10-11-2007 07:09 AM - edited 03-03-2019 07:07 PM
Hi, I have a Cisco 877 router in VPN mode to a Cisco 3015. The VPN is up and my first laptop is working fine over it. I have added a second and that seems fine; the 3rd however takes forever to log on, and when it does it can ping everything (IP, DNS) over the VPN, but can't open Emails or Citrix even though it can ping them. I have tried 3 more PCs and they are the same.
I had this error on the console; is it related? And what debug commands can I run to see if the VPN is doing something?
Oct 11 14:06:49.748: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Router-877>
Oct 11 14:52:36.618: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Oct 11 14:52:36.666: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3775764964 1500 bytes is out-of-order; expected seq:3775744524. Reason: TCP reassembly queue overflow - session 172.19.15.14:2182 to 192.168.21.20:80
10-11-2007 07:34 AM
This appears to me as an MTU-size problem.
The link below describes this situation, and how to resolve it, in more detail:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
regards,
Leo
10-11-2007 07:37 AM
Could this cause the VPN issue I described?
10-11-2007 08:10 AM
Not if all PCs were configured identically.
My guess is that some of them have a fixed MTU, or the MTU on your VPN is too small.
The latter is something that your ISP should know more about.
It can do no harm to configure tcp-mss on the router as described in the URL.
Leo
10-11-2007 08:53 AM
Leo, thanks for your help here. I'm not sure it can be the ISP, as my Cisco 837s and 1841 work fine. I don't remember setting this on the others. Interesting thing is, though, I do have access lists working with denying stuff; I will post the config when I get home.
I take it from the example that I would have to add an ip tcp adjust-mss to the global config?
10-11-2007 09:27 AM
Fragmentation occurs when a datagram is larger than the link can transport. This can severely affect the performance of a connection.
Considering the log messages you received, I did not initially think it likely that this was acl-related. The fact that two PCs are working may be pointing in this direction, though.
After giving it a second thought, my hunch is that you could have two issues at the same time:
1: An incorrectly set MTU that is causing the fragment-messages.
2: A bad acl that is blocking all hosts but two.
Let us know how it develops!
Leo
10-11-2007 10:11 AM
Hello,
Interestingly enough, I can't see that I have set the MTU (ip tcp adjust-mss) on any config. Is this bad? Would this be set on the ATM 0 or Dialer 1, or not?
On one of the pages of your link it says a problem could be having:
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any
access-list 101 permit ip any any
Look at my 877 config and at the top of my "ip access-list extended inbound_acl".
I'm very new to this; could this be anything to do with it?
Thanks
10-11-2007 11:53 AM
This seems like a fairly complicated acl indeed for someone who is new to this. ;-) Just for a test, try the following:
conf t
interface Vlan1
no ip inspect outbound in
interface Dialer1
no ip access-group inbound_acl in
end
Then try again. At least you will know whether the cause is in your acl or not.
Leo
10-11-2007 12:22 PM
He he, a guy who left did a lot of this.
Without the access lists, will this allow everything or the opposite through the tunnel?
Do you think I should add an mtu setting too?
Can't wait to try this, will do it when I get to work.
10-12-2007 12:58 AM
Update:
I did what you asked:
conf t
interface Vlan1
no ip inspect outbound in
interface Dialer1
no ip access-group inbound_acl in
end
And I still get the same issues. Even stranger, I put 3 laptops into the hub that comes off (FE0/0) the Cisco 837; the 2 that worked yesterday still do, and if I put a third in then that does work, and that's any laptop or PC.
I noticed that one of the 2 that had worked had problems connecting when I put the 3rd one in too; when I took the 3rd one off it was ok.
I also tried the 1841 and 837 routers again and they are fine and use almost the same config.
Not sure what debug commands I could run?
Looks like the 3rd laptop can access the internet via the VPN, though.
10-12-2007 01:07 AM
Hi,
It seems that the number of datagrams being reassembled at one time has reached its maximum limit.
1. Try increasing the maximum number of datagrams that can be reassembled at one time with this command:
ip virtual-reassembly max-reassemblies
2. Check also your laptops; maybe one of them is infected with a virus and sending DDOS.
Regards,
Dandy
10-12-2007 01:29 AM
What interface do I put that on, Dandy, and it says 1-1024?
I have tried so many different laptops.
10-12-2007 01:54 AM
Hi,
In the 877 interfaces:
- Interface connecting to the LAN of your laptops
- Interface connecting to the remote VPN device
Check this link about VFR: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_8/gt_vfrag.htm
Regards,
Dandy
10-12-2007 02:02 AM
I'll add it to ATM 0, Dialer 1 and VLAN 1.
I'll try ip virtual-reassembly max-reassemblies 64 max-fragments 16 timeout 5
Just tried the 1841; all is good on the same ADSL line and a very similar config.
10-12-2007 02:33 AM
I turned debug ip virtual-reassembly on; see the file attached, hope it helps. I will go through the doc now.
172.19.15.12 is having issues; it shows up in the attachment.
This might help:
Router-877#sh ip virtual-reassembly
ATM0:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF
Current reassembly count:0
Current fragment count:0
Total reassembly count:0
Total reassembly timeout count:0
Vlan1:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF
Current reassembly count:0
Current fragment count:0
Total reassembly count:3
Total reassembly timeout count:0
Dialer1:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF
Current reassembly count:0
Current fragment count:0
Total reassembly count:4
Total reassembly timeout count:0
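Before raising max-reassemblies, a defender would want to confirm that the %IP_VFR-4-FRAG_TABLE_OVERFLOW messages really line up with the configured limit on the interface named in the log, and to list which TCP sessions the firewall is dropping for reassembly-queue overflow (a burst of these from one LAN host is exactly the "infected laptop" case Dandy raises). The following Python script is an added example, not code from any poster in this thread or from Cisco: it parses syslog lines and "show ip virtual-reassembly" output in the formats quoted above (the sample text below is constructed from those quotes), and reports per-interface saturation and the dropped sessions. The message layouts it matches are assumed from this thread, not from Cisco documentation.

```python
"""Correlate Cisco IOS VFR / firewall syslog lines with 'show ip virtual-reassembly'.

Added example for this thread (not the posters' code, not a Cisco tool).
Message formats are assumed from the lines quoted in the thread.
"""
import re

# Constructed sample: the three console lines quoted at the top of the thread.
SAMPLE_SYSLOG = """\
Oct 11 14:06:49.748: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Oct 11 14:52:36.618: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
Oct 11 14:52:36.666: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:3775764964 1500 bytes is out-of-order; expected seq:3775744524. Reason: TCP reassembly queue overflow - session 172.19.15.14:2182 to 192.168.21.20:80
"""

# Constructed sample: two interfaces from the 'sh ip virtual-reassembly' output above.
SAMPLE_SHOW_VFR = """\
Vlan1:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF
Current reassembly count:0
Current fragment count:0
Total reassembly count:3
Total reassembly timeout count:0
Dialer1:
Virtual Fragment Reassembly (VFR) is ENABLED...
Concurrent reassemblies (max-reassemblies): 16
Fragments per reassembly (max-fragments): 32
Reassembly timeout (timeout): 3 seconds
Drop fragments: OFF
Current reassembly count:0
Current fragment count:0
Total reassembly count:4
Total reassembly timeout count:0
"""

# VFR overflow: "<interface>: ... maximum threshold <n>"
VFR_OVERFLOW_RE = re.compile(
    r"%IP_VFR-4-FRAG_TABLE_OVERFLOW: (?P<intf>[^:]+): .*threshold (?P<threshold>\d+)")
# Firewall out-of-order drop: "... session <src>:<sport> to <dst>:<dport>"
OOO_RE = re.compile(
    r"%FW-4-TCP_OoO_SEG: .*session (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)")

# 'show' output: an interface header is a single token followed by a colon.
INTF_HEADER_RE = re.compile(r"^(\S+):$")
# A counter line: "<label> (<key>): <n>" or "<label>:<n>"; non-numeric values are skipped.
COUNTER_RE = re.compile(r"^(?P<name>[^:(]+?)\s*(?:\((?P<key>[\w-]+)\))?:\s*(?P<value>\d+)")


def parse_syslog(text):
    """Return a list of event dicts for the two message types the thread shows."""
    events = []
    for line in text.splitlines():
        m = VFR_OVERFLOW_RE.search(line)
        if m:
            events.append({"type": "vfr_overflow", "intf": m["intf"],
                           "threshold": int(m["threshold"])})
            continue
        m = OOO_RE.search(line)
        if m:
            events.append({"type": "tcp_ooo", "src": m["src"], "dst": m["dst"],
                           "dport": int(m["dport"])})
    return events


def parse_show_vfr(text):
    """Map each interface to its VFR settings and counters, e.g. {'Dialer1': {'max-reassemblies': 16, ...}}."""
    state, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = INTF_HEADER_RE.match(line)
        if m:
            current = m.group(1)
            state[current] = {}
            continue
        if current is None:
            continue
        m = COUNTER_RE.match(line)
        if m:
            # Use the CLI keyword in parentheses when present, else a snake_case label.
            key = m["key"] or m["name"].strip().lower().replace(" ", "_")
            state[current][key] = int(m["value"])
    return state


def find_saturated_interfaces(events, vfr_state):
    """Count overflow events per interface whose logged threshold equals the configured limit."""
    hits = {}
    for ev in events:
        if ev["type"] != "vfr_overflow":
            continue
        limit = vfr_state.get(ev["intf"], {}).get("max-reassemblies")
        if limit is not None and ev["threshold"] >= limit:
            hits[ev["intf"]] = hits.get(ev["intf"], 0) + 1
    return hits


def ooo_sessions(events):
    """Distinct (src, dst, dport) tuples the firewall dropped for reassembly-queue overflow."""
    return {(ev["src"], ev["dst"], ev["dport"]) for ev in events if ev["type"] == "tcp_ooo"}


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    vfr = parse_show_vfr(SAMPLE_SHOW_VFR)
    print("saturated:", find_saturated_interfaces(evs, vfr))
    print("dropped sessions:", sorted(ooo_sessions(evs)))
```

Run it against a real "show logging" and "show ip virtual-reassembly" capture instead of the embedded samples; an interface that shows up in the saturation map with a limit of 16 is the one to tune, and a single LAN source dominating the dropped-session set is the host to inspect before touching the router.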