Cisco WAN :: 3750 And 4507 / 1Gbps Link / Sweep Ping Dropping Packets?
Dec 29, 2010
We are testing a new 1Gbps WAN circuit between 2 sites. We have cisco 3750 and 4507 on each end. Every time we run extended ping sweep ranging from 36 to 18024 bytes the packets are being dropped randomly once the size goes above 1500 bytes. Our ISP claims Demark to Demark test are clean and they don't want to acknowledge the problem, they blame our switches. To prove the problem is not on our end we've put different switches at each end, still facing the same issue. Ping success rate is around 98 to 99 percent.
We are running CiscoPrime LMS 4.1 and I have a problem with PingSweep in Device Discovery. Our company's branches connect to the main site through GETVPN. Discovery through CDP, Routing Table and ARP cannot be used based on the document written by Joseph Clarke [URL] and which is extremely useful. So the only available option is PingSweep.
The loopback interfaces of all the remote GETVPN devices are in the same IP range, so this was configured in Module Settings --> Ping Sweep in the Discovery.
Unfortunately none of the devices get discovered, even though there is icmp connectivity from the server to the loopbacks.
I bought a DIR-655 a less than a year ago on amazon, and it was working great up until about 4 weeks ago. Ive noticed that it has been dropping alot of packets while I am gaming on my computer. I would run about 95-98 ping usually and now it jitters every 5-10 mins or so from 95-98 to up to 500. It is really troublesome during games and I dont know what to do. Ive tried disabling QoS and still nothing. I run on wireless G and N with auto 20/40 mhz. Standard WPA(personal) and it was running absolutely great until now. I know its the wireless because I have hardwired it into my laptop, both from the router and just the modem itself with no problems whatsoever. I dont know what to do about it.
Have a Cat 4507 with Supervisor 7-E, setup configuration to send NetFLow information to an external server, everything worked great but after 2 weeks, the exporter is showing zero packets sent and the following error is at the console:
I have one 12-port 3750 switch having one gig connectivity with ASR-9010 router having IOS-XR. I am not able to ping this link with 9000 mtu size. I have enable system mtu jumbo on switch to 9000 and on ASR router interface mtu is set to 9114. At switch side switch interface is configured as a trunk port and one vlan has been passed on that interface. I am not able to ping the ip 172.16.10.2 with 9000 mtu size.
we have a core switch 4507RE at the data center and 2 departments that connect to it via 10Gig fiber using X2-LRM modules. Each department has a 3 switch stack and both locations are identical w.r.t type and setup scenario.the stack comprises of 1 x 3750E and 2 x 3750G . uplink is from X2 port tengig3/0/1 from the 3750E switch.
All of a sudden dept B started facing problem , where the ping would break and throughput comes around 6 - 7 mbps from that dept to the server behind the core switch. we also noted CRC error on both sides preodically.
we replaced the multimode fiber patch cords, re did the splicing , which stopped the CRC errors to appear.now since morning the uplink port on the 3750E (3/0/1) would suddenly be in "down" state with (err-disabled) as the status when i run sh int ten 3/0/1
and i can also see CRC errors and input errors on the same interface.. if i do shut / no shut .. the port is up and active again.. but this has happned 3 times today.the core swith side is still OK and no CRC / input / output errors are seen..
now on the 3750E i have swapped the 10gig module from 3/0/1 to 3/0/2 . the port is still up but i can see 400 CRC and 500 Input errrors.the module is also OK as i had replaced it with dept 1's module.
I have ASA 5510 with 8.4 connected to ISG 1000, when traffic is passing the VPN tunnel is working fine, when the traffic stops, ASA will drop the packet but the VPN tunnel on ISG still up .When new traffic started from ISG side, it will drop, as the tunnel is not up on ASA side.
I am having an issue where the ASA is dropping packets on the vlan interfaces. I have it as a dedicated router/firewall for a 100mb connection .
Vlan1 is the internal networkVlan2 is the network to cable modem
Eth 0/1 is connected to a 2960G switch with hard coded 100mb Full Duplex at each end, this is the inside interface. Eth 0/0 is the connection to the cable modem, this is the outside interface, set at auto at both ends.
Im getting on the vlans eg. 51253 packets dropped however network traffic isnt impacted and everything runs fine, as well as 46532 switch ingress policy drops.
ciscoasa# sh int vlan1Interface Vlan1 "inside", is up, line protocol is up Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec MAC address 70ca.9b36.ab80, MTU 1500 IP address 10.x.x.x, subnet mask 255.255.255.0 Traffic Statistics for "inside": 43250588
We have a cisco 800 series router between the internal network and the WAN. the problem is we are unable to receive some of our mail due to dropped packets by our router. the conversation between the two servers stops at the point were our server responds with the command 250 2.1.5 firstname.lastname@example.org | 354 Start mail input; end with . i was able to trace the packet, using Packet Export, on the internal interface but not on the external interface. Also i have noticed that the external interface has about 160,000 unknown protocol drops while the internal interface has 0.
Is there anyway to find out way the external interface is dropping the packets.
We have a customer who we sent to Cisco to replace some aging Dell switches. They purchased 5 SG300-52’s for 2 different networks. Their production LAN has 2 “live” switches and 1 spare. The 2nd, a development LAN has 1 switch and 1 spare. Their primary production SG300-52 has GE1-8 VLAN’d off as VLAN2 for public IPs. The untrusted (WAN) interfaces of 2 x ASA-5510’s, 1 x ASA-5505, and 2 x RV082 v2’s are connected to GE2-6. GE1 is the uplink to the co-location center’s Cisco switches. GE7 & 8 are spare ports. Each SG and device port is hard coded for 100/Full.
One of the ASA-5510’s and the ASA-5505 maintain a site-to-site VPN (the development LAN used to be in a different facility hence the VPN). Recently the developers have stated the performance is horrible. I noticed ping traffic loss from PCs on the dev side to servers on the production side in the order of 20-30%. I assumed it was a VPN issue so I opened a ticket with Enterprise TAC (all the ASAs and the SGs have either SmartNet or extended support contracts). TAC determined the problem happened even if you ping from inside the ASA to the untrusted side of the other ASA thus eliminating the VPN as the culprit.
The 2nd ASA-5510 has the AIP module and was not even live until this weekend. Turning it up and giving it a basic config returned the same results. #ping x.x.x.x repeat 100 will drop 20-40 packets. I have no security enabled on the SGs and even tried using the spare SG300-52 this weekend in place of their primary with the same result. I’m to the point of returning one of the Dell switches to production, but this cannot be a good sign. I’m also a bit frustrated that I’ve yet to figure out how to get Cisco Enterprise to speak with Cisco Small Business on this. The customer has over $10k invested in Cisco equipment and Cisco isn’t jumping in to figure this out.
The latest rep wants a packet capture from the SG300’s VLAN2 but there are no PCs there to do this with and the manual doesn’t even talk about doing this. How we can do this as well as get the 2 divisions working together to fix this? BTW, the RV082’s exhibit the SAME exact problem. I can ping from ANY device on VLAN2 to any other device and drop packets. Copying a simple 1MB file over the VPN can take minutes where it should take 1 second. I can reproduce this for 24/7.
We have a setup with a MS-TMG - ASA (8.2.4(4) in routing mode) - (internal) Router - FWSM - Router - Exchange with NLB. We have now the problem that IMAPS is not really working through this setup. It works from internal (without ASA and TMG inbetween), but not reliably through the internet. There is a rule on the ASA which permits the ports from the TMG to the Exchange NLB address.We opened a case with Microsoft and they told us that not all tcp-syn packets are received by the Exchange server which were sent by the TMG.Thus I sniffed on the ASA with a packet capture and indeed, a lot of syn packets were on the interface to the TMG, but not anymore on the interface to the internal router.This ASA also filters all other internet<->company traffic, so there's a lot of stuff running.
Maybe it's dropped in the ASP, or is the capture maybe not valid?Here the show asp drop:
ASA01-Internet# sh asp drop Frame drop: Invalid TCP Length (invalid-tcp-hdr-length) 1 Reverse-path verify failed (rpf-violated) 319 Flow is denied by configured rule (acl-drop) 477077 First TCP packet not SYN (tcp-not-syn) 10212 TCP data send after FIN (tcp-data-past-fin) 41 TCP failed 3 way handshake (tcp-3whs-failed) 824 TCP RST/FIN out of order (tcp-rstfin-ooo) 1419 TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 6 TCP SYNACK on established conn (tcp-synack-ooo) 1 TCP packet SEQ past window (tcp-seq-past-win) 821 TCP invalid ACK
It appears we might have an issue with our RV082 (v4.2.1.02) dropping packets during the teardown of many TCP conversations. I have attached two packet captures of what I believe is the same conversation. One is from outside the router (Wireshark using an Ethernet Tap) and the other is from the client inside the router (SLES11SP2 running TCPDump). These are both very small captures 9 packets and 18 packets and I'm hoping it will identify the problem.
It appears that the RV082 is prematurely closing the natted port used to communicate with the host outside the network. The host sends a FIN, ACK packet, to which the client responds with an ACK, However, when the client then sends his FIN,ACK sequence, it never makes it outside the router. The client sends a total of 9 FIN,ACKs trying to contact the outside server, but none of those appear to make it through the router.
Is the router slamming the door prematurely? (I've been fighting with this problem for 3 weeks now!)
We have a Cisco ASA and recently purchased a cisco small business srp527 router. It is connected to our ADSL2 connection and is working fine. I have configured the device with an ipsec tunnel using an ike profile and the tunnel is created successfully with packets traversing the tunnel. However packets are being dropped intermittently, with no cause. The link is currently not being utilised, there is no load on the network however when I ping Google and any address subject to the rules of the tunnel i notice that a single packet is dropped every now and then.
I seem to be having an issue where certain very packets are being dropped/lost by my office router. The reproducible situation is, when I attempt a DNS zone transfer from my linux bind DNS server (A.A.A.A) to any server on my network behind NAT (Y.Y.Y.Y) the first packet (Seq 1) of the response is lost. The client making the query asks for first packet (Seq 1) to be resent, and the DNS server attempts to resend it repeatedly, but those are lost too.
We have a customer who uses about 20 x c2960's switches for access layer and 2 x c3560e for distribution layer. C2960's uses C2960-LANLITEK9-M , Version 12.2(58)SE1. Everything was working fine. Now we got information, that sometimes there are problems with connectivity. Customer tries to reach internet.
SW11#sh int fa0/18 FastEthernet0/18 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is e8ba.806a.4412 (bia e8ba.806a.4412)
I am trying to find a solution using modular QOS when there is congestion in circuit we drop packets with WRED which are marked with a DSCP value of say AF21. I can drop those traffic completely in case of congestion. I was thinking to allocate 100% bandiwth to rest of the traffic.
I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part.
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing. Cisco871#sh run
Current configuration : 8005 bytes ! version 12.4 no service pad
I am attempting to FTP to a remote site through a IPSEC tunnel.When I am transfering large files the ASA5540 is showing syslog errors stating "connection timeout". What I think is happening is after about 1 hour the firewall is closing the connection control port for the FTP session and neither end is notified so eventually the transfer is stopped.What do I need to modify in the FW to accommodate these larger files?
I have a ACE module A2(3.5) installed, I am having a connectivity problem between two servers in my network. I have captured some traffic on different points in my network and from capture it seems like the problem is with this ACE module or somehow it is closing the connection.
I have 2 ASA 5510 firewalls at 2 different sites. Both running on version 8.0.4. Users are using an Instant Messaging type of application provided by a local telco here which is able to send and receive SMS using SIP (from the packet capture that I've done).
When users use the IM in site A, they are able to send and receive text messages via the IM from behind the firewall. However, when the users are in site B, users are able to send out text messages but not able to receive them.
I noticed that when I remove "inspect sip" from site-B's global policy map, users from site-B can successfully receive text messages. I have confirmed that it is the firewall that drops the packets as I have captured the inside and outside interfaces of site-B's ASA and I can see the incoming sip "request: MESSAGE" packet on the outside interface but I do not see the packet exiting the inside interface.
I have cross check both firewall configurations, and I do not see anything suspicious commands relating to sip that might cause this issue. Is there any command to troubleshoot why the sip inspection is dropping the sip packets on site-B?
The company I work have finally decided to enter the 21st century and invest in a new telephone system (Interactive Intelligence) to replace the legacy system which has served us well for the past 10 years. The project has only just started and involves upgrading sections of CAT3 cabling to CAT6, replacing Cisco 3550 switches in one area of the building with Cisco 4507 switches and upgrading our Core switches with Cisco Nexus 7010's. The area that concerns me most is enabling the network for qos as I have very little experience with it. At the moment Im trying to read as much documentation as I can on QOS to bring myself up to speed.
The access layer switches will consist of a mixture of Cisco 3750 & 4507 switches connected to Cisco Nexus 7010 switches which will form a collapsed aggregation & core layer.
Basically, how I should approach this daunting task of making sure the network will support VOIP.
I recently installed DHCP snooping on a 3750v2 switch (Version 12.2(55)SE4) and configured the uplink(Po2) as a trusted port. The problem is that clients cannot receive an IP address. When I disable DHCP snooping it is working properly. DHCP snooping is configured correctly but I don't have an idea how to resolve it. [code]I tested the solution on the same kind of hardware switch and firmware and it worked out fine. What is causing the clients not to receive an IP address from the DHCP server?
We have a remote site that is using 3750X switches as layer 2 switches back to our home site. The uplink port is showing dropped packets but the utilization on the link is never about 10%. We have a 100Mb circuit to this site. Our speed tests and iperf tests are not showing any issues that we can see. However the port is still droping packets. It is not dropping at a high rate but they are dropping.
I am trying to use my WRT120n as access device for an IP Centrex service using SIP protocol. My SIP phone is located right behind the router.My problem is sometimes the router is dropping incoming calls because signalling packets are fragmented at IP level. So I cannot receive those calls.Is there a way to enable the router to accept these packets?
I am connecting a cisco device with huawei device. The issue is when i ping with normal size packets (56 bytes) its ok. But when i increase the packet size above 1500 it doesnot works. MTU on both size is configured as 4096. I have also checked by varying MTU size, but still the same.
a power analyzer in my network is sending some packets that are unexpected and incorrectly recognized as DHCPOFFERS. As a workaround, I would like to filter those packets with my Cisco switch 3750.Suppose IP_POWER_ANALYZER is the ip address, what could be the best choice
1. deny udp any IP_POWER_ANALYZER eq bootpc 2. deny udp any IP_POWER_ANALYZER eq bootpc; deny udp IP_POWER_ANALYZER any eq bootps 3. deny udp any eq bootpc IP_POWER_ANALYZER eq bootps
When we install an HWIC-2FE card in slot 0 or slot 1 of a 3845, the interface fails to pass any ping packet greater in size than 449 bytes. It works fine up until that limit is reached, but then fails completely on a larger size packet. If we move to slot 3 or slot 4 on the 3845, the card works just fine! I have looked through the cisco official bug tracker for HWIC-2FE, but could not find a similar symptom listed. We're running advanced ip services 12.4(24)T7 code on the routers. Any software fix or if this is a platform problem with the 3800 series.
In fact i receive traffic on a one client per vlan basis (traffic is PPPoE), i receive all this traffic on a router, collecting all these vlan on a bridge where the pppoe packets are treated.When I use a transeiver to convert operator fiber arrival to my router copper media interface, i have no problem....
When I use dot1q-tunnel to make the same on my 3750, packets seems to be corrupted.I get PPPoE timeouts and packet loss, not regulary, totally stochastic...
I made dozen of tests and different settings, without success I first thougt of MTU issues. [code] I made tests with system MTU and/or system jumbo MTU above 1500, without success.I didn't found any known caveats on 3750 running Version 12.2(25r)SEE4 related to dot1q-tunnel.
A specific switch port which happens to be part of a 2 switch 3750 Switch Stack is seeing multiple CDP packets from 3 extra switch port interfaces that are not directly connected. Noteworthy is that the far end devices have the correct CDP entries and I physically confirmed at least two of those connections that lead to the switch "upstream to the culprit switch". Tricky part is that its production so room for maneuvering is limited. At some point I disabled all Ports save for the real uplink and the problem momentarily disappeared. Re-enable the interfaces problem resurfaces. Is there an explanation, technique to eliminate the culprit with minimal disruption?