DSL-2500U_BRU_D, RU_1.54 (была и RU_1.56), router mode

При пробросе IPSEC, на виртуальный сервер где есть роутер Dlink-804HV, заметил что линия DSL падает периодически и пишет в лог.

kernel: net/ipv4/netfilter/./broadcom/ip_nat_ipsec.c:ipsec_nat_help Out of table entries


Запретил правилами доступ с IP роутера Dlink-804HV. Стало лутше.

Что делать с IPSEC ?

У меня есть подозрение что NAT таблица устройства переполнена.
Попробуйте перезагрузить модем и установть IpSec туннель.
Посмотрите как в нем ходит трафик, не используя никаких сторонних закачек из Интернет.

_________________
С уважением, Давыдов Денис.

Так как были падения всех клиентов убрал с этой лини, пока, так что нагрузки не было.

перезагрузки не помогают, у меня модем перегружается по питанию устройство NetPing.

Другими словами даже без наличия клиентов проблема имеет место быть?
Приведите полный лог устройства.

_________________
С уважением, Давыдов Денис.

Jul 9 06:03:10 10.9.0.1 kernel: net/ipv4/netfilter/./broadcom/ip_nat_ipsec.c:ipsec_nat_help Out of table entries
Jul 9 06:03:10 10.9.0.1 kernel: net/ipv4/netfilter/./broadcom/ip_nat_ipsec.c:ipsec_nat_help Out of table entries
Jul 9 06:04:44 10.9.0.1 last message repeated 2 times
Jul 9 06:09:22 10.9.0.1 last message repeated 6 times
Jul 9 06:10:40 10.9.0.1 BCM96345 started: BusyBox v1.00 (2010.04.27-07:21+0000)
Jul 9 06:10:40 10.9.0.1 kernel: klogd started: BusyBox v1.00 (2010.04.27-07:21+0000)
Jul 9 06:10:40 10.9.0.1 kernel: Linux version 2.6.8.1 (joan@BB3) (gcc version 3.4.2) #1 Tue Apr 27 15:19:05 CST 2010
Jul 9 06:10:40 10.9.0.1 kernel: Serial flash device: name S25FL016A, id 0x0114, size 2048KB
Jul 9 06:10:40 10.9.0.1 kernel: 96332CG prom init
Jul 9 06:10:40 10.9.0.1 kernel: CPU revision is: 00029010
Jul 9 06:10:40 10.9.0.1 kernel: Determined physical RAM map:
Jul 9 06:10:40 10.9.0.1 kernel: memory: 007a0000 @ 00000000 (usable)
Jul 9 06:10:40 10.9.0.1 kernel: On node 0 totalpages: 1952
Jul 9 06:10:40 10.9.0.1 kernel: DMA zone: 1952 pages, LIFO batch:1
Jul 9 06:10:40 10.9.0.1 kernel: Normal zone: 0 pages, LIFO batch:1
Jul 9 06:10:40 10.9.0.1 kernel: HighMem zone: 0 pages, LIFO batch:1
Jul 9 06:10:40 10.9.0.1 kernel: Built 1 zonelists
Jul 9 06:10:40 10.9.0.1 kernel: Kernel command line: root=31:0 ro noinitrd console=ttyS0,115200
Jul 9 06:10:40 10.9.0.1 kernel: brcm mips: enabling icache and dcache...
Jul 9 06:10:40 10.9.0.1 syslog: sntp -s time.nist.gov -s none -t "Athens, Istanbul, Minsk" &
Jul 9 06:10:40 10.9.0.1 kernel: Primary instruction cache 16kB, physically tagged, 2-way, linesize 16 bytes.
Jul 9 06:10:40 10.9.0.1 kernel: Primary data cache 8kB 2-way, linesize 16 bytes.
Jul 9 06:10:40 10.9.0.1 kernel: PID hash table entries: 32 (order 5: 256 bytes)
Jul 9 06:10:40 10.9.0.1 kernel: Using 120.000 MHz high precision timer.
Jul 9 06:10:40 10.9.0.1 kernel: Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
Jul 9 06:10:40 10.9.0.1 kernel: Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
Jul 9 06:10:40 10.9.0.1 kernel: Memory: 6024k/7808k available (1287k kernel code, 1764k reserved, 184k data, 64k init, 0k highmem)
Jul 9 06:10:40 10.9.0.1 kernel: Calibrating delay loop... 239.20 BogoMIPS
Jul 9 06:10:40 10.9.0.1 kernel: Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Jul 9 06:10:40 10.9.0.1 kernel: Checking for 'wait' instruction... unavailable.
Jul 9 06:10:40 10.9.0.1 kernel: NET: Registered protocol family 16
Jul 9 06:10:40 10.9.0.1 kernel: Total Flash size: 2048K with 32 sectors
Jul 9 06:10:40 10.9.0.1 kernel: File system address: 0xbfc10100
Jul 9 06:10:40 10.9.0.1 kernel: Can't analyze prologue code at 801506c4
Jul 9 06:10:40 10.9.0.1 kernel: PPP generic driver version 2.4.2
Jul 9 06:10:40 10.9.0.1 kernel: NET: Registered protocol family 24
Jul 9 06:10:40 10.9.0.1 kernel: Using noop io scheduler
Jul 9 06:10:40 10.9.0.1 kernel: bcm963xx_mtd driver v1.0
Jul 9 06:10:40 10.9.0.1 kernel: brcmboard: brcm_board_init entry
Jul 9 06:10:40 10.9.0.1 kernel:
Jul 9 06:10:40 10.9.0.1 kernel: ======= GPIO CONFIG_BCM96338 inited ========
Jul 9 06:10:40 10.9.0.1 kernel: Serial: BCM63XX driver $Revision: 3.00 $
Jul 9 06:10:40 10.9.0.1 kernel: ttyS0 at MMIO 0xfffe0300 (irq = 10) is a BCM63XX
Jul 9 06:10:40 10.9.0.1 kernel: NET: Registered protocol family 2
Jul 9 06:10:40 10.9.0.1 kernel: IP: routing cache hash table of 512 buckets, 4Kbytes
Jul 9 06:10:40 10.9.0.1 kernel: TCP: Hash tables configured (established 512 bind 1024)
Jul 9 06:10:40 10.9.0.1 kernel: NET: Registered protocol family 1
Jul 9 06:10:40 10.9.0.1 kernel: NET: Registered protocol family 17
Jul 9 06:10:40 10.9.0.1 kernel: Ebtables v2.0 registered
Jul 9 06:10:40 10.9.0.1 kernel: NET: Registered protocol family 8
Jul 9 06:10:40 10.9.0.1 kernel: NET: Registered protocol family 20
Jul 9 06:10:40 10.9.0.1 kernel: 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
Jul 9 06:10:40 10.9.0.1 kernel: All bugs added by David S. Miller <davem@redhat.com>
Jul 9 06:10:40 10.9.0.1 kernel: VFS: Mounted root (squashfs filesystem) readonly.
Jul 9 06:10:40 10.9.0.1 kernel: Freeing unused kernel memory: 64k freed
Jul 9 06:10:40 10.9.0.1 kernel: Algorithmics/MIPS FPU Emulator v1.5
Jul 9 06:10:40 10.9.0.1 kernel: atmapi: module license 'Proprietary' taints kernel.
Jul 9 06:10:40 10.9.0.1 kernel: adsl: adsl_init entry
Jul 9 06:10:40 10.9.0.1 kernel: blaadd: blaa_detect entry
Jul 9 06:10:40 10.9.0.1 kernel: Broadcom BCMPROCFS v1.0 initialized
Jul 9 06:10:40 10.9.0.1 kernel: Broadcom BCM6338A2 Ethernet Network Device v0.3 Apr 27 2010 15:17:46
Jul 9 06:10:40 10.9.0.1 kernel: Config Internal PHY Through MDIO
Jul 9 06:10:40 10.9.0.1 kernel: BCM63xx_ENET: 100 MB Full-Duplex (auto-neg)
Jul 9 06:10:40 10.9.0.1 kernel: eth0: MAC Address: ************
Jul 9 06:10:40 10.9.0.1 kernel: eth0 Link UP.
Jul 9 06:10:40 10.9.0.1 kernel: BcmAdsl_Initialize=0xC0068A48, g_pFnNotifyCallback=0xC0081784
Jul 9 06:10:40 10.9.0.1 kernel: AnnexCParam=0x7FFF7EB8 AnnexAParam=0x00003987 adsl2=0x00000003
Jul 9 06:10:40 10.9.0.1 kernel: pSdramPHY=0xA07FFFF8, 0x1B77A9 0xDEADBEEF
Jul 9 06:10:40 10.9.0.1 kernel: AdslCoreHwReset: AdslOemDataAddr = 0xA07EF96C
Jul 9 06:10:40 10.9.0.1 kernel: AnnexCParam=0x7FFF7EB8 AnnexAParam=0x00003987 adsl2=0x00000003
Jul 9 06:10:40 10.9.0.1 kernel: DoInitialize: do kerSysRegisterDyingGaspHandler
Jul 9 06:10:40 10.9.0.1 kernel: dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered
Jul 9 06:10:40 10.9.0.1 kernel: DoInitialize: do put_user
Jul 9 06:10:40 10.9.0.1 kernel: DoInitialize: do kerSysLedCtrl
Jul 9 06:10:40 10.9.0.1 kernel: ATM proc init !!!
Jul 9 06:10:40 10.9.0.1 kernel: ADSL G.994 training
Jul 9 06:10:40 10.9.0.1 kernel: ip_tables: (C) 2000-2002 Netfilter core team
Jul 9 06:10:40 10.9.0.1 kernel: ip_conntrack version 2.1 (61 buckets, 0 max) - 376 bytes per conntrack
Jul 9 06:10:40 10.9.0.1 kernel: ip_conntrack_pptp version 2.1 loaded
Jul 9 06:10:40 10.9.0.1 kernel: ip_nat_pptp version 2.0 loaded
Jul 9 06:10:40 10.9.0.1 kernel: ip_conntrack_rtsp v0.01 loading
Jul 9 06:10:40 10.9.0.1 kernel: ip_nat_rtsp v0.01 loading
Jul 9 06:10:40 10.9.0.1 kernel: unregistering helper for port 5060
Jul 9 06:10:40 10.9.0.1 kernel: unregistering helper for port 5060
Jul 9 06:10:40 10.9.0.1 kernel: device eth0 entered promiscuous mode
Jul 9 06:10:40 10.9.0.1 kernel: br0: port 1(eth0) entering learning state
Jul 9 06:10:40 10.9.0.1 kernel: br0: topology change detected, propagating
Jul 9 06:10:40 10.9.0.1 kernel: br0: port 1(eth0) entering forwarding state
Jul 9 06:10:40 10.9.0.1 syslog: echo > /var/snmpd.conf
Jul 9 06:10:42 10.9.0.1 syslog: pppd *********: plugin pppoe rp_pppoe_service Ukrtelecom nas_0_1_32 nodetach user **********
Jul 9 06:10:44 10.9.0.1 kernel: ADSL G.992 started
Jul 9 06:10:45 10.9.0.1 pppd[279]: Plugin pppoe loaded.
Jul 9 06:10:45 10.9.0.1 pppd[279]: RP-PPPoE plugin version 3.3 compiled against pppd 2.4.3
Jul 9 06:10:45 10.9.0.1 pppd[279]: Plugin pppoe called.
Jul 9 06:10:45 10.9.0.1 pppd[279]: pppd 2.4.3 started by admin, uid 0
Jul 9 06:10:48 10.9.0.1 kernel: ADSL G.992 channel analysis
Jul 9 06:10:55 10.9.0.1 kernel: ADSL link down
Jul 9 06:10:57 10.9.0.1 kernel: ADSL G.994 training
Jul 9 06:11:12 10.9.0.1 kernel: ADSL G.992 started
Jul 9 06:11:16 10.9.0.1 kernel: ADSL G.992 channel analysis
Jul 9 06:11:22 10.9.0.1 kernel: ADSL G.992 message exchange
Jul 9 06:11:23 10.9.0.1 kernel: ADSL link up, interleaved, us=1556, ds=5911
Jul 9 06:11:23 10.9.0.1 kernel: ADSL2/ADSL2+ connection
Jul 9 06:11:23 10.9.0.1 kernel: ATM Soft SAR: ATM link connected.
Jul 9 06:11:24 10.9.0.1 syslog: iptables -t nat -A PREROUTING -i br0 -d 10.9.0.1 -p udp --dport 53 -j DNAT --to 128.9.0.107
Jul 9 06:11:28 10.9.0.1 pppd[279]: PPP session is 6751
Jul 9 06:11:28 10.9.0.1 pppd[279]: Using interface ppp0_1_32_1
Jul 9 06:11:28 10.9.0.1 pppd[279]: Connect: ppp_0_1_32_1 <--> nas_0_1_32
Jul 9 06:11:28 10.9.0.1 pppd[279]: Couldn't increase MRU to 1500
Jul 9 06:11:28 10.9.0.1 pppd[279]: Remote message: permission denied
Jul 9 06:11:28 10.9.0.1 pppd[279]: PAP authentication failed
Jul 9 06:11:28 10.9.0.1 pppd[279]: Couldn't increase MRU to 1500
Jul 9 06:11:28 10.9.0.1 pppd[279]: Connection terminated....
Jul 9 06:11:32 10.9.0.1 pppd[279]: Sent PADT
Jul 9 06:11:35 10.9.0.1 pppd[279]: PPP session is 6731
Jul 9 06:11:35 10.9.0.1 pppd[279]: Using interface ppp0_1_32_1
Jul 9 06:11:35 10.9.0.1 pppd[279]: Connect: ppp_0_1_32_1 <--> nas_0_1_32
Jul 9 06:11:35 10.9.0.1 pppd[279]: Couldn't increase MRU to 1500
Jul 9 06:11:35 10.9.0.1 pppd[279]: PAP authentication succeeded
Jul 9 06:11:35 10.9.0.1 pppd[279]: peer from calling number 00:90:1A:42:21:41 authorized
Jul 9 06:11:35 10.9.0.1 pppd[279]: local IP address *********
Jul 9 06:11:35 10.9.0.1 pppd[279]: remote IP address 195.5.5.203
Jul 9 06:11:35 10.9.0.1 pppd[279]: primary DNS address 213.179.249.135
Jul 9 06:11:35 10.9.0.1 pppd[279]: secondary DNS address 213.179.249.138
Jul 9 06:11:36 10.9.0.1 syslog: route add default gw 195.5.5.203 2>/dev/null
Jul 9 06:11:37 10.9.0.1 syslog: route add -net 10.250.0.0 netmask 255.255.0.0 metric 1 gw 10.9.0.3 2>/dev/null
Jul 9 06:11:37 10.9.0.1 syslog: echo route add -net 10.250.0.0 netmask 255.255.0.0 metric 1 gw 10.9.0.3 2>/dev/null >> /var/StaticRoute
Jul 9 06:11:37 10.9.0.1 syslog: route add -net 172.16.1.0 netmask 255.255.255.0 metric 1 gw 10.9.0.3 2>/dev/null
Jul 9 06:11:37 10.9.0.1 syslog: iptables -A FORWARD -o ppp_0_1_32_1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Jul 9 06:11:37 10.9.0.1 syslog: iptables -A FORWARD -i ppp_0_1_32_1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Jul 9 06:11:37 10.9.0.1 syslog: echo > /proc/net/ip_conntrack
Jul 9 06:11:37 10.9.0.1 syslog: echo "600" > /proc/sys/net/ipv4/ip_conntrack_max
Jul 9 06:11:37 10.9.0.1 syslog: echo 2000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
Jul 9 06:11:37 10.9.0.1 syslog: echo 600 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
Jul 9 06:11:37 10.9.0.1 syslog: echo 1400 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
Jul 9 06:11:37 10.9.0.1 syslog: echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
Jul 9 06:11:37 10.9.0.1 syslog: echo 4096 > /proc/sys/net/ipv4/ipfrag_high_thresh
Jul 9 06:11:37 10.9.0.1 syslog: echo 1024 > /proc/sys/net/ipv4/ipfrag_low_thresh
Jul 9 06:11:37 10.9.0.1 syslog: echo 5 > /proc/sys/net/ipv4/ipfrag_time
Jul 9 06:11:37 10.9.0.1 syslog: iptables -t nat -D PREROUTING -i br0 -d 10.9.0.1 -p udp --dport 53 -j DNAT --to 128.9.0.107 2>/dev/null
Jul 9 06:11:37 10.9.0.1 syslog: iptables -t nat -D POSTROUTING -o ppp_0_1_32_1 -s 10.9.0.0/255.255.255.0 -j MASQUERADE 2>/dev/null
Jul 9 06:11:37 10.9.0.1 syslog: iptables -t nat -A POSTROUTING -o ppp_0_1_32_1 -s 10.9.0.0/255.255.255.0 -j MASQUERADE
Jul 9 06:11:37 10.9.0.1 syslog: iptables -t nat -D PREROUTING -i br0 -d 10.9.0.1 -p udp --dport 53 -j DNAT --to 213.179.249.135 2>/dev/null
Jul 9 06:11:37 10.9.0.1 syslog: iptables -t nat -A PREROUTING -i br0 -d 10.9.0.1 -p udp --dport 53 -j DNAT --to 213.179.249.135
Jul 9 06:11:37 10.9.0.1 syslog: /bin/dnsprobe &
Jul 9 06:11:38 10.9.0.1 dnsprobe[588]: dnsprobe started!
Jul 9 06:11:39 10.9.0.1 syslog: iptables -I INPUT 1 -p icmp --icmp-type echo-request -i ppp_0_1_32_1 -j ACCEPT
Jul 9 06:11:39 10.9.0.1 syslog: echo 4096 > /proc/sys/net/ipv4/ipfrag_high_thresh
Jul 9 06:11:39 10.9.0.1 syslog: echo 1024 > /proc/sys/net/ipv4/ipfrag_low_thresh
Jul 9 06:11:40 10.9.0.1 syslog: echo 5 > /proc/sys/net/ipv4/ipfrag_time
Jul 9 06:13:18 10.9.0.1 kernel: net/ipv4/netfilter/./broadcom/ip_nat_ipsec.c:ipsec_nat_help Out of table entries
Jul 9 06:13:18 10.9.0.1 kernel: net/ipv4/netfilter/./broadcom/ip_nat_ipsec.c:ipsec_nat_help Out of table entries
Jul 9 06:14:50 10.9.0.1 last message repeated 2 times
Jul 9 06:21:01 10.9.0.1 last message repeated 8 times
Jul 9 06:22:18 10.9.0.1 BCM96345 started: BusyBox v1.00 (2010.04.27-07:21+0000)
Jul 9 06:22:18 10.9.0.1 kernel: klogd started: BusyBox v1.00 (2010.04.27-07:21+0000)

В том случае если модем настроен в режиме Bridge - IpSec туннель работает?

_________________
С уважением, Давыдов Денис.

не приемлем режим, так как работают другие интернет сервисы на другом сервере, но для проверки можно по пробовать.

p.s. ADSL 500T нормально справлялся, до апгрейда на 2500.
Все из-за SRA в Annex-M...

Пожалуйста попробуйте и напишите.

_________________
С уважением, Давыдов Денис.

Сколько IPSec туннелей проходят через DSL-2500U?