1

I have a misbehaving Cisco 2811. It serves our office of 20 with internet and phones via Call Manager Express. Except that lately the phones aren't working right and internet is choppy. The outside interface attached to our ISP is fine. The inside interface is attached to a 2960 where our internal network is connected. There are obvious issues in the show interface:

    FastEthernet0/1 is up, line protocol is up 
  Hardware is MV96340 Ethernet, address is 001b.d40a.e071 (bia 001b.d40a.e071)
  Internet address is 192.168.1.254/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec, 
     reliability 255/255, txload 13/255, rxload 19/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID  1., loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:54:10
  Input queue: 1/150/420/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 7463000 bits/sec, 1038 packets/sec
  5 minute output rate 5244000 bits/sec, 880 packets/sec
     3021883 packets input, 2691686783 bytes
     Received 7649 broadcasts, 0 runts, 0 giants, 95 throttles
     2155 input errors, 0 CRC, 0 frame, 0 overrun, 2155 ignored
     0 watchdog
     0 input packets with dribble condition detected
     2537251 packets output, 1717084791 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     464 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

I have replaced the cable with a brand new one, with no effect. I have set the switchport nonegotiate on the 2960 it is attached to. I have verified that the settings are the same on both interfaces (100M, Auto/Auto). I have ensured CDP is on, and keepalives are off.

I am remote today, but I'm going to put a SPAN port on the 2960 tomorrow to try to get more info. Is there anything else I can do to figure out where these problems are coming from?

I did a sho interface mac-accounting and one person's computer is sending about 80% of the total traffic to the router...2800M bytes out of 3100M bytes total. My assistant checked on her PC and found nothing out of the ordinary.

EDIT:

By request, here's the sh int from the switch port:

GigabitEthernet1/0/48 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet, address is b414.89ba.32b0 (bia b414.89ba.32b0)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, 
     reliability 255/255, txload 22/255, rxload 4/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported 
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:03, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 20147
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1883000 bits/sec, 693 packets/sec
  5 minute output rate 8721000 bits/sec, 1020 packets/sec
     64561402 packets input, 46701593519 bytes, 0 no buffer
     Received 109892 broadcasts (102372 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 102372 multicast, 0 pause input
     0 input packets with dribble condition detected
     66138056 packets output, 36914890016 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
atroon
  • 508
  • 3
  • 10
  • 23
  • Can you post the output of "sh int" for the corresponding switch interface? I'm suspecting a duplex mismatch. Both sides need to be set to Auto/Auto or to the same speed/duplex settings. You can't have one side set to Auto/Auto and the other side hard coded, that will always cause problems. – joeqwerty Mar 21 '13 at 19:00
  • Is your switch port configured as an 802.1q trunk? – scottm32768 Mar 21 '13 at 19:42
  • Yes, it is. It carries several VLANs: data, voice, and a few ancillary for other things. (7 altogether) – atroon Mar 21 '13 at 19:46

3 Answers3

1

Try tuning off DTP on the switch's interface. switchport nonegotiate Since the router isn't a switch, it won't understand the Dynamic Trunking Protocol.

scottm32768
  • 449
  • 3
  • 7
  • This I have done, as I said in the original question, but thanks. It looks like at present the unknown protocol drops are occurring about every 5 seconds. – atroon Mar 21 '13 at 20:40
  • Sorry, I missed that in the original question. Do you have VTP enabled on the switch? I'm trying to think of what else could be sending L2 frames the switch wouldn't understand. – scottm32768 Mar 21 '13 at 21:10
  • I do have VTP enabled, and no worries...I'm trying to think of what else it could be as well. Haven't found anything yet. – atroon Mar 22 '13 at 12:39
  • If you ever get around to a packet capture, you could put it up at http://www.cloudshark.org. I'm curious what it is. I'm sure at least part of it is VTP. – scottm32768 Mar 22 '13 at 15:01
  • If the switch's code version is new enough you can add 'no vtp' on the switch interface connected to the router. On switch links to routers we disable DTP, VTP and enable portfast in trunk mode and that seems to cut down on weird counter increments. – cpt_fink Mar 23 '13 at 01:38
1

So, going off a troubleshooting background, I'd look at it this way.

Everything is choppy/slow right? Internet and phones. And you've shown us the interface statistics. I'm looking at this bit here:

   ->3021883 packets input, 2691686783 bytes
->Received 7649 broadcasts, 0 runts, 0 giants, 95 throttles
->2155 input errors, 0 CRC, 0 frame, 0 overrun, 2155 ignored
->464 unknown protocol drops

First, lets eliminate the easy one, protocol drops and input errors. 464 drops accounts for 0.01% of those 3,021,883 packets input, again the input errors are a similar story. These things do happen occasionally, it is a concern that you have any, but I'm willing to bet you would say its worse than 0.01% slower right?

So anyway, the throttles may shed some light on the issues, throttles happen when then the device is overloaded. So that might be something to look into.

Slowness is a pain in the bum to diagnose though, I'd really try to tie it down to a time period, maybe stay late one night when most people have gone and see if its still slow? 90% of the time, I've found all slowness is capacity related.

So a few things to check.

  • Check the CPU usage ("show process cpu history") and see if there have been any peaks at all.
  • Are you using QoS? check for drops on the interface ("show policy-map interface xx/xx)
  • How many VLANs are you running? I assume you'll be using a router-on-a-stick setup if so?

I personally suspect some sort of CPU/Memory bottleneck somewhere, this wont show up on normal interface show commands. From the show command you've pasted, I don't see any "real" problems, nothing that would be causing noticeable issues.

Also, give it a reboot. You never know :)

  • Ignored errors are when your router interface is receiving packets faster than it can buffer, so they just get 'ignored'. Although 2k ignored in 3m packets is generally not a problem. – cpt_fink Mar 23 '13 at 01:25
  • I agree, just thinking if there's slowness, and a small sign pointing to an issue, it might be running very close to its limits. More than the interface stats are suggesting. –  Mar 23 '13 at 09:30
  • Very good steps to take, this is what I ended up doing, as well as configure MAC-accounting. It was a sort of CPU/memory bottleneck, I'm adding an answer to detail what I did. – atroon Mar 25 '13 at 13:03
0

Artanix suggested some great troubleshooting tips, which are a great way to get started on a router issue.

I also used some of the troubleshooting tips here because the CPU usage on the router regularly pegged at 99-100%.

Configuring MAC address accounting via NetFlow (as described here) led me to a single device that was generating 80% of the traffic coming in on the Fa0/1 interface. Tracing that to a single computer, my intern found nothing he could lay blame to, but I checked her outbox in MS Outlook...she had sent an email with attachments over 50MB (our outgoing size limit is 40MB) to a co-worker in our office in another city.

According to my SPAN session, the mail server would dutifully receive all this data, then tell Outlook it was over the size limit, and drop the connection. Outlook, knowing that it had not yet sent the message, continued to attempt to send it over again, and very aggressively. I don't know why the error messages weren't getting back through, but I suspect that it had something to do with Outlook assuming bandwidth to the mail server being cheap.

Once we deleted this mail message from the outbox and had given a small lecture on using the file server to transfer large files rather than email, CPU usage fell back to the normal 40-60% range and phones and network returned to their normal state, and throttles on the interface returned to zero.

So, that fixed the problem and rendered the question relatively moot. I still don't know what the unknown protocols were, but I am sure my SPAN session has them listed.

atroon
  • 508
  • 3
  • 10
  • 23