At a rural site I have a local network connected to the Internet through a Telekom FR link at 128kbps (CIR 64kbps). A Cisco 1841 router is connected to Telekom's FR modem via a WIC-1T card.
[ LAN ] ------ [ firewall ] ----- [ cisco1841 ] ---- [ FR modem ] ---------- ( Internet )
                    |
                    |
                    |
              [ DMZ server ]
Although everything looks OK as far as the FR link is concerned (see below), something is wrong with the connection at the TCP layer - most of the time it is almost unusable!
Router1841>sh frame-relay pvc
PVC Statistics for interface Serial0/0/0 (Frame Relay DTE)
Active Inactive Deleted Static
Local 1 0 0 0
Switched 0 0 0 0
Unused 0 0 0 0
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0
input pkts 226254 output pkts 155531 in bytes 57318479
out bytes 84563419 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 6280 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 0 out bcast bytes 0
5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 0 bits/sec, 1 packets/sec
pvc create time 4d19h, last time pvc status changed 4d19h
Router1841>sh frame-relay lmi
LMI Statistics for interface Serial0/0/0 (Frame Relay DTE) LMI TYPE = ANSI
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 41553 Num Status msgs Rcvd 41552
Num Update Status Rcvd 0 Num Status Timeouts 1
Last Full Status Req 00:00:19 Last Full Status Rcvd 00:00:19
When I try to load a web page from the DMZ server, the site loads very slowly (slower than even the worst dial-up), images barely load, and when they do load, it is only halfway, and so on. Something similar happens on the mail server as well. A message like "SMTP connection established but connection died." often appears in the logs. When I turn on a sniffer (Ethereal), I see a pile of TCP retransmissions and lost packets. Here is an excerpt from one Telnet conversation directly with the router...
Frame 386 (55 bytes on wire, 55 bytes captured)
Ethernet II, Src: 00:14:85:c7:24:e5 (00:14:85:c7:24:e5), Dst: 00:30:6e:11:27:f1 (00:30:6e:11:27:f1)
Internet Protocol, Src: 192.168.ppp.qqq (192.168.ppp.qqq), Dst: 212.200.xxx.xxx (212.200.xxx.xxx)
Transmission Control Protocol, Src Port: 4381 (4381), Dst Port: 23 (23), Seq: 2, Ack: 1, Len: 1
Telnet
No. Time Source Destination Protocol Info
410 30.295504 192.168.ppp.qqq 212.200.xxx.xxx TELNET [TCP Retransmission] Telnet Data ...
Frame 410 (69 bytes on wire, 69 bytes captured)
Ethernet II, Src: 00:14:85:c7:24:e5 (00:14:85:c7:24:e5), Dst: 00:30:6e:11:27:f1 (00:30:6e:11:27:f1)
Internet Protocol, Src: 192.168.ppp.qqq (192.168.ppp.qqq), Dst: 212.200.xxx.xxx (212.200.xxx.xxx)
Transmission Control Protocol, Src Port: 4381 (4381), Dst Port: 23 (23), Seq: 2, Ack: 1, Len: 15
Telnet
No. Time Source Destination Protocol Info
411 30.363398 212.200.xxx.xxx 192.168.ppp.qqq TELNET [TCP Previous segment lost] Telnet Data ...
Frame 411 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:30:6e:11:27:f1 (00:30:6e:11:27:f1), Dst: 00:14:85:c7:24:e5 (00:14:85:c7:24:e5)
Internet Protocol, Src: 212.200.xxx.xxx (212.200.xxx.xxx), Dst: 192.168.ppp.qqq (192.168.ppp.qqq)
Transmission Control Protocol, Src Port: 23 (23), Dst Port: 4381 (4381), Seq: 320, Ack: 17, Len: 1
Telnet
No. Time Source Destination Protocol Info
412 30.363440 192.168.ppp.qqq 212.200.xxx.xxx TCP [TCP Dup ACK 410#1] 4381 > 23 [ACK] Seq=17 Ack=1 Win=64856 Len=0
Frame 412 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:14:85:c7:24:e5 (00:14:85:c7:24:e5), Dst: 00:30:6e:11:27:f1 (00:30:6e:11:27:f1)
Internet Protocol, Src: 192.168.ppp.qqq (192.168.ppp.qqq), Dst: 212.200.xxx.xxx (212.200.xxx.xxx)
Transmission Control Protocol, Src Port: 4381 (4381), Dst Port: 23 (23), Seq: 17, Ack: 1, Len: 0
No. Time Source Destination Protocol Info
413 30.366411 212.200.xxx.xxx 192.168.ppp.qqq TELNET [TCP Previous segment lost] Telnet Data ...
Frame 413 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:30:6e:11:27:f1 (00:30:6e:11:27:f1), Dst: 00:14:85:c7:24:e5 (00:14:85:c7:24:e5)
Internet Protocol, Src: 212.200.xxx.xxx (212.200.xxx.xxx), Dst: 192.168.ppp.qqq (192.168.ppp.qqq)
Transmission Control Protocol, Src Port: 23 (23), Dst Port: 4381 (4381), Seq: 322, Ack: 17, Len: 1
Telnet
I have swapped the cables and the WIC card and changed slots, but I have not managed to fix anything :-( Does anyone have an idea where the problem might be!?
Below I include part of the configuration, followed by the interface status
...
!
interface FastEthernet0/1
description unutrasnji LAN interfejs ka Firewall-u
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex full
speed 100
no mop enabled
!
interface Serial0/0/0
description WAN-Link-over-Frame-Relay
bandwidth 128000
ip address 212.200.xxx.xxx 255.255.255.252
ip access-group Traffic-from-Internet in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
encapsulation frame-relay IETF
ip route-cache flow
fair-queue
frame-relay map ip 212.200.xxx.yyy 100
frame-relay lmi-type ansi
frame-relay local-dlci 100
frame-relay qos-autosense
frame-relay congestion-management
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 212.200.xxx.yyy
ip route 10.0.0.0 255.255.255.0 192.168.1.1
ip route 192.168.0.0 255.255.255.0 192.168.1.1
ip flow-top-talkers
top 20
sort-by bytes
!
ip nat inside source list NAT interface Serial0/0/0 overload
ip nat inside source static tcp 192.168.0.2 22 212.200.xxx.xxx 22 extendable
ip nat inside source static tcp 192.168.0.2 25 212.200.xxx.xxx 25 extendable
ip nat inside source static tcp 192.168.0.2 80 212.200.xxx.xxx 80 extendable
ip nat inside source static tcp 192.168.0.2 443 212.200.xxx.xxx 443 extendable
ip nat inside source static tcp 192.168.0.1 443 212.200.xxx.xxx 8000 extendable
ip nat inside source static tcp 192.168.0.1 22 212.200.xxx.xxx 55555 extendable
!
ip access-list extended NAT
permit ip host 192.168.0.1 any
permit ip host 192.168.0.2 any
ip access-list extended Traffic-from-Internet
permit tcp host 212.200.zzz.zzz host 212.200.xxx.xxx eq telnet
deny tcp any host 212.200.xxx.xxx eq telnet
permit tcp any host 212.200.xxx.xxx eq 22
permit tcp any host 212.200.xxx.xxx eq smtp
permit tcp any host 212.200.xxx.xxx eq www
permit tcp any host 212.200.xxx.xxx eq 443
permit tcp any host 212.200.xxx.xxx eq 8000
permit tcp any host 212.200.xxx.xxx eq 55555
permit tcp any host 212.200.xxx.xxx established
permit udp any host 212.200.xxx.xxx
permit icmp any host 212.200.xxx.xxx
deny ip any any log
!
logging trap notifications
logging origin-id hostname
logging facility syslog
logging 192.168.0.2
snmp-server community xxxxxxxx RO
snmp-server location xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
snmp-server contact xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
snmp-server chassis-id xxxxxxxxxx
snmp-server host 192.168.0.2 xxxxxxxxxxx
no cdp run
!
...
Router1841>sh int serial 0/0/0
Serial0/0/0 is up, line protocol is up
Hardware is GT96K Serial
Description: WAN-Link-over-Frame-Relay
Internet address is 212.200.xxx.xxx/30
MTU 1500 bytes, BW 128000 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation FRAME-RELAY IETF, loopback not set
Keepalive set (10 sec)
LMI enq sent 41501, LMI stat recvd 41500, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 0 LMI type is ANSI Annex D frame relay DTE
Broadcast queue 0/64, broadcasts sent/dropped 0/0, interface broadcasts 0
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 4d19h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/3/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 96000 kilobits/sec
5 minute input rate 0 bits/sec, 1 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
267533 packets input, 57905779 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
1 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored, 1 abort
198237 packets output, 85226119 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 output buffer failures, 0 output buffers swapped out
3 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
Router1841>sh int fa 0/1
FastEthernet0/1 is up, line protocol is up
Hardware is Gt96k FE, address is 0017.95c0.9763 (bia 0017.95c0.9763)
Description: unutrasnji LAN interfejs ka Firewall-u
Internet address is 192.168.1.2/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:11, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 0 bits/sec, 1 packets/sec
578711 packets input, 156479358 bytes
Received 119 broadcasts, 0 runts, 0 giants, 0 throttles
55 input errors, 55 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
823792 packets output, 93627005 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Thanks in advance!
Zoran
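
An added example, not part of the original post: a short Python script that reads the counter lines quoted above from `sh frame-relay pvc` and `sh int` and turns them into ratios (congestion-marked frames on the PVC, CRC errors per interface, and the interface BW value against the 128 kbps line rate the post states). The function names and the choice of ratios are this example's own assumptions.

```python
import re

# Counter lines copied from the router output quoted in the post above.
PVC = """input pkts 226254 output pkts 155531 in bytes 57318479
in FECN pkts 6280 in BECN pkts 0 out FECN pkts 0"""
SERIAL = """MTU 1500 bytes, BW 128000 Kbit, DLY 20000 usec,
267533 packets input, 57905779 bytes, 0 no buffer
1 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored, 1 abort"""
FASTETH = """MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
578711 packets input, 156479358 bytes
55 input errors, 55 CRC, 0 frame, 0 overrun, 0 ignored"""
LINE_RATE_KBPS = 128  # link rate stated in the post


def counter(text, pattern):
    """Return the integer captured by `pattern`; fail loudly if the line is absent."""
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"counter not found: {pattern!r}")
    return int(m.group(1))


def pvc_summary(text):
    """Share of received frames on the PVC that carried a congestion bit."""
    in_pkts = counter(text, r"input pkts (\d+)")
    fecn = counter(text, r"in FECN pkts (\d+)")
    becn = counter(text, r"in BECN pkts (\d+)")
    pct = lambda n: round(100.0 * n / in_pkts, 2) if in_pkts else 0.0
    return {"in_pkts": in_pkts, "fecn_pct": pct(fecn), "becn_pct": pct(becn)}


def interface_summary(text, line_rate_kbps=None):
    """CRC errors per 10,000 input packets, plus interface BW vs. the line rate."""
    pkts = counter(text, r"(\d+) packets input")
    crc = counter(text, r"(\d+) CRC")
    bw = counter(text, r"BW (\d+) Kbit")  # IOS reports BW in kilobits per second
    out = {"bw_kbit": bw, "crc_per_10k": round(10000.0 * crc / pkts, 2) if pkts else 0.0}
    if line_rate_kbps:
        out["bw_vs_line_rate"] = bw / line_rate_kbps  # 1.0 means they agree
    return out


def report():
    return {"pvc": pvc_summary(PVC),
            "serial": interface_summary(SERIAL, LINE_RATE_KBPS),
            "fastethernet": interface_summary(FASTETH)}


if __name__ == "__main__":
    for name, values in report().items():
        print(name, values)
```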