Re: Strange Router behaviour
- From: Scooty <scootyjthompson@xxxxxxxxx>
- Date: Sat, 14 Jun 2008 18:14:30 -0700 (PDT)
On Jun 15, 4:48 am, Darren Green <darrenfgr...@xxxxxxxxxxxxx> wrote:
Scooty wrote:
Hi all
I have installed a new Cisco 871 as we have changed ISPs and have
gone from ADSL to Fibre; the original router was an ADSL Cisco 877 and
the new router is a Cisco 871.
Since installing the new router a couple of days ago I have had some
strange problems.
For example I was able to VPN into my network but could not access
webmail. Internet going out was affected and if I logged into the
router and tried to do a show log it would just hang, in other words it
just wouldn't display the log. Also I have IPSEC setup between my home
network and the office network. I was able to ping hosts and I was
able to telnet to the office switches etc, but performance was pretty
slow and I could not remote desktop to any hosts.
I am unsure if it's any sort of DoS or an actual hardware fault or
something else all together. A reload has always fixed it, till it
happens again anyway. This has happened 3 times in the last 1 1/2 days
I do have a Cisco 2801 I am going to put in its place to help
eliminate the router as the problem, but I was hoping someone might be
able to offer some suggestions as to whether or not these problems
seem either hardware or software related.
Attached is the show ver and a copy of the config (note that any
static IP's pertaining to the network have been x'd out). Lastly the
router connects to a Cisco PIX 515E V6.3
I suppose it could be firewall related but then why would a reload of
the router fix the issues?
Cheers
Scott
show ver
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(4)T8, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Sat 11-Aug-07 03:34 by khuie
ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE
Internet_Router uptime is 12 minutes
System returned to ROM by reload at 23:37:09 WST Sat Jun 14 2008
System restarted at 23:37:51 WST Sat Jun 14 2008
System image file is "flash:c870-advsecurityk9-mz.124-4.T8.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use
encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be
found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
exp...@xxxxxxxxxx
Cisco 871 (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FHK1144270N
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
5 FastEthernet interfaces
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)
Configuration register is 0x2102
show run
Building configuration...
Current configuration : 4742 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname Internet_Router
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
enable password 7 <passwd>
!
no aaa new-model
!
resource policy
!
clock timezone WST 8
clock summer-time WST recurring last Sun Oct 2:00 last Sun Mar 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip bootp server
ip domain name somedomain.com.au
ip name-server 203.161.127.1
vpdn enable
!
!
!
!
username <username> password <password>
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address x.x.x.x 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip policy route-map clear-df
speed 10
half-duplex
!
interface Vlan1
ip address x.x.x.x 255.255.255.248
ip access-group 102 in
ip tcp adjust-mss 1452
ip policy route-map clear-df
hold-queue 100 out
!
ip classless
ip route 0.0.0.0 0.0.0.0 <nexthop>
!
no ip http server
no ip http secure-server
!
access-list 1 remark The local LAN.
access-list 1 permit x.x.x.0 0.0.0.255
access-list 2 permit x.x.x.x
access-list 2 remark vty access list
access-list 2 permit x.x.x.x 0.0.0.7
access-list 2 permit x.x.x.x 0.0.0.7
access-list 5 permit any
access-list 101 remark Traffic allowed to router from Internet
access-list 101 deny icmp any any log
access-list 101 permit tcp any any established
access-list 101 deny ip x.x.x.x 0.0.0.7 any
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit ip any host x.x.x.x
access-list 101 permit ip any host x.x.x.x
access-list 101 permit ip any host x.x.x.x
access-list 101 permit ip any host x.x.x.x
access-list 101 permit ip any host x.x.x.x
access-list 101 permit ip any host x.x.x.x
access-list 101 permit udp any any eq ntp
access-list 101 permit udp any any eq domain
access-list 101 permit gre any host x.x.x.x
access-list 101 permit udp host 203.161.127.1 host x.x.x.x
access-list 101 permit udp host 203.153.224.42 host x.x.x.x
access-list 101 deny ip any any log
access-list 102 remark Traffic allowed to router from Ethernet
access-list 102 permit icmp any any
access-list 102 permit tcp any any established
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 permit ip host x.x.x.x any
access-list 102 permit ip host x.x.x.x any
access-list 102 permit ip host x.x.x.x any
access-list 102 permit ip host x.x.x.x any
access-list 102 permit ip host x.x.x.x any
access-list 102 permit ip host x.x.x.x any
access-list 102 deny ip any host 116.212.213.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 deny ip any host 255.255.255.255
access-list 102 deny ip any any log
snmp-server community public RW
snmp-server community private RO
snmp-server location AFF Balcatta
snmp-server contact AFF IT Dept
snmp-server system-shutdown
snmp-server enable traps tty
no cdp run
route-map clear-df permit 10
match ip address 5
set ip df 0
!
!
control-plane
!
!
line con 0
exec-timeout 60 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 2 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
sntp server 128.250.36.2
end
I was trying to work out your topology. I think what you are saying is
that you have:
remote PIX-------871 router-----Internet-------Head Office-----LAN
You say you cannot access Webmail. Is this via the VPN on your remote
PIX? If so, what do your crypto ACLs say? Have you a split tunnel policy
in your VPN setup that maybe excludes access to the Webmail box? What is
the topology at the Head Office end? How does the Webmail route back to
your home network? Could you access any other servers / devices other
than your switches?
When you say you were logging into your router and the show log just
hung the device, where were you logging in from: your Head Office, your
local LAN, etc.?
Slow VPN performance can be as a result of fragmentation issues amongst
other things, but I note that you override the DF bit for packets on your
router. However, as I am not sure how your topology hangs together it is
hard to determine what effect this is having and why you added the command.
Maybe an idea to do a quick topology map and add a little more detail.
Regards
Darren
Thanks Darren
Basically it is Office LAN -- PIX (Internal) -- Cisco 871 VLAN1 /28 --
Cisco 871 FastEthernet4 /30 -- Internet
From my home laptop I can telnet to the router over the internet to
the public IP set on the inside IP of the ethernet i/f (VLAN1) of the
router
Webmail is straight over the internet no VPN or anything like that
using https
As only some services are affected it does seem strange that the PIX
may be the issue, as I had no problems whatsoever over the old
connection. I have simply changed the outside IP on the PIX and
reconfigured the outside addresses. The ethernet i/f connection to the
ISP equipment has been hard set at 10Mb/s Half Duplex; this is correct,
it was set to auto and this is what was being reported on the i/f using
a sh int fa4 before I hard set it. I remember the ISP saying to hard
set it if there were problems.
The other router (877) is using the exact same IOS as the 871 so I
would be surprised if the version of IOS was an issue.
A year old in Cisco terms is not that old!
When I say hung on the sh log, I would type the command and nothing
would happen, it would just sit there. I would disconnect and reconnect
to the router no worries at all, so it didn't lock the router up per
se.
Also if it is PIX related why would a reboot of the router fix the
problem?
Cheers,
Scott
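As an added worked example (not code from the thread, and not a diagnosis of the fault Scott describes), the Python below runs the checks a security reviewer would raise against the posted show run: the enable password is type 7, which `service password-encryption` only obfuscates with a public XOR key; both SNMP communities are the well-known default strings and `public` is RW; the vty lines have no `transport input ssh` (Scott says he telnets in); `permit tcp any any established` is a stateless ACK/RST flag check; several `deny ... log` entries with no `logging rate-limit` mean every denied packet is punted to the CPU to raise a syslog message; and the `clear-df` route-map matches ACL 5 (`permit any`) and is applied to both interfaces, so DF is cleared on all transit traffic and PMTUD is disabled for it. The SAMPLE_CONFIG is a constructed abridgement of the config above: the x'd-out addresses are replaced with RFC 5737 documentation space and a made-up type-7 string (094F471A1A0A) stands in for the redacted `<passwd>`.

```python
"""Audit a pasted Cisco IOS 'show run' for settings a security review would
question.  Added example; SAMPLE_CONFIG is a constructed abridgement of the
config posted in the thread, not the original."""
import re

# The type-7 XOR key is public, so 'service password-encryption' is reversible.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc):
    """Reverse a 'password 7' string: two-digit seed, then hex byte pairs,
    each XORed with the key byte at (seed + position) mod key length."""
    seed = int(enc[:2])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(bytes.fromhex(enc[2:])))


def sections(config):
    """Yield (top-level line, [indented child lines]).  IOS indents children
    of interface/route-map/line blocks by one space."""
    head, kids = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and head is not None:
            kids.append(raw.strip())
            continue
        if head is not None:
            yield head, kids
        head, kids = raw.strip(), []
    if head is not None:
        yield head, kids


def audit(config):
    """Return a list of (code, detail) findings."""
    secs = list(sections(config))
    tops = [h for h, _ in secs]
    out = []
    for h, kids in secs:
        if m := re.match(r"snmp-server community (\S+) (RO|RW)\b", h):
            comm, mode = m.groups()
            if mode == "RW":
                out.append(("SNMP_RW", comm))            # write access to the config
            if comm.lower() in ("public", "private"):
                out.append(("SNMP_DEFAULT", comm))       # guessable community string
        elif m := re.match(r"enable password 7 (\S+)$", h):
            out.append(("TYPE7_ENABLE", decode_type7(m.group(1))))
        elif h.startswith("line vty") and "transport input ssh" not in kids:
            out.append(("VTY_NOT_SSH_ONLY", h))          # telnet still accepted
        elif m := re.match(r"route-map (\S+) permit", h):
            # 'set ip df 0' behind a permit-any match ACL clears DF on every
            # packet of any interface the policy is applied to (no PMTUD).
            acl = next((k.split()[-1] for k in kids if k.startswith("match ip address")), None)
            if "set ip df 0" in kids and f"access-list {acl} permit any" in tops:
                for ih, ik in secs:
                    if ih.startswith("interface") and f"ip policy route-map {m.group(1)}" in ik:
                        out.append(("DF_CLEARED_ALL", ih.split()[1]))
    if not any(t.startswith("enable secret") for t in tops):
        out.append(("NO_ENABLE_SECRET", ""))             # only the reversible form exists
    logged = [t for t in tops if t.startswith("access-list") and t.endswith(" log")]
    if logged and not any(t.startswith("logging rate-limit") for t in tops):
        # each packet matching a 'log' ACE is punted to the CPU for a syslog message
        out.append(("ACL_LOG_UNLIMITED", str(len(logged))))
    if any(t.endswith("permit tcp any any established") for t in tops):
        out.append(("ESTABLISHED_STATELESS", ""))        # ACK/RST flag check only
    return out


# Constructed sample: abridged from the posted config, addresses from RFC 5737,
# made-up type-7 string in place of the redacted one.
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
hostname Internet_Router
logging buffered 10000 debugging
enable password 7 094F471A1A0A
no aaa new-model
!
interface FastEthernet4
 ip address 192.0.2.2 255.255.255.252
 ip access-group 101 in
 ip policy route-map clear-df
!
interface Vlan1
 ip address 198.51.100.1 255.255.255.248
 ip access-group 102 in
 ip policy route-map clear-df
!
access-list 5 permit any
access-list 101 deny icmp any any log
access-list 101 permit tcp any any established
access-list 101 deny ip any any log
access-list 102 permit tcp any any established
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any any log
snmp-server community public RW
snmp-server community private RO
route-map clear-df permit 10
 match ip address 5
 set ip df 0
!
line vty 0 4
 access-class 2 in
 login local
end
"""

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:22} {detail}")
```

Run it as-is to see the findings for the sample; paste a real `show run` (with its one-space indentation intact) into SAMPLE_CONFIG to audit that instead. The corrected settings for the flagged items are the usual ones: `enable secret` instead of `enable password`, non-default communities with RO only (or SNMPv3), `transport input ssh` on the vty lines, and either `logging rate-limit` or dropping `log` from the catch-all deny entries so a flood of denied packets cannot keep the CPU busy writing syslog.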