«

Hi,

I am having a strange problem with a batch of 837 routers. I have
currently deployed 5 of these to some of our remote offices dotted
around the UK. They are all running IOS Version 12.3(11)T3.

The ADSL ISP is Nildram.

The problem I am having is that the router drops the ADSL connection
for no reason. This seems quite random, although it does happen with
more frequancy when no traffic on the line.

We use these routers to create IPSec tunnels to 3 hub offices in
Denmark, the US, and Australia. Dynamic tunnels can also be opened
between any other of our IPSec enabled sites. Such as one UK site to
another.

Here is my config...
Building configuration...

Current configuration : 29027 bytes
!
version 12.3
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Mai-test
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
!
username <removed>privilege 15 secret 5 <removed>
username <removed>privilege 7 secret 5 <removed>
username <removed> privilege 15 secret 5 <removed>
username <removed>privilege 15 secret 5 <removed>
clock timezone UK 0
clock summer-time UK recurring last Sun Mar 2:00 last Sun Oct 3:00
aaa new-model
!
!
aaa authentication banner ^C

Welcome to this router.

UNAUTHORIZED ACCESS PROHIBITED

^C
aaa authentication fail-message ^C

Failed login. Try again.

^C
aaa authentication login default local-case
aaa authorization console
aaa authorization exec default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 10.73.1.0 10.73.1.29
!
ip dhcp pool Mai-test
import all
network 10.73.1.0 255.255.255.0
dns-server 10.100.3.1 10.98.3.1
netbios-name-server 10.100.3.1 10.98.3.1
netbios-node-type h-node
default-router 10.73.1.1
lease 0 8
!
!
ip telnet source-interface Ethernet0
ip cef
ip tftp source-interface Ethernet0
ip domain name oticon.dk
ip host ipseccert 10.100.128.12
ip host ipsec_AU 10.28.128.11
ip host ipsec_US 10.64.128.11
ip host ipsec_DK 10.100.128.12
ip name-server 213.129.10.4
no ip bootp server
ip multicast-routing
ip inspect max-incomplete low 500
ip inspect max-incomplete high 1100
ip inspect one-minute low 500
ip inspect one-minute high 1100
ip inspect name fw cuseeme
ip inspect name fw fragment maximum 256 timeout 1
ip inspect name fw ftp
ip inspect name fw h323
ip inspect name fw http
ip inspect name fw icmp
ip inspect name fw netshow
ip inspect name fw rcmd
ip inspect name fw realaudio
ip inspect name fw rtsp
ip inspect name fw sip
ip inspect name fw skinny
ip inspect name fw smtp
ip inspect name fw sqlnet
ip inspect name fw streamworks
ip inspect name fw tcp
ip inspect name fw tftp
ip inspect name fw udp
ip inspect name fw vdolive
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
crypto pki trustpoint ipsec_AU
enrollment retry count 5
enrollment retry period 2
enrollment mode ra
enrollment url http://ipsec_AU:80/certsrv/mscep/mscep.dll
usage ike
serial-number
ip-address 10.73.1.1
subject-name OU=DK O=DK
crl query ldap://ipsec_AU
revocation-check none
auto-enroll
!
crypto pki trustpoint ipsec_DK
enrollment retry count 5
enrollment retry period 2
enrollment mode ra
enrollment url http://ipsec_DK:80/certsrv/mscep/mscep.dll
usage ike
serial-number
ip-address 10.73.1.1
subject-name OU=DK O=DK
crl query ldap://ipsec_DK
revocation-check none
auto-enroll
!
crypto pki trustpoint ipsec_US
enrollment retry count 5
enrollment retry period 2
enrollment mode ra
enrollment url http://ipsec_US:80/certsrv/mscep/mscep.dll
usage ike
serial-number
ip-address 10.73.1.1
subject-name OU=DK O=DK
crl query ldap://ipsec_US
revocation-check none
auto-enroll
!
!
crypto pki certificate chain ipsec_AU
certificate 14C4E3CA0000000000DB
<removed>
quit
certificate ca 1E6063DC000000000034
<removed>
quit
crypto pki certificate chain ipsec_DK
certificate 453D063300000000016C
<removed>
quit
certificate ca 15920DE2000000000016
<removed>
quit
crypto pki certificate chain ipsec_US
certificate 79FCF1BD00000000003A
<removed>
quit
certificate ca 15A57BCF000000000033
<removed>
quit
no crypto engine onboard 0
!
!
!
crypto isakmp policy 10
encr 3des
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 10
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile DMVPN1
set transform-set 3DES
!
!
!
!
interface Tunnel0
ip address 172.16.73.1 255.255.0.0
no ip redirects
ip mtu 1408
ip nhrp authentication KildeDal
ip nhrp map 172.16.100. <removed>
ip nhrp map multicast <removed>
ip nhrp map 172.16.64.15 <removed>
ip nhrp map multicast <removed>
ip nhrp map 172.16.28.15 <removed>
ip nhrp map multicast <removed>
ip nhrp network-id 100
ip nhrp holdtime 300
ip nhrp nhs 172.16.100.15
ip nhrp nhs 172.16.64.15
ip nhrp nhs 172.16.28.15
ip nhrp registration delay 5
keepalive 10 3
tunnel source <removed>
tunnel mode gre multipoint
tunnel key <removed>
tunnel protection ipsec profile DMVPN1
!
interface Loopback0
ip address <removed> 255.255.255.255
ip nat outside
ip virtual-reassembly
!
interface Ethernet0
description Inside
ip address 10.73.1.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no cdp enable
standby 73 ip 10.73.1.1
standby 73 preempt
hold-queue 100 out
!
interface ATM0
no ip address
atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
description Outside
bandwidth 2048
ip unnumbered Loopback0
ip access-group inbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect fw out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname <removed>@gotadsl.co.uk
ppp chap password <removed>
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0 0.15.255.255
distribute-list eigrp-filter out Ethernet0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
!
ip nat inside source list NATlist interface Loopback0 overload
!
!
ip access-list standard eigrp-filter
deny 10.0.254.100
deny 10.0.254.64
deny 10.0.254.28
permit any
!
ip access-list extended NATlist
deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended inbound
deny ip host 213.208.101.25 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip host 0.0.0.0 any
deny icmp any any redirect
permit icmp any host <removed>echo-reply
permit icmp any host <removed> unreachable
permit icmp any host <removed>time-exceeded
permit tcp 213.129.10.0 0.0.0.255 host <removed> eq 22
permit tcp 213.129.10.0 0.0.0.255 host <removed> eq telnet
permit icmp 213.129.10.0 0.0.0.255 host <removed>
permit gre any host <removed>
permit esp any host <removed>
permit udp any host <removed> eq isakmp
permit udp host 192.38.7.240 eq ntp host <removed>
logging trap debugging
logging source-interface Ethernet0
logging 10.100.3.11
logging 10.73.1.30
access-list 58 permit 10.0.0.0 0.255.255.255
access-list 58 deny any
dialer-list 1 protocol ip permit
snmp-server community <removed> RO 58
snmp-server community <removed> RW 58
no cdp run
!
!
control-plane
!
banner login ^C
!================================================= ===============
!
!Authorized access only
!
!This system is the property of Oticon Denmark + 45 3917 7100
!
!Disconnect IMMEDIATELY if you are not an authorised user !
!
!================================================= ===============


^C
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler process-watchdog reload
scheduler interval 500
ntp clock-period 17180010
ntp server 10.100.1.15 prefer
ntp server 192.38.7.240
end


Hope someone can help. I have bought 45 more of these which need to be
deployed.


Regards,

Colin J Fakley.

Timeout issue perhaps ?
Try a "deb dia " and "deb dia pack". This should enable you to see the
packets triggering un/interesting traffic,
upon connection drop you should see the reason.
Without going too deep in your cfg, there's apparently no
timeout set which defaults IMHO to 120 seconds ?

jt


"Colin Fakley" <> schrieb im Newsbeitrag
news: oups.com...
> Hi,
>
> I am having a strange problem with a batch of 837 routers. I have
> currently deployed 5 of these to some of our remote offices dotted
> around the UK. They are all running IOS Version 12.3(11)T3.
>
> The ADSL ISP is Nildram.
>
> The problem I am having is that the router drops the ADSL connection
> for no reason. This seems quite random, although it does happen with
> more frequancy when no traffic on the line.
>
> We use these routers to create IPSec tunnels to 3 hub offices in
> Denmark, the US, and Australia. Dynamic tunnels can also be opened
> between any other of our IPSec enabled sites. Such as one UK site to
> another.
>
> Here is my config...
> Building configuration...
>
> Current configuration : 29027 bytes
> !
> version 12.3
> service nagle
> no service pad
> service tcp-keepalives-in
> service tcp-keepalives-out
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> service sequence-numbers
> !
> hostname Mai-test
> !
> boot-start-marker
> boot-end-marker
> !
> memory-size iomem 5
> !
> username <removed>privilege 15 secret 5 <removed>
> username <removed>privilege 7 secret 5 <removed>
> username <removed> privilege 15 secret 5 <removed>
> username <removed>privilege 15 secret 5 <removed>
> clock timezone UK 0
> clock summer-time UK recurring last Sun Mar 2:00 last Sun Oct 3:00
> aaa new-model
> !
> !
> aaa authentication banner ^C
>
> Welcome to this router.
>
> UNAUTHORIZED ACCESS PROHIBITED
>
> ^C
> aaa authentication fail-message ^C
>
> Failed login. Try again.
>
> ^C
> aaa authentication login default local-case
> aaa authorization console
> aaa authorization exec default local
> aaa session-id common
> ip subnet-zero
> no ip source-route
> no ip gratuitous-arps
> !
> !
> no ip dhcp conflict logging
> ip dhcp excluded-address 10.73.1.0 10.73.1.29
> !
> ip dhcp pool Mai-test
> import all
> network 10.73.1.0 255.255.255.0
> dns-server 10.100.3.1 10.98.3.1
> netbios-name-server 10.100.3.1 10.98.3.1
> netbios-node-type h-node
> default-router 10.73.1.1
> lease 0 8
> !
> !
> ip telnet source-interface Ethernet0
> ip cef
> ip tftp source-interface Ethernet0
> ip domain name oticon.dk
> ip host ipseccert 10.100.128.12
> ip host ipsec_AU 10.28.128.11
> ip host ipsec_US 10.64.128.11
> ip host ipsec_DK 10.100.128.12
> ip name-server 213.129.10.4
> no ip bootp server
> ip multicast-routing
> ip inspect max-incomplete low 500
> ip inspect max-incomplete high 1100
> ip inspect one-minute low 500
> ip inspect one-minute high 1100
> ip inspect name fw cuseeme
> ip inspect name fw fragment maximum 256 timeout 1
> ip inspect name fw ftp
> ip inspect name fw h323
> ip inspect name fw http
> ip inspect name fw icmp
> ip inspect name fw netshow
> ip inspect name fw rcmd
> ip inspect name fw realaudio
> ip inspect name fw rtsp
> ip inspect name fw sip
> ip inspect name fw skinny
> ip inspect name fw smtp
> ip inspect name fw sqlnet
> ip inspect name fw streamworks
> ip inspect name fw tcp
> ip inspect name fw tftp
> ip inspect name fw udp
> ip inspect name fw vdolive
> ip ips po max-events 100
> ip ssh time-out 60
> ip ssh authentication-retries 2
> no ftp-server write-enable
> !
> crypto pki trustpoint ipsec_AU
> enrollment retry count 5
> enrollment retry period 2
> enrollment mode ra
> enrollment url http://ipsec_AU:80/certsrv/mscep/mscep.dll
> usage ike
> serial-number
> ip-address 10.73.1.1
> subject-name OU=DK O=DK
> crl query ldap://ipsec_AU
> revocation-check none
> auto-enroll
> !
> crypto pki trustpoint ipsec_DK
> enrollment retry count 5
> enrollment retry period 2
> enrollment mode ra
> enrollment url http://ipsec_DK:80/certsrv/mscep/mscep.dll
> usage ike
> serial-number
> ip-address 10.73.1.1
> subject-name OU=DK O=DK
> crl query ldap://ipsec_DK
> revocation-check none
> auto-enroll
> !
> crypto pki trustpoint ipsec_US
> enrollment retry count 5
> enrollment retry period 2
> enrollment mode ra
> enrollment url http://ipsec_US:80/certsrv/mscep/mscep.dll
> usage ike
> serial-number
> ip-address 10.73.1.1
> subject-name OU=DK O=DK
> crl query ldap://ipsec_US
> revocation-check none
> auto-enroll
> !
> !
> crypto pki certificate chain ipsec_AU
> certificate 14C4E3CA0000000000DB
> <removed>
> quit
> certificate ca 1E6063DC000000000034
> <removed>
> quit
> crypto pki certificate chain ipsec_DK
> certificate 453D063300000000016C
> <removed>
> quit
> certificate ca 15920DE2000000000016
> <removed>
> quit
> crypto pki certificate chain ipsec_US
> certificate 79FCF1BD00000000003A
> <removed>
> quit
> certificate ca 15A57BCF000000000033
> <removed>
> quit
> no crypto engine onboard 0
> !
> !
> !
> crypto isakmp policy 10
> encr 3des
> group 2
> crypto isakmp invalid-spi-recovery
> crypto isakmp keepalive 30 10
> !
> !
> crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
> mode transport
> no crypto ipsec nat-transparency udp-encaps
> !
> crypto ipsec profile DMVPN1
> set transform-set 3DES
> !
> !
> !
> !
> interface Tunnel0
> ip address 172.16.73.1 255.255.0.0
> no ip redirects
> ip mtu 1408
> ip nhrp authentication KildeDal
> ip nhrp map 172.16.100. <removed>
> ip nhrp map multicast <removed>
> ip nhrp map 172.16.64.15 <removed>
> ip nhrp map multicast <removed>
> ip nhrp map 172.16.28.15 <removed>
> ip nhrp map multicast <removed>
> ip nhrp network-id 100
> ip nhrp holdtime 300
> ip nhrp nhs 172.16.100.15
> ip nhrp nhs 172.16.64.15
> ip nhrp nhs 172.16.28.15
> ip nhrp registration delay 5
> keepalive 10 3
> tunnel source <removed>
> tunnel mode gre multipoint
> tunnel key <removed>
> tunnel protection ipsec profile DMVPN1
> !
> interface Loopback0
> ip address <removed> 255.255.255.255
> ip nat outside
> ip virtual-reassembly
> !
> interface Ethernet0
> description Inside
> ip address 10.73.1.2 255.255.255.0
> no ip redirects
> no ip proxy-arp
> ip nat inside
> ip virtual-reassembly
> no cdp enable
> standby 73 ip 10.73.1.1
> standby 73 preempt
> hold-queue 100 out
> !
> interface ATM0
> no ip address
> atm ilmi-keepalive
> dsl operating-mode auto
> pvc 0/38
> encapsulation aal5mux ppp dialer
> dialer pool-member 1
> !
> !
> interface FastEthernet1
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet2
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet3
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet4
> no ip address
> duplex auto
> speed auto
> !
> interface Dialer0
> description Outside
> bandwidth 2048
> ip unnumbered Loopback0
> ip access-group inbound in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat outside
> ip inspect fw out
> ip virtual-reassembly
> encapsulation ppp
> dialer pool 1
> dialer-group 1
> no cdp enable
> ppp chap hostname <removed>@gotadsl.co.uk
> ppp chap password <removed>
> !
> router eigrp 1
> network 10.0.0.0
> network 172.16.0.0 0.15.255.255
> distribute-list eigrp-filter out Ethernet0
> no auto-summary
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer0
> !
> no ip http server
> no ip http secure-server
> !
> ip nat inside source list NATlist interface Loopback0 overload
> !
> !
> ip access-list standard eigrp-filter
> deny 10.0.254.100
> deny 10.0.254.64
> deny 10.0.254.28
> permit any
> !
> ip access-list extended NATlist
> deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
> deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
> deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
> permit ip 10.0.0.0 0.255.255.255 any
> ip access-list extended inbound
> deny ip host 213.208.101.25 any
> deny ip 10.0.0.0 0.255.255.255 any
> deny ip 192.168.0.0 0.0.255.255 any
> deny ip 172.16.0.0 0.15.255.255 any
> deny ip 127.0.0.0 0.255.255.255 any
> deny ip 224.0.0.0 15.255.255.255 any
> deny ip host 0.0.0.0 any
> deny icmp any any redirect
> permit icmp any host <removed>echo-reply
> permit icmp any host <removed> unreachable
> permit icmp any host <removed>time-exceeded
> permit tcp 213.129.10.0 0.0.0.255 host <removed> eq 22
> permit tcp 213.129.10.0 0.0.0.255 host <removed> eq telnet
> permit icmp 213.129.10.0 0.0.0.255 host <removed>
> permit gre any host <removed>
> permit esp any host <removed>
> permit udp any host <removed> eq isakmp
> permit udp host 192.38.7.240 eq ntp host <removed>
> logging trap debugging
> logging source-interface Ethernet0
> logging 10.100.3.11
> logging 10.73.1.30
> access-list 58 permit 10.0.0.0 0.255.255.255
> access-list 58 deny any
> dialer-list 1 protocol ip permit
> snmp-server community <removed> RO 58
> snmp-server community <removed> RW 58
> no cdp run
> !
> !
> control-plane
> !
> banner login ^C
> !================================================= ===============
> !
> !Authorized access only
> !
> !This system is the property of Oticon Denmark + 45 3917 7100
> !
> !Disconnect IMMEDIATELY if you are not an authorised user !
> !
> !================================================= ===============
>
>
> ^C
> !
> line con 0
> no modem enable
> transport preferred all
> transport output all
> line aux 0
> transport preferred all
> transport output all
> line vty 0 4
> transport preferred all
> transport input telnet ssh
> transport output all
> !
> scheduler max-task-time 5000
> scheduler process-watchdog reload
> scheduler interval 500
> ntp clock-period 17180010
> ntp server 10.100.1.15 prefer
> ntp server 192.38.7.240
> end
>
>
> Hope someone can help. I have bought 45 more of these which need to be
> deployed.
>
>
> Regards,
>
> Colin J Fakley.
>

Ok, thanks.

I am monitoring packet triggering on the 837 I am testing here.
Hopefully I will see when it goes down.

I have also modified two of the routers I have in the field to include
"dialer persistent" for the Dialer0 interface.

I will see how that goes.

Colin J Fakley.

Morkin wrote:

> Ok, thanks.
>
> I am monitoring packet triggering on the 837 I am testing here.
> Hopefully I will see when it goes down.
>
> I have also modified two of the routers I have in the field to include
> "dialer persistent" for the Dialer0 interface.
>
> I will see how that goes.

Why not "dialer idle-timeout 0" ?


B

Hi Colin,

You may wish to investigate these 837 Config Wizards:

http://www.ifm.net.nz/cookbooks/ipv6configwizard.html

as well as

http://www.ifm.net.nz/cookbooks/configwizard.html

Sincerely,

Brad Reese
BradReese.Com Cisco Resource Center
Toll Free: 877-549-2680
International: 828-277-7272
Website: http://www.BradReese.Com

> Why not "dialer idle-timeout 0" ?

Thanks. I will give it a try.