Cisco WAN :: ASR1006 / Traffic Drops When BGP Re-converges
May 5, 2011
why I would see packet loss when BGP comes back up. We have 2 ASR1006s, both running full BGP tables to the same upstream ISP. We load balance the 2 links to them. The ASRs have an OSPF connection between them. When one pipe goes down we see no packet loss; however, when that pipe comes back up we see packet loss until the BGP table fully loads in that router again.
When trying to configure ERSPAN on an ASR1006, I'm not getting any traffic on the destination port. The ERSPAN flavour is LOCAL SPAN, as described in:
[URL]
The configuration used is the following:
monitor session 1 type erspan-source
 no shut
 source interface GigabitEthernet0/0/2
 destination
  erspan-id 10
  ip address 10.10.10.1
[code].....
Apparently everything is configured in the proper way; however, I'm not getting any traffic on the destination port. Also, I've noticed the following in the details from 'Session 1':
We have a 100 Mbps WAN circuit. We have configured an IPsec tunnel between an ASA 5520 and a Cisco 3845 router for our DR site replication via Veeam Backup and Replication. It was working fine before; since we established the 3DES tunnel, the traffic for certain subnets is dropped after an hour and it stops the replication, although the tunnel remains up and we can access the other subnets. As soon as we clear the crypto SA and ISAKMP sessions on the firewall the traffic starts flowing again, and then after an hour the traffic is dropped again. So far the testing and different configurations we tried are as follows.
Tried a different MTU size both on the firewall and the ESXi servers, but nothing happened. There is no QoS configuration. Checked the utilization on both ends; it is normal, although there are occasional 100% spikes on the Cisco 3845, but on average it remains at 30-40%.
MPLS customer with 4 T1s in a multilink. If one of the T1s drops there is a brief delay in traffic picking back up, and I actually lose packets from premise back to CO. You can see this loss both with pinging across the circuit and with techs on either end running JPerf. It can take as long as 6 seconds for the reconvergence to actually happen on the multilink before traffic picks back up. In my experience this is normal behavior for multilinks.
I'd also like to note that it is indeed much quicker reconvergence when you physically pull the T1, any of the T1s, rather than administratively shutting down one of them, and I understand that the hardware is quicker than software and that's a good thing, obviously. I've tried this with and without ppp multilink fragment disabled on either end and every other combo between the two. Each of the 4 serial interfaces is on line timing, and I tried free-running just on the off chance that it could improve the loss, but it gets worse..... back to line timing. I've even tried this on other CPE platforms, like two different versions of Adtran CPEs, and I get the same thing. Currently I have a new 2821 CPE in place and still get the same thing. Still see a brief amount of traffic loss, up to 6-7 seconds or so at times.
7600 side:
interface Multilink592
 ip vrf forwarding ******************
 ip address *************************
 load-interval 30
 no peer neighbor-route
 ppp multilink
 ppp multilink group 592
 ppp multilink fragment disable
 no cdp enable
 service-policy output VPN-TEMPLATE-2
We have: ASR1000-RP2, ASR1000-ESP40, ASR1000-SIP40, SPA-10X1GE-V2, SPA-10X1GE-V2; Kiwi Syslog Server.
The ASR performs the function of an ISG. The number of subscribers is up to 10000, and this number is constantly growing. To economize on address space, subscribers surf the Internet through NAT.
Now the task is to keep logs of all translations or bindings. We need to store information about what time a certain internal IP address was using which external IP.
I've tried:
!
ip nat log translations syslog
!
logging trap debugging
logging host xx.xx.xx.xx transport UDP port xxx
no logging console (so as not to load the CPU)
!
The errors stopped appearing, but the logs do not arrive. I think that, because of the huge number of translations per second, it cannot send them fast enough. How can this problem be solved, or how else can I obtain and store information about the translations?
In a 6500 or 7600, 'show module' gives a rundown of all the modules in the slots, their HW and SW versions, and their status. But I can't find a similar command on the ASR1006.
I'm trying to configure a DMVPN architecture with two ASR1006 routers to serve a bank's remote offices, one ASR in the CO building and the other in the CA building (CO: Operational Center; CA: Recovery Center). Each ASR has two LAN connections to the internal network and two WAN links to the remote offices. Each WAN link belongs to a different provider. Each remote office has a router with two WAN links connected to those WAN providers. We are configuring the DMVPN with two primary tunnels in the CO building and two failover tunnels in the CA building. We made the configuration (schemas and configuration attached), but we only get two tunnels up at a time. We cannot ping from the office router to all four tunnel interfaces on both hubs.
We made some tests disabling some tunnels and we could get communication with only two tunnel interfaces. We got communication through the tunnels when we had just two. We want to have the four tunnels for high availability. We would like to know how to troubleshoot this and get a design review, because the examples and documentation are very limited.
I want to do something with IP SLA and started by establishing a baseline.
I'm trying to check the history on an ASR. I tested the same config on a 3845 and had forgotten the "history filter all". After this I could see the history table on the 3845, but the history is still empty on the ASR1006. The operation started, because I can see information with "show ip sla statistics".
know if I missed something, or maybe this is not supported on the ASR1006?
re-ld-tcc-02_ASR1006#show vers
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.2(1)S2, RELEASE SOFTWARE (fc1)
We have an ASR1006 and I'm just discovering the NetFlow aggregation cache.
I tried prefix aggregation and it worked fine. But I can't get any information when checking AS aggregation. All I get is 0 in source and destination AS. [code]
I have a Cisco ASR 1006 router. I need to create a PPPoE connection via Ethernet. Can I do that on the management port? And what type of adapter is used in the Gigabit Ethernet interface to connect it to fiber? Hint: my interface hardware is SPA-10X1GE-V2.
I have problems exporting NAT translations from my ASR1006 router through NetFlow v9 to my nfdump server. Is there any open-source or licensed software (collector) that you recommend?
ip nat log translations flow-export v9 udp destination 10.1.1.15 1181
There is an ASR1006 router in the network that serves as an Intelligent Service Gateway (ISG). Subscribers are layer 2 connected, and subscriber sessions are initiated on a DHCP request. The ISG is configured as a DHCP relay agent. Wi-Fi clients connect to the WLAN using an open SSID and are redirected to a web portal where they enter their login info. This info is sent to the RADIUS server, which checks whether the user is allowed to use the Internet service. All the APs are connected to the WLC using CAPWAP. The question is the following: there is a requirement to track from which AP a particular Wi-Fi client is connected. In this case the ISG somehow needs to obtain the AP's MAC address and send it to the RADIUS server (probably using attribute 30, Called-Station-Id). One possible way for the ISG to obtain the AP's MAC is via the WLC. But the thing is that when the WLC is configured as a DHCP proxy and Option 82 is set, a wireless client does not obtain an IP address via DHCP. In this particular case there are two DHCP relays/proxies in the network path between the client and the DHCP server. Is there any other way for the ISG to obtain the AP's MAC address?
We have a Cisco 2821 at one of our branches and created five subinterfaces for different VLANs. The output of show interface shows a very frequent increase in the input error count. I have changed the physical cable and the switch port on the other side, but the error rate is still increasing. When the traffic is low the error rate is low, but with high traffic it increases drastically. My router CPU usage is very low (only 4%). What could be the possible reason? [code]
We are looking to implement traffic shaping/policing, primarily for P2P traffic. As natively the ASA5550 is only capable of P2P inspection if the traffic is tunneled via port 80, is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note, we are also looking to implement an IDS/IPS system, so could this module cover both? Is this module going to provide the desired outcome, or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product, if only so that we can make use of the investment we already made in these devices.
I am testing bandwidth limiting using my ASA 8.2. I am trying to limit Internet access for certain users, in order to save bandwidth for the important things, but I can't get any limitation.
My configuration is the following. The access list is just for my PC in order to test, and the service policy is applied to the outside interface (called Internet in my case) for incoming traffic:
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any
class-map Internet-class-TEST
 match access-list Internet_mpc_1
policy-map Internet-policy-web
 class Internet-class-TEST
  police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service-policy I can't see any activity on the policy, but if I do a similar configuration for the inside interface, outgoing traffic, I can see packets allowed and dropped.
I have an SMTP relay deployed on the DMZ for mailing. I also have a mail server installed in the internal LAN.
I want to allow traffic from the DMZ to reach the internal LAN, and I also want to allow the SMTP relay in the DMZ to reach the Internet.
How can I block traffic from the DMZ to the internal LAN (except SMTP) if, to allow traffic from the DMZ to the Internet, I must put ANY in the policy?
To allow traffic from the DMZ to reach the Internet, the policy must be DMZ -----> ANY -----> Services. Does this policy mean the DMZ can implicitly reach the internal LAN?
We have a Cisco 2811 running ITP IOS. On that router we run the SMPP service. A client on the network connects to this service, and we need to capture the traffic for debug.
I've tried traffic-export, but I cannot see any outbound traffic. I'm guessing that this is due to the fact that the outbound SMPP traffic is not transit traffic, as it is generated by the router itself.
I am trying to come up with the best way to shape traffic with 3750ME switches. The traffic will be coming from a 6504 Sup-7203b downstream and going out the WAN. Core---L3---->6504--intvlan80--trunkport to--->3750ME---g/1/1/1-trunkport to---MetroE network--->int f0/0.80--branch router. The idea is to use the 3750 to shape the traffic going towards the WAN/branch to 500 to match the contracted rate and then to use QoS on the shaped rate. I tried to apply it to g1/1/1 using port-based policies, but it did not shape the traffic. I changed everything to IP interfaces and it worked. I need to break up the MetroE into different VLANs so I can bring branch offices in on different VLANs.
We have a problem with our WS-C3560V2-24TS running IOS c3560-ipservicesk9-mz.122-53.SE2.bin. The equipment keeps dropping packets for no apparent reason.
This is what we are seeing:
LAN-port
Router0#sh interfaces fastEthernet 0/2 | include drops:
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 20595
WAN-port
[Code]....
We are shaping the gig uplink to 100 Mbps; the equipment is dropping packets randomly and not because the shaper kicks in and starts to drop packets.
We have a 512 link and observe output drops and application timeouts. Link utilization is not very high. When pinging with 1500 bytes, it shows output drops, and when pinging with the default packet size, no output drops are observed.
A service policy is also in effect and shows some drops.
just found your site poking around for some information. I'm pretty green with routing and firewalling, so I'm hoping someone can point me in the right direction. I'm trying to set up a remote access VPN for the off-site employees we have. I would eventually like to have this set up to use either the Cisco VPN client or the WebVPN option, but this question is about my VPN client setup. I'm using a Cisco ASA 5505 at the head end and the Cisco VPN client 5.0.06.0160 on the client side. In the logs the client authenticates, grabs an IP, DNS and domain info, and then drops the connection.
I have an 887 set up as an EasyVPN server and an 861 as an EasyVPN remote, network extension mode with split tunnelling. This works fine; I can ping and connect to machines across the tunnel. However, if I set up a VoIP handset to connect across the tunnel, it registers and calls work, but they drop after 30 secs.... I know this is normally a firewall or NAT problem; are EasyVPNs firewalled or NATed?
I have an RV042 connected via VPN to the office (to a LinkSys DFL-700). Sometimes the VPN is dropped and never activates again. In this state, if I try to connect to the web interface, I can log in, but the router hangs at the login screen. I have to power cycle the router to make it work again.
Updated to the latest firmware, 4.2.1.02 for V3 hardware. The funny thing is that services from the web routed through to local IP addresses on the LAN are still accessible. I have set up a PPTP VPN on the router, and that also fails to work.
Is there, as a workaround, any possibility to access the router's reset page or access it via Telnet to reset the router? This might be useful when I'm out. (I have a backup solution to access the local network at home.)
We have a fairly major problem with some of our Cisco 877 units (5 in all). All are running 15.2(2)T2 in order to make use of zone-based firewalls and virtual reassembly, and all are exhibiting the same problem. When our ADSL line drops this is shown in syslog:
2010-11-09 01:03:06 Local7.Info 192.168.7.1 4733: Nov 9 01:03:05.707: %FW-6-DROP_PKT: Dropping tcp session 192.168.7.2:25 109.224.142.52:41799 on zone-pair OutsideToInside class cm-MainServerServices due to RST inside current window with ip ident 0
2010-11-09 01:04:06 Local7.Info 192.168.7.1 4734: Nov 9 01:04:05.946: %FW-6-DROP_PKT: Dropping tcp session 192.168.7.2:25 109.224.142.52:41809 on zone-pair OutsideToInside class cm-MainServerServices due to RST inside current window with ip ident
[code]...
The "no retrain. sleep 20 seconds" messages continue forever until somebody power-cycles the router, which is a bit inconvenient as two are 300 miles away. Surprisingly, our event manager applet isn't triggering the reload either, which defeats the object.
My computer is on a direct connection to a DOCSIS 3 modem, with service provided by Comcast. I had no problems with the Internet for about a month after signing up with Comcast at 6 Mbps. Then, out of nowhere, the Internet began to drop out whenever in use. When the computer is connected to the Internet and I am not actually using "bandwidth", the connection stays connected all day with no blips. But when I try to access YouTube or some other site that demands bandwidth, it drops out. Comcast has sent out 7-8 techs to troubleshoot the issue, to no avail. They have replaced the modem 3 times, the Ethernet cable (is that the right word?) has been replaced, and Comcast cut holes into my walls to re-wire the entire building. I just had a guy leave from Comcast, and when he hooked up his laptop to this modem he had absolutely no problem. Then he hooked up a router, and we both used direct connections to get on the Internet, and as long as his computer was connected the signal was strong with no blips. We removed his computer and the connection dropped within a few minutes. Comcast says they have verified the integrity of all their equipment, cables, splitters, main line, etc. I even tried backing up my machine and reformatting it, and I still have the same issue. I've always been good about not getting viruses or spyware. I have no idea why only my PC won't stay connected to the Internet. Oh, also the Comcast tech hooked up a meter to the cable line, and he says when the Internet drops out on my end the cable signal is still strong with no blips. When the modem goes out, all the lights drop out and it has to re-identify; then it comes back up for a few minutes, only to spiral down and disconnect.
I live in an apartment, and I have a USB adapter that allows me to get on the Internet wirelessly. The apartment complex I am at has a clubhouse that offers free Internet to people here who don't have it. If I plug in my adapter I can get a signal from the clubhouse's wireless, and I can connect to that, and I have no problems at all on the apartment clubhouse Internet, only on my direct connection from my Comcast modem.
We have an 877 router which usually runs fine, except that twice in the last few months it has defaulted its configuration!
I can't see any obvious faults with the unit, I can reconfigure it and do a write mem and it will hold the configuration through reboot cycles. Config register is 0x2102 as it should be.
I have a 3750X-24T in our production environment that is showing a very high number of OQDs in the 'show int sum' output for 4 of the Gigabit interfaces. The interfaces are each in a separate port channel, there are no OQDs for the relevant port channels, and there are no output drops shown in the output of the 'sh int' command for each interface.
The following are the OQDs for the relevant interfaces:
Gi1/1/1: 0
Gi1/1/2: 0
Gi1/1/3: 0
Gi1/1/4: 0
Gi2/1/1: 4252879251
Gi2/1/2: 4251090833
Gi2/1/3: 4251754140
Gi2/1/4: 4294942102
Po1: 0
Po2: 0
Po3: 0
Po4: 0
Gi1/1/1 and Gi2/1/2 are assigned to Po1, and so on. IOS version: C3750E-IPBASEK9-M 12.2(58)SE2