Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
668
Views
0
Helpful
2
Replies

IP cef issues

ryan.bachman
Level 1
Level 1

‎06-19-2006 09:46 AM - edited ‎03-03-2019 03:42 AM

Hello -

I am having issues with cef between my VPN tunnel and my LAN interface, and was hoping someone point me in the correct direction on solving this issue.

Currently, I have been confirming conncectivity to a remote office using ICMP. IP cef by default is enabled on the 1841 router which is the end-point of the VPN tunnel originating on a VPN concentrator at the main office. For some reason, when I ping and IP address on the LAN side at the remote office (which traverses the VPN tunnel) I only get replys when my router perfroms process switching. I discovered this in the troubleshooting stages by creating ACLs that were logging. If I remove those ACLs that cause traffic to be processed switched, my pings fail to reply.

This issues seems to occur between my tunnel 1 and the fa 0/0 interface, since traffic reaches the internet fine. But since the DNS servers that the users at the remote office is our private DNS servers located in the head offfice, the DNS lookups need to traverse the VPN tunnel.

Currently I have an ACL logging all ingress traffic on my ethernet interface since I can't figure out what is going on with CEF. I know the throughput process switching is only about 800Kbps, which is kiiling my network since we have bonded T1s at this site. In addition to the addition latency this is causing, I am also getting logging overflows, which is dropping packets as well.

Any advice on where to start looking for my cef issues. Thank you in advance.

Labels:
0 Helpful
2 Replies 2

roadhouse1387
Level 1
Level 1

‎06-20-2006 08:32 AM

Hi Ryan,

I could be miles out here but will CEF work with a vpn interface (or any virtual interface) as the egress interface ?

I'm not familiar with the 1841 at all but it sounds like its doing CEF in software rather than in an ASIC, is this your understanding as well ?

I just wonder if it is capable of using CEF to forward packets to the VPN tunnel interface because virtual interfaces may not be CEF capable in software ? would the packets not be punted anyway ?

Perhaps someone could clarify this for both of us ?

what does a 'show mls cef' or the equivlent command show?

Cheers

Shaun

0 Helpful

ryan.bachman
Level 1
Level 1
In response to roadhouse1387

‎06-20-2006 11:38 AM

Shaun -

Thanks for your response on my problem.

According to documentation CEF is supported on all tunnel interfaces. While ASICs are not doing the actual CEF fib lookups, CEF switching should still offer greater throughput (even in software with the 1800s routers) than that of process switching.

I am noticing a lot of encap_fail for cef drops. I understand this to be an caused by incomplete adjecency issues, but when I issue a #sh adj command, all routes (including those I have pointed at the tunnel) register as valid CEF adjacencies. I also can run a #sh ip cef, which is basically a lookup of the fib table, and all the routes that I expect to see are there.

I appreciate your feedback, and if there is anything else you can think of for me to check, please let me know.

Thanks

Ryan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents