[c-nsp] Crypto and CEF

Rodney Dunn rodunn at cisco.com
Tue Jun 12 09:05:39 EDT 2007


Some other things to look at would be:

debug adj

and 'sh ip cef events' 

just to see if anything sticks out about the destination
you are trying to reach.

And try pinging with a record route option set.

Rodney

On Tue, Jun 12, 2007 at 10:37:34AM +0200, Rikard Stemland Skjelsvik wrote:
> 
> Andrew Yourtchenko wrote
> 
>         Very very far shot - but I'd check if you have any of the routes
>         pointing directly to an interface, like:
> 
>         ip route 0.0.0.0 0.0.0.0 Ethernet0/0
> 
>         (the default is just an example here, could be some other subnet)
> 
>         this would be not-so great since it would cause the router to proxyarp
>         for each destination and could cause similar symptoms.
> 
>         It's a very very far shot (and is jumping to conclusion to a large
>         extent), so take it as it is :-)
> 
> Actually we route to the LAN in the other end out the WAN interface
> ip route x.x.x.x 255.255.255.192 FastEthernet0
> 
> Rodney Dunn wrote
> 
> 
>         sh ip cef <dst>
>         if the next hop for the route is out a lan capture:
>         sh ip arp <nexthop>
> 
>         Then capture 'sh adj' and find the adj for the next hop and let's
>         see what it says.
> 
> This is what I hope to test. Unfortunately a colleague of mine switched over
> from the vpn this morning and our customer switched off the vpn router.
> I hope to be able to test this soon.
> 
> 
>         Most likely he has a problem where the CEF FIB entry is pointing
>         to a CEF adjacency entry that is incomplete. Therefore, we'll rate
>         limit punt packet to try and resolve the adjacency. That's why
>         you see the 50/50 probably because it's 1 per 500 msec rate
>         limited.
> 
> This could explain a lot. Thank you for sharing. I did not know this.
> I believe the problem was at the LAN side of the vpn router since I could
> ping a host at x.x.x.x from with the LAN interface as source just fine.
> The problem was when a client at the LAN tried to ping a host at x.x.x.x
> that we lost 50% of the packages.
> 
> I will post an update when I get more information.
> 
> Thanks to everyone who took their time to reply and help me
> 
> 
> 
> Regards,
> Rikard
> 
> 
> --
> Rikard
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/