6509 CATOS FE Ports Failing

Unanswered Question
Feb 23rd, 2007

I have this 6509 switch loaded with CATOS, trunked to a 7500 router using ISL - they are interconnected with another 6509 switch and a 7513 router. They've been in production for 4 years.

I have multiple firewalls (multiple vendors) and 1800 routers connected to the problem switch. User complains the IPSEC VPN connection is slow. I found out that the IPSEC VPN tunnel disconnects and reconnects many times in a day. All connections are full-duplex/100BaseT.

Continuous pings of 1k or 10k from the 7513 router to the interfaces of these firewalls and 1800 routers connected to the problem switch have packet drops (99% to 96%). I have to move the firewall and 1800 router connections to other ports, sometimes to the secondary switch, because moving them to other ports in the same switch, even on a different module, doesn't help. This happens one at a time for connected firewalls and 1800 routers, and this is the fourth time; it looks like the switch is dying slowly and quietly. Surprisingly, those affected firewalls and 1800 routers are all Cisco products :)

No errors in the log, no errors on the interfaces; I posted the "show tech-support" in Output Interpreter but it came out with nothing.

If anyone has any idea or has experienced the same, please let me know, thanks :)

If anyone has any suggestions on where to look for the root cause, please let me know, thanks :)

BTW, the packet drops can only be seen using a router to ping the firewalls and 1800 routers, wherever that ping source router is located in the internet. Packet drops will not show in MS-DOS, UNIX, VisualRoute, and Ping Plotter - only from router :)

hoogen_82 Fri, 02/23/2007 - 06:42

Hmm, just giving a wild guess thinking about your scenario: try `no ip redirects`, basically cut down on your ICMP redirects on your SVI and router interfaces.

HTH

Hoogen

Danilo Dy Fri, 02/23/2007 - 06:45

Oh, I have all necessary security in place including interface level security like you mentioned. I have the "Hardening Cisco Routers" book :)

FYI, after moving the firewall and 1800 router connections to other ports or the secondary switch, the user problems disappear :) The packet drops disappear as well :)
