strange periodic delays through WG -- BGP makes it worse

[jmkelly]

We tried to run BGP through our WG, with our provider's peer on the external side and our peer on the Trusted port. The BGP session came right up, but traffic did not flow smoothly; there would be a 20- to 30-second stall, then it would flow, then another stall, etc. This was visible with ping, traceroute, and websurfing. We rolled back to static routes and the problem went away--but not entirely.

When pinging from a router directly connected to the Trusted interface to either the WG's Trusted interface or a router directly connected to the External interface, we get delays in a consistent pattern: 100 packets get through, 1 is dropped, 100 get through, 1 is dropped, etc.

Pinging from the WG's External interface to the router directly connected to it goes without any loss, even flood-pinging.

The WG is very lightly loaded (CPU utilization ~3%, 10 Mbps peak traffic).

My hunch is that the router interface and WG Trusted interface are suffering from a speed mismatch. The router has a GigE int, the WG a FastE, and both are set to auto speed, auto duplex.

Anyone have a better theory?

 

[jmkelly]

The answer is simple for the 1/100 pattern: the WG has a DDOS policy that gets triggered by flood pings. It deliberately drops every 101th ping from a given source.

That doesn't explain to 20- to 30-second stalls we saw when BGP was running through (not on) the WG.

 

[tpit]

The 1/100 pattern is correct. I have this as well.

But your delay in BGP can also be the problem of interface collissions due to MTU mismatches. Also, BGP becomes unstable when it tries to change dynamic routes to soon. Before something is wrong. This can also be port MTU / speed mismatches... (duplex?)

_________________________________
It works! But how?
VoiceByte System Engineer