Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

TLS change from 100mb ong g1/2 to 1gig on sup720 g5/1

Hello,

Here is my issue I have a 6509 loaded with the following cards.

1 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX

2 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX

3 6 Firewall Module WS-SVC-FWM-1

4 6 Firewall Module WS-SVC-FWM-1

5 2 Supervisor Engine 720 (Active) WS-SUP720-3B

6 2 Supervisor Engine 720 (Hot) WS-SUP720-3B

7 8 Intrusion Detection System WS-SVC-IDSM-2

8 8 Intrusion Detection System WS-SVC-IDSM-2

9 2 IPSec VPN Accelerator WS-SVC-IPSEC-1

We changed from a 100mb to a 1gig tls connection between two of our sites. When we did this everything seemed to be working fine going out. Our testers failed to do the outside in tests which we found to be having an issue with only web traffic later in the day.

Quick breakdown of traffic flow. Three Context firewalls Internet connection Network monitoring connection VPN connection and two department connections.

The Primary Context firwall consists of a VPN interface DMZ interface Outside and Inside interfaces. This then gets dropped into the msfc to route to one of the other two contexts depending on which department the traffic is flowing to. Currently the second two contexts are setup to be wide open and they both travel across a trunk port using the TLS.

When we switched from the 100mb tls which was plugged into an rj45 port on the first 48port switch to the 1000gb tls which was plugged into an SFP plugged into 5/1 the primary Sup720 everything seemed to be working. Just some external connections coming in from the web and some connections in from the DMZ interface on the Primary Context.

Steps we took in attempt to resolve this problem was to clear the arp-cache and clear routes thinking it had something to do with cef but neither worked. So we switched back to the 100mb tls and everything came right back up.

If anyone has some suggestions I’d really appreciate it.

Patrick

  • Other Network Infrastructure Subjects
1 REPLY

Re: TLS change from 100mb ong g1/2 to 1gig on sup720 g5/1

Well solved my problem,

After doing some traffic captures we found that the second tls connection was limiting mtu size of our trunk interface not allowing us to get anything through that was larger than 1496. Basically our tls wasn't allowing taged traffic that was above the standard ethernet mtu size.

Our TLS provider will be fixing the issue now that we pinpointed the problem.

Patrick

143
Views
0
Helpful
1
Replies
This widget could not be displayed.