R
R
Roman Poluckhin2016-01-18 12:58:16
Computer networks
Roman Poluckhin, 2016-01-18 12:58:16

How to determine the cause of IP CEF Punt2Host triggering?

Good afternoon all.
I have the following problem, namely drop parts of the packets when they are NATed, but I will start from the beginning:

System image file is "usbflash0:c1900-universalk9-mz.SPA.154-3.M3.bin"
Cisco CISCO1921/K9 (revision 1.0) with 491520K/32768K bytes of memory.

Total active translations: 50 (0 static, 50 dynamic; 50 extended)
Peak translations: 300, occurred 2d22h ago
Outside interfaces:
GigabitEthernet0/0
Inside interfaces:
GigabitEthernet0/1
Hits: 2867569 Misses: 0
CEF Translated packets: 2856746, CEF Punted packets : 10825
Expired translations: 11254
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT-INSIDE interface GigabitEthernet0/0 refcount 50
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

IPv4 CEF output features:
Feature Drop Consume Punt Punt2Host New i/f
Post-routing NAT 503 0 0 6983 0
Firewall (firewa 48 0 0 0 0
Total


<191>4095: Jan 18 09:23:23.500: CEF-Drop: Packet from 172.16.32.4 (Gi0/1) to 77.88.8.8 (Gi0/0), Output feature Post-routing NAT Outside 172.16.0.2 18/01 14:23:30.031
<191>4096: Jan 18 09:23:23.500: ihl=20, length=61, tos=0, ttl=126, checksum=1837, offset=0 172.16.0.2 18/01 14:23 :30.037
<191>4097: Jan 18 09:23:23.500: UDP src=58556, dst=53, length=41, checksum=43359 172.16.0.2 18/01 14:23:30.042
<191>4098: Jan 18 09 :23:25.512: CEF-Drop: Packet from 172.16.32.4 (Gi0/1) to 77.88.8.1 (Gi0/0), Output feature Post-routing NAT Outside 172.16.0.2 18/01 14:23:32.042
<191> 4099: Jan 18 09:23:25.512: ihl=20, length=60, tos=0, ttl=126, checksum=1841, offset=0 172.16.0.2 18/01 14:23:32.047
<191>4100: Jan 18 09:23:25.512: UDP src=57415, dst=53, length=40, checksum=64075 172.16.0.2 18/01 14:23:32.053

Hence the question, what to do and how to be? I can’t figure out where to dig, exactly the same packets only with the resolution of another domain pass without problems. Tell me what to read or where to pay attention, by itself, I myself continue to look for the reason while I'm waiting for your help.
UPD:
So the situation turned out to be completely different from what it seemed at first glance. After creating the question, I collected many traffic dumps to identify anomalies leading to such consequences. I also got to know much more deeply how CEF works and so on.
As a result, it was revealed that CEF is not directly related to this problem, more precisely, its behavior is natural and correct.
As a result of the analysis, I found that the problem is typical only for frames with a length of 81 bytes. Moreover, if the frames contained an IP payload, with a UDP payload, which in turn contained a DNS payload, which contained a request for a 21-character domain name resolution. More precisely, the size of the resulting frame is a consequence of the fact that the domain name is 21 characters long. Here you need to make a note that if the DNS resolver uses additional fields in the DNS packet, then the packet will be longer and the frame will go beyond the border of 81 bytes, but in the case of Windows DNS it will be just that.
Further more, the ISP uses 802.16 WiMAX as the last mile, as a result, the connection scheme looks like this Edge Router -> ISP Switch -> WiMAX AP -> WiMAX AP -> Some Devices -> CISCO ISG Router.
So, the radio relay path was the reason for this behavior, unfortunately the ISP refused to shed light on the situation, what was the reason for this, but after a week of correspondence with Moscow, now the technical support for Siberia is there, damn the day they did it, the provider could not find anything better than just doing a complete rewiring of their radio relay path.
I won’t name the provider, but it’s a large ISP by the standards of Russia, I don’t think it’s worth saying that I didn’t hear a single NOC engineer, people at the other end, unfortunately, could not even open the dump to make sure that what I'm saying is true.

Answer the question

In order to leave comments, you need to log in

1 answer(s)
R
Roman Poluckhin, 2016-02-11
@zanswer

UPD:
So the situation turned out to be completely different from what it seemed at first glance. After creating the question, I collected many traffic dumps to identify anomalies leading to such consequences. I also got to know much more deeply how CEF works and so on.
As a result, it was revealed that CEF is not directly related to this problem, more precisely, its behavior is natural and correct.
As a result of the analysis, I found that the problem is typical only for frames with a length of 81 bytes. Moreover, if the frames contained an IP payload, with a UDP payload, which in turn contained a DNS payload, which contained a request for a 21-character domain name resolution. More precisely, the size of the resulting frame is a consequence of the fact that the domain name is 21 characters long. Here you need to make a note that if the DNS resolver uses additional fields in the DNS packet, then the packet will be longer and the frame will go beyond the border of 81 bytes, but in the case of Windows DNS it will be just that.
Further more, the ISP uses 802.16 WiMAX as the last mile, as a result, the connection scheme looks like this Edge Router -> ISP Switch -> WiMAX AP -> WiMAX AP -> Some Devices -> CISCO ISG Router.
So, the radio relay path was the reason for this behavior, unfortunately the ISP refused to shed light on the situation, what was the reason for this, but after a week of correspondence with Moscow, now the technical support for Siberia is there, damn the day they did it, the provider could not find anything better than just doing a complete rewiring of their radio relay path.
I won’t name the provider, but it’s a large ISP by the standards of Russia, I don’t think it’s worth saying that I didn’t hear a single NOC engineer, people at the other end, unfortunately, could not even open the dump to make sure that what I'm saying is true.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question