Help needed - new 877 disconnecting

  • Help needed - new 877 disconnecting

    Hi all,

    I have a Cisco 877 at home, which works really well. So this weekend we bought an identical Cisco 877 to use at work. I'm using a fairly simple config, and it syncs with the exchange at about 9Mb - perfectly fine for the line length.

    All worked well on Sunday so I came home. Then on Monday morning I got a call from the office saying that "nobody could get onto the internet". The 877 was rebooted and all was fine.

    Last night I was working from home again and found that I couldn't RDP to our server (that's behind the 877). BUT I was able to SSH in to the 877 and issue a reload. I could then RDP successfully. Later on last night, RDP failed again and so did SSH, so I've been unable to access the router.

    This morning I can ping the router's external address, and I get 82% replies (when router is behaving, I get 100% replies). But I can't RDP or SSH. However telnet to port 25 *does* successfully connect to our mailserver, so clearly something is working.


    So...where to start! My sh ver:

    Code:
    Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Sat 20-Jun-09 02:20 by prod_rel_team
    ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE
    Cisco877 uptime is 2 weeks, 1 day, 23 hours, 53 minutes
    System returned to ROM by reload at 08:19:51 GMT Sun Feb 28 2010
    System restarted at 08:18:54 GMT Sun Feb 28 2010
    System image file is "flash:c870-advipservicesk9-mz.124-24.T1.bin"
    Last reload reason: Reload Command
     
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    Cisco 877 (MPC8272) processor (revision 0x300) with 177152K/19456K bytes of memory.
    Processor board ID FHK125126EN
    MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
    4 FastEthernet interfaces
    1 ATM interface
    128K bytes of non-volatile configuration memory.
    28672K bytes of processor board System flash (Intel Strataflash)
    Configuration register is 0x2102

    and my config

    Code:
    !
    ! Last configuration change at 08:55:52 GMT Fri Mar 1 2002 by yyyyy
    ! NVRAM config last updated at 08:56:00 GMT Fri Mar 1 2002 by yyyyy
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    service internal
    !
    hostname Shore877
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 16386
    logging rate-limit 100 except warnings
    no logging console
    no logging monitor
    enable secret 5 XXXXXXXXX
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp default local
    !
    !
    aaa session-id common
    clock timezone GMT 0
    clock summer-time GMT recurring
    !
    !
    dot11 syslog
    ip source-route
    !
    !
    !
    !
    no ip cef
    no ip domain lookup
    ip domain name sln.local
    ip inspect name fw tcp timeout 3600
    ip inspect name fw udp timeout 3600
    login block-for 180 attempts 3 within 180
    login on-failure log
    login on-success log
    no ipv6 cef
    ntp master
    !
    multilink bundle-name authenticated
    !
    !
    !
    username yyyyy privilege 15 secret 5 XXXXXXXXXX
    ! 
    !
    !
    archive
     log config
      hidekeys
    !
    !
    ip ssh version 2
    !
    !
    !
    interface ATM0
     description ADSL Connection
     no ip address
     no atm ilmi-keepalive
     pvc 0/38 
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl enable-training-log 
     dsl bitswap both
     hold-queue 200 in
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
     description Shore LAN
     ip address 192.168.7.1 255.255.255.0
     ip nat inside
     ip nat enable
     ip virtual-reassembly
     ip tcp adjust-mss 1452
     hold-queue 100 in
     hold-queue 100 out
    !
    interface Dialer0
     bandwidth inherit
     ip address negotiated
     ip access-group 120 in
     ip access-group 121 out
     ip nat outside
     ip inspect fw out
     ip virtual-reassembly
     encapsulation ppp
     ip tcp header-compression iphc-format
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication pap chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 XXXXXX
     ppp ipcp dns request
     ppp ipcp wins request
     ip rtp header-compression iphc-format
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    !
    !
    no ip nat service sip udp port 5060
    ip nat inside source static tcp 192.168.7.2 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.7.2 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.7.2 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.7.2 1723 interface Dialer0 1723
    ip nat inside source static tcp 192.168.7.2 3389 interface Dialer0 3389
    ip nat inside source list 102 interface Dialer0 overload
    ip nat inside source static tcp 192.168.7.22 3390 interface Dialer0 3390
    !
    ip access-list standard SNMP-ALLOWED
     permit <my home IP>
     permit 192.168.7.2
     permit <branch office IP>
     deny   any
    ip access-list standard SSH-ALLOWED
     permit <my home IP>
     permit 192.168.7.2
     permit 192.168.7.25
     permit <branch office IP>
     deny   any
    !
    !
    ip access-list logging interval 10
    access-list 102 remark Define NAT internal ranges
    access-list 102 permit ip 192.168.7.0 0.0.0.255 any
    access-list 120 remark Inbound external interface
    access-list 120 remark The below set the rfc1918 private exclusions
    access-list 120 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 120 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 120 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 120 remark Allow established sessions back in
    access-list 120 permit tcp any any established
    access-list 120 remark Any new ports opened in the IP NAT INSIDE SOURCE STATIC lines should also be added here
    access-list 120 permit tcp any any eq smtp
    access-list 120 permit tcp any any eq www
    access-list 120 permit tcp any any eq 22 log
    access-list 120 permit udp host <my home IP> any eq snmp
    access-list 120 permit tcp any any eq 443
    access-list 120 permit tcp any any eq 3389
    access-list 120 permit tcp any any eq 3390
    access-list 120 permit tcp any any eq 1723
    access-list 120 permit gre any any
    access-list 120 permit udp any eq domain any
    access-list 120 remark Standard acceptable icmp rules
    access-list 120 permit icmp any any echo
    access-list 120 permit icmp any any echo-reply
    access-list 120 permit icmp any any source-quench
    access-list 120 permit icmp any any packet-too-big
    access-list 120 permit icmp any any time-exceeded
    access-list 120 deny   ip any any
    access-list 121 remark Allow all outbound IP
    access-list 121 permit ip any any
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    snmp-server community Shore RW SNMP-ALLOWED
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     no modem enable
     transport output all
    line aux 0
     transport output all
    line vty 0 4
     access-class SSH-ALLOWED in
     exec-timeout 0 0
     privilege level 15
     length 40
     width 160
     transport input ssh
     transport output all
    !
    scheduler max-task-time 5000
    end

    I'm happy to set up syslogging to our internal server, if somebody can point me in the right direction.

    The thing that's confusing me is that the router is responding to pings, and I can telnet to port 25 and Exchange answers, so clearly the ADSL is up. But as it's a remote site and SSH has stopped working, I'm stumped!

    Many thanks for any and all assistance.



    Jim
    Last edited by jimwillsher; 16th March 2010, 09:23.

  • #2
    Re: Help needed - new 877 disconnecting

    Start with logging - that may give you a better idea.

    In my last role, we noted an issue where the router would occasionally just stop like that. Through the use of a rollover cable, we were able to ascertain that it was spiking in CPU and/or memory, as even the console wouldn't respond.


    • #3
      Re: Help needed - new 877 disconnecting

      Many thanks. Any pointers on logging? The Cisco seems to have dozens of different logs, so I don't want to drown in info. Also, is syslogging to a utility on Windows good enough?

      Cheers,



      Jim
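
One way to act on the "start with logging" advice and to catch a CPU or memory spike before the router stops responding, as an added example that is not part of any post in this thread. It assumes a syslog receiver on the internal server 192.168.7.2 from the posted config; the threshold values are illustrative.

```cisco
! Added example. Assumption: a syslog receiver (UDP 514) runs on 192.168.7.2.
! Number every message so gaps in the received log are visible.
service sequence-numbers
!
! Send informational and more severe messages to the internal server,
! sourced from the LAN interface so the sender address stays constant.
logging host 192.168.7.2
logging trap informational
logging source-interface Vlan1
!
! Log a message when total CPU is at or above 80% for 5 seconds, and
! another when it falls back below 40% (illustrative values).
process cpu threshold type total rising 80 interval 5 falling 40 interval 5
!
! Log a message when free processor memory drops below 20000 KB
! (illustrative value).
memory free low-watermark processor 20000
!
! Exec-mode checks to run over SSH or the console while the fault is present:
!   show logging
!   show processes cpu sorted
!   show processes cpu history
!   show memory statistics
!   show interfaces Dialer0
```

The `logging buffered` log already in the config is held in RAM and is cleared by each reload, so the off-box copy is what survives the reboot.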



      • #4
        Re: Help needed - new 877 disconnecting

        Does this give any clues? All day today, when people were using the line, pings from my home address to the router's external address gave this:

        Code:
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=95ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=53ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242

        This evening, we get:

        Code:
        Request timed out.
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Request timed out.
        Reply from 109.224.152.229: bytes=32 time=95ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Request timed out.
        Request timed out.
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=53ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=51ms TTL=242
        Reply from 109.224.152.229: bytes=32 time=52ms TTL=242
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.
        Ping statistics for 109.224.152.229:
            Packets: Sent = 501, Received = 277, Lost = 224 (44% loss),
        Approximate round trip times in milli-seconds:
            Minimum = 50ms, Maximum = 163ms, Average = 54ms

        I've managed to connect via SSH, albeit slowly, and reload, but with no change. So clearly it's still connected, but struggling badly.

        DSL stats (after reverting to the embedded ADSL firmware):

        Code:
                        ATU-R (DS)                      ATU-C (US)
        Modem Status:    Showtime (DMTDSL_SHOWTIME)
        DSL Mode:        ITU G.992.5 (ADSL2+) Annex A
        ITU STD NUM:     0x03                            0x2
        Chip Vendor ID:  'STMI'                          'IFTN'
        Chip Vendor Specific:  0x0000                    0x71B9
        Chip Vendor Country:   0x0F                      0xB5
        Modem Vendor ID: 'CSCO'                          '    '
        Modem Vendor Specific: 0x0000                    0x0000
        Modem Vendor Country:  0xB5                      0x00
        Serial Number Near:    FHK14057A6R
        Serial Number Far:
        Modem VerChip ID:        C196 (0)
        DFE BOM:         DFE3.0 Annex A (1)
        Capacity Used:   100%                            100%
        Noise Margin:     4.5 dB                          6.0 dB
        Output Power:    20.5 dBm                        12.5 dBm
        Attenuation:     44.0 dB                         22.0 dB
        FEC ES Errors:    0                               0
        ES Errors:        1                               0
        SES Errors:       1                               0
        LOSES Errors:     1                               2
        UES Errors:       0                              215
        Defect Status:   None                            None
        Last Fail Code:  None
        Watchdog Counter: 0xA0
        Watchdog Resets: 0
        Selftest Result: 0x00
        Subfunction:     0x00
        Interrupts:      5833 (0 spurious)
        PHY Access Err:  0
        Activations:     1
        LED Status:      ON
        LED On Time:     100
        LED Off Time:    100
        Init FW:         init_AMR-3.0.014_no_bist.bin
        Operation FW:    AMR-3.0.014.bin
        FW Source:       embedded
        FW Version:      3.0.14



        Tomorrow I'll have to put the NetGear DG834 back whilst I can diagnose this



        Jim
        Last edited by jimwillsher; 17th March 2010, 00:10.



        • #5
          Re: Help needed - new 877 disconnecting

          Sh interface and try replacing the cables. I've seen this before although it was an ISA NLB cluster.
          Replacing the cabling and the external switch helped.
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl
