Исходное сообщение
"проблема с прохождением больших пакетов" Отправлено meps, 16-Фев-07 10:28
>привет всем >есть циска 1841 к ней на один из интерфейсов подключено несколько удаленных >точек (IPSEc) >так вот: переодически то с одним то сдругим узлами возникает проблема прохождения >трафика больших (нормальных) размеров - не проходят даже пакеты 50 байт > >Решается все пока перезагрузкой роутера 1841.После этого на некоторое время все нормально >работает - потом повторяется старая картина. Что это может быть..... подскажите >плиз. >На ужаленных точках Cisco 851 > >ниже кусок конфига 1841 > >crypto isakmp policy 1 > encr 3des > hash md5 > authentication pre-share > group 2 >! >crypto isakmp policy 2 > authentication rsa-encr >! >crypto isakmp policy 3 > encr 3des > authentication pre-share > group 2 >crypto isakmp key 111111 address 10.0.7.7 >crypto isakmp key 111111 address 10.0.7.8 >crypto isakmp key 111111 address 10.0.7.9 >crypto isakmp key 111111 address 10.0.7.10 >crypto isakmp key 111111 address 10.0.7.11 >crypto isakmp key 111111 address 10.0.7.12 >crypto isakmp key 111111 address 10.0.7.13 >! >crypto ipsec security-association lifetime kilobytes 3000 >crypto ipsec security-association lifetime seconds 1200 >! >crypto ipsec transform-set to_dim esp-3des esp-md5-hmac > mode transport >crypto ipsec transform-set UPC-3DES esp-3des esp-sha-hmac comp-lzs >! >crypto dynamic-map dynmap 10 >! >! >crypto map BRV 1 ipsec-isakmp > set peer 10.0.7.7 > set peer 10.0.7.8 > set peer 10.0.7.9 > set peer 10.0.7.10 > set peer 10.0.7.11 > set peer 10.0.7.12 > set transform-set to_dim > match address 111 >! >crypto map UPC-IPSEC 10 ipsec-isakmp > set peer 3.3.3.3 > set transform-set UPC-3DES > match address 110 >! >bridge irb > >! >interface Tunnel1 > ip address 172.31.1.231 255.255.255.252 > tunnel source Vlan1 > tunnel destination 3.3.3.3 > crypto map UPC-IPSEC >! >interface Tunnel2 > ip address 10.1.6.101 255.255.255.0 > tunnel source FastEthernet0/1 > tunnel destination 10.0.7.7 > crypto map BRV >! >interface Tunnel3 > > ip address 10.1.7.101 255.255.255.0 > tunnel source FastEthernet0/1 > tunnel destination 10.0.7.8 > tunnel mode ipip > crypto map BRV >! >interface Tunnel4 >  ip address 10.1.9.101 255.255.255.0 > tunnel source FastEthernet0/1 > tunnel destination 10.0.7.9 > crypto map BRV >! >interface Tunnel5 > ip address 10.1.11.101 255.255.255.0 > tunnel source FastEthernet0/1 > tunnel destination 10.0.7.10 > crypto map BRV >! >interface Tunnel6 > ip address 10.1.17.101 255.255.255.0 > tunnel source FastEthernet0/1 > tunnel destination 10.0.7.11 > crypto map BRV >! >interface Tunnel7 > ip address 10.1.20.101 255.255.255.0 > tunnel source FastEthernet0/1 > tunnel destination 10.0.7.12 > crypto map BRV >! >interface Tunnel8 > ip address 10.1.23.101 255.255.255.0 > tunnel source FastEthernet0/1 > tunnel destination 10.0.7.13 > tunnel mode ipip > crypto map BRV > >interface FastEthernet0/0 > ip address 172.16.101.210 255.255.254.0 > ip nat inside > ip virtual-reassembly > speed auto > full-duplex > no keepalive > no mop enabled >! >interface FastEthernet0/1 > ip address 10.0.7.4 255.255.255.0 > ip nat outside > ip virtual-reassembly > speed auto > full-duplex > no mop enabled > crypto map BRV >! >interface FastEthernet0/0/0 > no cdp enable >! >interface FastEthernet0/0/1 >! >interface FastEthernet0/0/2 >! >interface FastEthernet0/0/3 >! >interface Vlan1 > ip address 81.71.31.158 255.255.255.252 > ip nat outside > ip virtual-reassembly > crypto map UPC-IPSEC >! >ip local pool ippool 10.0.7.10 >ip route 0.0.0.0 0.0.0.0 81.71.31.157 >ip route 10.0.5.0 255.255.255.0 Tunnel2 >ip route 10.0.11.4 255.255.255.255 172.16.100.159 >ip route 10.1.5.0 255.255.255.0 Tunnel2 >ip route 10.1.8.101 255.255.255.255 Tunnel3 >ip route 10.1.10.0 255.255.255.0 Tunnel4 >ip route 10.1.10.0 255.255.255.0 Tunnel5 >ip route 10.1.19.101 255.255.255.255 Tunnel7 >ip route 10.1.22.0 255.255.255.0 Tunnel8 >ip route 128.26.28.3 255.255.255.255 172.16.100.10 >ip route 128.26.29.3 255.255.255.255 172.16.100.10 >ip route 132.148.2.65 255.255.255.255 Tunnel1 >ip route 172.28.41.21 255.255.255.255 172.16.101.3 >ip route 192.168.1.0 255.255.255.0 172.16.100.6 >ip route 192.168.2.0 255.255.255.0 Tunnel7 >ip route 192.168.3.0 255.255.255.0 Tunnel3 >ip route 192.168.4.0 255.255.255.0 172.16.100.6 >ip route 192.168.5.0 255.255.255.0 172.16.100.6 >ip route 192.168.6.0 255.255.255.0 172.16.100.6 >ip route 192.168.18.0 255.255.255.0 Tunnel6 >ip route 192.168.40.0 255.255.255.0 172.16.101.1 >ip route 192.168.150.0 255.255.255.0 Tunnel5 >ip route 192.168.160.0 255.255.255.0 Tunnel8 >ip route 192.168.170.0 255.255.255.0 172.16.100.6 > >ip nat inside source list 188 interface Vlan1 overload > > > >access-list 111 permit gre host 10.0.7.4 host 10.0.7.7 >access-list 111 permit ip host 10.0.7.4 host 10.0.7.8 >access-list 111 permit gre host 10.0.7.4 host 10.0.7.9 >access-list 111 permit gre host 10.0.7.4 host 10.0.7.10 >access-list 111 permit gre host 10.0.7.4 host 10.0.7.11 >access-list 111 permit gre host 10.0.7.4 host 10.0.7.12 >access-list 188 permit ip 172.16.100.0 0.0.1.255 any Неужели нет никаких вариантов........