Hi.
I replaced an 881 with an 891, set up two providers, and configured automatic WAN link switchover. I configured dialer 0; vlan 1 and vlan 10 were left unchanged.
Users started complaining about problems with Viber calls and the internal IP telephony. I hear them fine; they hear me with dropouts and distortion.
They also point out that one of the government sites (GIS) is slow: submitting forms and opening drop-down lists take a long time.
The site is "out in the woods"; driving there to capture traffic is far and takes a long time. I need to try to solve the problem remotely. I tried playing with MTU and TCP MSS, without success, and in general I have no understanding of where the problem is or how to look for it. Pings on the WAN and through the IPsec tunnel are excellent, no loss; channel load is 1 Mbit/s out of 30, CPU load is 10%.
I would appreciate any help.
Code:
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxx-gw1
!
boot-start-marker
boot system flash:/c890-universalk9-mz.159-3.M1.bin
boot-end-marker
!
!
enable secret 5 xxxxxx
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
clock timezone EKT 5 0
!
!
!
ip dhcp excluded-address 192.168.23.1 192.168.23.100
ip dhcp excluded-address 192.168.23.200 192.168.23.255
ip dhcp excluded-address 192.168.10.1 192.168.10.128
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
path tftp://192.168.1.6/location.cfg-
time-period 86400
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
!
!
!
!
!
track 1 ip sla 1
delay down 30 up 30
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXXXXXXX address XXXXXXXXXXXXXXXX
crypto isakmp key XXXXXXXXXXXXXXXX address XXXXXXXXXXXXXXXX
!
!
crypto ipsec transform-set ts esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map vpn_map 10 ipsec-isakmp
set peer XXXXXXXXXXXXXXXX
set transform-set ts
set pfs group2
match address ipsec-conn
!
!
interface FastEthernet0
description MicrotikAP
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
description Lan network
no ip address
!
interface FastEthernet3
description WIFI
switchport mode trunk
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
description WAN
ip address XXXXXXXXXXXXXXXX 255.255.255.0
ip access-group outside_acl_in in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpn_map
!
interface GigabitEthernet0
description WAN
no ip address
duplex auto
speed 100
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
description Internal Network
ip address 192.168.23.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan10
description WI-FI
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer0
mtu 1492
ip address negotiated
ip access-group outside_acl_in in
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXXXXX
ppp chap password 7XXXXXXXXXXXXXXXXXXXX
crypto map vpn_map
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip tftp source-interface Vlan1
ip nat inside source route-map NAT_ISP1_Main interface Dialer0 overload
ip nat inside source route-map NAT_ISP2_Back-up interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 XXXXXXXXXXXXXXX 50
ip route 77.88.8.8 255.255.255.255 Dialer0
ip route XXXXXXXXXXXXXXX 255.255.255.255 XXXXXXXXXXXXXXX
ip ssh version 2
!
ip access-list standard SNMP_ACCESS_RO
permit 192.168.1.3
ip access-list standard SSH
permit XXXXXXXXXXXXXXX
permit XXXXXXXXXXXXXXX
permit XXXXXXXXXXXXXXX
permit 172.19.1.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
!
ip access-list extended DOMINATION
deny ip host 192.168.23.205 192.168.0.0 0.0.7.255
permit ip host 192.168.23.205 any
ip access-list extended NAT_LAN
deny ip 192.168.23.0 0.0.0.255 192.168.0.0 0.0.7.255
deny ip host 192.168.23.201 any
deny ip host 192.168.23.202 any
deny ip host 192.168.23.203 any
deny ip host 192.168.23.204 any
deny ip host 192.168.23.205 any
deny ip host 192.168.23.206 any
deny ip host 192.168.23.207 any
permit ip 192.168.23.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended ipsec-conn
permit ip 192.168.23.0 0.0.0.255 192.168.0.0 0.0.7.255
ip access-list extended outside_acl_in
remark --- Add anti-spoofing entries. !--- Deny special-use address sources. !--- Refer to RFC 3330 for add
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
remark --- The deny statement should not be configured !--- on Dynamic Host Configuration Protocol (DHCP) r
deny ip host 0.0.0.0 any
remark --- Filter RFC 1918 space.
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark --- Explicitly permit return traffic. !--- Allow specific ICMP types.
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny icmp any any
remark --- These are outgoing DNS queries.
permit udp any eq domain any gt 1023
remark --- Permit older DNS queries and replies to primary DNS server.
permit udp any eq domain any eq domain
remark --- Permit legitimate business traffic.
permit tcp any any established
permit udp any range 1 1023 any gt 1023
remark --- Deny all other DNS traffic.
deny udp any any eq domain
deny tcp any any eq domain
permit udp host XXXXXXXXXXXXXXX any eq isakmp
permit udp host XXXXXXXXXXXXXXX any eq isakmp
deny udp any any eq isakmp
permit udp host XXXXXXXXXXXXXXX any eq non500-isakmp
permit udp host XXXXXXXXXXXXXXX any eq non500-isakmp
deny udp any any eq non500-isakmp
permit esp any any
permit ahp any any
permit gre any any
remark --- These are Internet-sourced connections to !--- publicly accessible servers.
permit tcp any any eq 22
permit tcp any any eq 7000
permit ip any any
!
ip sla 1
icmp-echo 77.88.8.8 source-interface Dialer0
frequency 10
ip sla schedule 1 life forever start-time now
ipv6 ioam timestamp
!
route-map NAT_ISP1_Main permit 10
match ip address NAT_LAN
match interface Dialer0
!
route-map DOMINATION permit 10
match ip address DOMINATION
!
route-map NAT_ISP2_Back-up permit 10
match ip address NAT_LAN
match interface FastEthernet8
!
snmp-server community public RO SNMP_ACCESS_RO
!
access-list 46 remark utility ACL to block everything
access-list 46 deny any
access-list 47 remark NTP peers/servers we sync to/with
access-list 47 permit 195.210.189.106
access-list 47 deny any log
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
access-class SSH in
logging synchronous
transport input ssh
!
ntp access-group peer 47
ntp access-group serve 46
ntp access-group serve-only 46
ntp access-group query-only 46
ntp update-calendar
ntp server 195.210.189.106
event manager applet CLEAR_NAT_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
action 3.0 cli command "clear crypto sa"
event manager applet CLEAR_NAT_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
action 3.0 cli command "clear crypto sa"
!
end
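One thing that can be checked remotely, without a capture, is which entry of the inbound ACL a given flow actually hits: the list above is applied on both WAN interfaces, so if it dropped RTP or the ICMP "fragmentation needed" messages that path-MTU discovery relies on, the symptoms would look a lot like dropouts on calls and stalled HTTPS forms. The following is an added example, not code from the post or from Cisco: a small evaluator that parses the posted outside_acl_in list (with the redacted IKE peer addresses replaced by the constructed placeholders 198.51.100.1 and 198.51.100.2, and 203.0.113.10 assumed as the router's WAN address) and walks it the way IOS does, first match wins with an implicit deny at the end. Sample packets are constructed. It shows that inbound RTP falls through to the final `permit ip any any`, that ICMP unreachable (type 3, which includes fragmentation-needed) is permitted, and that the only things this ACL drops are the anti-spoofing sources, non-listed ICMP types, unsolicited DNS, and IKE from non-peers, so the list itself is not where the media is being lost; it also makes visible that the trailing `permit ip any any` turns the "publicly accessible servers" entries into no-ops.

```python
"""Walk a Cisco IOS extended ACL as the router does (first match wins, implicit
deny at the end) and report which entry a packet hits. Added example, not
Cisco's code. ACL_TEXT is outside_acl_in from the posted config with the
redacted IKE peers replaced by constructed placeholders 198.51.100.1/.2."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

ACL_TEXT = """
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny icmp any any
permit udp any eq domain any gt 1023
permit udp any eq domain any eq domain
permit tcp any any established
permit udp any range 1 1023 any gt 1023
deny udp any any eq domain
deny tcp any any eq domain
permit udp host 198.51.100.1 any eq isakmp
permit udp host 198.51.100.2 any eq isakmp
deny udp any any eq isakmp
permit udp host 198.51.100.1 any eq non500-isakmp
permit udp host 198.51.100.2 any eq non500-isakmp
deny udp any any eq non500-isakmp
permit esp any any
permit ahp any any
permit gre any any
permit tcp any any eq 22
permit tcp any any eq 7000
permit ip any any
"""

PORT_NAMES = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500, "bootps": 67,
              "bootpc": 68, "ntp": 123, "snmp": 161, "www": 80, "ssh": 22}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


@dataclass
class Packet:
    proto: str                 # tcp / udp / icmp / esp / ahp / gre
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    established: bool = False  # TCP segment with ACK/RST set


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport_ok: Callable[[int], bool]
    dst: ipaddress.IPv4Network
    dport_ok: Callable[[int], bool]
    icmp_type: Optional[int]
    established: bool
    text: str


def _wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard mask -> prefix network (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    base = int(ipaddress.IPv4Address(addr)) & ~w & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{ipaddress.IPv4Address(base)}/{32 - w.bit_length()}")


def _parse_addr(t, i):
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return _wildcard_net(t[i], t[i + 1]), i + 2


def _parse_port(t, i):
    """Optional port operator after an address spec; default matches any port."""
    if i >= len(t) or t[i] not in PORT_OPS:
        return (lambda p: True), i
    val = lambda s: PORT_NAMES.get(s) or int(s)
    if t[i] == "range":
        lo, hi = val(t[i + 1]), val(t[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = val(t[i + 1])
    ops = {"eq": lambda p: p == n, "neq": lambda p: p != n,
           "gt": lambda p: p > n, "lt": lambda p: p < n}
    return ops[t[i]], i + 2


def parse_acl(text: str):
    entries = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] not in ("permit", "deny"):
            continue                          # skip remarks and blank lines
        src, i = _parse_addr(t, 2)
        sport_ok, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport_ok, i = _parse_port(t, i)
        rest = t[i:]
        icmp = None
        if t[1] == "icmp" and rest:
            icmp = ICMP_TYPES[rest[0]] if rest[0] in ICMP_TYPES else int(rest[0])
        entries.append(Entry(t[0], t[1], src, sport_ok, dst, dport_ok, icmp,
                             "established" in rest, raw.strip()))
    return entries


def _matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.IPv4Address(p.src) not in e.src or ipaddress.IPv4Address(p.dst) not in e.dst:
        return False
    if e.proto in ("tcp", "udp"):
        if not (e.sport_ok(p.sport) and e.dport_ok(p.dport)):
            return False
        if e.established and not p.established:
            return False
    if e.proto == "icmp" and e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    return True


def evaluate(entries, packet: Packet):
    """Return (action, entry text) of the first matching entry, else implicit deny."""
    for e in entries:
        if _matches(e, packet):
            return e.action, e.text
    return "deny", "<implicit deny>"


ACL = parse_acl(ACL_TEXT)
WAN = "203.0.113.10"   # assumed router WAN address (placeholder)

# Constructed inbound flows as they would arrive on Dialer0 / FastEthernet8.
SAMPLES = {
    "rtp_from_remote": Packet("udp", "198.51.100.7", WAN, 20000, 16500),
    "frag_needed":     Packet("icmp", "198.51.100.9", WAN, icmp_type=3),
    "icmp_redirect":   Packet("icmp", "198.51.100.9", WAN, icmp_type=5),
    "spoofed_lan_src": Packet("udp", "192.168.23.50", WAN, 5060, 5060),
    "dns_reply":       Packet("udp", "77.88.8.8", WAN, 53, 40000),
    "dns_query_in":    Packet("udp", "198.51.100.9", WAN, 5000, 53),
    "ike_from_peer":   Packet("udp", "198.51.100.1", WAN, 500, 500),
    "ike_from_other":  Packet("udp", "198.51.100.9", WAN, 500, 500),
    "tcp_syn_443":     Packet("tcp", "198.51.100.9", WAN, 51000, 443),
}


def audit():
    return {name: evaluate(ACL, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, text) in audit().items():
        print(f"{name:16} {action:6} <- {text}")
```

The same walk can be done on the router with `show ip access-lists outside_acl_in`, whose per-entry hit counters show which lines are actually being exercised by live traffic; a rising count on `deny icmp any any` or on one of the anti-spoofing entries while a call is degrading would point at the ACL, while the evaluator above shows that, as written, ordinary media and PMTUD traffic pass it.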