 | [HELP] Cisco 871w intermittent inbound problem w/ FIOS 35/35
Hello everyone, I'm a first-time poster, so please forgive any mistakes I make.
I recently changed my company's network over from dual bonded T1s to Verizon FIOS. My previous connection was 3 Mbps/3 Mbps and my new connection is 35 Mbps/35 Mbps. We currently use a VPN tunnel, firewall, NAT (10 addresses), inspection, and ACLs.
Everything was working fine until about 5 hours after the changeover. What's happening is that after approx. 4-5 hours, all inbound traffic becomes blocked on the outside interface EXCEPT for the VPN tunnel. This means my website and mail server go dark every 4-5 hours, which is extremely annoying. Luckily a basic reload command fixes it, and since the VPN stays up I can get to the router by that method. I've gone as far as erasing the entire config and rebuilding it line by line, and it STILL happens.
The interface on this router says it's 10/100 Mbps, so I thought the 35 Mbps wouldn't be a problem, but I'm starting to wonder if maybe I'm overloading the router and it just craps out.
So am I just overloading the bandwidth, causing the ACL to stop working? Or is there something else I should look at?
Any ideas to help?
This is the running config of the router: 192.168.2.1
----------------------------------------------------------------------------
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname oxnard871w
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
logging console alerts
!
username *****
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
ip cef
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip domain name larrivee.com
ip name-server 68.238.64.12
ip name-server 68.238.128.12
no ftp-server write-enable
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ****
!
crypto ipsec transform-set ****
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 206.108.xxx.xxx
 set peer 206.108.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 102
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 108.0.xxx.xxx 255.255.255.0
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 no cdp enable
 ip tcp adjust-mss 1452
 crypto map SDM_CMAP_1
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 104 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 108.0.xxx.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip http client source-interface FastEthernet4
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static 192.168.2.50 108.0.xxx.67 route-map SDM_RMAP_1
ip nat inside source static 192.168.2.53 108.0.xxx.68 route-map SDM_RMAP_1
ip nat inside source static 192.168.2.52 108.0.xxx.69 route-map SDM_RMAP_1
ip nat inside source static 192.168.2.54 108.0.xxx.70 route-map SDM_RMAP_1
ip nat inside source static 192.168.2.76 108.0.xxx.71 route-map SDM_RMAP_1
ip nat inside source static 192.168.2.40 108.0.xxx.72 route-map SDM_RMAP_1
ip nat inside source static 192.168.2.56 108.0.xxx.73 route-map SDM_RMAP_1
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit icmp any any
access-list 100 deny ip 108.0.xxx.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny ip 108.0.xxx.0 0.0.0.192 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit udp host 68.238.128.12 eq domain any
access-list 105 permit udp host 68.238.64.12 eq domain any
access-list 105 permit tcp any host 108.0.xxx.73 eq www
access-list 105 permit tcp any host 108.0.xxx.72 eq smtp
access-list 105 permit tcp any host 108.0.xxx.71 eq 3389
access-list 105 permit tcp any host 108.0.xxx.70 eq www
access-list 105 permit tcp any host 108.0.xxx.69 eq 41228
access-list 105 permit tcp any host 108.0.xxx.69 eq www
access-list 105 permit tcp any host 108.0.xxx.68 eq ftp
access-list 105 permit tcp any host 108.0.xxx.68 eq www
access-list 105 permit tcp any host 108.0.xxx.67 eq smtp
access-list 105 permit tcp any host 108.0.xxx.67 eq 443
access-list 105 permit tcp any host 108.0.xxx.67 eq 3389
access-list 105 permit tcp any host 108.0.xxx.67 eq www
access-list 105 permit ahp host 206.108.xxx.18 host 108.0.253.66
access-list 105 permit esp host 206.108.xxx.18 host 108.0.253.66
access-list 105 permit udp host 206.108.xxx.18 host 108.0.253.66 eq isakmp
access-list 105 permit udp host 206.108.xxx.18 host 108.0.253.66 eq non500-isakmp
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny ip 192.168.2.0 0.0.0.255 any
access-list 105 permit icmp any host 108.0.xxx.66 echo-reply
access-list 105 permit icmp any host 108.0.xxx.66 time-exceeded
access-list 105 permit icmp any host 108.0.xxx.66 unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
control-plane
!
banner login ^CCAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
end |
|
 | Get the most recent stable IOS version on there; 12.4.25d I think, and go from there. |
|
 | I'll give that a try, and report back! |
|
 | reply to svirfnebli Excellent, BTW, about your other question about saturating that router.
Oh yes, you will.
Cisco rates it for 12.8Mbit. Which means you are likely not going to see even that depending on the type of traffic, packet size....etc.
This doesn't mean it won't do the job. It will. The issue you are experiencing shouldn't be related to the device being unable to handle the traffic; at least in my experience with overloading Cisco routers. They typically just make the 'net a little slow |
|
 | reply to svirfnebli One more thing:
Set your speed and duplex to auto.
If they aren't hard-coded to 100/full on the other end (which they aren't) then you should be using auto. |
|
 | reply to svirfnebli Do you show any type of errors in the log during or after the time it messes up?
Have you done a show proc cpu to see if you are really maxing out the router? If you really were maxing out the router, why would the VPN tunnel stay up? I would think it would be one of the first things to go down.
How many static IP addresses do you have, and is the tunnel on its own IP?
If it was a speed/duplex thing, your tunnel wouldn't work either.
Maybe some kind of ARP timeout between you and Verizon? |
|
 | Sorry, I just dug into your config more.
It seems you have a full /24 from Verizon? And the tunnel goes through the IP on fe0/4.
Your servers are in the .67-.73 IP range and they are the ones that stop working? |
|
 | reply to svirfnebli I have a block of 13 IPs, but it looks like they assigned me an entire class C, based on the subnet mask of 255.255.255.0. I phoned them and they said this is normal for them and other customers are in the same C block.
What gets me is the VPN stays up, but everything goes down.
I'm very new to Cisco programming, so if someone can explain to me how to look at the errors I would be appreciative. I have telnet and console access; SDM doesn't seem to be working properly. |
|
 | reply to OVERKILL said by OVERKILL: If they aren't hard-coded to 100/full on the other end (which they aren't) then you should be using auto. That's a remnant from the previous internet connection - it was connected to another Cisco router and wouldn't work without hard coding that in. |
|
 | Ahhh, OK. You want that stuff to match.
For example, if you are hard coding 100/full, then that has to be done on both ends. Since I doubt you have that configuration option on the equipment from Verizon, it would be set to auto/auto, so your configuration should reflect that.
There are funky bugs in various IOS versions. Essentially finding the version that works right for you is the fun part 
I had a couple weird issues with one of the 15-series T-train releases giving me memory errors. The subsequent two releases, that didn't happen, and neither did earlier releases.
This may simply be a software bug. I would think that if it was an issue with the connection, the VPN tunnel should be one of the first things to drop. At least in my experience.
Try the IOS update and go from there. |
|
 | Thank you for the advice. I've not updated the IOS before. Is it difficult to do? Is there a primer that you can recommend on how to do it? |
|
|
|
 | reply to svirfnebli It is normally done with TFTP.
HOWEVER
Since you are new to Cisco, the easiest way is through CCP.
CCP is the replacement for SDM.
Install CCP
Connect to the router.
Go to flash management, copy the new IOS image to flash (you may need to delete the old IOS image first depending on space). It will tell you it detected a new image, and ask if you want to set it as the default boot image. Hit yes.
Do a copy running to startup, and then issue a reload. |
|
 | reply to svirfnebli Hit up the forum FAQ under section 60.0 - slow connection through a router, firewall or switch. There's actually a link to a thread for another person with an 871w and FiOS you may want to check out. It also collects a few other previous threads with other things to check out to troubleshoot this more.
Do you have any sort of syslogging / performance monitoring on the device as well? It would be worth it to look into to see what it's doing at the time the "hang" occurs.
Regards |
|
 | reply to OVERKILL Ok, got the CCP installed. LOVE IT. Thank you for telling me about that.
Does cisco only provide the IOS updates if you pay for a subscription? I've had this router a few years and no subscription : Is there any way to obtain it without paying monthly fees? |
|
 | reply to HELLFIRE said by HELLFIRE: Do you have any sort of syslogging / performance monitoring on the device as well? It would be worth it to look into to see what it's doing at the time the "hang" occurs. I know you'll look at this and go "what a dummy!" but can you happen to tell me how to enable logging to check for errors? Either using CCP or command line. I'd love to learn how to do that |
|
 | To view the log, sh log.
No prob about CCP, great app for guys not familiar with Cisco and just want to get a basic config up and running.
And yes, you need a service contract on the router to have IOS update access.
Did you buy the router new? |
|
 | I've had the router for about five years. I did buy it new a long time ago.
It's a shame to spend money to get a service contract only to find out it still doesn't work and I need to upgrade to a new 2900 series. : |
|
 | reply to svirfnebli @svirfnebli
router# config t
router(config)# logging [your syslog server IP address here]
router(config)# ^Z
router# copy run start
If you have an old Windows box lying around, look into Kiwi Syslog server for the logging software.
SDM / CCP's nice if you don't do CLI very well, but I'm the type that is MUCH more comfortable with CLI.
You may also want to check the FAQ what benefits a support contract gets you; working in the enterprise arena, with 2000+ devices live, believe me a 0200 hard down situation is NOT something you want to tell the boss "it'll get fixed when it gets fixed" :D
Regards |
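Once the router is sending to a syslog host, the useful step is lining its messages up with the minute the mail server stopped receiving, as the poster intends. Below is an added example written for this thread, not code from the thread or from Cisco: a small Python parser for IOS syslog lines in the %FACILITY-SEVERITY-MNEMONIC format the 871 emits with "service timestamps log datetime msec" set (as in the posted config), with helpers to filter by severity, pull every event within a window of a given time, and list interface state changes. The sample lines are constructed for this example; the message types in them (%SYS-5-CONFIG_I, %LINK-3-UPDOWN, %LINEPROTO-5-UPDOWN, %SEC-6-IPACCESSLOGP) are standard IOS messages, but the addresses, times and states are made up. IOS timestamps carry no year, so the caller supplies one.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# One IOS message as it lands on a syslog server: optional <PRI> header from
# the syslog transport, optional sequence number, the router's own timestamp
# ("service timestamps log datetime msec"), then %FACILITY-SEVERITY-MNEMONIC: text.
IOS_LINE = re.compile(
    r"^(?:<\d{1,3}>)?(?:\d+: )?\*?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d{3})?: "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$"
)
# Body of %LINK-3-UPDOWN and %LINEPROTO-5-UPDOWN messages.
STATE_CHANGE = re.compile(r"Interface (?P<ifname>\S+), changed state to (?P<state>\w+)")

@dataclass
class IosEvent:
    when: datetime
    facility: str
    severity: int      # 0 = emergencies .. 7 = debugging; lower is worse
    mnemonic: str
    message: str

def parse_line(line, year):
    """Parse one syslog line; returns None if it is not an IOS %-message.
    IOS timestamps have no year, so the caller supplies it (assumption)."""
    m = IOS_LINE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return IosEvent(when, m["fac"], int(m["sev"]), m["mnem"], m["msg"])

def parse_log(lines, year):
    return [ev for ev in (parse_line(l, year) for l in lines) if ev is not None]

def at_least(events, severity):
    """Events at the given Cisco severity or worse (numerically <=)."""
    return [ev for ev in events if ev.severity <= severity]

def around(events, moment, minutes=5):
    """Events within +/- `minutes` of `moment`, e.g. the mail log's last-received time."""
    window = timedelta(minutes=minutes)
    return [ev for ev in events if abs(ev.when - moment) <= window]

def interface_changes(events):
    """(time, interface, state) for every link / line-protocol state change."""
    out = []
    for ev in events:
        m = STATE_CHANGE.search(ev.message)
        if m and ev.mnemonic == "UPDOWN":
            out.append((ev.when, m["ifname"], m["state"]))
    return out

# Constructed sample, not from the thread's router: a config change at 14:02,
# a WAN flap at 18:31, one hit on ACL 105's "deny ip any any log", and one
# non-IOS line from a mail host that the parser must ignore.
SAMPLE_LOG = [
    "*Jun  5 14:02:11.301: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.20)",
    "<189>45: *Jun  5 18:31:07.882: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4, changed state to down",
    "<187>46: *Jun  5 18:31:08.002: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to down",
    "*Jun  5 18:31:12.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4, changed state to up",
    "*Jun  5 18:33:40.110: %SEC-6-IPACCESSLOGP: list 105 denied tcp 203.0.113.9(4120) -> 108.0.253.66(25), 1 packet",
    "Jun  5 18:40:00 mailhost postfix/smtpd[2211]: connect from unknown[203.0.113.9]",
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG, 2012)
    mail_stopped = datetime(2012, 6, 5, 18, 30)   # constructed: time the mail log went quiet
    for ev in around(events, mail_stopped):
        print(ev.when, f"%{ev.facility}-{ev.severity}-{ev.mnemonic}", ev.message)
    print(interface_changes(events))
```

Feed it the file your syslog server writes (or a paste of "show log"), pass the time the mail log went quiet to around(), and anything the router said in that window, particularly LINK / LINEPROTO changes on FastEthernet4 or a burst of ACL 105 denies, is your first lead.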
|
 | reply to svirfnebli Hey,
My local CDW rep called me this morning, so I ordered the premium support package for $85. So we'll see how long it takes to get the contract. I don't know what to expect... maybe it's an e-mail?
I'll look into that logging to find out what's going on. I can pinpoint to the minute when it drops because my mail server's log stops receiving mail. If I can match the mail server's time and the router's time, and look at the logs, then maybe I can find a solution. |
|
 | reply to svirfnebli OK, I may be a little bit closer here. My tech noticed that there were as many as 800 NAT translations on the router (mostly from junk mail being processed by the Exchange server, and SSL to our Exchange server (probably clients using RDP over HTTP)).
He entered the command
ip nat translation max-entries 200
Then our computers on Vlan1 couldn't see the outside. I reset it to 300 and instantly I was able to see the outside world again.
So I guess my new questions are:
1) How long does a translation stay valid before it expires?
2) What is a reasonable number to have this set to?
3) Does anyone have an idea of how many translations this router should or could handle? Do other Cisco products handle them better?
4) Can you set how fast they expire or time out?
svirf |
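The post above describes the classic failure mode of capping a NAT table: idle entries hold their slots until their timeout, and once the cap is reached every new flow is refused, inside-out browsing included. The following is an added toy model written for this thread, not IOS code: a translation table with a hard entry cap (what "ip nat translation max-entries N" does) and per-state idle timeouts, driven by a constructed load of 250 junk-mail SMTP connections to the Exchange host 192.168.2.40 from the posted config, followed by one workstation trying to browse. The timeout values are IOS's documented defaults (86400 s for established TCP, 300 s UDP, 60 s for SYN-only and FIN/RST entries); the 250-connection count, the ten-minute spread, the workstation 192.168.2.100 and the outside addresses 203.0.113.x / 198.51.100.10 are made up for the example, and the TCP state handling is simplified.

```python
# Toy model of a PAT (overload) translation table with a hard entry cap
# ("ip nat translation max-entries N") and per-state idle timeouts.
# Added example for this thread, not IOS code. The bookkeeping is a
# simplification; the timeout values are the documented IOS defaults:
# 86400 s established TCP, 300 s UDP, 60 s SYN-only or FIN/RST TCP.
IOS_DEFAULT_TIMEOUTS = {"tcp": 86400, "udp": 300, "tcp-syn": 60, "tcp-fin": 60}

class NatTable:
    def __init__(self, max_entries=None, timeouts=None):
        self.max_entries = max_entries
        self.timeouts = dict(IOS_DEFAULT_TIMEOUTS, **(timeouts or {}))
        self.entries = {}    # flow 5-tuple -> (last_seen, state)
        self.refused = 0     # packets dropped because no entry could be created

    def _expire(self, now):
        stale = [f for f, (seen, state) in self.entries.items()
                 if now - seen >= self.timeouts[state]]
        for f in stale:
            del self.entries[f]

    def translate(self, now, flow, state):
        """True if the packet for `flow` is translated at time `now` (seconds)."""
        self._expire(now)
        if flow in self.entries:                 # existing entry: refresh timer, track state
            self.entries[flow] = (now, state)
            return True
        if self.max_entries is not None and len(self.entries) >= self.max_entries:
            self.refused += 1                    # table full: packet dropped, no new entry
            return False
        self.entries[flow] = (now, state)
        return True

EXCHANGE = "192.168.2.40"        # SMTP host mapped to 108.0.xxx.72 in the posted config
WORKSTATION = "192.168.2.100"    # constructed inside host for this example

def spam_then_browse(max_entries, tcp_timeout=86400, senders_close=False):
    """250 junk-mail SMTP connections reach the Exchange server over ten minutes
    (constructed load), then a workstation opens a web connection at t=600 s.
    Returns (browse_translated, live_entries, packets_refused)."""
    table = NatTable(max_entries, {"tcp": tcp_timeout})
    for i in range(250):
        t = i * 2.4
        flow = (EXCHANGE, 25, f"203.0.113.{1 + i % 254}", 40000 + i, "tcp")
        table.translate(t, flow, "tcp-syn")            # SYN from the sender
        table.translate(t + 0.1, flow, "tcp")          # handshake done: 24 h idle timer
        if senders_close:
            table.translate(t + 1.0, flow, "tcp-fin")  # sender FINs: entry drops to 60 s timer
    browse = (WORKSTATION, 51000, "198.51.100.10", 80, "tcp")
    ok = table.translate(600.0, browse, "tcp-syn")
    return ok, len(table.entries), table.refused

if __name__ == "__main__":
    print("cap 200, defaults:        ", spam_then_browse(200))
    print("cap 300, defaults:        ", spam_then_browse(300))
    print("cap 200, tcp-timeout 300: ", spam_then_browse(200, tcp_timeout=300))
    print("cap 200, senders close:   ", spam_then_browse(200, senders_close=True))
```

The first run reproduces the thread: 250 established-but-idle SMTP connections each sit on the 24-hour timer, the 200-entry cap fills, and the workstation's first SYN is refused along with the overflow spam. Raising the cap to 300 simply makes room; shortening the idle timer, or senders that close cleanly and so fall onto the 60 s FIN/RST timer, keeps the live table near a hundred or a few dozen entries with the same cap. On the router the corresponding knobs are ip nat translation max-entries, tcp-timeout, udp-timeout, syn-timeout and finrst-timeout; show ip nat translations and show ip nat statistics show the live table and counters, and clear ip nat translation * flushes it.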
|