为什么 Cisco IOS 路由器在大量下载时会挂起?

为什么 Cisco IOS 路由器在大量下载时会挂起?

经过几年的使用。我们发现,如果您下载的单个文件超过 100M,Cisco 871 和 851 路由器就会挂起。这种情况是间歇性的。有时问题会消失,有时下载的文件很小(只有 10KB 的网页)。似乎几乎所有的下载最终都会完成,但下载的文件越大,挂起的时间就越长。

有办法解决这个问题吗?(除了更换路由器,我们一直在这样做)

我们正在重新审视思科 851已经使用一年零两个月了。此时,似乎又出现了类似的挂起,只是规模小得多。在本例中,客户购买了30Mbps互联网连接断开,他们只能获得5Mbps/20Mbps上传/下载。有时,下载速度会降至 5Mbps。

下次我出去时(希望是下周),我将尝试下面已经建议的内容并编辑我的发现。

我在 Vlan1 和 Fa4 上设置了 ACL。我还有几个 ACL 被替换了,没有使用。ACL 大约有 45 行,其中大约一半是注释。我已将配置发布在下面。个人信息被隐藏,例如WAN IPhostname HIDDEN

如果您有任何建议,比如配置代码的性能改进,或者有关是否可以在 851 上实现 30Mbps 的信息,我们将不胜感激。

Current configuration : 18157 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HIDDEN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 --GIBBERISH---
!
aaa new-model
!
!         
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
!
aaa session-id common
clock timezone EST -5
!
crypto pki trustpoint TP-self-signed-4140887523
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4140887523
 revocation-check none
 rsakeypair TP-self-signed-4140887523
!
!
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 60
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1 
   lease 0 2
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server --DNS Server 1-- --DNS Server 2-- 
   default-router 192.168.1.1 
!
!
ip cef
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 dns
no ip bootp server
no ip domain lookup
ip domain name noexist.example.com
ip name-server --DNS Server 2--
ip name-server --DNS Server 1--
!
appfw policy-name DEFAULT100
  application im aol
    service default action reset 
    service text-chat action reset 
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
  application im msn
    service default action reset 
    service text-chat action reset 
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
  application http
    port-misuse im action reset alarm
  application im yahoo
    service default action reset 
    service text-chat action reset 
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name messenger.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
!
!
!
username surfn privilege 15 secret 5 $1$1hrm$0yfIN0jK56rOm9cXfm2a21
! 
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!         
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address --WAN IP-- 255.255.255.0
 ip access-group 123 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 --ISP Gateway--
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark Telnet, SSH access
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny   any
access-list 2 remark HTTP, HTTPS access
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 101 HIDDEN
access-list 102 HIDDEN
access-list 121 HIDDEN
access-list 122 HIDDEN
access-list 123 HIDDEN
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device 
and it provides the default username "cisco" for  one-time use. If you have 
already used the username "cisco" to login to the router and your IOS image 
supports the "one-time" user option, then this username has already expired. 
You will not be able to login to the router with this username after you exit 
this session.

It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you 
want to use.

-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 privilege level 15
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

答案1

乔治,我看到了以下消息:

%FW-4-TCP_OoO_SEG:丢弃 TCP 段:seq:3558911335 1500 字节乱序;预期 seq:3558888055。原因:TCP 重组队列溢出 - 会话 192.168.23.38:54435 至 65.199.63.58:801024

通过扩展队列重组队列,以下命令似乎对我有用。

ip 检查 tcp 重组队列长度 1024

我想这是不太可能的,因为我不知道你的配置。希望这能有所帮助!

科林·贾奇诺

答案2

这些路由器后面有多少用户?大概您正在对单个外部地址进行 NAT。现代软件,尤其是像 Facebook 聊天等 Web 服务,会打开大量并发 TCP 连接。我相信思科有一个静态大小的 NAT 转换表。它可能溢出并驱逐最旧的连接?恐怕我无法提供任何关于检查 NAT 表是否溢出的建议。

我不会怀疑固件,特别是如果它之前已经运行了好几年。但是,我建议快速检查一下接口统计信息。如果您在接口上看到丢弃、无效、badrx 校验和等错误,那么这很可能就是问题的根源。要么是硬件故障,要么是电气隔离不足,要么是其他原因。我已经停止计算过去 3-4 年里我见过多少台“廉价”5 端口 10/100 或千兆交换机由于内部电容器膨胀/爆炸而半失效、变得不一致和不稳定。

  show interfaces counters errors

语句应该能够非常快速地识别出任何有问题的接口。

祝你好运。

答案3

这听起来很像路径 MTU 问题,其中路径在传输过程中使用不同的 MTU 进行切换,并且由于no ip unreachables已定义,它不会通知需要对数据包进行分段。

使用不同大小的 ping 数据包进行测试相当容易,或者如果问题经常发生,则将命令ip tcp adjust-mss 1360放在出站路径 WAN 接口或在本例中为 Fa4 中。1360 应该安全地低于任何缩小的 MTU,并且不会严重影响吞吐量。

如果使用此命令可以解决此问题,则是 MTU 问题,您可以尝试将其提高到 1440 或 1460 以获得一点吞吐量。

我看不到你的 ACL,但请确保你至少允许 permit icmp any any packet-too-big

相关内容