07-16-2014 08:14 AM - edited 03-04-2019 11:21 PM
Community,
I am having issues with an 1841 router dropping TCP packet segments. The packet profile in question comes in segments of 1348 and 802. The second frame is not being sent out of the egress FastEthernet interface. The packet is then sent incomplete, causing inconsistencies. Clearing the DF bit is not providing a solution. I have also run a ping test and have found that the MTU of the internet link is 1500; this is connected via FastEthernet 0/0. Here is my running config:
show running-config
Building configuration...
Current configuration : 2027 bytes
!
! Last configuration change at 14:42:58 UTC Wed Jul 16 2014
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router1800
!
boot-start-marker
boot-end-marker
!
enable password XXXXXXX
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.55
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool generaldhcp
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8
!
ip dhcp pool VoipDHCP
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.3.1 8.8.8.8
!
!
!
!
!
!
interface FastEthernet0/0
description facing the ISP WAN
ip address dhcp
ip nat outside
ip tcp adjust-mss 1460
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1460
ip policy route-map clear_df
!
interface FastEthernet0/1.3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
interface Serial0/0/0
no ip address
shutdown
!
!
no ip http server
ip nat inside source route-map natmap interface FastEthernet0/0 overload
!
ip access-list extended Allow-ICMP
permit icmp any any unreachable
permit icmp any any time-exceeded
permit icmp any any echo-reply
permit icmp any any parameter-problem
permit icmp any any source-quench
ip access-list extended Internet-out
permit tcp 192.168.2.0 0.0.0.255 any
ip access-list extended natrules
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit tcp any any
permit tcp 192.168.2.0 0.0.0.255 any
!
route-map natmap permit 10
match ip address natrules Allow-ICMP
!
route-map clear_df permit 10
match ip address natrules
set ip df 0
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password XXXXXXX
login
!
scheduler allocate 20000 1000
end
My fear is that the main issue is IP reassembly, which is missing from the software feature set. Thanks, Tito
07-16-2014 11:13 AM
Hello,
Could you please show the logs which the router is generating due to this issue.
Also please provide the software which this router is running on.
The NATting router needs to reassemble the TCP fragments and then forward them further.
Try configuring "ip virtual-reassembly" under the in and out interfaces of the NATting router.
http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_virt_frag_reassm.pdf
Regards,
Mohit
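The point in the reply above, as an added example that is not part of the thread: only the first IP fragment of a TCP segment carries the TCP header, so a NAT overload (PAT) device cannot translate the later fragments on their own, which is what virtual reassembly addresses. The model assumes a 1348-byte path MTU, chosen because it reproduces the 1348/802 sizes from the original post; the fragment layout is constructed for illustration.

```python
IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options


def fragment(tcp_payload_len, mtu, df=False):
    """Split one TCP segment (header + payload) into IPv4 fragments for `mtu`.

    Returns a list of dicts with the IP total length, byte offset, MF flag and
    whether the fragment carries the TCP header. Raises ValueError when DF is
    set and the segment does not fit, i.e. the case where a router must drop
    the packet and send ICMP "fragmentation needed" (type 3, code 4).
    """
    ip_payload = TCP_HDR + tcp_payload_len
    if IP_HDR + ip_payload <= mtu:
        return [{"ip_len": IP_HDR + ip_payload, "offset": 0, "mf": False, "has_l4": True}]
    if df:
        raise ValueError("DF set and segment exceeds MTU: drop and send ICMP 3/4")
    chunk = (mtu - IP_HDR) // 8 * 8   # every fragment but the last carries a multiple of 8 bytes
    frags, off = [], 0
    while off < ip_payload:
        n = min(chunk, ip_payload - off)
        frags.append({"ip_len": IP_HDR + n, "offset": off,
                      "mf": off + n < ip_payload, "has_l4": off == 0})
        off += n
    return frags


def pat_translatable(frag):
    """PAT rewrites TCP ports, so it can only act on the fragment holding the TCP header."""
    return frag["has_l4"]


def needs_virtual_reassembly(frags):
    """True when at least one fragment cannot be translated without reassembly."""
    return any(not pat_translatable(f) for f in frags)


def safe_mss(mtu):
    """MSS that keeps a whole segment inside the MTU: 1460 for MTU 1500 (ip tcp adjust-mss 1460)."""
    return mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    frags = fragment(2090, 1348)   # assumed 1348-byte path MTU: yields 1348 + 802 byte fragments
    print([f["ip_len"] for f in frags], needs_virtual_reassembly(frags))
    print(safe_mss(1500))
```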
07-16-2014 05:52 PM
Mohit,
Thanks for your reply. I am currently using Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1), which does not include ip virtual-reassembly. I have tried using a 2600 with enterprise 12.4 and I am seeing the same result with ip virtual-reassembly on both ingress and egress interfaces. Can you please provide instructions on how to acquire the necessary logs? I have attached a trace for reference; this was captured using a monitor session with a switch mirroring the LAN VLAN (192.168.2.0) and the internet VLAN.