Cisco 877 VPN working, but only 2 laptops can use tunnel at a time

Oct 11th, 2007

Hi, I have a Cisco 877 router in VPN mode to a Cisco 3015. The VPN is up and my first laptop is working fine over it. I have added a second and that seems fine; the 3rd, however, takes forever to log on, and when it does it can ping everything (IP, DNS) over the VPN but can't open email or Citrix, even though it can ping them. I have tried 3 more PCs and they are the same.


I had this error on the console; is it related? And what debug commands can I run to see if the VPN is doing something?


Oct 11 14:06:49.748: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Router-877>
Oct 11 14:52:36.618: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Oct 11 14:52:36.666: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3775764964 1500 bytes is out-of-order; expected seq:3775744524. Reason: TCP reassembly queue overflow - session 172.19.15.14:2182 to 192.168.21.20:80
Router-877>
Router-877>

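The two console messages in the post are worth catching in syslog before the users start complaining. The script below is an added example, not code from the post or from Cisco: it parses the `%IP_VFR-4-FRAG_TABLE_OVERFLOW` and `%FW-4-TCP_OoO_SEG` lines into structured events and summarises them per interface and per session. The sample input reuses the three lines quoted above plus one constructed Vlan1 line; the field names are my own.

```python
"""Parse the two IOS syslog messages from the post and summarise them.

Added example. The regexes match the message formats as quoted in the
post; other IOS releases may word them differently.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# First three lines copied from the console capture in the post; the fourth is a
# constructed duplicate on Vlan1 so the per-interface count has something to show.
SAMPLE_LOG = """\
Oct 11 14:06:49.748: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Oct 11 14:52:36.618: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Oct 11 14:52:36.666: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3775764964 1500 bytes is out-of-order; expected seq:3775744524. Reason: TCP reassembly queue overflow - session 172.19.15.14:2182 to 192.168.21.20:80
Oct 11 14:53:01.004: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Vlan1: the fragment table has reached its maximum threshold 16
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+): (?P<body>.*)$")
VFR_RE = re.compile(
    r"^%IP_VFR-4-FRAG_TABLE_OVERFLOW: (?P<intf>\S+): "
    r"the fragment table has reached its maximum threshold (?P<limit>\d+)$")
OOO_RE = re.compile(
    r"^%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:(?P<seq>\d+) (?P<size>\d+) bytes "
    r"is out-of-order; expected seq:(?P<expected>\d+)\. Reason: (?P<reason>.+?) - session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$")


@dataclass
class VfrOverflow:
    ts: str
    interface: str
    limit: int          # the max-reassemblies value the interface hit


@dataclass
class OooSegment:
    ts: str
    seq: int
    size: int
    expected: int
    reason: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def gap(self) -> int:
        """Bytes between the segment the firewall expected and the one it saw (mod 2^32)."""
        return (self.seq - self.expected) % (1 << 32)


Event = Union[VfrOverflow, OooSegment]


def parse_line(line: str) -> Optional[Event]:
    """Return a typed event for the two messages of interest, None for anything else."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    ts, body = m.group("ts"), m.group("body")
    v = VFR_RE.match(body)
    if v:
        return VfrOverflow(ts, v.group("intf"), int(v.group("limit")))
    o = OOO_RE.match(body)
    if o:
        return OooSegment(ts, int(o.group("seq")), int(o.group("size")), int(o.group("expected")),
                          o.group("reason"), o.group("src"), int(o.group("sport")),
                          o.group("dst"), int(o.group("dport")))
    return None


def summarize(text: str) -> Dict[str, object]:
    """Count VFR overflows per interface and collect the out-of-order drops."""
    events: List[Event] = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    overflows: Dict[str, int] = {}
    for e in events:
        if isinstance(e, VfrOverflow):
            overflows[e.interface] = overflows.get(e.interface, 0) + 1
    drops = [e for e in events if isinstance(e, OooSegment)]
    return {"vfr_overflows": overflows, "ooo_drops": drops}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for intf, n in s["vfr_overflows"].items():
        print(f"{intf}: fragment table full {n} time(s)")
    for d in s["ooo_drops"]:
        print(f"{d.ts} {d.src}:{d.sport}->{d.dst}:{d.dport} dropped {d.size}B, "
              f"{d.gap} bytes ahead of what the firewall expected ({d.reason})")
```

The gap on the one dropped segment is 20440 bytes, roughly fourteen full-size segments that the firewall never saw before this one arrived; that is the pattern to look for when suspecting large packets are being dropped somewhere on the path, and the repeated overflows on Dialer1 say which interface to start on.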
lgijssel Thu, 10/11/2007 - 08:10

Not if all PCs were configured identically.

My guess is that some of them have a fixed MTU or the MTU on your VPN is too small.

The latter is something that your ISP should know more about.

It can do no harm to configure tcp-mss on the router as described in the URL.


Leo


whiteford Thu, 10/11/2007 - 08:53

Leo, thanks for your help here. I'm not sure it can be the ISP, as my Cisco 837s and 1841 work fine. I don't remember setting this on the others. Interesting thing is, though, I do have access lists working, denying stuff; I will post the config when I get home.


I take it from the example that I would have to add an ip tcp adjust-mss to the global config?



lgijssel Thu, 10/11/2007 - 09:27

Fragmentation occurs when a datagram is larger than the link can transport. This can severely affect the performance of a connection.

Considering the log messages you received, I did not initially think it likely that this was acl-related. The fact that two PCs are working may be pointing in this direction, though.

After giving it a second thought, my hunch is that you could have two issues at the same time:

1: An incorrectly set MTU that is causing the fragment-messages.

2: A bad acl that is blocking all hosts but two.


Let us know how it develops!


Leo

whiteford Thu, 10/11/2007 - 10:11

Hello,


Interestingly enough, I can't see that I have set the MTU (ip tcp adjust-mss) on any config. Is this bad? Would this be set on ATM 0 or Dialer 1, or not?


On one of the pages of your link it says a problem could be having:


access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-list 101 deny icmp any any

access-list 101 permit ip any any


Look at my 877 config and at the top of my "ip access-list extended inbound_acl"


I'm very new to this; could this have anything to do with it?


Thanks
lgijssel Thu, 10/11/2007 - 11:53

This seems like a fairly complicated acl indeed for someone who is new to this. ;-) Just for a test, try the following:

conf t
interface Vlan1
no ip inspect outbound in
interface Dialer1
no ip access-group inbound_acl in
end


Then try again. At least you will know whether the cause is in your acl or not.


Leo

whiteford Thu, 10/11/2007 - 12:22

He he, a guy who left did a lot of this.


Without the access lists, will this allow everything or the opposite through the tunnel?


Do you think I should add an mtu setting too?


Can't wait to try this, will do it when I get to work.

whiteford Fri, 10/12/2007 - 00:58

Update:


I did what you asked:


conf t
interface Vlan1
no ip inspect outbound in
interface Dialer1
no ip access-group inbound_acl in
end


And I still get the same issues. Even stranger, I put 3 laptops into the hub that comes off (FE0/0) the Cisco 837: the 2 that worked yesterday still do; if I put a third in then that does work, and that's any laptop or PC.


I noticed that one of the 2 that had worked had problems connecting when I put the 3rd one in too; when I took the 3rd one off it was OK.


I also tried the 1841 and 837 routers again and they are fine and use almost the same config.


Not sure what debug commands I could run?

Looks like the 3rd laptop can access the internet via the VPN though.

Danilo Dy Fri, 10/12/2007 - 01:07

Hi,


It seems that the number of datagrams being reassembled at one time has reached its maximum limit.


1. Try increasing the maximum number of datagrams that it can reassemble at one time with this command:

ip virtual-reassembly max-reassemblies

2. Check also your laptops; maybe one of them is infected with a virus and sending DDoS.


Regards,

Dandy

whiteford Fri, 10/12/2007 - 01:29

What interface do I put that on, Dandy, and it says 1-1024?


I have tried so many different laptops.

whiteford Fri, 10/12/2007 - 02:02

I'll add it to ATM 0, dialer 1 and VLAN 1.


I'll try ip virtual-reassembly max-reassemblies 64 max-fragments 16 timeout 5


Just tried the 1841, all is good on the same ADSL line and very similar config.

whiteford Fri, 10/12/2007 - 02:33

I turned debug ip virtual-reassembly on, see file attached, hope it helps. I will go through the doc now.


172.19.15.12 is having issues it shows up in the attachment.


This might help:


Router-877#sh ip virtual-reassembly
ATM0:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF

Current reassembly count:0
Current fragment count:0
Total reassembly count:0
Total reassembly timeout count:0

Vlan1:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF

Current reassembly count:0
Current fragment count:0
Total reassembly count:3
Total reassembly timeout count:0

Dialer1:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF

Current reassembly count:0
Current fragment count:0
Total reassembly count:4
Total reassembly timeout count:0





whiteford Fri, 10/12/2007 - 05:06

I think I have solved it. Under the interface Vlan 1 I had a "no ip unreachables"; I added "ip unreachables" and bang, everything started to work on the laptops.


For my understanding, does it make sense why this would cause these problems?

Danilo Dy Fri, 10/12/2007 - 06:40

Hi,


Looks like an MTU problem then.


The "no ip unreachables" switches off the ICMP "packet too big" and/or "fragmentation needed and DF bit set" message for an interface. It also disables IP Path MTU discovery, because path discovery is created/provided by "unreachable messages".


But this is the first time I have seen enabling "ip unreachables" fix a certain problem with MTU, because all hosts send packets with the DF bit and most systems have a fixed MTU of 1500, or in the case of tunneling there's a workaround like tcp mss.


On top of that, IOS hardening recommends applying "no ip unreachables" on the interface.


But hey, you fixed the problem :)


Regards,

Dandy
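Leo's tcp-mss suggestion and Dandy's PMTUD explanation come together in a bit of arithmetic, worked through below as an added example that is not code from the thread or from Cisco. The transform sets and the 1500/1492 MTUs are assumptions (confirm the negotiated transform with `show crypto ipsec sa` and the dialer MTU with `show interfaces Dialer1` before trusting the number). It computes how large an ESP tunnel-mode packet becomes for a given TCP payload, whether a host's default 1460-byte MSS overflows the path MTU, and the `ip tcp adjust-mss` value that avoids it.

```python
"""Added example: how much room ESP tunnel mode leaves for TCP payload, and the
ip tcp adjust-mss value that keeps post-encryption packets under the path MTU.

Header sizes are the standard ones (IPv4/TCP without options, RFC 4303 ESP);
the two transform sets are assumptions about what the 877 and the 3015 negotiate.
"""
from dataclasses import dataclass

IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
ESP_SPI_SEQ = 8      # ESP SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
UDP_HDR = 8          # NAT-T UDP/4500 encapsulation, if negotiated


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int      # CBC IV bytes
    block: int       # cipher block size; plaintext + trailer is padded to a multiple
    icv_len: int     # truncated HMAC (HMAC-SHA1-96 -> 12 bytes)


# Assumed transform sets (Cisco transform-set names); confirm with `show crypto ipsec sa`.
DES3_SHA1 = EspSuite("esp-3des esp-sha-hmac", iv_len=8, block=8, icv_len=12)
AES128_SHA1 = EspSuite("esp-aes esp-sha-hmac", iv_len=16, block=16, icv_len=12)


def esp_packet_size(tcp_payload: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Size on the wire of one TCP segment after ESP tunnel-mode encapsulation."""
    inner = IP_HDR + TCP_HDR + tcp_payload               # the packet the laptop sent
    plaintext = inner + ESP_TRAILER
    padded = -(-plaintext // suite.block) * suite.block   # round up to the block size
    outer = IP_HDR + (UDP_HDR if nat_t else 0)
    return outer + ESP_SPI_SEQ + suite.iv_len + padded + suite.icv_len


def will_fragment(tcp_payload: int, path_mtu: int, suite: EspSuite, nat_t: bool = False) -> bool:
    """True if the encrypted packet exceeds the MTU, so it must be fragmented or,
    with DF set and ICMP unreachables suppressed on the router, silently dropped."""
    return esp_packet_size(tcp_payload, suite, nat_t) > path_mtu


def max_mss(path_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest TCP payload whose ESP-encapsulated packet still fits in path_mtu.
    Padding makes the size step-wise, so walk down instead of a single subtraction."""
    mss = path_mtu - IP_HDR - TCP_HDR        # what a host would pick on its own
    while mss > 0 and will_fragment(mss, path_mtu, suite, nat_t):
        mss -= 1
    return mss


def adjust_mss_command(path_mtu: int, suite: EspSuite, nat_t: bool = False) -> str:
    """The IOS interface command that clamps the MSS in transiting SYNs to that value."""
    return f"ip tcp adjust-mss {max_mss(path_mtu, suite, nat_t)}"


if __name__ == "__main__":
    for mtu in (1500, 1492):            # 1492 is typical for PPPoE; 1500 for PPPoA/ATM
        for suite in (DES3_SHA1, AES128_SHA1):
            for nat_t in (False, True):
                print(f"mtu={mtu} {suite.name:<22} nat-t={str(nat_t):<5} "
                      f"default MSS 1460 fragments: {will_fragment(1460, mtu, suite, nat_t)!s:<5} "
                      f"-> {adjust_mss_command(mtu, suite, nat_t)}")
```

With the clamp applied on the inside interface (Vlan1 here) the laptops never send a segment the tunnel has to fragment, so the connection no longer depends on the ICMP messages that `no ip unreachables` suppresses; that is why the MSS clamp is the usual companion to hardening guidance that says to leave unreachables off on the outside.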

whiteford Fri, 10/12/2007 - 06:46

I added ip unreachables to Vlan 1 and Dialer 1, so it might have been Dialer 1 too. I left ip virtual-reassembly on the interfaces; to tidy things, should I be adding the max rate or setting the MTU rate?



Just wondered what your thoughts were.


Thanks
