[c-nsp] In your opinions, is this an IOS bug or not?

Ted Mittelstaedt tedm at toybox.placo.com
Fri Mar 4 03:51:05 EST 2005


Hi All,

  OK, I have a situation here that looks like an IOS bug; let me
know your opinions, please.  If enough of you think it is, then I'll
go ahead and get it filed.

  We have a customer that was running IOS Firewall Feature set on a
Cisco 3620 no problem.  The 3620 had a single point-to-point T1 coming
into it from us, and a single Ethernet port that went to their inside
network.  The 3620 was running address translation.  There was an inspection
access list in the router, although not very extensive.  This config and
installation had been running fine for several years now and through
several IOS revs.

  The customer wanted to go to 2 T1s for higher throughput and for some
redundancy.  So we set them up with a second point-to-point into a second
serial interface on their router.  On our side both T1s from them
terminated into a 7206.  I personally set up both T1s, ran pattern testing
with the telco, etc.  Same model DSUs in use on both ends of each T span.

  So I go and set up their 3620 with 12.2.27 IOS and ip cef, and our 7206
with the same version, except our side is IP only and their side is FW
feature set.  No dynamic routing going on, purely static routes on each side.

  When I turn on the second T1 and start measuring throughput we find the
throughput has now sunk into the toilet.  We are talking no more than a
T1's worth, going from a desktop on their end to a server on ours.
Internet throughput is awful; they are lucky to get 128 kbps if that.  A lot
of web sites aren't even coming up.

  I try a few things over the next couple of days, switched from
per-destination to per-packet load balancing, etc.  Finally I notice the CPU
utilization on their router is around 80-100%.  I am stymied, so I yard over
one of our spare 7206s.  Now we have 2 7206s, one on each end of these 2
T1s.  And the same baloney is going on, although CPU utilization on their
side is only around 25%.  Over the next day or so the 7206 on their end
reboots itself a few times.

  Eventually I say enough of this, it must be ip cef.  So I turn it off on
both sides and set up multilink PPP.  And the SAME bullshit is going on:
Internet throughput is awful, web sites aren't even coming up, etc.

  Finally, I notice one thing: FTP transfers seem to be flying along.
HTTP transfers aren't.  So, I pull the inspection statement covering http
from their router.  Voila, instantly they are now getting the 3MB.  This
lasts for about 8 hours and then it's crawling again.  So, I remove every
scrap and trace of any IOS Firewall inspection statements and reboot the
router and everything is now fine.  CPU utilization is down to 2% or so.
Life is good.

  So, is there a known problem with IOS Firewall Feature set, Address
Translation, IP Tunnel (there's a tunnel interface on this router) and
load-balanced T1s in IOS?  Has anyone run into anything like this before?
Do you think this is a bug?

Ted Mittelstaedt
Internet Partners, Inc.
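For readers trying to reproduce or rule out the behaviour Ted describes, here is a constructed sketch of the customer-side configuration his post implies: two point-to-point serial T1s with equal-cost static defaults and per-packet load sharing, NAT on the inside Ethernet, and a CBAC inspection rule that includes the http statement he ended up pulling. This is an added illustration, not the poster's actual config; the interface names, addresses, ACL number and the inspection rule name CBAC are all assumptions, and the show commands at the end are the standard ones for checking the CPU load and inspection session state he reported.

```text
! Constructed illustration of the topology in the post above; not the poster's config.
! Interface names, addresses, ACL number and the rule name "CBAC" are assumed.
ip cef
!
! IOS Firewall (CBAC) inspection rule. The "http" line is the statement the
! poster removed first; the rest is a typical minimal rule set.
ip inspect name CBAC http
ip inspect name CBAC ftp
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
interface Ethernet0/0
 description inside LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description T1 #1 to upstream 7206
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
 ip inspect CBAC out
 ip load-sharing per-packet
!
interface Serial0/1
 description T1 #2 to upstream 7206
 ip address 192.0.2.5 255.255.255.252
 ip nat outside
 ip inspect CBAC out
 ip load-sharing per-packet
!
! Two equal-cost static defaults are what spread traffic over both T1s
ip route 0.0.0.0 0.0.0.0 192.0.2.2
ip route 0.0.0.0 0.0.0.0 192.0.2.6
!
ip nat inside source list 1 interface Serial0/0 overload
access-list 1 permit 10.0.0.0 0.0.0.255
!
! Checks that correspond to the symptoms described in the post:
! show processes cpu          - the 80-100% (3620) / 25% (7206) figures
! show ip inspect sessions    - how many half-open/established CBAC sessions exist
! show ip inspect config      - confirms which protocols are still being inspected
```

The point of laying it out this way is that the three moving parts the poster asks about (inspection, NAT and the per-packet split across two serials) all sit on the same two outside interfaces, so each can be removed one at a time while watching `show processes cpu` and `show ip inspect sessions`, which is effectively the elimination he performed by hand.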
