet when pinging something on the internet, but afterwards, the router should have resolved its own default gateway and it should not lose packets anymore.

Can you please post the entire configuration of your router, just to make sure there are no obvious configuration problems? Please replace the passwords and other sensitive information with xxx but otherwise, do not abbreviate it. Thank you!

Best regards,

Peter

Thank you for your help, Peter,

here is the config.


Building configuration...

Current configuration : 4701 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3032259736
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3032259736
revocation-check none
rsakeypair TP-self-signed-3032259736
!
!
crypto pki certificate chain TP-self-signed-3032259736
certificate self-signed 01
   quit
dot11 syslog
ip dhcp excluded-address 10.10.10.1
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
!
!
username admin privilege 15 secret 5 $1$g6Vi$u/Me/.sFYSEHMRImW5jlo1
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.4 point-to-point
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer3
ip address 193.253.XXX.XXX 255.255.255.0
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname fti/XXXXX@fti
ppp chap password 0 XXXXX
ppp pap sent-username fti/XXXXX@fti password 0 XXXXXX
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer3 overload
ip nat inside source static tcp 192.168.1.3 25 interface Dialer3 25
ip nat inside source static tcp 192.168.1.3 80 interface Dialer3 80
ip nat inside source static tcp 192.168.1.3 443 interface Dialer3 443
ip nat inside source static tcp 192.168.1.3 987 interface Dialer3 987
ip nat inside source static tcp 192.168.1.250 3389 interface Dialer3 3389
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

Nicolas,

Thank you for the configuration. I see no problems with it. Do you experience any other connectivity issues except first pings failing occasionally?

I wonder, were you performing those pings from the 192.168.1.3 or 192.168.1.250 inside machine, or did you use some other PC?

Best regards,

Peter

I tested it both on those IPs and on other PCs on the LAN.

For users, the internet seems very slow because when you launch a request it takes 10-20 seconds to open a web site. After the site has opened, it works normally: every page opens immediately.

Very frustrating.

That sounds like your DNS might be taking a while to resolve.

Does the web browser wait on "connecting to www.somewebsite.com" or does it go immediately to "connecting to 216.44.123.22" (or whatever IP address)?

Hello Dan,

Not a DNS issue, the browser works the same with an IP or a DNS address.

Do you think I can change the firmware version?

Thank you

Hi Nicolas,

Can you try re-configuring your interfaces, add a DNS server and try again?

ip name-server 8.8.8.8
int dialer 3
 ip mtu 1492
int vlan1
 ip tcp adjust-mss 1452

Hi there,

I would also lower MTU on the ATM interface down a bit.

For rationale please see

https://learningnetwork.cisco.com/message/126897.

It looks like you are doing PPPoA so 1478 or 1470.

Cheers

Fabio

Hello Fabio,

Nicolas is using PPPoE and the MTU is already being lowered. John's suggestion about lowering is most correct - outside MTU 1492, inside TCP MSS clamping to 1452.

The PPPoA does not need the MTU to be changed. The article you referenced is correct in the sense that with ATM, a size of the datagram that is not an integer multiple of 48 bytes will be padded in the last cell. However, because the packet sizes are random, even after splitting them into ATM cells, they will most probably need padding. Hence, limiting the MTU on ATM interfaces does not make sense.

On PPPoE, lowering the MTU is very strongly necessary, as the PPPoE is always about carrying the entire Ethernet frame with PPPoE and PPP headers in its payload, and this operation could therefore produce an oversized Ethernet frame which may not be accepted by all NICs - that is the reason for MTU operations on PPPoE connections.

Note that on the PPPoA, manipulating the MTU is a nuisance with dubious results. On PPPoE, it is strongly necessary to be actually able to carry IP packets between the sizes of 1493-1500 bytes.

Best regards,

Peter
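The PPPoE sizes quoted above (outside MTU 1492, inside TCP MSS 1452), as an added example that is not part of the thread: a small Python check that reads `ip mtu` and `ip tcp adjust-mss` from IOS configuration text and compares them. The function names and finding messages are this example's own, and the arithmetic assumes IPv4 with 20-byte IP and TCP headers without options.

```python
import re

PPPOE_OVERHEAD = 8    # 6-byte PPPoE header + 2-byte PPP protocol field
IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, no options
ETHERNET_MTU = 1500

# Excerpt of the configuration posted in the thread (only the lines checked here).
POSTED = """interface Vlan1
 ip tcp adjust-mss 1412
!
interface Dialer3
 ip mtu 1452
!"""

def parse_interfaces(config):
    """Return {interface: {"ip mtu": int, "adjust-mss": int}} from IOS text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
        elif line == "!":
            current = None            # "!" closes the interface stanza
        elif current is not None:
            m = re.match(r"ip (mtu|tcp adjust-mss) (\d+)$", line)
            if m:
                key = "ip mtu" if m.group(1) == "mtu" else "adjust-mss"
                current[key] = int(m.group(2))
    return interfaces

def check_pppoe_sizes(config, outside, inside):
    """Return (outside MTU, inside MSS clamp, findings) for a PPPoE uplink."""
    ifs = parse_interfaces(config)
    mtu = ifs.get(outside, {}).get("ip mtu", ETHERNET_MTU)
    mss = ifs.get(inside, {}).get("adjust-mss")
    best_mtu = ETHERNET_MTU - PPPOE_OVERHEAD      # 1492
    findings = []
    if mtu > best_mtu:
        findings.append(f"{outside}: ip mtu {mtu} exceeds PPPoE maximum {best_mtu}")
    elif mtu < best_mtu:
        findings.append(f"{outside}: ip mtu {mtu} is below the {best_mtu} PPPoE can carry")
    if mss is None:
        findings.append(f"{inside}: no ip tcp adjust-mss; large TCP segments may need fragmenting")
    elif mss > mtu - IP_TCP_HEADERS:
        findings.append(f"{inside}: adjust-mss {mss} too large for ip mtu {mtu}")
    return mtu, mss, findings

if __name__ == "__main__":
    print(check_pppoe_sizes(POSTED, "Dialer3", "Vlan1"))
```

On the posted configuration the two values are consistent with each other (1452 - 40 = 1412); the only finding is that the outside MTU sits below 1492.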

Peter,

you are absolutely right. I have missed the pppoe dialer pool member command in the ATM subinterface and consequently did not look for the Dialer interface.

So I have also missed the MTU command on that one.

Sorry guys.

Fabio

Fabio,

No problem at all, it's absolutely nothing worth mentioning.

I would actually appreciate if you could post back to the document about the ATM and the MTU you have originally quoted, and explain that their attempts to align the IP MTU with the AAL5+(SNAP)+(Ethernet+PPPoE)+PPP is largely futile, as the IP packets themselves can be of arbitrary length, and hence, limiting the MTU is not useful but merely increases the load on the router because of the possible fragmentation, without having any effect if the IP packet is smaller and with no gained effectivity in ATM encapsulation.

Best regards,

Peter
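The padding and fragmentation argument above, worked through as an added example that is not part of the thread: a Python model that counts ATM cells per IP packet over AAL5 at two interface MTUs. The per-packet encapsulation overhead `encap` is an assumption supplied by the caller (2 bytes is used in the demo), and the helper names are this example's own.

```python
CELL_PAYLOAD = 48   # payload bytes per ATM cell
AAL5_TRAILER = 8    # AAL5 CPCS trailer, added before padding
IP_HEADER = 20      # IPv4 header without options

def aal5_cells(ip_len, encap):
    """Return (cells, pad_bytes) for one IP packet carried in one AAL5 PDU."""
    pdu = ip_len + encap + AAL5_TRAILER
    cells = -(-pdu // CELL_PAYLOAD)            # ceiling division
    return cells, cells * CELL_PAYLOAD - pdu

def fragment(ip_len, mtu):
    """Split an IPv4 packet into fragment lengths that fit the MTU."""
    if ip_len <= mtu:
        return [ip_len]
    chunk = (mtu - IP_HEADER) // 8 * 8         # fragment data is a multiple of 8
    data, out = ip_len - IP_HEADER, []
    while data > chunk:
        out.append(chunk + IP_HEADER)
        data -= chunk
    out.append(data + IP_HEADER)
    return out

def cells_for(ip_len, mtu, encap):
    """Total ATM cells needed to send one packet at a given interface MTU."""
    return sum(aal5_cells(f, encap)[0] for f in fragment(ip_len, mtu))

def padded_sizes(sizes, encap):
    """Count how many of the given packet sizes leave padding in the last cell."""
    return sum(1 for n in sizes if aal5_cells(n, encap)[1] > 0)

if __name__ == "__main__":
    ENCAP = 2   # assumed encapsulation bytes per packet; set to match your link
    for mtu in (1500, 1478):
        print(mtu, [cells_for(n, mtu, ENCAP) for n in (700, 1478, 1500)])
    sizes = range(40, 1479)
    print(padded_sizes(sizes, ENCAP), "of", len(sizes), "sizes still need padding")
```

With that overhead, only a packet of exactly 1478 bytes fills its cells; a 700-byte packet costs the same number of cells at either MTU, and a 1500-byte packet that has to be fragmented at MTU 1478 costs one cell more than it does unfragmented at MTU 1500.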

Thank you John for helping,

I have set up the router with your commands and saved them to the startup config, but it is still very slow to open a website.
