I'm trying to work out why enabling CEF on our 1712 causes web browsing to stop. I want to enable CEF so I can prioritise SIP and other traffic on our WAN connection, and from Google I understand that CEF is the first step towards doing this. However, when I enable CEF I get problems with normal browser traffic. The simplest way to prove the problem is to try to watch the BBC live news channel: after exactly and repeatably 29 sec the stream stops. Perhaps there is something wrong with the config, I don't know; it has been working fine until I turned CEF on, and works fine if I turn it off again (which I do quickly when my users start complaining). Thanks for any pointers. Mike
Software version is 12.3(7)T1 and the config is:
Current configuration : 10818 bytes
!
! Last configuration change at 11:55:18 UTC Fri Nov 6 2009
! NVRAM config last updated at 12:13:16 UTC Thu Nov 5 2009
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
enable secret xxxxxxxxxxxx
!
username xxxxxxxxxxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthen group radius local
aaa authentication ppp default local group radius
aaa authorization network groupauthor local group radius if-authenticated
aaa session-id common
ip subnet-zero
!
!
ip domain name xxxxxxx
ip name-server 192.168.xxx
ip name-server 192.168.xxx
!
!
no ip bootp server
no ip cef
ip inspect name fwinspect udp
ip inspect name fwinspect smtp
ip inspect name fwinspect tcp
ip inspect name fwinspect cuseeme
ip inspect name fwinspect ftp
ip inspect name fwinspect rcmd
ip inspect name fwinspect realaudio
ip inspect name fwinspect streamworks
ip inspect name fwinspect vdolive
ip inspect name fwinspect sqlnet
ip inspect name fwinspect icmp
ip audit po max-events 100
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
async-bootp dns-server 192.168.xxx 192.168.xxx
async-bootp nbns-server 192.168.xxx
no ftp-server write-enable
!
!
crypto pki trustpoint xxx
 revocation-check crl
!
!
!
!
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxx address xxx no-xauth
crypto isakmp key xxx address xxx no-xauth
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group xxx
 key xxx
 dns 192.168.xxx
 wins 192.168.xxx
 domain xxx
 pool dialin
 acl 111
 save-password
!
!
crypto ipsec transform-set cm-transformset-1 esp-3des esp-md5-hmac
!
crypto dynamic-map vpnclient 1
 set transform-set cm-transformset-1
!
!
crypto map cm-cryptomap client authentication list userauthen
crypto map cm-cryptomap isakmp authorization list groupauthor
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 20 ipsec-isakmp
 description VPN to xxx
 set peer xxx
 set transform-set cm-transformset-1
 set pfs group2
 match address 110
crypto map cm-cryptomap 30 ipsec-isakmp
 description VPN to xxx
 set peer xxx
 set transform-set cm-transformset-1
 set pfs group2
 match address 120
crypto map cm-cryptomap 50 ipsec-isakmp dynamic vpnclient
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface BRI0
 no ip address
 shutdown
!
interface FastEthernet0
 description Connection to ISP
 ip address xxx 255.255.255.240
 ip access-group 199 in
 ip nat outside
 speed 100
 full-duplex
 crypto map cm-cryptomap
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
 shutdown
!
interface Virtual-PPP1
 no ip address
 shutdown
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 peer default ip address pool pptp
 ppp encrypt mppe auto passive
 ppp authentication ms-chap-v2 ms-chap
!
interface Vlan1
 ip address 192.168.xxx 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip inspect fwinspect in
 ip policy route-map no-static-nat
!
interface Virtual-TokenRing1
 no ip address
 shutdown
 ring-speed 16
!
ip local pool pptp 192.168.xxx 192.168.xxx
ip local pool dialin 192.168.xxx 192.168.xxx
ip classless
ip route 0.0.0.0 0.0.0.0 xxx
ip route 172.22.xxx 255.255.0.0 xxx
ip route 192.168.xxx 255.255.255.0 xxx
ip route 192.168.xxx 255.255.255.0 xxx
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0 overload
ip nat inside source static tcp 192.168.xxx 20 xxx 20 extendable
ip nat inside source static tcp 192.168.xxx 21 xxx 21 extendable
ip nat inside source static tcp 192.168.xxx 25 xxx 25 extendable
ip nat inside source static tcp 192.168.xxx 587 xxx 587 extendable
ip nat inside source static tcp 192.168.xxx 993 xxx 993 extendable
ip nat inside source static tcp 192.168.xxx 995 xxx 995 extendable
ip nat inside source static tcp 192.168.xxx 3389 xxx 3389 extendable
ip nat inside source static 192.168.xxx xxx
!
!
access-list 101 remark =========Outgoing traffic=========
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit ip any 172.22.0.0 0.0.255.255
access-list 101 permit ip any 192.168.xxx 0.0.0.255
access-list 101 permit ip any 192.168.xxx 0.0.0.255
access-list 101 permit ip any 192.168.xxx 0.0.0.255
access-list 101 permit tcp host 192.168.xxx eq 3389 any established
access-list 101 permit tcp any any eq 4125
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp host 192.168.xxx any eq smtp
access-list 101 permit tcp host 192.168.xxx eq 587 any established
access-list 101 permit tcp host 192.168.xxx eq 993 any established
access-list 101 permit tcp host 192.168.xxx eq smtp any established
access-list 101 permit tcp host 192.168.xxx eq 995 any established
access-list 101 permit udp host 192.168.xxx any eq ntp
access-list 101 permit udp host 192.168.xxx any eq ntp
access-list 101 permit tcp host 192.168.xxx any eq ident
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 1863
access-list 101 permit icmp 192.168.xxx 0.0.0.255 any echo
access-list 101 permit tcp any any eq 8005
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq nntp
access-list 101 permit tcp any any eq 8080
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 123
access-list 101 permit tcp any any eq 8443
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 5900
access-list 101 permit udp any any eq 80
access-list 101 permit udp any any eq 5050
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq 995
access-list 101 permit udp host 192.168.xxx any eq ntp
access-list 101 permit tcp host 192.168.xxx any eq 2703
access-list 101 permit tcp any any eq 5060
access-list 101 permit udp any any eq 5060
access-list 101 permit udp host 192.168.xxx any
access-list 101 permit tcp host 192.168.xxx any
access-list 101 permit udp any any range 10000 20000
access-list 101 remark ====ipsec vpn===
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 105 remark =========Don't NAT VPN Traffic=========
access-list 105 deny ip 192.168.xxx 0.0.0.255 172.22.xxx 0.0.255.255
access-list 105 deny ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
access-list 105 deny ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
access-list 105 permit ip 192.168.xxx 0.0.0.255 any
access-list 108 remark =========not used=========
access-list 108 permit ip 192.168.xxx 0.0.0.255 any
access-list 110 remark ========xxx VPN========
access-list 110 permit ip 192.168.xxx 0.0.0.255 172.22.xxx 0.0.255.255
access-list 110 deny ip 192.168.xxx 0.0.0.255 any
access-list 111 remark ========Cisco VPN Client========
access-list 111 permit ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
access-list 111 deny ip 192.168.xxx 0.0.0.255 any
access-list 112 remark =======VPN traffic not to NAT==========
access-list 112 permit ip any 172.22.xxx 0.0.255.255
access-list 112 permit ip any 192.168.xxx 0.0.0.255
access-list 112 permit ip any 192.168.xxx 0.0.0.255
access-list 112 permit ip any 192.168.xxx 0.0.0.255
access-list 120 remark ========xx VPN==========
access-list 120 permit ip 192.168.xxx 0.0.0.255 192.168.xxx 0.0.0.255
access-list 120 deny ip 192.168.xxx 0.0.0.255 any
access-list 199 remark ========Outside to Inside==========
access-list 199 deny icmp any any fragments
access-list 199 permit icmp any host xxx echo
access-list 199 permit icmp any 192.168.xxx 0.0.0.255 echo-reply
access-list 199 permit icmp any any packet-too-big
access-list 199 permit icmp any any time-exceeded
access-list 199 deny icmp any any
access-list 199 remark ====ipsec vpn===
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
access-list 199 permit udp any any eq non500-isakmp
access-list 199 remark ====pptp vpn===
access-list 199 permit gre any any
access-list 199 permit tcp any any eq 1723
access-list 199 remark ====Email to server===
access-list 199 permit tcp any host xxx eq 993
access-list 199 permit tcp any host xxx eq smtp
access-list 199 permit tcp any host xxx eq 995
access-list 199 permit tcp any host xxx eq 587
access-list 199 remark ====Terminal services from xxx===
access-list 199 permit tcp host xxx host xxx eq 3389
access-list 199 remark ====FTP to internal server===
access-list 199 permit tcp any host xxx eq ftp
access-list 199 remark ====VOIP to xxx===
access-list 199 permit udp any host xxx eq 5060
access-list 199 permit udp any host xxx eq 4569
access-list 199 permit udp any host xxx range 10000 20000
access-list 199 remark =====Ports for xxx====
access-list 199 permit udp host xxx any eq 5050
access-list 199 permit udp host xxx any eq 80
access-list 199 permit tcp host xxx any eq 22
access-list 199 permit udp host xxx any eq 5050
access-list 199 permit udp host xxx any eq 80
access-list 199 permit tcp host xxx any eq 22
!
route-map proxy-redirect permit 10
 match ip address 112
 set ip next-hop 192.168.xxx
!
route-map no-static-nat permit 1
 match ip address 112
 set ip next-hop 1.1.1.2
!
route-map nonat permit 10
 match ip address 105
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server host 192.168.xxx auth-port 1645 acct-port 1646
radius-server key 7 xxx
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
ntp clock-period x
ntp server 192.168.xxx
ntp server 192.168.xxx
!
end