TCP segments dropped 1841 series

tcumpenglowpoint · ‎07-16-2014

Community,

I am having issues with a an 1841 router dropping tcp packet segments. The packet profile in question comes in segments of 1348 and 802. The second frame is not being sent out of the egress FastEthernet interface. The packet is then sent incomplete and causing inconsistencies. Clearing the df bit is not providing a solution. I have also ran a ping test and have found that the MTU internet link is 1500 this is connected via Fastethernet 0/0. Here is my run config:

show running-config

Building configuration...

Current configuration : 2027 bytes

!

! Last configuration change at 14:42:58 UTC Wed Jul 16 2014

!

version 12.4

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname router1800

!

boot-start-marker

boot-end-marker

!

enable password XXXXXXX

!

no aaa new-model

!

resource policy

!

ip cef

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.2.1 192.168.2.55

ip dhcp excluded-address 192.168.3.1

!

ip dhcp pool generaldhcp

network 192.168.2.0 255.255.255.0

default-router 192.168.2.1

dns-server 8.8.8.8

!

ip dhcp pool VoipDHCP

network 192.168.3.0 255.255.255.0

default-router 192.168.3.1

dns-server 192.168.3.1 8.8.8.8

!

interface FastEthernet0/0

description facing the ISP WAN

ip address dhcp

ip nat outside

ip tcp adjust-mss 1460

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

!

interface FastEthernet0/1.2

encapsulation dot1Q 2

ip address 192.168.2.1 255.255.255.0

ip nat inside

ip tcp adjust-mss 1460

ip policy route-map clear_df

!

interface FastEthernet0/1.3

encapsulation dot1Q 3

ip address 192.168.3.1 255.255.255.0

ip nat inside

!

interface Serial0/0/0

no ip address

shutdown

!

no ip http server

ip nat inside source route-map natmap interface FastEthernet0/0 overload

!

ip access-list extended Allow-ICMP

permit icmp any any unreachable

permit icmp any any time-exceeded

permit icmp any any echo-reply

permit icmp any any parameter-problem

permit icmp any any source-quench

ip access-list extended Internet-out

permit tcp 192.168.2.0 0.0.0.255 any

ip access-list extended natrules

permit ip 192.168.2.0 0.0.0.255 any

permit ip 192.168.3.0 0.0.0.255 any

permit tcp any any

permit tcp 192.168.2.0 0.0.0.255 any

!

route-map natmap permit 10

match ip address natrules Allow-ICMP

!

route-map clear_df permit 10

match ip address natrules

set ip df 0

!

control-plane

!

line con 0

exec-timeout 0 0

line aux 0

line vty 0 4

password XXXXXXX

login

!

scheduler allocate 20000 1000

end

My fear is that the main issue is IP reassembly which is missing from software feature set. Thanks Tito

Mohit Sahai · ‎07-16-2014

Hello,

Could you please show the logs which the router is generating due to this issue.

Also please provide the software which this router is running on.

Natting router needs to reassemble the TCP fragments and then forward further.

Try configuring "ip virtual-reassesmbly" under the in and out interfaces of the Natting router..

http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_virt_frag_reassm.pdf

Regards,

Mohit

tcumpenglowpoint · ‎07-16-2014

Mohit,

Thanks for your reply I am currently using version Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)

Which does not include ip virtual-reassembly. I have tried using an 2600 with enterprise 12.4 and I am seeing the same result with IP virtual-reassembly in both ingress and egress interfaces. Can you please provide instruction on how to acquire the necessary logs? I have attached a trace for reference this was captured using a monitor session with a switch mirroring the lan vlan(192.168.2.0) and internet vlan