[c-nsp] Tracking connection resets on a 7500 trunking GEIP+

[Lamar Owen]

Ok, I'm having an odd difficulty, and am trying to determine how to go about 
troubleshooting it.

I have two routers at my border, a 7401ASR and a 7507/RSP8, both running 12.4 
mainline.  The two routers are both running iBGP to each other and eBGP to my 
provider.  The two routers are providing HSRP to a server subnet, an APS-
protected OC3 POS WAN link, and Stateful NAT with several static entries and a 
dynamic pool.  CBAC is in use, and the ACL isn't terribly long.

The two routers connect to both the server farm and the ISP through two Gige 
trunks to a Catalyst 5505 switch, using two SupIIIG's for the GigE-LX trunks 
and a WS-X5225R 24 port 10/100 blade to connect to the ISP through a pair of 
ports on two VLANs, and to the server farm through other VLANs.

While the 7401 (the APS protect) is active on the OC3 and set as active for 
HSRP, everything works as it should.  When the 7507 is doing this duty, some 
websites become deathly slow, to the point of showing 'connection reset by 
peer' errors.

I'm looking for just a pointer or two as to how to trace this issue and narrow 
down to the port on the Cat5505 SupIIIG, the two GBIC's, the fiber path, the 
GEIP+ on the 7507, or maybe even the RSP8 on the 7507.  I do see a very few 
framing errors on the GigE between the GEIP+ and the SupIIIG, but they are 
very few and far between.

So any pointer (except 'upgrade your hardware') is desired.  I would love to 
upgrade, but, in this economy?

The best idea I've had yet is to remove the 7401, replace with another known 
good 7507 that I have, drop to 12.0S, and do my NAT and firewalling on this end 
of the OC3 with a single or dual 7401ASR setup (using hardware I have at my 
disposal).  Then I'll use GRE tunnels to the RSFC's on the two SupIIIG's to 
get to the server farm at that end.