CEF causing http to hang/stop on 1712

I'm trying to work out why enabling CEF on our 1712 causes web browsing to stop. I want to enable CEF so I can prioritise SIP and other traffic on our WAN connection, and from Google I understand that CEF is the first step towards doing this. However, when I enable CEF I get problems with normal browser traffic. The simplest way to prove the problem is to try to watch the BBC live news channel: after exactly and repeatably 29 sec the stream stops. Perhaps there is something wrong with the config, I don't know; it has been working fine until I turned CEF on, and works fine if I turn it off again (which I do quickly when my users start complaining). Thanks for any pointers. Mike

Software version is 12.3(7)T1 and the config is:

Current configuration : 10818 bytes
!
! Last configuration change at 11:55:18 UTC Fri Nov 6 2009
! NVRAM config last updated at 12:13:16 UTC Thu Nov 5 2009
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
enable secret xxxxxxxxxxxx
!
username xxxxxxxxxxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthen group radius local
aaa authentication ppp default local group radius
aaa authorization network groupauthor local group radius if-authenticated
aaa session-id common
ip subnet-zero
!
!
ip domain name xxxxxxx
ip name-server 192.168.xxx
ip name-server 192.168.xxx
!
!
no ip bootp server
no ip cef
ip inspect name fwinspect udp
ip inspect name fwinspect smtp
ip inspect name fwinspect tcp
ip inspect name fwinspect cuseeme
ip inspect name fwinspect ftp
ip inspect name fwinspect rcmd
ip inspect name fwinspect realaudio
ip inspect name fwinspect streamworks
ip inspect name fwinspect vdolive
ip inspect name fwinspect sqlnet
ip inspect name fwinspect icmp
ip audit po max-events 100
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
async-bootp dns-server 192.168.xxx 192.168.xxx
async-bootp nbns-server 192.168.xxx
no ftp-server write-enable
!
!
crypto pki trustpoint xxx
 revocation-check crl
!
!
!
!
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxx address xxx no-xauth
crypto isakmp key xxx address xxx no-xauth
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group xxx
 key xxx
 dns 192.168.xxx
 wins 192.168.xxx
 domain xxx
 pool dialin
 acl 111
 save-password
!
!
crypto ipsec transform-set cm-transformset-1 esp-3des esp-md5-hmac
!
crypto dynamic-map vpnclient 1
 set transform-set cm-transformset-1
!
!
crypto map cm-cryptomap client authentication list userauthen
crypto map cm-cryptomap isakmp authorization list groupauthor
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 20 ipsec-isakmp
 description VPN to xxx
 set peer xxx
 set transform-set cm-transformset-1
 set pfs group2
 match address 110
crypto map cm-cryptomap 30 ipsec-isakmp
 description VPN to xxx
 set peer xxx
 set transform-set cm-transformset-1
 set pfs group2
 match address 120
crypto map cm-cryptomap 50 ipsec-isakmp dynamic vpnclient
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface BRI0
 no ip address
 shutdown
!
interface FastEthernet0
 description Connection to ISP
 ip address xxx 255.255.255.240
 ip access-group 199 in
 ip nat outside
 speed 100
 full-duplex
 crypto map cm-cryptomap
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
 shutdown
!
interface Virtual-PPP1
 no ip address
 shutdown
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 peer default ip address pool pptp
 ppp encrypt mppe auto passive
 ppp authentication ms-chap-v2 ms-chap
!
interface Vlan1
 ip address 192.168.xxx 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip inspect fwinspect in
 ip policy route-map no-static-nat
!
interface Virtual-TokenRing1
 no ip address
 shutdown
 ring-speed 16
!
ip local pool pptp 192.168.xxx 192.168.xxx
ip local pool dialin 192.168.xxx 192.168.xxx
ip classless
ip route 0.0.0.0 0.0.0.0 xxx
ip route 172.22.xxx 255.255.0.0 xxx
ip route 192.168.xxx 255.255.255.0 xxx
ip route 192.168.xxx 255.255.255.0 xxx
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0 overload
ip nat inside source static tcp 192.168.xxx 20 xxx 20 extendable
ip nat inside source static tcp 192.168.xxx 21 xxx 21 extendable
ip nat inside source static tcp 192.168.xxx 25 xxx 25 extendable
ip nat inside source static tcp 192.168.xxx 587 xxx 587 extendable
ip nat inside source static tcp 192.168.xxx 993 xxx 993 extendable
ip nat inside source static tcp 192.168.xxx 995 xxx 995 extendable
ip nat inside source static tcp 192.168.xxx 3389 xxx 3389 extendable
ip nat inside source static 192.168.xxx xxx
!
!
access-list 101 remark =========Outgoing traffic=========
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit ip any 172.22.0.0 0.0.255.255
access-list 101 permit ip any 192.168.xxx 0.0.0.255
access-list 101 permit ip any 192.168.xxx 0.0.0.255
access-list 101 permit ip any 192.168.xxx 0.0.0.255
access-list 101 permit tcp host 192.168.xxx eq 3389 any established
access-list 101 permit tcp any any eq 4125
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp host 192.168.xxx any eq smtp
access-list 101 permit tcp host 192.168.xxx eq 587 any established
access-list 101 permit tcp host 192.168.xxx eq 993 any established
access-list 101 permit tcp host 192.168.xxx eq smtp any established
access-list 101 permit tcp host 192.168.xxx eq 995 any established
access-list 101 permit udp host 192.168.xxx any eq ntp
access-list 101 permit udp host 192.168.xxx any eq ntp
access-list 101 permit tcp host 192.168.xxx any eq ident
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 1863
access-list 101 permit icmp 192.168.xxx 0.0.0.255 any echo
access-list 101 permit tcp any any eq 8005
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq nntp
access-list 101 permit tcp any any eq 8080
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 123
access-list 101 permit tcp any any eq 8443
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 5900
access-list 101 permit udp any any eq 80
access-list 101 permit udp any any eq 5050
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq 995
access-list 101 permit udp host 192.168.xxx any eq ntp
access-list 101 permit tcp host 192.168.xxx any eq 2703
access-list 101 permit tcp any any eq 5060
access-list 101 permit udp any any eq 5060
access-list 101 permit udp host 192.168.xxx any
access-list 101 permit tcp host 192.168.xxx any
access-list 101 permit udp any any range 10000 20000
access-list 101 remark ====ipsec vpn===
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 105 remark =========Don't NAT VPN Traffic=========
access-list 105 deny ip 192.168.xxx 0.0.0.255 172.22.xxx 0.0.255.255
access-list 105 deny ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
access-list 105 deny ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
access-list 105 permit ip 192.168.xxx 0.0.0.255 any
access-list 108 remark =========not used=========
access-list 108 permit ip 192.168.xxx 0.0.0.255 any
access-list 110 remark ========xxx VPN========
access-list 110 permit ip 192.168.xxx 0.0.0.255 172.22.xxx 0.0.255.255
access-list 110 deny ip 192.168.xxx 0.0.0.255 any
access-list 111 remark ========Cisco VPN Client========
access-list 111 permit ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
access-list 111 deny ip 192.168.xxx 0.0.0.255 any
access-list 112 remark =======VPN traffic not to NAT==========
access-list 112 permit ip any 172.22.xxx 0.0.255.255
access-list 112 permit ip any 192.168.xxx 0.0.0.255
access-list 112 permit ip any 192.168.xxx 0.0.0.255
access-list 112 permit ip any 192.168.xxx 0.0.0.255
access-list 120 remark ========xx VPN==========
access-list 120 permit ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
access-list 120 deny ip 192.168.xxx 0.0.0.255 any
access-list 199 remark ========Outside to Inside==========
access-list 199 deny icmp any any fragments
access-list 199 permit icmp any host xxx echo
access-list 199 permit icmp any 192.168.xxx 0.0.0.255 echo-reply
access-list 199 permit icmp any any packet-too-big
access-list 199 permit icmp any any time-exceeded
access-list 199 deny icmp any any
access-list 199 remark ====ipsec vpn===
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
access-list 199 permit udp any any eq non500-isakmp
access-list 199 remark ====pptp vpn===
access-list 199 permit gre any any
access-list 199 permit tcp any any eq 1723
access-list 199 remark ====Email to server===
access-list 199 permit tcp any host xxx eq 993
access-list 199 permit tcp any host xxx eq smtp
access-list 199 permit tcp any host xxx eq 995
access-list 199 permit tcp any host xxx eq 587
access-list 199 remark ====Terminal services from xxx===
access-list 199 permit tcp host xxx host xxx eq 3389
access-list 199 remark ====FTP to internal server===
access-list 199 permit tcp any host xxx eq ftp
access-list 199 remark ====VOIP to xxx===
access-list 199 permit udp any host xxx eq 5060
access-list 199 permit udp any host xxx eq 4569
access-list 199 permit udp any host xxx range 10000 20000
access-list 199 remark =====Ports for xxx====
access-list 199 permit udp host xxx any eq 5050
access-list 199 permit udp host xxx any eq 80
access-list 199 permit tcp host xxx any eq 22
access-list 199 permit udp host xxx any eq 5050
access-list 199 permit udp host xxx any eq 80
access-list 199 permit tcp host xxx any eq 22
!
route-map proxy-redirect permit 10
 match ip address 112
 set ip next-hop 192.168.xxx
!
route-map no-static-nat permit 1
 match ip address 112
 set ip next-hop 1.1.1.2
!
route-map nonat permit 10
 match ip address 105
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server host 192.168.xxx auth-port 1645 acct-port 1646
radius-server key 7 xxx
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
ntp clock-period x
ntp server 192.168.xxx
ntp server 192.168.xxx
!
end

Reply to
mikeyb

Sounds like a bug.

A few things might not work with CEF (as I vaguely recall) but this is usually implemented by the stuff that does not work with CEF, simply not using it even if enabled.

I do not recall that any QoS does not work with CEF.

If you point to the documents that recommend CEF then perhaps someone may comment on them.

There has been a tendency to recommend CEF as some sort of panacea to fix all ills but mostly there is no special advantage to using it. (Certain load balancing being one exception where it can pay dividends.)

What feature set do you have? How much DRAM? How much flash? It's all in the sh ver

"Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
...
Cisco 877W (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
...
24576K bytes of processor board System flash (Intel Strataflash)"

It's best just to post the whole sh ver, perhaps removing the "Processor board ID .............." line to avoid possible identification?

12.3(7)T1 sounds pretty ancient. If you can why not upgrade? Avoid T code unless you need to use it.

formatting link

Image Name: c1700-k9o3sy7-mz.124-25b.bin
DRAM / Min Flash: 96 / 32
Enterprise Product Number: S17C7HK9-12425

Might be appropriate.

IP/ADSL/FW/IDS PLUS IPSEC 3DES

Reply to
bod43

In famous words of Cisco TAC - "Upgrade to latest mainline and call us back!" :-)

Andrey.

Reply to
Andrey Tarasov

| I'm trying to work out why enabling CEF on our 1712 causes web
| browsing to stop. I want to enable CEF so I can prioritise SIP and
| other traffic on our WAN connection and from google I understand that
| cef is the first step towards doing this. however when I enable CEF I
| get problems with normal browser traffic. The simplest way to prove
| the problem is to try to watch the BBC live news channel, after
| exactly and repeatably 29sec the stream stops.
| Perhaps there is something wrong with the config , I don't know , it
| has been working fine until I turned cef on and works fine if I turn
| it off again (which I do quickly when my users start complaining)..
| thanks for any pointers

I've had problems with CEF on point-to-point connections:

formatting link
This particular problem was "fixed" in a later release in the sense that IOS now appears to automatically disable CEF on the serial interface. You might want to check your CEF adjacencies after the stream stops.

Dan Lanciani ddl@danlan.*com

Reply to
Dan Lanciani

bod43, thanks for the reply

I was wondering this myself.

If I try "ip nbar protocol-discovery" on the WAN interface I get:

CEF or distributed CEF switching is required for NBAR 'protocol discovery' command

sho vers
Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.3(7)T1, RELEASE SOFTWARE (fc2)
Technical Support:
formatting link
(c) 1986-2004 by Cisco Systems, Inc.
Compiled Thu 22-Apr-04 09:44 by eaarmas

ROM: System Bootstrap, Version 12.2(7r)XM4, RELEASE SOFTWARE (fc1)

autogard1700 uptime is 4 days, 23 hours, 54 minutes
System returned to ROM by reload at 08:14:43 UTC Thu Nov 5 2009
System restarted at 08:17:15 UTC Thu Nov 5 2009
System image file is "flash:c1700-k9o3sy7-mz.123-7.T1.bin"

snip

Cisco 1712 (MPC862P) processor (revision 0x101) with 85243K/13061K bytes of memory.
MPC862P processor: part number 7, mask 0

1 Ethernet interface
5 FastEthernet interfaces
1 ISDN Basic Rate interface
1 Virtual Private Network (VPN) Module
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

As you suggest I think an upgrade is very much in order.

Mike

Reply to
mikeyb
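The error message quoted above is specific to NBAR. In MQC, classifying by access-list does not depend on CEF, so SIP signalling and RTP can be given a priority queue on this router whether CEF stays on or off; only the "match protocol" (NBAR) form of a class-map and "ip nbar protocol-discovery" need it. What follows is an added example written for this thread, not code posted by anyone in it: the RTP range (UDP 10000-20000) and port 5060 are taken from the posted access-lists, while the link rate (2 Mbit/s), the priority allocation (512 kbit/s), the policy and ACL names, and the use of qos pre-classify on the two site-to-site crypto map entries are assumptions to be replaced with the real figures.

```ios
! Added example, not from the thread: an LLQ policy prioritising SIP
! signalling and RTP on the 1712's ISP-facing interface. Classification is
! by access-list, which does not depend on CEF.
! Assumptions: uplink 2 Mbit/s, 512 kbit/s reserved for voice, RTP on
! UDP 10000-20000 as the posted ACLs already permit.
!
ip access-list extended ACL-VOICE-RTP
 permit udp any any range 10000 20000
ip access-list extended ACL-VOICE-SIGNALLING
 permit udp any any eq 5060
 permit tcp any any eq 5060
!
class-map match-any VOICE-RTP
 match access-group name ACL-VOICE-RTP
class-map match-any VOICE-SIGNALLING
 match access-group name ACL-VOICE-SIGNALLING
!
! NBAR form of the same class, for comparison only. This is the variant
! that produces the "CEF or distributed CEF switching is required" error
! when "no ip cef" is configured:
!   class-map match-any VOICE-RTP
!    match protocol rtp audio
!
policy-map WAN-OUT
 class VOICE-RTP
  priority 512
 class VOICE-SIGNALLING
  bandwidth 64
 class class-default
  fair-queue
!
! Parent shaper. On a 100 Mbit/s Ethernet port the queue only forms, and
! the priority class only engages, if the router itself shapes to the real
! upstream rate instead of letting the ISP's equipment drop the excess.
policy-map WAN-SHAPE
 class class-default
  shape average 2000000
  service-policy WAN-OUT
!
interface FastEthernet0
 service-policy output WAN-SHAPE
!
! Calls carried inside the IPsec tunnels would otherwise be classified
! after encryption, when only ESP is visible. qos pre-classify keeps a
! copy of the inner header for the policy-map to match on.
crypto map cm-cryptomap 20 ipsec-isakmp
 qos pre-classify
crypto map cm-cryptomap 30 ipsec-isakmp
 qos pre-classify
```

Check it with "show policy-map interface FastEthernet0" during a call: the VOICE-RTP counters should climb and its drop counter stay at zero. Keep the sum of the priority classes well under the shaped rate (the usual Cisco rule of thumb is about a third of it), because traffic above the priority rate is policed rather than queued once the link is congested.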

I suspected this might be needed. I assume this would be more economical than getting a new router, but what is the downside to putting new software on old kit?

Mike

Reply to
mikeyb

Usually a new IOS version won't fit in an old router without a memory upgrade.

I have had very strange problems with CEF as well, when combined with dialers (unfortunately required for ADSL with PPPoA) and also with policy routing.

Reply to
Rob

Thanks Dan, I've checked the adjacencies and they're OK (to me): IPs connected to the right interfaces. The only thing I found using debug ip cef drops was lots of drops on the loopback interface (in the config to stop VPN traffic being static NAT'd). I don't think this is my problem though.

Mike

Reply to
mikeyb

Miraculously I seemed to have guessed the correct feature set and so you can see above the memory requirements.

Image Name: c1700-k9o3sy7-mz.124-25b.bin
DRAM / Min Flash: 96 / 32

Same as for 12.3T.

You have enough RAM and Flash.

Of course 12.4 mainline is basically the last development of 12.3T but now with 25 and more rounds of bug fixes:-) or :-(.

I can recall doing PBR to a loopback to avoid NAT but we stopped years ago and did it differently. I did not do much static NAT and can't recall the details now. Not seen that for years anyway.

formatting link
- Ability to Use Route Maps with Static Translations
  12.2(4)T  This feature was introduced.

So it looks like you could remove the PBR if you preferred. It always seemed like a horrible kludge to me anyway.

Reply to
bod43
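The two arrangements side by side, as an added example rather than anything posted in the thread: the PBR-to-loopback trick from Mike's config, and the route-map keyword on the static translation that the 12.2(4)T feature bod43 refers to provides. The addresses are assumptions standing in for the redacted ones (LAN 192.168.1.0/24, mail server 192.168.1.10, public address 203.0.113.10, VPN subnets 172.22.0.0/16, 192.168.2.0/24 and 192.168.3.0/24); the route-map name nonat and access-list 105 are reused from the posted config. Whether the tcp/udp (static PAT) form of the command accepts route-map on 12.3(7)T1 is not something this thread establishes, so that line is marked as one to check on the router.

```ios
! Added example, not from the thread. Addresses are placeholders for the
! redacted ones in the posted config.
!
! --- As posted: policy-route VPN-bound traffic into a loopback so it is
! --- not picked up by the static translations before it reaches the
! --- crypto map. Under CEF this is the path that shows drops on
! --- Loopback0 in "debug ip cef drops".
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
access-list 112 permit ip any 172.22.0.0 0.0.255.255
access-list 112 permit ip any 192.168.2.0 0.0.0.255
access-list 112 permit ip any 192.168.3.0 0.0.0.255
!
route-map no-static-nat permit 1
 match ip address 112
 set ip next-hop 1.1.1.2
!
interface Vlan1
 ip policy route-map no-static-nat
!
! --- Route-map form: the static translation is applied only when the
! --- packet matches route-map nonat, whose access-list denies the VPN
! --- subnets. The same route-map already gates the overload translation,
! --- so the NAT exemption lives in one place.
access-list 105 deny   ip 192.168.1.0 0.0.0.255 172.22.0.0 0.0.255.255
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 105
!
ip nat inside source route-map nonat interface FastEthernet0 overload
ip nat inside source static 192.168.1.10 203.0.113.10 route-map nonat
!
! Port-level (static PAT) entry. Assumption: the tcp/udp form accepts the
! route-map keyword on the running image. Confirm with
! "ip nat inside source static tcp 192.168.1.10 25 203.0.113.10 25 ?"
! before committing; if it is refused, keep those entries on the PBR path
! or upgrade first.
ip nat inside source static tcp 192.168.1.10 25 203.0.113.10 25 route-map nonat extendable
!
! Only once every static entry carries the route-map can the policy
! route-map, and with it the loopback next-hop, be removed.
interface Vlan1
 no ip policy route-map no-static-nat
```

Two things to verify on the router after the change, before declaring the loopback redundant: that VPN-bound traffic from the mail server now leaves untranslated ("show ip nat translations" should show no entry for it), and that connections arriving from outside to the forwarded ports are still translated inbound. In a number of IOS releases the route-map form of a static translation is consulted only for inside-to-outside traffic, and a later release added a "reversible" keyword to cover the other direction; if inbound mail or FTP stops working after the change, that is the first place to look.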

We had to use PBR because we had two ADSL interfaces to internet, each with source address filtering. As you cannot randomly send traffic out to the ADSL in this case, as happens when you set two default routes, we used PBR with a loopback interface for all the outbound traffic. (selecting the proper ADSL interface based on the source address of the traffic)

This worked OK, but not with CEF. Now the ADSL lines are retired and replaced by a single fiber, the problem is gone and CEF is now enabled on the router.

IOS is 12.4(5a), has been updated several times but it never fixed the issue.

Reply to
Rob

In article , snipped-for-privacy@hotmail.com (mikeyb) writes:
| > You might want to check your CEF adjacencies after the stream stops.
| >
| > Dan Lanciani
| > ddl@danlan.*com
| Thanks Dan, I've checked the adjacencies and they ok (to me) . IPs
| connected to the right interfaces. The only thing I found using debug
| ip cef drops was lots of drops on the loopback interface (in the
| config to stop vpn traffic being static NAT'd). I don't think this is
| my problem though.

Well, drops are bad if you need the packets routed. :) Do the drops start as soon as CEF is enabled or after the problem occurs? Did you try disabling CEF on the loopback interface (only)?

Dan Lanciani ddl@danlan.*com

Reply to
Dan Lanciani

From my poking around ciscos site I thought I should be able to upgrade too. thanks for the info/confirmation.

I tried removing the PBR loopback but couldn't get route maps to work with the static PAT's in the config.

Reply to
mikeyb

The drops start as soon as I enable CEF. I tried - it didn't fix the problem.

Reply to
mikeyb

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.