[c-nsp] Crypto and CEF
Rikard Stemland Skjelsvik
rskjels at pogostick.net
Tue Jun 12 04:37:34 EDT 2007
Andrew Yourtchenko wrote:
> Very very far shot - but I'd check if you have any of the routes
> pointing directly to an interface, like:
> ip route 0.0.0.0 0.0.0.0 Ethernet0/0
> (the default is just an example here, could be some other subnet)
> this would be not-so great since it would cause the router to proxyarp
> for each destination and could cause similar symptoms.
> It's a very very far shot (and is jumping to conclusion to a large
> extent), so take it as it is :-)
Actually, we route to the LAN at the other end out the WAN interface:
ip route x.x.x.x 255.255.255.192 FastEthernet0
Rodney Dunn wrote:
> sh ip cef <dst>
> if the next hop for the route is out a lan capture:
> sh ip arp <nexthop>
> Then capture 'sh adj' and find the adj for the next hop and let's
> see what it says.
This is what I hope to test. Unfortunately, a colleague of mine switched over
from the VPN this morning and our customer switched off the VPN router.
I hope to be able to test this soon.
> Most likely he has a problem where the CEF FIB entry is pointing
> to a CEF adjacency entry that is incomplete. Therefore, we'll rate
> limit punt packet to try and resolve the adjacency. That's why
> you see the 50/50 probably because it's 1 per 500 msec rate
> limited.
This could explain a lot. Thank you for sharing. I did not know this.
I believe the problem was at the LAN side of the VPN router, since I could
ping a host at x.x.x.x with the LAN interface as source just fine.
The problem was when a client at the LAN tried to ping a host at x.x.x.x
that we lost 50% of the packages.
I will post an update when I get more information.
Thanks to everyone who took their time to reply and help me.
Regards,
Rikard
--
Rikard