[c-nsp] 2611xm slowed to crawl, ip based filter...
Church, Chuck
cchurch at netcogov.com
Wed Sep 8 15:44:24 EDT 2004
How much traffic are you trying to push through it? A 2611 probably
can't handle more than 10 Mbit of traffic (total of both directions). Any
chance you've got PCs infected with a worm on one side or the other?
Next time it slows down to a crawl, grab a 'sh proc cpu', 'sh mem', 'sh
int', 'sh int stat', and 'sh buf'. Like Bruce mentioned, the next hop
and ARP could be an issue. If you've got a huge CEF table, the arp
table is probably unnecessarily large as well.
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com <-note new address!
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
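Chuck's checklist above ('sh proc cpu', 'sh int' and friends) is the right first move, and it is also the answer to Jeff's original question of whether the ACL is processor bound: the two CPU numbers on the first line of 'show processes cpu' (total and interrupt-level) tell you whether the box is busy forwarding in the fast path or busy process-switching, and the input-queue counters on 'show interfaces' tell you whether packets are already being dropped. The script below is an added example, not something from the thread or from Cisco; it parses constructed output modelled on the IOS 12.2 layout of those two commands (not captured from this router) and maps the counters onto the usual causes of a crawling 2600. The 10 Mbit platform budget is Chuck's rough figure, and the 128-byte small-packet threshold is a heuristic of my own, not a datasheet value.

```python
import re

# Constructed sample output, modelled on the IOS 12.2 "show processes cpu" and
# "show interfaces" layouts; NOT captured from the router in this thread.
SHOW_PROC_CPU = """\
CPU utilization for five seconds: 99%/43%; one minute: 97%; five minutes: 96%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1          12       311         38  0.00%  0.00%  0.00%   0 Load Meter
   2      184012    920134        200 55.12% 52.80% 51.30%   0 IP Input
   3        1204      8123        148  0.80%  0.40%  0.30%   0 CEF process
  24        3210      6432        499  0.16%  0.10%  0.09%   0 ARP Input
"""

SHOW_INTERFACES = """\
FastEthernet0/0 is up, line protocol is up
  Input queue: 75/75/18422/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 7984000 bits/sec, 9400 packets/sec
  5 minute output rate 6120000 bits/sec, 8800 packets/sec
FastEthernet0/1 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 12
  5 minute input rate 6120000 bits/sec, 8800 packets/sec
  5 minute output rate 7984000 bits/sec, 9400 packets/sec
"""

CPU_RE = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%;")
IF_RE = re.compile(r"^(\S+) is \S+, line protocol is \S+")
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)")
RATE_RE = re.compile(r"5 minute (input|output) rate (\d+) bits/sec, (\d+) packets/sec")

PLATFORM_BUDGET_BPS = 10_000_000  # Chuck's rough "~10 Mbit both directions"; an assumption, not a datasheet figure
SMALL_PACKET_BYTES = 128          # heuristic: scan/worm traffic is mostly tiny packets; an assumption


def parse_proc_cpu(text):
    """Return total/interrupt/process CPU percentages plus each process's 5-second share."""
    m = CPU_RE.search(text)
    if not m:
        raise ValueError("no CPU utilization line found")
    total, interrupt = int(m.group(1)), int(m.group(2))
    processes = {}
    for line in text.splitlines():
        f = line.split()
        # Process rows: PID Runtime Invoked uSecs 5Sec 1Min 5Min TTY Name...
        if len(f) >= 9 and f[0].isdigit() and f[4].endswith("%"):
            processes[" ".join(f[8:])] = float(f[4].rstrip("%"))
    return {"total": total, "interrupt": interrupt,
            "process": total - interrupt, "processes": processes}


def parse_interfaces(text):
    """Return per-interface input-queue state and 5-minute in/out rates."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IF_RE.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {})
            continue
        if cur is None:
            continue
        m = QUEUE_RE.search(line)
        if m:
            cur["in_q_size"], cur["in_q_max"], cur["in_q_drops"] = (int(m.group(i)) for i in (1, 2, 3))
        m = RATE_RE.search(line)
        if m:
            cur[m.group(1) + "_bps"] = int(m.group(2))
            cur[m.group(1) + "_pps"] = int(m.group(3))
    return ifaces


def diagnose(cpu, ifaces, budget_bps=PLATFORM_BUDGET_BPS):
    """Map the counters onto the usual causes of a crawling 2600: (where, code, detail) tuples."""
    findings = []
    if cpu["total"] >= 90:
        top = max(cpu["processes"], key=cpu["processes"].get)
        if cpu["process"] >= cpu["interrupt"]:
            # Load is in a scheduled process, not the fast path: traffic is being
            # process-switched (no CEF/route-cache hit, ACL punts) or something floods that process.
            findings.append(("cpu", "process-switching",
                             f'{cpu["total"]}% total, only {cpu["interrupt"]}% at interrupt level; '
                             f'top process "{top}" at {cpu["processes"][top]}%'))
        else:
            findings.append(("cpu", "fast-path-saturated",
                             f'{cpu["interrupt"]}% of {cpu["total"]}% is interrupt level: raw forwarding load'))
    for name, st in ifaces.items():
        if st.get("in_q_drops", 0) and st.get("in_q_size") == st.get("in_q_max"):
            findings.append((name, "input-queue-full",
                             f'{st["in_q_drops"]} drops with input queue {st["in_q_size"]}/{st["in_q_max"]}'))
        total = st.get("input_bps", 0) + st.get("output_bps", 0)
        if total > budget_bps:
            findings.append((name, "over-budget",
                             f"{total / 1e6:.1f} Mbit/s in+out against ~{budget_bps / 1e6:.0f} Mbit/s"))
        pps = st.get("input_pps", 0)
        if pps:
            avg = st["input_bps"] / 8 / pps
            if avg < SMALL_PACKET_BYTES:
                findings.append((name, "small-packets",
                                 f"{avg:.0f}-byte average inbound packet at {pps} pps: scan/worm-like"))
    return findings


if __name__ == "__main__":
    cpu = parse_proc_cpu(SHOW_PROC_CPU)
    for where, code, detail in diagnose(cpu, parse_interfaces(SHOW_INTERFACES)):
        print(f"{where:16} {code:22} {detail}")
```

On the constructed sample the verdict is "process-switching" with IP Input on top, which is the pattern you would expect from a 2600 forwarding through an ACL without CEF, and the inside interface shows a full input queue, more than the platform budget in aggregate, and ~100-byte average packets at high pps, which is what a worm or a Nessus sweep looks like from the router's side. Paste real output into the two constants to run it against your own box.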
-----Original Message-----
From: Jeff Johnson [mailto:jeff at comfrey.net]
Sent: Wednesday, September 08, 2004 3:25 PM
To: Church, Chuck
Cc: Cisco-nsp
Subject: Re: [c-nsp] 2611xm slowed to crawl, ip based filter...
Right, sorry,
here is the full config:
So I cleaned it up a little bit and made it less restrictive.
I ran Nessus last night and again things slowed to a crawl. I think
Nessus created a DoS.
I turned on ip cef this morning, but disabled all of the access-lists
just to be sure things would just work, as things were terribly slow.
I will probably test this out later this afternoon.
Any comments? Do you think CEF will improve the speed?
I did a "sh ip cef" and the list it returned was quite long. I
assume this is expected.
-----------------------------------------------
Current configuration : 1407 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname foo.webcoach.com
!
enable secret 5 $XXXXXXXX
enable password 7 XXXXXXXXXXXXXX
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description inside
ip address X.X.X.190 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
speed 100
full-duplex
!
interface FastEthernet0/1
description outside
ip address X.X.X.205 255.255.255.252
speed 100
full-duplex
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
no ip http server
ip pim bidir-enable
!
!
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip X.X.X.128 0.0.0.63 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 143
access-list 101 permit icmp any any
access-list 101 permit tcp any any range ftp-data ftp
access-list 101 permit tcp any any eq pop3
access-list 101 permit udp any host X.X.X.129 eq domain
access-list 101 permit tcp any host X.X.X.148 eq smtp
!
line con 0
line aux 0
line vty 0 4
password 7 141A1D01034507242E2772180D3928
login
!
!
end
-----------------------------------------------------------------------
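One thing worth pointing out about the config above, separate from the performance question: `service password-encryption` only turns `password` lines into type 7 strings, and type 7 is a fixed-key XOR that anyone can reverse, so the `enable password 7` and vty `password 7` lines in a config pasted to a public list are as good as plaintext. Only the `enable secret 5` line is an MD5-based hash. The script below is an added example (not from the thread or from Cisco) that implements the well-known type 7 encode/decode and audits a config dump for reversible secrets; the config it runs over is constructed for the example, with my own made-up passwords, not the values posted above.

```python
import re

# The fixed key IOS uses for type 7 "encryption"; the seed selects the starting offset.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc: str) -> str:
    """Reverse an IOS type 7 string: 2-digit decimal seed, then hex bytes XORed with XLAT."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode("ascii")


def encode_type7(plain: str, seed: int = 12) -> str:
    """Produce a type 7 string; IOS picks a small seed itself, any offset into XLAT decodes."""
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed out of range")
    data = plain.encode("ascii")
    return "%02d" % seed + "".join("%02X" % (c ^ XLAT[(seed + i) % len(XLAT)]) for i, c in enumerate(data))


# Lines that carry a type 7 secret in an IOS config dump.
TYPE7_RE = re.compile(r"^\s*(?:enable password|password|username \S+ password) 7 ([0-9A-Fa-f]+)\s*$")


def audit_config(config: str):
    """Return (line_no, line, plaintext) for every reversible secret found in a config dump."""
    hits = []
    for n, line in enumerate(config.splitlines(), 1):
        m = TYPE7_RE.match(line)
        if m:
            try:
                hits.append((n, line.strip(), decode_type7(m.group(1))))
            except ValueError:
                hits.append((n, line.strip(), None))  # malformed string; still worth a look
    return hits


# Constructed config fragment laid out like the posted one; the secrets are my own, not Jeff's.
SAMPLE_CONFIG = """\
service password-encryption
!
enable secret 5 $1$XXXX$XXXXXXXXXXXXXXXXXXXXXX
enable password 7 121A0C041104
!
line vty 0 4
 password 7 0214544E1F031D
 login
"""

if __name__ == "__main__":
    for n, line, plain in audit_config(SAMPLE_CONFIG):
        print(f"line {n}: {line!r} -> {plain!r}")
```

The practical fix is the one the posted config already half-applies: keep `enable secret`, drop `enable password`, and put vty access behind `login local` with `username ... secret` (or AAA) rather than a line `password 7`, so that a config dump does not hand out working credentials.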
On Sep 8, 2004, at 8:02 AM, Church, Chuck wrote:
> Jeff,
>
> Something doesn't seem right. If it's a 2611XM, doesn't it have
> fast ethernet interfaces? What router do these interface configs
> belong
> to?
>
>
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 703-819-3495
> cchurch at netcogov.com <-note new address!
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Johnson
> Sent: Wednesday, September 08, 2004 2:47 AM
> To: Cisco-nsp
> Subject: [c-nsp] 2611xm slowed to crawl, ip based filter...
>
> Hey all,
>
> Below is an excerpt from my config on a 2611xm. I set this up last
> Friday night and foolishly walked away. Upon checking in the next day
> I found that the network had slowed to a crawl and I could not even
> connect via ssh. The connections would time out.
>
> Is this ACL processor bound or is there some fundamental flaw in its
> design?
>
> I am new to Cisco based firewalls, so please go easy on me.
>
> the following section was generated by configmaker.
>
> I appreciate the help,
>
> -Jeff
>
----------------------------------------------------------------------------
NOTE: As of 8/1/2004 my email address has changed to cchurch at netcogov.com
----------------------------------------------------------------------------