Cisco 870 - VPN - DMZ in four countries: Is it the way to Hell or Heaven?

Hi

One year ago I was so tired of my Novell VPN that I replaced it with 4 Cisco 870 (Copenhagen, Bordeaux, Gothenburg, Helsinki). I chose Cisco because I wanted to have some equipment where I could be sure of some professional assistance. I have never used Cisco before, and I had the feeling that now I would experience how a high-end solution should be.

It has been a very negative experience to learn how a Cisco product like the 870 is handled by both Cisco and the partners. My (high) expectations have not been met at all.

Now I have to reboot the main Cisco three times a week (often during the weekend) and the company that helps me seems to have no clue about what is going on.

I really want to get in contact with a Cisco consultant who works in a structured manner. I don't care which country he works in. As long as he has a bank account I will pay.

Does anyone know a very good Cisco consultant?

Regards Thorkil Johansen

I have a console connected:

%SYS-2-NOTQ: unqueue didn't find 0 in queue 82AB3E00
-Process= "", ipl= 2, pid= 73
-Traceback= 0x8077CCD8 0x803BF92C 0x803C4FBC 0x803CD13C 0x803CD51C 0x803D1A6C 0x8016DAA8 0x80162000 0x80164758 0x8016732C 0x80023AA4 0x80105350 0x80105350 0x80023B64 0x80B7A5C4 0x80B7A490

I got this 4 times on the syslog a minute before the crash:

2007-09-06 08:19:03 Local7.Warning 10.45.1.11 65571: 065569: Sep 6 2007 08:19:03: %IP_VFR-4-FRAG_TABLE_OVERFLOW: BVI1: the fragment table has reached its maximum threshold 16
thorkil.johansen

Sorry to say it but I have had a rather negative experience with the 870.

In my view it is not a business class product 'yet?' due to software instability under decent load.

We are presently using 2801 as a minimum for business links and have had no trouble at all. I suspect that the 1800 will be OK but we don't use enough to justify extensive testing of them and our customers are prepared to pay for the 2801 so it's not something that we have tried.

Having said that, the more recent software seems to be giving us less trouble (we still use the 8[57]0 for "home" VPNs) so maybe it's fixed now.

The traceback is the result of a software crash and such things simply :-) indicate a bug. You must either work around the bug or get a software upgrade.

The other one (fragment table thing) is the result of insufficient resources for the traffic offered. I think that the limit can be raised to 32. This router is not really, I don't think, up to such processing and I would disable that facility if possible.

Getting the right response from TAC is not always straightforward but if you push the right buttons in the right order then I have found that I get the result that I want, however at one time I did a lot of work with them. Clearly if the router has bugs then they can't fix it.

Thing is though; a decent independent consultant is going to want enough to buy a few 870s for a day's work. This is where your model falls into trouble. Even if your network is completely straightforward, to upgrade 4 routers remotely, study the configs, come up with some suggestions, implement and test is looking at more than a day's work I would say. Then there is the potential for liability for subsequent problems up to and not excluding some sort of VPN security problem. hmmmmmm. Interesting.

Bod43
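One way to catch the pattern reported in the first post (several fragment-table overflow messages within a minute) in collected syslog. This is an added example, not code from any poster in the thread; the sample lines are constructed in the format of the quoted entry, and the 4-events-in-60-seconds trigger is an assumption based on that single observation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data, modelled on the syslog line quoted in the thread.
MSG = "%IP_VFR-4-FRAG_TABLE_OVERFLOW: BVI1: the fragment table has reached its maximum threshold 16"
SAMPLE = f"""\
2007-09-06 08:02:41 Local7.Warning 10.45.1.11 65560: 065558: Sep 6 2007 08:02:41: {MSG}
2007-09-06 08:10:00 Local7.Notice 10.45.1.11 65561: 065559: Sep 6 2007 08:10:00: %SYS-5-CONFIG_I: Configured from console by console
2007-09-06 08:18:05 Local7.Warning 10.45.1.11 65568: 065566: Sep 6 2007 08:18:05: {MSG}
2007-09-06 08:18:21 Local7.Warning 10.45.1.11 65569: 065567: Sep 6 2007 08:18:21: {MSG}
2007-09-06 08:18:44 Local7.Warning 10.45.1.11 65570: 065568: Sep 6 2007 08:18:44: {MSG}
2007-09-06 08:19:03 Local7.Warning 10.45.1.11 65571: 065569: Sep 6 2007 08:19:03: {MSG}
"""

# Collector timestamp, facility.severity, source host, then the IOS message.
PATTERN = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\S+\s+(?P<host>\S+)\s.*"
    r"%IP_VFR-4-FRAG_TABLE_OVERFLOW: (?P<iface>\S+): .*threshold (?P<limit>\d+)"
)

def find_bursts(lines, min_events=4, window=timedelta(seconds=60)):
    """Return one alert per burst of overflow messages on a host/interface."""
    recent = defaultdict(deque)   # (host, interface) -> timestamps in window
    alerts = []
    for line in lines:
        m = PATTERN.match(line)
        if not m:
            continue              # unrelated syslog message
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[(m["host"], m["iface"])]
        q.append(ts)
        while ts - q[0] > window:  # drop events that aged out of the window
            q.popleft()
        if len(q) >= min_events:
            alerts.append({"host": m["host"], "iface": m["iface"],
                           "first": q[0], "count": len(q),
                           "limit": int(m["limit"])})
            q.clear()             # start counting a new burst
    return alerts

if __name__ == "__main__":
    for a in find_bursts(SAMPLE.splitlines()):
        print(f"{a['host']} {a['iface']}: {a['count']} overflows since "
              f"{a['first']} (table limit {a['limit']})")
```
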

Are you having trouble with just the Cisco 870 at the main hub site?

The word traceback in the output almost always indicates an IOS software bug.

Post the output of "show version" so responders will know what IOS version is being used on the hub site 870.

Short term you should probably find someone locally who can upgrade the IOS version for you, assuming you have a SmartNet support contract for the Cisco 870. The configuration may also need to be modified based on your current issue.

The traffic being received by the hub site 870 may have exceeded its capabilities and then you would need to look at a suitable replacement.

Merv
