
CISCO 2801 dropping packets

15 years 11 months ago #28316 by michel
I'm new to CISCO networking and have been given the task to set up a VPN to one of our business partners. The VPN tunnel is working but all traffic over the tunnel seems to lose packets. When I do a ping to an IP at the other end from a workstation in our network I typically see about 50% dropped packets. When I do the same ping from the 2801 I do not get a single dropped packet.

The workstation has IP 10.147.93.2 and I'm trying to ping 10.135.172.49. Below is the current running-config.

Any idea what might be causing this?

Thanks,

Michel

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXXXXXXX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
!
!
no ip bootp server
ip domain name XXXXXXXX.XXX
ip name-server 194.109.104.104
ip multicast-routing
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-1819100445
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1819100445
revocation-check none
rsakeypair TP-self-signed-1819100445
!
!
crypto pki certificate chain TP-self-signed-1819100445
certificate self-signed 01
quit
username michel privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
crypto isakmp key XXXXXXXXXX address XXX.XXX.XXX.XXX
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set xxxvpn esp-3des esp-md5-hmac
!
crypto map xxxvpn 1 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set xxxvpn
match address 103
!
!
!
interface Tunnel0
ip address 10.147.2.78 255.255.255.252
ip pim sparse-mode
tunnel source 10.147.0.93
tunnel destination 10.147.254.1
!
interface Null0
no ip unreachables
!
interface Loopback0
ip address 10.147.0.93 255.255.255.255
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 10.147.93.1 255.255.255.0
ip address 192.168.0.10 255.255.255.0 secondary
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0/1
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map xxxvpn
!
ip classless
ip route 0.0.0.0 0.0.0.0 195.190.249.3
ip route 10.1.16.0 255.255.255.0 FastEthernet0/1
ip route 10.1.63.0 255.255.255.0 FastEthernet0/1
ip route 10.132.19.0 255.255.255.0 Tunnel0
ip route 10.135.70.0 255.255.255.0 FastEthernet0/1
ip route 10.135.71.0 255.255.255.0 FastEthernet0/1
ip route 10.135.172.0 255.255.255.0 FastEthernet0/1
ip route 10.135.173.0 255.255.255.0 FastEthernet0/1
ip route 10.140.18.0 255.255.255.0 FastEthernet0/1
ip route 10.140.120.0 255.255.255.0 FastEthernet0/1
ip route 10.147.254.1 255.255.255.255 FastEthernet0/1
ip route 195.190.249.3 255.255.255.255 FastEthernet0/1
!
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip pim rp-address 10.132.19.15
ip mroute 10.132.19.0 255.255.255.0 Tunnel0
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.3 9002 interface FastEthernet0/1 9002
ip nat inside source static tcp 192.168.0.3 22 interface FastEthernet0/1 30000
ip nat inside source static tcp 192.168.0.3 31099 interface FastEthernet0/1 31099
ip nat inside source static tcp 192.168.0.20 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.0.20 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.0.35 22 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.0.20 993 interface FastEthernet0/1 993
!
logging trap debugging
access-list 1 remark NAT inside source list
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark HTTP config access
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 100 remark Inside access list
access-list 100 permit ip any any
access-list 101 remark Outside access list
access-list 101 remark Port forwardings
access-list 101 permit tcp any any eq www log
access-list 101 permit tcp any any eq 9002 log
access-list 101 permit tcp any any eq 443 log
access-list 101 permit tcp any any eq 993 log
access-list 101 permit tcp any any eq smtp log
access-list 101 remark Entries for XXXVPN
access-list 101 permit gre host 10.147.254.1 host 10.147.0.93
access-list 101 permit ip 10.135.70.0 0.0.0.255 10.147.93.0 0.0.0.255
access-list 101 permit ip 10.135.71.0 0.0.0.255 10.147.93.0 0.0.0.255
access-list 101 permit ip 10.135.172.0 0.0.0.255 10.147.93.0 0.0.0.255
access-list 101 permit ip 10.135.173.0 0.0.0.255 10.147.93.0 0.0.0.255
access-list 101 permit ip 10.140.120.0 0.0.0.255 10.147.93.0 0.0.0.255
access-list 101 permit ip 10.140.18.0 0.0.0.255 10.147.93.0 0.0.0.255
access-list 101 permit ip 10.1.16.0 0.0.0.255 10.147.93.0 0.0.0.255
access-list 101 permit ip 10.1.63.0 0.0.0.255 10.147.93.0 0.0.0.255
access-list 101 permit udp any any eq isakmp
access-list 101 permit ahp any any
access-list 101 permit esp any any
access-list 101 permit gre any any
access-list 101 permit udp host 194.109.104.104 eq domain any
access-list 101 permit udp host 194.109.6.66 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark VTY config access
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark XXXVPN access-list
access-list 103 permit ip 10.147.93.0 0.0.0.255 10.135.70.0 0.0.0.255
access-list 103 permit ip 10.147.93.0 0.0.0.255 10.135.71.0 0.0.0.255
access-list 103 permit ip 10.147.93.0 0.0.0.255 10.135.172.0 0.0.0.255
access-list 103 permit ip 10.147.93.0 0.0.0.255 10.135.173.0 0.0.0.255
access-list 103 permit ip 10.147.93.0 0.0.0.255 10.140.120.0 0.0.0.255
access-list 103 permit ip 10.147.93.0 0.0.0.255 10.140.18.0 0.0.0.255
access-list 103 permit ip 10.147.93.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 103 permit ip 10.147.93.0 0.0.0.255 10.1.63.0 0.0.0.255
access-list 103 permit gre host 10.147.0.93 host 10.147.254.1
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp logging
ntp server 194.109.22.18
ntp server 193.67.79.202
ntp server 194.109.20.18
end
15 years 11 months ago #28317 by Chojin
50% dropped packets sounds like a redundant routing path which doesn't work. (1st packet is routed correctly and arrives, 2nd doesn't, 3rd does, 4th doesn't etc.)
Do a trace route multiple times and see your next hops.

Also check for duplex mismatches which can cause drops, but this would drop in both ways.

Else check with a packet sniffer where the drops occur (on which side).

CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
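Chojin's alternating-loss reasoning, as an added example that is not from the thread: a small Python script that parses Linux-style ping output (Windows ping prints no sequence numbers), recovers which icmp_seq probes never got a reply, and labels the loss as alternating (every other probe, pointing at a broken second path) or scattered (more consistent with a duplex mismatch or link errors). The ping lines below are constructed sample data, not a real capture.

```python
import re

# Only genuine echo replies carry "bytes from"; Linux error lines such as
# "From 10.147.93.1 icmp_seq=2 Destination Host Unreachable" must not count.
REPLY_RE = re.compile(r"bytes from .*?icmp_seq=(\d+)")

def received_seqs(ping_output: str) -> set:
    """Return the icmp_seq numbers that received an echo reply."""
    return {int(m.group(1)) for m in REPLY_RE.finditer(ping_output)}

def classify_loss(ping_output: str, sent: int, first_seq: int = 1) -> dict:
    """Compute loss percentage and label the loss pattern.

    alternating: every other probe lost, consistent with two forwarding paths
                 where one is broken and traffic alternates between them.
    random:      scattered loss, more consistent with link errors such as a
                 duplex mismatch or congestion.
    """
    got = received_seqs(ping_output)
    probes = range(first_seq, first_seq + sent)
    lost = [s for s in probes if s not in got]
    if not lost:
        pattern = "none"
    elif len(lost) == sent:
        pattern = "total"
    else:
        # Alternating loss: all lost probes share one parity, and every probe
        # of that parity is missing.
        parities = {s % 2 for s in lost}
        same_parity = [s for s in probes if s % 2 in parities]
        pattern = "alternating" if len(parities) == 1 and lost == same_parity else "random"
    return {"loss_pct": 100.0 * len(lost) / sent, "lost": lost, "pattern": pattern}

# Constructed sample output (not a real capture): the thread's symptom, a
# workstation pinging 10.135.172.49 and getting replies only to odd probes.
SAMPLE_ALTERNATING = "\n".join(
    f"64 bytes from 10.135.172.49: icmp_seq={s} ttl=61 time=12.{s} ms"
    for s in range(1, 11) if s % 2 == 1
)
# Constructed: 20% loss with no parity pattern (seq 3 and 7 missing).
SAMPLE_RANDOM = "\n".join(
    f"64 bytes from 10.135.172.49: icmp_seq={s} ttl=61 time=12.{s} ms"
    for s in range(1, 11) if s not in (3, 7)
)

if __name__ == "__main__":
    for name, sample in (("alternating", SAMPLE_ALTERNATING), ("random", SAMPLE_RANDOM)):
        print(name, classify_loss(sample, sent=10))
```

Pipe real output in with `ping -c 20 10.135.172.49 | python3 script.py` after replacing the constructed samples with `sys.stdin.read()`.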
15 years 11 months ago #28320 by michel
It seems the packets are dropped in our network since the ping from the CISCO itself works 100% every time.

I've tried the following setup for testing

[Workstation 10.147.93.2] -> [Switch] -> [CISCO 10.147.93.1]

This gave the same results (50% dropped packets).

The traceroute doesn't give me any information either.
15 years 10 months ago #28582 by Kajitora
> 50% dropped packets sounds like a redundant routing path which doesn't work. (1st packet is routed correctly and arrives, 2nd doesn't, 3rd does, 4th doesn't etc.)
> Do a trace route multiple times and see your next hops.
>
> Also check for duplex mismatches which can cause drops, but this would drop in both ways.
>
> Else check with a packet sniffer where the drops occur (on which side).

That sounds right. Are there any redundant links or load balancing going on between the host and the router? Sry bout sp, coming from my iPhone.

itgamers.blogspot.com