Cisco
vanomel, 2012-07-20 07:07:24

Why does Cisco NAT sometimes lose 50% of packets?

There is a Cisco 1841 doing NAT to give several VLANs access to the Internet. Sometimes popular sites start working poorly: some photos are shown only partially, pages do not load to the end, online video playback keeps getting interrupted.
I started to figure it out, and this is what I saw:
We ping the server of a popular social network from a PC on the internal network: 50% packet loss; we keep pinging. We go to the router and ping the same server from the router: no packet loss at all! At that same moment the ping from the PC also returns to normal. Then, a day or two later, it can start acting up again.
The network provides Internet access over Wi-Fi on the grounds of a sanatorium; a DSLAM is connected to the router, with the modems in different VLANs using different IP pools.
Which direction should I dig in? ARP?
Here are the important parts of the config:
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname sanatory-IP
!
boot-start-marker
boot system flash c1841-ipbase-mz.124-1b.bin
boot-end-marker
!
logging buffered 12000 informational
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 1
ip cef
!
!
ip dhcp database flash:dhcp-database
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.245 192.168.2.254
ip dhcp excluded-address 192.168.10.245 192.168.10.254
ip dhcp excluded-address 192.168.11.245 192.168.11.254
ip dhcp excluded-address 192.168.12.245 192.168.12.254
ip dhcp excluded-address 192.168.13.245 192.168.13.254
ip dhcp excluded-address 192.168.14.245 192.168.14.254
ip dhcp excluded-address 192.168.15.245 192.168.15.254
ip dhcp excluded-address 192.168.16.245 192.168.16.254
!
ip dhcp pool Guests_with_Inet
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.1
!
ip dhcp pool Special_VIP_GUESTs_Inet
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.2.1
!
ip dhcp pool GUESTs_zone_11
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server 192.168.11.1
!
ip dhcp pool GUESTs_zone_12
network 192.168.12.0 255.255.255.0
default-router 192.168.12.1
dns-server 192.168.12.1
!
ip dhcp pool GUESTs_zone_13
network 192.168.13.0 255.255.255.0
default-router 192.168.13.1
dns-server 192.168.13.1
!
ip dhcp pool GUESTs_zone_14
network 192.168.14.0 255.255.255.0
default-router 192.168.14.1
dns-server 192.168.14.1
!
ip dhcp pool GUESTs_zone_15
network 192.168.15.0 255.255.255.0
default-router 192.168.15.1
dns-server 192.168.15.1
!
ip dhcp pool GUESTs_zone_16
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 192.168.16.1
!
!
ip flow-cache entries 65000
ip flow-cache timeout inactive 120
ip flow-cache timeout active 10
no ip bootp server
ip name-server 217.8.235.81
ip name-server 217.8.235.82
!
!
!
controller E1 0/0/0
channel-group 0 timeslots 1-12
description ### to MMX-4, port 3.3
!
!
interface Tunnel0
ip address 192.168.255.1 255.255.255.252
no ip proxy-arp
ip mtu 1400
no ip route-cache cef
no ip route-cache
no snmp trap link-status
tunnel source 10.xxx
tunnel destination 10.xxx
tunnel mode ipip
!
interface FastEthernet0/0
description ### to IES-1000, AAM1212-1, port 1 ###
no ip address
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/0.11
encapsulation dot1Q 11
ip address 192.168.11.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/0.12
encapsulation dot1Q 12
ip address 192.168.12.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/0.13
encapsulation dot1Q 13
ip address 192.168.13.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/0.15
encapsulation dot1Q 15
ip address 192.168.15.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/0.16
encapsulation dot1Q 16
ip address 192.168.16.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/0.50
encapsulation dot1Q 50
ip address 192.168.60.1 255.255.255.0 secondary
ip address 192.168.50.1 255.255.255.0
ip access-group DMZ_in in
ip access-group DMZ_out out
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip address 192.168.100.254 255.255.255.0
no ip proxy-arp
ip flow ingress
ip flow egress
no snmp trap link-status
arp timeout 100
!
interface FastEthernet0/0.111
encapsulation dot1Q 111
ip address 192.168.111.1 255.255.255.0
ip access-group Inside_F0/0.111_in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/0.244
encapsulation dot1Q 244
ip address 10.132.255.11 255.255.255.224
ip access-group spd-in in
ip access-group spd-out out
no snmp trap link-status
!
interface FastEthernet0/1
ip address 213.87.xx 255.255.255.252
ip access-group Ints_InterNet_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
duplex auto
speed auto
no cdp enable
arp timeout 100
!
interface Serial0/0/0:0
ip address 80.89.xx 255.255.255.252
ip access-group Ints_InterNet_in in
no ip redirects
no ip unreachables
no ip proxy-arp
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 10.0.0.0 255.0.0.0 10.132.255.1
ip route 83.246.135.100 255.255.255.255 Serial0/0/0:0
ip flow-export version 5
!
no ip http server
ip http authentication local
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 45
ip nat translation max-entries all-host 2000
ip nat inside source list 10 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.50.x yyy interface FastEthernet0/1 xxx
ip nat inside source static tcp 192.168.50.y yyy interface FastEthernet0/1 xxx
ip nat inside source static tcp 192.168.50.z yyy interface FastEthernet0/1 xxx
!
ip access-list standard R0
!
ip access-list extended DMZ_in
permit ip any host 8.8.8.8
permit ip any host 8.8.4.4
permit icmp any host 192.168.50.1
permit udp any host 192.168.50.1 eq ntp
permit ip any host 192.168.111.xx
permit ip any host 192.168.10.xxx
deny ip any 192.168.0.0 0.0.255.255
permit icmp any any echo
permit tcp host 192.168.50.xxx eq www host 80.89.xxx.xxx log
permit tcp host 192.168.50.xxx eq 554 host 80.89.xxx.xxx
permit udp host 192.168.50.xx any eq xxx
permit tcp host 192.168.50.xxx eq xxx any
deny ip any any
ip access-list extended DMZ_out
permit ip host 8.8.8.8 any
permit ip host 8.8.4.4 any
permit icmp host 192.168.50.xxx any
permit udp host 192.168.50.xxx eq ntp any
permit ip host 192.168.111.xxx any
permit ip host 192.168.10.xxx any
deny ip 192.168.0.0 0.0.255.255 any
permit icmp any any echo-reply
permit tcp host 80.89.xxx.xxx host 192.168.50.xxx eq xxx
permit tcp host 80.89.xxx.xxx host 192.168.50.xxx eq xxx
permit udp any eq xxx host 192.168.50.xxx
permit tcp any host 192.168.50.xxx eq xxx
deny ip any any log
permit ip any host 192.168.111.xxx
ip access-list extended GUESTS-in
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
permit ip host 192.168.10.xxx any
permit ip host 192.168.12.xxx any
permit ip host 192.168.13.xxx any
permit ip host 192.168.14.xxx any
permit ip host 192.168.15.xxx any
permit telnet
deny tcp any any eq 4899
deny tcp any any eq 310
deny tcp any any range 135 139
deny udp any any range 135 netbios-ss
deny udp any range 135 netbios-ss any
deny ip any 192.168.111.0 0.0.0.255
deny ip any 192.168.100.0 0.0.0.255
permit ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255
udp any any eq echo
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq nntp
permit tcp any any eq 443
permit tcp any any eq 5222
permit tcp any any eq daytime
permit tcp any any eq 465
permit tcp any any eq 995
permit tcp any any eq 9000
permit tcp any host 80.89.131.170 eq 1935
permit ip host 192.168.11.xxx any
permit ip host 192.168.111.xxx any
deny ip any any
ip access-list extended Inside_F0/0.111_in
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 127.0.0.0 0.255.255.255
permit ip any any
ip access-list extended
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit udp any any eq ntp
permit tcp any any eq domain
permit udp any any eq domain
permit icmp host 213.87.xxx.xxx host 213.87.xx.xxx
permit icmp host 80.89.xxx.xxx host 80.89.xxx.xxx
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit icmp any any traceroute
permit icmp any any reassembly-timeout
deny icmp any any
permit tcp host 80.89.140.xxx host 213.87.116.xxx eq telnet
permit tcp host 80.89.140.xxx host 80.89.140.xxx eq telnet
deny tcp any any lt 1024
deny udp any any lt 1024
permit ip any any
ip access-list extended spd-in
permit ip 0.0.0.0 255.255.255.128 host 10.132.255.11
permit ip host 10.132.232.50 host 10.132.255.11
permit ip host 10.132.79.205 host 10.132.255.11
permit tcp host 10.132.207.7 host 10.132.255.11 eq telnet
permit ip host 10.132.227.251 any
permit tcp host 10.132.227.7 host 10.132.255.11 eq telnet
deny ip any any
ip access-list extended spd-out
deny ip any any
!
access-list 10 permit 192.168.0.0 0.0.255.255
snmp-server community public RO
disable-eadi
!
control-plane
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
exec-timeout 0 0
login local
line vty 5 10
exec-timeout 0 0
login local
!
scheduler allocate 20000 1000
ntp clock-period 17178295
ntp server 194.25.115.122
ntp server 89.108.81.77 prefer
end
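
An added example, not part of the question or its author's config: a Python audit of the NAT-related parts of an IOS config like the one above, checking that the overload interface is marked ip nat outside, that every ip nat inside subnet is actually matched by the NAT source ACL, and flagging interfaces that carry no NAT role at all. The config excerpt is constructed from the posted one (most sub-interfaces omitted, the masked public address replaced with a documentation address), and parse_interfaces, parse_nat_source and audit_nat are names chosen here.

```python
import ipaddress
import re
# Constructed excerpt of the posted config: most sub-interfaces omitted and the
# masked public address replaced with an RFC 5737 documentation address.
SAMPLE_CONFIG = """\
interface FastEthernet0/0.10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface FastEthernet0/0.50
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
ip nat inside source list 10 interface FastEthernet0/1 overload
access-list 10 permit 192.168.0.0 0.0.255.255
"""

def parse_interfaces(config):
    # name -> {"nets": [IPv4Network, ...], "role": "inside" | "outside" | None}
    ifaces, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"nets": [], "role": None})
        elif cur and (m := re.match(r"\s*ip address (\S+) (\S+)", line)):
            cur["nets"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif cur and (m := re.match(r"\s*ip nat (inside|outside)\s*$", line)):
            cur["role"] = m[1]
    return ifaces

def parse_nat_source(config):
    # (ACL id, overload interface, networks that ACL admits into translation)
    acl, out_if = re.search(r"ip nat inside source list (\S+) interface (\S+) overload", config).groups()
    rules = re.findall(rf"^access-list {acl} permit (\S+) (\S+)", config, re.M)
    # ipaddress reads an IOS wildcard as a hostmask; only 0.0.0.0 (a host entry) needs mapping to /32
    return acl, out_if, [ipaddress.ip_network(f"{s}/{32 if w == '0.0.0.0' else w}", strict=False) for s, w in rules]

def audit_nat(config):
    ifaces = parse_interfaces(config)
    acl, out_if, nat_nets = parse_nat_source(config)
    findings = []  # empty list: the NAT domain itself is consistent
    if ifaces.get(out_if, {}).get("role") != "outside":
        findings.append(f"{out_if}: overload interface is not 'ip nat outside'")
    for name, info in ifaces.items():
        if info["role"] is None:
            findings.append(f"{name}: no NAT role, packets routed via it are not translated")
        for net in info["nets"]:
            if info["role"] == "inside" and not any(net.subnet_of(n) for n in nat_nets):
                findings.append(f"{name}: inside network {net} is not matched by access-list {acl}")
    return findings
```

Run it against the full running-config to get the same report for every sub-interface; the ACL 10 range of 192.168.0.0/16 covers all the posted inside subnets, so a clean result here points the search away from the NAT domain definition and towards translation limits, ARP, or the path itself.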
