Is this a router Issue?

Nov 4th, 2009

Hi to all,


Forgive me if this is the wrong section, but I am just practically clueless where I will place my question.


I am puzzled by an issue which I've just stumbled upon recently. I have this client, a university here in the Philippines, and they are having some trouble regarding their website. They have a Cisco 1841 router with IOS 12.4(3i).


You see, from their intranet, they can go anywhere from browsing sites all over the internet and of course accessing their own internal servers. The problem is when they are accessing the server, their website over the internet.


They have a 4mbps connection, and they claim it is 4mbps on both the upload and the download. I've looked into their router's running config, yes they have NAT-ed port 80, 81 and 443 of the said server so that users over the internet can browse through their website. I also noticed a QoS Mapping for the server and the protocols required to run it.


This one is for the protocols like dns, http, pop3, shttp, smtp and ssh

class Priority_protocol1
 bandwidth percent 20
 police cir 2000000


and this one's for the server itself


class high
 police cir 3000000
  exceed-action drop


Our problem here is that many users on the internet are complaining that they cannot access the webpage; worse, their browser pops up the "Page Cannot be displayed" message. But they can access the webpage on their intranet. I have also checked the CPU and memory utilization, and it is nowhere near 25%.


I have also tried to ping the server's public address for one whole day and fair enough, it generated just about 7% loss. But on that same day, I'm trying to access their website but there are times when I can view their webpage and sometimes I can't. It's just so random...


I don't know where to look. I am not even sure if it is the router's fault, the configuration, the server itself, the number of users, or whether they are exceeding the 3mbps limit so that the router drops the exceeding traffic? Please help.

Giuseppe Larosa Thu, 11/05/2009 - 06:11

Hello Paul,

Post the whole policy-map config.


Be aware that order of operations counts, like in an ACL:

if class Priority_protocol1 is invoked first, packets to/from the server can also be matched there and not on the other class-map.


I would consider removing the police commands and using hierarchical QoS with a parent policy-map that shapes all traffic at 4 Mbps and invokes the child policy where the classes with bandwidth commands are placed.


Hope to help

Giuseppe


jfraasch Thu, 11/05/2009 - 06:14

I'd also check any utilization on the internet connection to the server itself. If there is serious congestion then you might see this kind of behaviour as well.


Is the internet connection shared with others?


Good luck.


James

Joseph W. Doherty Thu, 11/05/2009 - 06:18

Could be lots of causes, however, I'm not too keen on their QoS configuration. They might try something simple like:


policy-map simple
 class class-default
  fair-queue

interface ?
 service-policy output simple


Of course, ideally you want to manage both ends of the WAN link. If they don't manage the WAN ingress direction (ISP egress), often the only effective solution is purchase of additional bandwidth.


[edit]

Giuseppe's mention of shaping is good. I forgot to inquire how the 4 Mbps is provided (I assumed something like MLPPP dual E1, but if not, shaping can be critically important).

polofalltrades Thu, 11/05/2009 - 18:18

Hi all,


Thanks for all your replies. They have a 4mbps DSL Connection if I'm not mistaken.


Here is the complete class-map and policy mapping. Actually this was configured before by another person. I'm not really a QoS expert, so please bear with me. I am only interpreting the lines based on my understanding and simple knowledge of Cisco QoS.


class-map match-any high
 description This policy is limited to 2.5mbps connection for server/s that need priority.
 match access-group name server14
 match access-group name server15
 match access-group name server12
 match access-group name server20
class-map match-any medium
 description This policy is limited to 1mbps for server/s that need isolation.
 match access-group name server13
class-map match-any SDM-Transactional-1
 match protocol citrix
 match protocol finger
 match protocol notes
 match protocol novadigm
 match protocol pcanywhere
 match protocol secure-telnet
 match protocol sqlnet
 match protocol sqlserver
 match protocol ssh
 match protocol telnet
 match protocol xwindows
class-map match-all pol-out
class-map match-any SDM-Signaling-1
 match protocol h323
 match protocol rtcp
 match protocol sip
class-map match-any SDM-Routing-1
 match protocol bgp
 match protocol egp
 match protocol eigrp
 match protocol ospf
 match protocol rip
 match protocol rsvp
class-map match-any SDM-Voice-1
 match protocol rtp audio
class-map match-any Priority_protocol1
 match protocol dns
 match protocol http
 match protocol pop3
 match protocol secure-http
 match protocol smtp
 match protocol ssh
class-map match-any SDM-Management-1
 match protocol dhcp
 match protocol dns
 match protocol imap
 match protocol kerberos
 match protocol ldap
 match protocol secure-imap
 match protocol secure-ldap
 match protocol snmp
 match protocol socks
 match protocol syslog
class-map match-any low
 description This policy is limited to 4kbps for server/s does not need high bandwidth.
 match access-group name server10
 match access-group name server11
!
!
policy-map SDM-QoS-Policy-1
 class SDM-Voice-1
  set dscp ef
  priority percent 7
 class SDM-Signaling-1
  set dscp cs3
  bandwidth percent 1
 class SDM-Routing-1
  set dscp cs6
  bandwidth percent 5
 class SDM-Management-1
  set dscp cs2
  bandwidth percent 5
 class SDM-Transactional-1
  set dscp af21
  bandwidth percent 5
 class Priority_protocol1
  bandwidth percent 20
  police cir 2000000
   conform-action transmit
   exceed-action drop
 class class-default
  fair-queue
  random-detect
  police cir 1000000
   conform-action transmit
   exceed-action drop
policy-map for_sdm_discovery_of_shape_limit
 class class-default
policy-map pol-out
 class low
  police cir 400000
   exceed-action drop
 class medium
  police cir 1000000
   exceed-action drop
 class high
  police cir 2500000
   exceed-action drop
 class class-default
  police cir 1000000
   exceed-action drop
!
interface FastEthernet0/0
 ip address INTERNAL
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly max-fragments 64
 speed 100
 full-duplex
 service-policy input pol-out
 service-policy output SDM-QoS-Policy-1
!
interface FastEthernet0/1
 ip address EXTERNAL
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1.2019
 encapsulation dot1Q 2019
 ip address EXTERNAL
 ip ips sdm_ips_rule in
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status

Joseph W. Doherty Thu, 11/05/2009 - 19:30

Ah, looks like a tool (SDM) generated QoS config with some manual changes.


If you have 4 Mbps DSL with a FastEthernet handoff, an outbound shaper might help much. Again, unlikely you need more than FQ.


With DSL, if you have PPPoE, your MTU might not support the normal default maximum of 1500. If not, using the TCP adjust-mss command might also help improve performance.


Some of the QoS looks like it might be trying to regulate inbound bandwidth utilization, but downstream of the bottleneck is often not very effective, especially with the QoS features typically found on a Cisco router.

polofalltrades Fri, 11/06/2009 - 15:31

Ah, pardon me but what's an FQ?


I'll try the TCP adjust-mss when I get to our client.


I've studied the QoS script and I don't really see anything critically wrong there except that the police command is a pretty harsh command. They should have put in there a shaping command IMHO.


So, in this issue, is it the router, the router's configurations, or the ISP's fault? I need to justify this.

Joseph W. Doherty Fri, 11/06/2009 - 16:52

"Ah, pardon me but what's an FQ?"


Fair-Queue


"So, in this issue, is it the router, the router's configurations, or the ISP's fault"


There's not enough information to be sure, but I consider the QoS configuration less than optimal.

polofalltrades Fri, 11/06/2009 - 22:11

Once again, thank you for your replies and patience on me.


What could be your suggestion for me/us to avoid or fix this issue?


Would it be alright if I erase the whole QoS policy and observe the whole traffic patterns from square 1 and then rewrite it again based on the traffic patterns?


As I understand from your previous posts, you mentioned about a bandwidth manager on our WAN or internet interface? Please correct me if I'm wrong but is that a separate appliance?


I also noticed that the QoS policies for this instance are applied on the LAN interface. Is this correct?


I contradict my ideas because, from my simple understanding of QoS, one shouldn't place QoS policies on the WAN/Internet interface because we are at the mercy of our ISPs. But at the same time, I am also debating within myself that I'm limiting myself to receive only, at the most, 4mbps from the outside rather than using the 100mbps speed on the router's physical interface.

Joseph W. Doherty Sat, 11/07/2009 - 05:00

"What could be your suggestion for me/us to avoid or fix this issue? "


For outbound, suggest you shape egress rate at 4 Mbps and use FQ. This might be done with just a traffic-shape command (which I believe also implements FQ) or with a CBWFQ policy that uses both a 4 Mbps shaper and FQ within the class-default.


Inbound is best managed on the other side of the link's outbound. Assuming this is the ISP side and they won't implement QoS, your effective options are very limited in managing bandwidth. Certainly you can implement policers that limit bandwidth, but for TCP traffic, it often bursts above the rate limit (and congests the link) before it gets to the policer. Non-TCP traffic often doesn't slow its rate when it's being policed.


"Would it be alright if I erase the whole QoS policy and observe the whole traffic patterns from square 1 and then rewrite it again based on the traffic patterns? "


I believe the existing policy is overly complex and offers little benefit. Erase it and next try what I suggest.


"As I understand from your previous posts, you mentioned about a bandwidth manager on our WAN or internet interface? Please correct me if I'm wrong but is that a separate appliance? "


For outbound, no, your router's QoS features should be sufficient.


For inbound, there are some 3rd party packet shaping devices that can spoof TCP traffic and better regulate their inbound bandwidth usage. Cisco routers don't have this capability. They (the 3rd party devices) sit instream, they don't need to sit on the WAN link, but since yours is an Ethernet interface, it could (I believe). (Such devices, of course, can also provide outbound features negating much or all the need of QoS on the router.)


"I also noticed that the QoS policies for this instance are applied on the LAN interface. Is this correct? "


Is it correct that it's applied to the LAN interface, or do you mean is this the correct place to implement the QoS policies? To the former, that's what it appears to me too. To the latter, it depends on what you're trying to accomplish. Policers can often be placed on ingress or egress, although it often makes sense to police on ingress (to keep traffic you're going to discard from transiting the device). Queuing features, though, need to be placed on egress.


"I contradict my ideas because from my simple understanding of QoS, One shouldn't place QoS policies on the WAN/Internet Interface because we are at the mercy of our ISPs. But at the same time, I am also debating within myself that I'm limiting myself to receive only at the most, 4mbps from the outside rather than using the 100mbps speed on the router's physical interface."


As you note, perhaps your understanding is simple. You usually very much want to place QoS policies on WAN interfaces since that's often a major point of congestion. The problem is ISP and Internet are: for the former, often lack of providing any QoS, for the latter, the Internet generally doesn't honor QoS (although also usually the primary congested links are the connections to/from the Internet). If your provider is only going to provide 4 Mbps, 100 Mbps hand-off interfaces can cause more harm than benefit.
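The shape-then-queue design that Giuseppe (parent shaper invoking a child policy) and Joseph (4 Mbps shaper with FQ in class-default, applied on egress) both describe, written out as an added example configuration that is not from the thread or from the poster's router; the class-map name WEB-SERVERS, the 50 percent figure and the choice of the WAN subinterface are assumptions, while the ACL name server14 comes from the posted config.

```cisco
! Added example, not the poster's configuration.
! Child policy: only queuing per class, no police commands.
! The web servers (ACL server14, from the posted config) get a
! guaranteed share; everything else is fair-queued so a single
! bulk flow cannot starve the rest.
class-map match-any WEB-SERVERS
 match access-group name server14
!
policy-map CHILD-QUEUING
 class WEB-SERVERS
  bandwidth percent 50
 class class-default
  fair-queue
!
! Parent policy: shape ALL egress traffic to the 4 Mbps the DSL
! circuit actually carries, so the router (not the ISP) is the
! point of congestion and the child queues are what decide who
! waits. Shaping buffers bursts; policing would simply drop them.
policy-map PARENT-SHAPE-4M
 class class-default
  shape average 4000000
  service-policy CHILD-QUEUING
!
! Queuing only works on egress, so the policy goes outbound on the
! WAN-facing (sub)interface, not inbound on the LAN side.
! ip tcp adjust-mss covers Joseph's PPPoE MTU note; 1452 is an
! assumed value, check the provider's actual MTU before using it.
interface FastEthernet0/1.2019
 ip tcp adjust-mss 1452
 service-policy output PARENT-SHAPE-4M
```

After applying it, "show policy-map interface FastEthernet0/1.2019" shows per-class offered rate, shaped and queued packets, and drops, which is the evidence needed to tell a congested uplink from an ISP or server problem.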

polofalltrades Sat, 11/07/2009 - 08:50

Wow, thanks joseph. This is by far, the most detailed explanation I've ever seen.


Damn, I wish I was as good as you...


This would really be of great help. I'll keep those in mind. I will be in a technical meeting come monday and the information that you've given me will really help me in one way or another. Hopefully, I'll be able to digest the stuff above by tomorrow.


And maybe next week, I'm going to rewrite a new QoS policy for them with the things you mentioned.


Hopefully too that I'd be able to close this discussion maybe soon as this is very informative.


Once again, you have my utmost appreciation joseph. Maybe I should really start studying about QoS too lol.
