Cisco :: Performance Degradation From Using Debug Ip Packet ACL Detail?
Apr 5, 2012
I'm troubleshooting one way audio with our anyconnect phones.I think it is a routing issue.typically I wouldnt run debug ip packet detail on a production router, however I just found out that you can use acl's to specify the traffic to be debugged.
R1(config)#access-list 199 permit tcp host 10.1.1.1 host 172.16.1.1
R1(config)#access-list 199 permit tcp host 172.16.1.1 host 10.1.1.1
R1(config)#end
R1#debug ip packet 199 detail
IP packet debugging is on (detailed) for access list 199
The use of debug commands requires the allocation of system resources like memory and processing power and in extreme situations can cause a heavily-loaded system to stall. Use debug commands with care. Use an ACL in order to selectively define the traffic that needs to be examined to reduce the impact of the debug command. Such a configuration does not filter any packets.
I have three ESW-540-24 10/100/1000 Switches in a small school environment
1. ESW performs as a server switch for out small cluster of VMWare ESXi Hosts and iSCSI SAN with a link-aggregation/lacp/etherchannel connection to the backbone switch, and a Link-Aggregated Connection to the thrid ESW switch via a multimode optic fibre link to a near-site backup and DR location
2. The second ESW acting as network backbone links back to the server switch and our older LinksysSRW224G4 (four SRW224G4s) switches using Aggregated Links / LACP to reduce bandwidth contention and allow for link redundancy
3. The third ESW as mentioned previously is at the backup DR location linked back to Switch 1
When using Single 1GB links between these three switches I can almost saturate the 1GB link (80-95% utilisation) as soon as link aggregation is configured by bonding 2x 1GB links together to form an etherchannel link utilisation will not exceed 100MB (network monitor graph on a server/ workstation runs flat at 10% utilisation) I have tested this multiple times useing large file transfers accross our SANs (which have high enough throughput to saturate links) and can confirm that performance degradation occurs as soon as an etherchannel is configured on the same ports (regardless of manually setting admin speed and duplex of copper ports etc) all indicators specify that ports are running at 1GB even though throughput REDUCES by 90%.
We are not running the latest firmware yet (2.0.3), however I have read the release notes for newer versions (2.1.16 and 2.1.19) and there is no indication of a fix for etherchannel/lacp performance issues.
I am bridging my NetComm router to the Linksys EA4500 and it is giving me only 8MBps whereas the line speed is 14MBps. I have tried to connect directly to the netcomm by disabling the EA4500 and I am getting 14MBps. Any way to increase my speed?
I have been using "debug ip packet" on a Cisco 2921 running IOS 15.1(4)M1. The problem I have is that, although I am using an ACL to limit the output, I am seeing some output that is distracting from what I am trying to see. Specifically, I am seeing the following:
Mar 19 20:22:36.135: IP: s=192.168.20.253, d=224.0.0.2, pak 30DB6D4C consumed in input feature , packet consumed, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE [ code]...
These would appear to be HSRP messages. But I don't understand why they are appearing when I configure "debug ip packet 101". The ACL is pretty simple:
Using 'debug ip packet acl# det on a 2911. On an older Cisco router you could set up an ACL
access-list 150 permit tcp any any eq 1023 and then run debug ip packet 151 det and this would give a good debug output for any traffic matching a TCP port of 1023.Now when I try this on a 29xx ( Version 15.1(4)M3 ) I get the screen filling with a lot of multicats HSRP communications.
I have tried rewriting the acl to have other deny statements after the permit to limit the source or destination hosts and/or the ports but the HSRP data is still there.
like this access-list 150 permit tcp any any eq 1023 access-list 150 deny udp any any eq 1985(code)
We have a remote site connected to ADSL line with a Cisco 887VA router attached. This has been working fine for the last couple of months. However, recently, the site have started to complain of performance issues (network slow, applications disconnecting, etc)Looking on the router, we can see evidence of packet loss/timeouts from a simple ping to the internet e.g. [code]
However, we have logged the fault with our service provider and they return all line tests as clear but what is particularly strange is that they also report “and the SNR Margins are well within threshold levels (Upstream 11.5 and Downstream 15.0)” which, unless I’m misunderstanding something, seems to be completely different from what the router itself is reporting.Is there a reason why the service provider’s stats for Noise Margin would appear to be so different from what the router is reporting?
I have a problem with a test network configuration i'm trying to set up. I have an SGE2000 G5 switch for LAN traffic, and i have "reserved" 3 ports with a VLAN to obtain two separate internet lines with two different public IPs from my ISP internet cable. Now what i've tried to do is connecting the ISP cable to the port1 of the VLAN, and i've connected the other 2 ports to my routers. The problem is that when doing this, port1 switches to half-duplex mode and the result is a huge performance degradation (0.28Mb DL instead of 16Mb approx.).
I'm having issues with my download speed lately and I need to know whether it's my router that's causing the problem or my ISP.When I leave the router on for a couple of days, without rebooting it, my download speed degrades to about 40-50% of what it usually is and when I reboot it the speed is back to normal.It's a 150Mbps Wireless N router, model SBN WR11N R2. I have no idea what brand it is, my ISP gave it to me a few years ago. Seems to be running some custom firmware installed by the ISP.
Ive got a 494810ge switch, and this parameters are important for me:
sh int gi 1/4 counters detail Port InBytes InUcastPkts InMcastPkts InBcastPkts Gi1/4 252819467437788 173264735013 10827 760 Port OutBytes OutUcastPkts OutMcastPkts OutBcastPkts Gi1/4 36657317030233 280590958051 5248439 5443194 Port InPkts 64 OutPkts 64 InPkts 65-127 OutPkts 65-127 Gi1/4 558420918 205564441592 2627477631 60865368994
[code]....
Some parameters i can get by snmp (InBytes,InUcastPkts,InMcastPkts, and so on from out), but how can i take other parameters? I would like to do it by snmp but i did not find proper oids. Now I making a sheme like this: eem every 90 seconds takes this info and writes it down to file into nvram and then send it by scp to server, where file is processed by monitoring system script. It is not very good, cause cisco system cpu sometimes spikes of this and i dont know a resourse of nvram, how much times can i write to it?
I have the ASA5520, everyday I have a lot of connections through my ASA5520. But buffer in ASA5520 to save connections is limited. Now, I want my ASA can auto save the conn detail and Xlate to my Syslog server, how can i do that?
I am looking a solution to track login detail and visited web site on our public wireless network.We are using Cisco Wireless LAN controller 4400 series.
i have 3 access-list configured IN | Out on my Border router (MARTIAN) ,i have to look which one block some of the traffic passing through ,for that matter i have enabled the below commands on my ISR 2900: with nothing output.
how to debug an ACL I've created on a 4404 WLC, specifically I want to monitor what packets are being denied by the ACL as something that should be working isn't
I've created an explicit deny statement at the end of the ACL and verified that the counter increases each time I try the problem software update.
What I can't work out is how to get the WLC to tell me what packets are being denied by the explicit deny statement, all I can find are 'show acl' commands which just give me the counts.
The equivalent on a router would be debug ip packet acl and adding the log keyword onto an ACE. I suppose I could configure a SPAN session on the WLC uplink to the switch but that seems overkill?
Iam fairly new to Cisco IOS and am having trouble getting an IPSEC tunnel to come up between 2 cisco 881-s. I have entered both debug crypto isakmp and debug crypto verbose but when I try to ping an internal IP at the other location through my VLAN1 interface no debugging info comes up.
Also my ACL-s for the crypto maps show no activity. I have tried many things so my configuration files are starting to get really messy.
I'm attempting to debug an ipsec tunnel on an ASA 5510 (8.4(3)) and when I turn on `debug crypto ipsec` and then execute `logging monitor` I get an constant stream of TCP debugging events, is it possible to only view ipsec messages?
Debug is not showing up on the console. I have configured logging console. My older switches, if an interface goes down or is brought up, it shows up on the console, but not on the new 4507s.
WS-C4507R-E cat4500e-ipbase-mz.122-53.SG2.bin TG-4507#sh loggingSyslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled) No Active Message Discriminator. No Inactive Message Discriminator.
Any way of narrowing down a degub for a peer address only? For example, I currently run 'debug crypto isakmp 127' which captures everything, but can I run the same dVPN debug for peer address 1.1.1.1?I know you can run 'sh crypto ipsec sa peer 1.1.1.1'.We're using an ASA5520 (8.4.2).
I am quite new to wireless side and had a small Q regarding watching debug output while i am ssh to the WLC? I tried the other day and did not see any messages, now this could be for the reason that nothing triggered or perhaps it needs something like terminal monitor?? i couldnt find any such command. my WLC is 5508 running 7.3 version.
I have a 2600 with a PRI card, when I try to do an isdn test call int s1/0:23 ######### the debug constantly comes back with "Cause i = 0x83E020 - Mandatory information element missing" Vendor states he doesn't see the SDN 'flag' coming through. I have both the isdn nsf-service, and the dialer map configured to use a class with the outgoing sdn command.
I use a C892 router with the IOS c890-universalk9-mz.152-1.T.bin. I just ran the command "debug ip packet 151 detail" and then the router stopped to work because it was overloaded. The ACL151 I used is as follow:
Extended IP access list 151 10 permit ip host 10.1.1.1 host 91.1.1.1 In the syslog then I got hundred of messages from IPSec: Jan 11 09:43:35.677: IP: s=10.80.10.254, d=10.64.19.99, pak 8A7453CC consumed in output feature , packet consumed, IPSec: to crypto engine(70), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
[code]....
For me it seems just like that this ACL is not applied and that I have a debug then for the whole traffic.
There is a plenty of tunnels ended and it works.But i have one tunnel, which doesn't work.I tried turn on "debug crypto isakmp" and it show this: RECV PACKET from 10.200.79.161 ISAKMP Header. [code]
So there is problem with IPSEC and with no matching SA, but i don't know which one.Then i try to turn on "debug crypto ipsec 255" but it displays nothing. [code]
I have a Cisco 857 which seems to be dropping connection on its public interface.I would like to see the logs of the ppp or something which may identify the problem of why the device has lots its connection.
I know what you can setup logs for a specific IP, but it is possible to setup logs for debug messages?Also what other logs would identify the problem?
What would cause debug output to not show on a remote session via telnet connection where you've enabled terminal monitor?
The reason I ask is I was working with a client and we were debugging WCCP. I ran the debug ip wccp packets and events commands, then entered terminal monitor. After this, we saw nothing. We should have at least seen particular WCCP-related packets because we saw the necessary cluster view was established which can't be done without the exchange of these packets.
Can having syslog (logging) configured cause the issue? Did I use the command incorrectly?
I've created a BVI2 where I bridged dot11 0.2 and vlan2 in order to have wired and wireless clients in the same vlan.Some wired client are not reachable from the lan. Wireless clients have no pbl in reaching each other.Monitoring a MAC address that is supposed to be behind the FA2 I have noticed that it moves to vlan2 when in fact it should be behind the FA2.Of course when "show mac-address-table" says it is behind Fa2 the ping to that MAC address works whereas when the TCAM reports it is behind vlan2 it doesn't. Once the MAC address is behind the vlan2 if I clear the mac-address-table and that mac-address is still put behinf Fa2 then the pings works again, sometime I have to perform twice the clear command before the MAC address goes back to the right location.I'd like to understand why the router moves that MAC address from Fa2 to vlan2 and that's the reason for my question in the subject.I don't have any problems for port Fa0 and Fa1."Show int fa2" doesn't show any problem/errors or the likes.BTW even if I force that MAC address to be statically behind FA2 the ping works fine but then stops and if I do "show mac-add" the static entry for it is still there... so looks like there us something that overrides that static entry. If clear everything and I have the mac-address be behind Fa2 then everything starts to work again. I used Fa3 instead of Fa2 and I get the same results.
I have strange problem with 1800 router , I can't see any debug messaging , the ping from PC to this router is Ok , but no icmp debug appears , even I enable "debug ip icmp " the version of router is : C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(6)T6
