[c-nsp] Crypto and CEF

Rodney Dunn rodunn at cisco.com
Mon Jun 11 08:05:43 EDT 2007


On Mon, Jun 11, 2007 at 01:34:09PM +0300, Dan IOSUB wrote:
> Hi Rikard,
> 
> try to configure on interface:
> 
> no ip route-cache

That really should not be a suggested action unless it's the
last option available. That forces traffic to be process switched
potentially.


> no ip mroute-cache

That disables multicast fast switching which shouldn't be relevant.

Most likely he has a problem where the CEF FIB entry is pointing
to a CEF adjacency entry that is incomplete. Therefore, we'll rate
limit punt packets to try and resolve the adjacency. That's why
you see the 50/50 probably because it's 1 per 500 msec rate limited.

Capture the following:

sh ip cef <dst>
If the next hop for the route is out a LAN, capture:
sh ip arp <nexthop>

Then capture 'sh adj' and find the adj for the next hop and let's
see what it says.

Rodney

> 
> BR//Dan
> 
> On 6/11/07, Rikard Stemland Skjelsvik <rskjels at pogostick.net> wrote:
> >
> >
> > Good morning!
> >
> >
> > Last week I had a problem with a router that was used as a VPN backup over
> > the internet, since we had a problem with the main link.
> >
> > The problem was that our customers could not access any service and
> > a ping probe showed that 50% of all packets were lost. My initial response
> > was to check if there was any load balancing or redundant links. There were
> > none. I checked the CEF and could not find anything out of the ordinary.
> > When I looked at the ARP table, I found a lot of incomplete MAC addresses
> > on the LAN. An older colleague suggested turning off CEF.
> >
> > When I turned off CEF, everything started to work. I asked my more
> > experienced colleague as to why and he could not give me an answer. He just
> > said that he had experienced problems before with crypto and CEF.
> >
> > I wondered if anyone on this list could share some insight as to why
> > CEF and crypto can be problematic.
> >
> > Thank you!
> >
> > Regards,
> > Rikard
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >

