為什麼 Cisco IOS 路由器會在大量下載過程中掛起？

經過幾年的使用。如果您的單個下載量超過 100M，我們已經看到 Cisco 871 和 851 路由器會掛起。它是間歇性的。有時問題會消失，有時會發生在非常小的下載量（只有 10KB 的網頁）上。似乎幾乎所有的下載最終都會完成，但是下載越大，掛起的時間就越長。

有沒有辦法解決這個問題？（缺少路由器更換，這是我們一直在做的）

我們正在使用一年零兩個月大的Cisco 851重新審視這一點。在這一點上，類似的掛起似乎正在發生，但規模要小得多。在這種情況下，客戶購買了30Mbps上行/下行網際網路連接，他們只能獲得5Mbps/20Mbps上行/下行。有時，下載速度會降低到 5Mbps。

下次我去那裡（希望是下週）時，我將嘗試下面已經提出的建議，並編輯我的發現。

我在 Vlan1 和 Fa4 上的 ACL。我也有一些 ACL 已被替換且未使用。ACL 大約有 45 行，其中大約一半是備註。我已經在下面發布了配置。個人資訊被諸如WAN IP或hostname HIDDEN

如果您有諸如配置程式碼性能改進之類的建議，或者諸如我是否可以期望 851 上的 30Mbps 等資訊，我們將不勝感激。

Current configuration : 18157 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HIDDEN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 --GIBBERISH---
!
aaa new-model
!
!         
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
!
aaa session-id common
clock timezone EST -5
!
crypto pki trustpoint TP-self-signed-4140887523
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4140887523
revocation-check none
rsakeypair TP-self-signed-4140887523
!
!
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 60
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool ccp-pool
  import all
  network 10.10.10.0 255.255.255.248
  default-router 10.10.10.1 
  lease 0 2
!
ip dhcp pool sdm-pool1
  import all
  network 192.168.1.0 255.255.255.0
  dns-server --DNS Server 1-- --DNS Server 2-- 
  default-router 192.168.1.1 
!
!
ip cef
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 dns
no ip bootp server
no ip domain lookup
ip domain name noexist.example.com
ip name-server --DNS Server 2--
ip name-server --DNS Server 1--
!
appfw policy-name DEFAULT100
 application im aol
   service default action reset 
   service text-chat action reset 
   server deny name login.oscar.aol.com
   server deny name toc.oscar.aol.com
   server deny name oam-d09a.blue.aol.com
 application im msn
   service default action reset 
   service text-chat action reset 
   server deny name messenger.hotmail.com
   server deny name gateway.messenger.hotmail.com
   server deny name webmessenger.msn.com
 application http
   port-misuse im action reset alarm
 application im yahoo
   service default action reset 
   service text-chat action reset 
   server deny name scs.msg.yahoo.com
   server deny name scsa.msg.yahoo.com
   server deny name scsb.msg.yahoo.com
   server deny name scsc.msg.yahoo.com
   server deny name scsd.msg.yahoo.com
   server deny name messenger.yahoo.com
   server deny name cs16.msg.dcn.yahoo.com
   server deny name cs19.msg.dcn.yahoo.com
   server deny name cs42.msg.dcn.yahoo.com
   server deny name cs53.msg.dcn.yahoo.com
   server deny name cs54.msg.dcn.yahoo.com
   server deny name ads1.vip.scd.yahoo.com
   server deny name radio1.launch.vip.dal.yahoo.com
   server deny name in1.msg.vip.re2.yahoo.com
   server deny name data1.my.vip.sc5.yahoo.com
   server deny name address1.pim.vip.mud.yahoo.com
   server deny name edit.messenger.yahoo.com
   server deny name http.pager.yahoo.com
   server deny name privacy.yahoo.com
   server deny name csa.yahoo.com
   server deny name csb.yahoo.com
   server deny name csc.yahoo.com
!
!
!
username surfn privilege 15 secret 5 $1$1hrm$0yfIN0jK56rOm9cXfm2a21
! 
!
archive
log config
 hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!         
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address --WAN IP-- 255.255.255.0
ip access-group 123 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 --ISP Gateway--
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark Telnet, SSH access
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny   any
access-list 2 remark HTTP, HTTPS access
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 101 HIDDEN
access-list 102 HIDDEN
access-list 121 HIDDEN
access-list 122 HIDDEN
access-list 123 HIDDEN
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device 
and it provides the default username "cisco" for  one-time use. If you have 
already used the username "cisco" to login to the router and your IOS image 
supports the "one-time" user option, then this username has already expired. 
You will not be able to login to the router with this username after you exit 
this session.

It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you 
want to use.

-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 100 in
privilege level 15
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

喬治，我看到以下消息：

%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3558911335 1500 bytes is out of order; 預期序列：3558888055。原因：TCP 重組隊列溢出 - 會話 192.168.23.38:54435 到 65.199.63.58:801024

通過擴展隊列重組隊列，以下命令似乎對我有用。

ip 檢查 tcp 重組隊列長度 1024

我想這是一個很長的鏡頭，因為我不知道你的配置。希望有幫助！

科林·傑西諾

這些路由器背後有多少使用者？大概您正在對單個外部地址進行 NAT。現代軟體，尤其是 facebook 聊天等 web 服務，會打開很多並發 TCP 連接。我相信 Cisco 有一個靜態大小的 NAT 轉換錶。它可能會溢出並驅逐最舊的連接？恐怕我無法就檢查 NAT 表是否溢出提供任何建議。

我不會傾向於懷疑韌體，特別是如果它在幾年前可以正常工作的話。但是，我建議對界面統計資訊進行快速仔細檢查。如果您在介面上看到丟棄、無效、badrx 校驗和等錯誤，那麼這很可能是您的問題的根源。硬體故障、電氣隔離不足或其他原因。在過去的 3-4 年裡，由於內部電容器膨脹/爆炸，我已經停止計算有多少“便宜”的 5 埠 10/100 或千兆交換機出現半故障並且變得不一致和不穩定。一種

 show interfaces counters errors

聲明應該很快辨識出任何麻煩的介面。

祝你好運。

引用自：https://serverfault.com/questions/215443