I have a Cisco 2811 with two providers, ISP1 and ISP2, both on external IPs. Config below. Pings go out to the Internet instantly and everything resolves fine.

Problem 1: on the workstations connected to the Cisco, when loading any site there is a timeout of about a minute before the site starts to display. I keep blaming DNS, but here that part clearly works. The company has about 10 users, two providers at 10 Mbps each with load balancing; the Cisco never gets loaded beyond a few percent. What else could the problem be? Which direction should I dig in?

Problem 2: on ISP1's external IP I connect via ssh and telnet without any problem. ISP2's IP pings from outside, but I cannot connect to it via ssh or telnet. What could the problem be?

General question: I don't fully understand ip cef; maybe that is where the catch is? Perhaps the config should be adjusted?
#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(19), RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Cisco 2811 (revision 53.50) with 247808K/14336K bytes of memory.
Processor board ID FCZ120271HG
6 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
#sh run
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CentrOffice_cisco
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-19.bin
boot-end-marker
!
enable secret 5 ***
!
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network default none
!
aaa session-id common
!
!
ip cef
!
!
ip domain name ****.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
type echo protocol ipIcmpEcho ***gw ISP1 ip***
timeout 1000
threshold 40
tag -=Monitoring ISP1 GW=-
frequency 3
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho ***gw ISP2 ip***
timeout 1000
threshold 40
tag -=Monitoring ISP2 GW=-
frequency 3
ip sla monitor schedule 2 life forever start-time now
vpdn enable
!
l2tp-class isp1
!
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-37832336
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-37832336
revocation-check none
rsakeypair TP-self-signed-3783237336
!
!
crypto pki certificate chain TP-self-signed-37832336
certificate self-signed 01
[cut]
quit
username cisco privilege 15 secret 5 ****
!
!
ip ssh version 2
!
track 1 rtr 1 reachability
delay down 15 up 10
!
track 2 rtr 2 reachability
delay down 15 up 10
pseudowire-class class1
encapsulation l2tpv2
protocol l2tpv2 isp1
ip local interface FastEthernet0/0
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
description ISP1_WAN_Ethernet
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description ISP2_WAN_Ethernet
mac-address 0003.210c.20ab
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/0/0
description CiscoLan_4ESW_VLAN172
switchport access vlan 172
!
interface FastEthernet0/0/1
description CiscoLan_4ESW_VLAN172
switchport access vlan 172
!
interface FastEthernet0/0/2
description CiscoLan_4ESW_VLAN172
switchport access vlan 172
!
interface FastEthernet0/0/3
description CiscoLan_4ESW_VLAN172
switchport access vlan 172
!
interface Virtual-PPP1
description L2TP-to-ISP1
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly
no cdp enable
ppp authentication chap callin
ppp chap hostname ********
ppp chap password 7 **********
pseudowire ***ip isp1 pptp*** 10 pw-class class1
!
interface Vlan1
no ip address
!
interface Vlan172
description -= CiscoLan_4ESW_VLAN172 =-
ip address 172.25.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 500
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 track 1
ip route 83.***.***.*** 255.255.255.255 Virtual-PPP1 track 1
ip route 0.0.0.0 0.0.0.0 10.3.2.1 track 2
ip route 192.168.0.0 255.255.255.0 172.25.20.10
ip route 85.***.***.*** 255.255.255.255 dhcp
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map ISP1 interface Virtual-PPP1 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
ip nat inside source static tcp 172.25.20.10 1723 89.***.***.*** 1723 extendable
ip nat inside source static tcp 172.25.20.10 3389 89.***.***.*** 3389 extendable
ip nat inside source static tcp 172.25.20.10 65535 89.***.***.*** 65535 extendable
!
ip access-list extended NAT_ISP_1
permit ip 172.25.20.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended NAT_ISP_2
permit ip 172.25.20.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
route-map ISP2 permit 10
match ip address NAT_ISP_2
match interface FastEthernet0/1
!
route-map ISP1 permit 10
match ip address NAT_ISP_1
match interface Virtual-PPP1
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password 7 *****
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
password 7 *****
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
#sh track
Track 1
Response Time Reporter 1 reachability
Reachability is Up
2 changes, last change 2d02h
Delay up 10 secs, down 15 secs
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
Track 2
Response Time Reporter 2 reachability
Reachability is Up
2 changes, last change 2d02h
Delay up 10 secs, down 15 secs
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
#sh proc cpu history - everything is fine, peak load gets up to 90%, but on average it is below 1-3%
CentrOffice_cisco#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
[cut]
S* 0.0.0.0/0 is directly connected, Virtual-PPP1
CentrOffice_cisco#sh dhcp ser
DHCP server: ANY (255.255.255.255)
Leases: 30
Offers: 2 Requests: 30 Acks : 30 Naks: 0
Declines: 0 Releases: 0 Query: 0 Bad: 0
DNS0: ***dns isp2 ip ***, DNS1: *** dns2 isp2 ***
Subnet: 255.255.255.0 DNS Domain: isp2.domain
CentrOffice_cisco#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/52/52 ms
CentrOffice_cisco#ping ya.ru
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 213.180.204.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Thanks in advance!!!
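Added example, not part of the post and not the poster's code: a small linter for the kind of IOS running-config shown above. It parses the config into top-level statements with their indented children and flags the settings a reviewer would check first in this config: an undersized `ip tcp adjust-mss` (the post has 500; 1360-1452 is the usual range for PPP/L2TP links, so 500 forces every TCP transfer into tiny segments), vty lines whose `transport input` still accepts telnet, `access-class` references to an ACL that is not defined anywhere in the config (the post applies ACL 23 but never defines it, and IOS permits all sources when the referenced list does not exist), and `ip http server` enabled next to the secure server. The function names (`parse_sections`, `defined_acls`, `lint`), the threshold `MIN_REASONABLE_MSS`, and the sample config excerpt are my own; the excerpt is constructed but uses only values that appear in the post.

```python
"""Minimal IOS running-config linter (added example, not from the original post)."""
import re

# Constructed excerpt of the posted config, with the indentation IOS prints restored.
SAMPLE_CONFIG = """\
!
interface Vlan172
 ip address 172.25.20.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 500
!
ip http server
ip http secure-server
ip access-list extended NAT_ISP_1
 permit ip 172.25.20.0 0.0.0.255 any
!
line vty 0 4
 access-class 23 in
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
!
end
"""

# Assumed threshold: MSS values below this are reported. 1360-1452 is the usual
# range for tunnelled/PPP WAN links; anything near 500 is almost certainly a typo.
MIN_REASONABLE_MSS = 1200


def parse_sections(config_text):
    """Split an IOS config into (header, [child_lines]) pairs.

    A line starting with a space belongs to the most recent unindented line
    (interface / line / access-list block). '!' separators and blanks are skipped.
    """
    sections = []
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def defined_acls(sections):
    """Collect ACL identifiers defined by 'access-list N ...' or 'ip access-list ... NAME'."""
    names = set()
    for header, _ in sections:
        m = re.match(r"access-list (\S+)", header)
        if m:
            names.add(m.group(1))
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", header)
        if m:
            names.add(m.group(1))
    return names


def lint(config_text):
    """Return a list of (severity, location, message) findings for the config."""
    sections = parse_sections(config_text)
    acls = defined_acls(sections)
    findings = []
    for header, children in sections:
        for child in children:
            m = re.match(r"ip tcp adjust-mss (\d+)", child)
            if m and int(m.group(1)) < MIN_REASONABLE_MSS:
                findings.append(("warn", header,
                                 f"adjust-mss {m.group(1)} is far below the usual 1360-1452"))
            if (header.startswith("line vty") and child.startswith("transport input")
                    and "telnet" in child.split()):
                findings.append(("warn", header,
                                 "telnet accepted on vty; credentials cross the network in clear text"))
            m = re.match(r"access-class (\S+) in", child)
            if m and m.group(1) not in acls:
                findings.append(("error", header,
                                 f"access-class references ACL {m.group(1)}, which is not defined; "
                                 "IOS permits all sources when the list does not exist"))
        if header == "ip http server":
            findings.append(("info", header,
                             "plaintext HTTP management enabled alongside ip http secure-server"))
    return findings


if __name__ == "__main__":
    for severity, where, msg in lint(SAMPLE_CONFIG):
        print(f"[{severity}] {where}: {msg}")
```

Run it against a full `show running-config` saved to a file by passing the file contents to `lint`; the parser relies on the one-space indentation IOS uses for sub-commands, so a config pasted with indentation stripped (as in the post above) needs the spaces restored first.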