you are correct This is a single 256k frame relay link
>>> "Marty Adkins" 04/17/01 12:51PM >>>
"Howard C. Berkowitz" wrote:
>
> Only a suggestion, but the fact that there are pairs of !A suggest
> that there might be per-packet load balancing going on, and the ACL
> applies only to one of the paths in the load-shared bundle. That
> could be why you get through on half the attempts (ignoring the *
> timeout which I'll assume is a random error).
>
> If I were being truly perverse, though, I might think the load
> balancing is across five paths, two of which have ACLs, two of which
> don't, and one of which has a reachability problem.
>
> >You're right. !A is "administratively unreachable" which is generally an
> >ACL...
This almost certainly occurred on a single path. All three iterations
were blocked by an ACL, which caused the router that did so to generate
an ICMP administratively prohibited unreachable to the source. The
generation of all ICMP unreachables is rate-limited by IOS to no more
than one per second to the same source. Hence the packet was silently
dropped on #2 which produced a three-second timeout at the source.
To see the pattern, perform an extended trace and set the probe count
to 5 or 7 -- notice that every other iteration is a timeout.
This self-protection mechanism slows down a persistent sender, and
aims to limit the potential impact on all other traffic flows.
Generating ICMP messages takes extra CPU time, beyond just the ACL
check, because all message generation must be performed by an IOS
process, rather than in interrupt mode (fast-switching, etc.)
Marty Adkins Email: [EMAIL PROTECTED]
Mentor Technologies Phone: 240-568-6526
133 National Business Pkwy WWW: http://www.mentortech.com
Annapolis Junction, MD 20701 Cisco CCIE #1289
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
you are correct This is a single 256k frame relay link
>>> "Marty Adkins" 04/17/01 12:51PM >>>
"Howard C. Berkowitz" wrote:
>
> Only a suggestion, but the fact that there are pairs of !A suggest
> that there might be per-packet load balancing going on, and the ACL
> applies only to one of the paths in the load-shared bundle. That
> could be why you get through on half the attempts (ignoring the *
> timeout which I'll assume is a random error).
>
> If I were being truly perverse, though, I might think the load
> balancing is across five paths, two of which have ACLs, two of which
> don't, and one of which has a reachability problem.
>
> >You're right. !A is "administratively unreachable" which is generally
an
> >ACL...
This almost certainly occurred on a single path. All three iterations
were blocked by an ACL, which caused the router that did so to generate
an ICMP administratively prohibited unreachable to the source. The
generation of all ICMP unreachables is rate-limited by IOS to no more
than one per second to the same source. Hence the packet was silently
dropped on #2 which produced a three-second timeout at the source.
To see the pattern, perform an extended trace and set the probe count
to 5 or 7 -- notice that every other iteration is a timeout.
This self-protection mechanism slows down a persistent sender, and
aims to limit the potential impact on all other traffic flows.
Generating ICMP messages takes extra CPU time, beyond just the ACL
check, because all message generation must be performed by an IOS
process, rather than in interrupt mode (fast-switching, etc.)
Marty Adkins Email: [EMAIL PROTECTED]
Mentor Technologies Phone: 240-568-6526
133 National Business Pkwy WWW: http://www.mentortech.com
Annapolis Junction, MD 20701 Cisco CCIE #1289
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=968&t=915
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
