為什麼 Cisco IOS 路由器會在大量下載過程中掛起?
經過幾年的使用。如果您的單個下載量超過 100M,我們已經看到 Cisco 871 和 851 路由器會掛起。它是間歇性的。有時問題會消失,有時會發生在非常小的下載量(只有 10KB 的網頁)上。似乎幾乎所有的下載最終都會完成,但是下載越大,掛起的時間就越長。
有沒有辦法解決這個問題?(缺少路由器更換,這是我們一直在做的)
我們正在使用一年零兩個月大的Cisco 851重新審視這一點。在這一點上,類似的掛起似乎正在發生,但規模要小得多。在這種情況下,客戶購買了30Mbps上行/下行網際網路連接,他們只能獲得5Mbps/20Mbps上行/下行。有時,下載速度會降低到 5Mbps。
下次我去那裡(希望是下週)時,我將嘗試下面已經提出的建議,並編輯我的發現。
我在 Vlan1 和 Fa4 上的 ACL。我也有一些 ACL 已被替換且未使用。ACL 大約有 45 行,其中大約一半是備註。我已經在下面發布了配置。個人資訊被諸如
WAN IP
或hostname HIDDEN
如果您有諸如配置程式碼性能改進之類的建議,或者諸如我是否可以期望 851 上的 30Mbps 等資訊,我們將不勝感激。
Current configuration : 18157 bytes ! version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname HIDDEN ! boot-start-marker boot-end-marker ! logging buffered 51200 logging console critical enable secret 5 --GIBBERISH--- ! aaa new-model ! ! aaa authentication login local_authen local aaa authorization exec local_author local ! ! aaa session-id common clock timezone EST -5 ! crypto pki trustpoint TP-self-signed-4140887523 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-4140887523 revocation-check none rsakeypair TP-self-signed-4140887523 ! ! dot11 syslog no ip source-route no ip dhcp use vrf connected ip dhcp binding cleanup interval 60 ip dhcp excluded-address 10.10.10.1 ip dhcp excluded-address 192.168.1.1 ! ip dhcp pool ccp-pool import all network 10.10.10.0 255.255.255.248 default-router 10.10.10.1 lease 0 2 ! ip dhcp pool sdm-pool1 import all network 192.168.1.0 255.255.255.0 dns-server --DNS Server 1-- --DNS Server 2-- default-router 192.168.1.1 ! ! ip cef ip inspect name DEFAULT100 appfw DEFAULT100 ip inspect name DEFAULT100 cuseeme ip inspect name DEFAULT100 ftp ip inspect name DEFAULT100 h323 ip inspect name DEFAULT100 icmp ip inspect name DEFAULT100 rcmd ip inspect name DEFAULT100 realaudio ip inspect name DEFAULT100 rtsp ip inspect name DEFAULT100 esmtp ip inspect name DEFAULT100 sqlnet ip inspect name DEFAULT100 streamworks ip inspect name DEFAULT100 tftp ip inspect name DEFAULT100 tcp ip inspect name DEFAULT100 udp ip inspect name DEFAULT100 vdolive ip inspect name DEFAULT100 https ip inspect name DEFAULT100 dns no ip bootp server no ip domain lookup ip domain name noexist.example.com ip name-server --DNS Server 2-- ip name-server --DNS Server 1-- ! appfw policy-name DEFAULT100 application im aol service default action reset service text-chat action reset server deny name login.oscar.aol.com server deny name toc.oscar.aol.com server deny name oam-d09a.blue.aol.com application im msn service default action reset service text-chat action reset server deny name messenger.hotmail.com server deny name gateway.messenger.hotmail.com server deny name webmessenger.msn.com application http port-misuse im action reset alarm application im yahoo service default action reset service text-chat action reset server deny name scs.msg.yahoo.com server deny name scsa.msg.yahoo.com server deny name scsb.msg.yahoo.com server deny name scsc.msg.yahoo.com server deny name scsd.msg.yahoo.com server deny name messenger.yahoo.com server deny name cs16.msg.dcn.yahoo.com server deny name cs19.msg.dcn.yahoo.com server deny name cs42.msg.dcn.yahoo.com server deny name cs53.msg.dcn.yahoo.com server deny name cs54.msg.dcn.yahoo.com server deny name ads1.vip.scd.yahoo.com server deny name radio1.launch.vip.dal.yahoo.com server deny name in1.msg.vip.re2.yahoo.com server deny name data1.my.vip.sc5.yahoo.com server deny name address1.pim.vip.mud.yahoo.com server deny name edit.messenger.yahoo.com server deny name http.pager.yahoo.com server deny name privacy.yahoo.com server deny name csa.yahoo.com server deny name csb.yahoo.com server deny name csc.yahoo.com ! ! ! username surfn privilege 15 secret 5 $1$1hrm$0yfIN0jK56rOm9cXfm2a21 ! ! archive log config hidekeys ! ! ip tcp synwait-time 10 ip ssh time-out 60 ip ssh authentication-retries 2 ! ! ! interface Null0 no ip unreachables ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface FastEthernet4 description $ES_WAN$$FW_OUTSIDE$ ip address --WAN IP-- 255.255.255.0 ip access-group 123 in ip verify unicast reverse-path no ip redirects no ip unreachables no ip proxy-arp ip inspect DEFAULT100 out ip nat outside ip virtual-reassembly ip route-cache flow duplex auto speed auto ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$ ip address 192.168.1.1 255.255.255.0 ip access-group 102 in no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly ip route-cache flow ip tcp adjust-mss 1452 ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 --ISP Gateway-- ! ip http server ip http access-class 2 ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ip nat inside source list 1 interface FastEthernet4 overload ! logging trap debugging access-list 1 remark Telnet, SSH access access-list 1 permit 192.168.1.0 0.0.0.255 access-list 1 deny any access-list 2 remark HTTP, HTTPS access access-list 2 permit 192.168.1.0 0.0.0.255 access-list 2 deny any access-list 101 HIDDEN access-list 102 HIDDEN access-list 121 HIDDEN access-list 122 HIDDEN access-list 123 HIDDEN no cdp run ! control-plane ! banner exec ^C % Password expiration warning. ----------------------------------------------------------------------- Cisco Configuration Professional (Cisco CP) is installed on this device and it provides the default username "cisco" for one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired. You will not be able to login to the router with this username after you exit this session. It is strongly suggested that you create a new username with a privilege level of 15 using the following command. username <myuser> privilege 15 secret 0 <mypassword> Replace <myuser> and <mypassword> with the username and password you want to use. ----------------------------------------------------------------------- ^C banner login ^CCAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C ! line con 0 login authentication local_authen no modem enable transport output telnet line aux 0 login authentication local_authen transport output telnet line vty 0 4 access-class 100 in privilege level 15 authorization exec local_author login authentication local_authen transport input telnet ssh ! scheduler max-task-time 5000 scheduler allocate 4000 1000 scheduler interval 500 end
喬治,我看到以下消息:
%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3558911335 1500 bytes is out of order; 預期序列:3558888055。原因:TCP 重組隊列溢出 - 會話 192.168.23.38:54435 到 65.199.63.58:801024
通過擴展隊列重組隊列,以下命令似乎對我有用。
ip 檢查 tcp 重組隊列長度 1024
我想這是一個很長的鏡頭,因為我不知道你的配置。希望有幫助!
科林·傑西諾
這些路由器背後有多少使用者?大概您正在對單個外部地址進行 NAT。現代軟體,尤其是 facebook 聊天等 web 服務,會打開很多並發 TCP 連接。我相信 Cisco 有一個靜態大小的 NAT 轉換錶。它可能會溢出並驅逐最舊的連接?恐怕我無法就檢查 NAT 表是否溢出提供任何建議。
我不會傾向於懷疑韌體,特別是如果它在幾年前可以正常工作的話。但是,我建議對界面統計資訊進行快速仔細檢查。如果您在介面上看到丟棄、無效、badrx 校驗和等錯誤,那麼這很可能是您的問題的根源。硬體故障、電氣隔離不足或其他原因。在過去的 3-4 年裡,由於內部電容器膨脹/爆炸,我已經停止計算有多少“便宜”的 5 埠 10/100 或千兆交換機出現半故障並且變得不一致和不穩定。一種
show interfaces counters errors
聲明應該很快辨識出任何麻煩的介面。
祝你好運。