Velocity Reviews - Computer Hardware Reviews


2801 Drops WAN after x minutes, for x seconds recurring pattern

 
 
Screamin'04
12-17-2008
I have a 2801 (see config below) that is routing via Ethernet (FE 0/0) to our Time Warner business class cable modem. Have 2 VLANs on the HWIC (10.x.x.x & 192.168.x.x).

When FE 0/0 is at speed auto, I experience drops every 14 minutes for anywhere between 9 and 18 seconds. When FE 0/0 is forced to 10Mbit those drops spread out to between a couple and several hours.

The port isn't cycling and it's definitely the router, as only traffic that routes through FE 0/0 is affected; VLAN routing is unaffected.

Someone please help! LOL, I'm frustrated...

-----------------
WC2801R#sh run br
Building configuration...

Current configuration : 16433 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname WC2801R
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
no logging console
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius MAIN5
server 10.0.0.8 auth-port 1645 acct-port 1646
!
aaa authentication login TRAuthList local group MAIN5
aaa authorization exec default local group MAIN5
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip port-map smtp port tcp 25 list 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
ip tcp path-mtu-discovery
!
!
no ip bootp server
ip domain name xxxxxxxxxxxx.local
ip name-server 10.0.0.8
ip ssh logging events
ip ssh version 2
!
!
!
crypto pki trustpoint TP-self-signed-1357659192
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1357659192
revocation-check none
rsakeypair TP-self-signed-1357659192
!
!
crypto pki certificate chain TP-self-signed-1357659192
certificate self-signed 01
username root privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group HO_vpn
key HO143
dns 10.0.0.8
wins 10.0.0.2
domain xxxxxxxxx.local
pool SDM_POOL_1
acl 107
netmask 255.255.248.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list TRAuthList
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description HO - WAN$FW_OUTSIDE$$ETH-WAN$
ip address xx.xx.xx.xx 255.255.255.248
ip access-group WAN in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
ip route-cache same-interface
ip route-cache flow
no ip mroute-cache
duplex auto
speed 10
no cdp enable
no mop enabled
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1/0
switchport access vlan 250
!
interface FastEthernet0/1/1
shutdown
!
interface FastEthernet0/1/2
switchport access vlan 200
!
interface FastEthernet0/1/3
shutdown
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
!
interface Vlan200
description HO - LAN$ES_LAN$$FW_INSIDE$
ip address 10.0.0.254 255.255.255.0
ip access-group HO in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface Vlan250
ip address 192.168.1.254 255.255.254.0
ip access-group RO in
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 10.10.0.10 10.10.0.25
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map RO_NAT interface FastEthernet0/0 overload
ip nat inside source route-map HO_NAT interface FastEthernet0/0 overload
ip nat inside source static 10.0.0.8 xx.xx.xx.xx route-map SDM_RMAP_3
ip nat inside source static 10.0.0.4 xx.xx.xx.xx route-map SDM_RMAP_2
ip nat inside source static tcp 192.168.1.10 443 xx.xx.xx.xx 443 route-map RO-GLS extendable
ip nat inside source static 192.168.1.10 xx.xx.xx.xx route-map RO-GLS
!
ip radius source-interface Vlan200
logging trap debugging
logging 10.0.0.8
!
no cdp run
route-map HO_NAT permit 1
match ip address 101
!
route-map RO-GLS permit 1
match ip address 108
!
route-map RO_NAT permit 1
match ip address 102
!
route-map SDM_RMAP_2 permit 1
match ip address 104
!
route-map SDM_RMAP_3 permit 1
match ip address 105
!
!
radius-server host 10.0.0.8 auth-port 1645 acct-port 1646 key 7 14141B180F0B
!
control-plane
!
banner login ^CCCC
-----------------------------------------------------------------------
Computer systems may be monitored
for authorized use and for management of the system.
-----------------------------------------------------------------------

^C
!
line con 0
line aux 0
line vty 0 4
access-class VTERM in
exec-timeout 60 0
password 7 xxxxxxxxxxxxxxxxxxxxxx
login authentication TRAuthList
transport input ssh
line vty 5 15
exec-timeout 0 0
password 7 xxxxxxxxxxxxxxxxxxxxxx
transport input none
!
end
 

Screamin'04
12-17-2008
Here are the ACLs...
--------------
ip access-list extended RO
remark VLAN 250 Inbound ACL
remark SDM_ACL Category=1
permit ip any host 24.25.5.61
permit ip any host 24.25.5.60
permit ip host 192.168.1.10 host 10.0.0.8
permit tcp host 192.168.1.10 host 10.0.0.8
permit ip any host 10.0.0.211
permit tcp any host 192.168.1.10 eq 8383
remark WSUS
permit tcp any eq 8530 10.0.0.0 0.0.0.255
remark Deny HO
permit tcp any 10.0.0.0 0.0.0.255
permit tcp any any
permit ip any any
ip access-list extended VTERM
remark Virtual Terminal ACL
permit tcp host 10.0.0.211 any
permit tcp host xx.xx.xx.xx any
permit icmp host xx.xx.xx.xx any
deny tcp any host xx.xx.xx.xx
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
ip access-list extended WAN
remark WAN Inbound ACL
remark SDM_ACL Category=17
permit ip host 10.10.0.10 10.0.0.0 0.0.0.255
permit ip host 10.10.0.11 10.0.0.0 0.0.0.255
permit ip host 10.10.0.12 10.0.0.0 0.0.0.255
permit ip host 10.10.0.13 10.0.0.0 0.0.0.255
permit ip host 10.10.0.14 10.0.0.0 0.0.0.255
permit ip host 10.10.0.15 10.0.0.0 0.0.0.255
permit ip host 10.10.0.16 10.0.0.0 0.0.0.255
permit ip host 10.10.0.17 10.0.0.0 0.0.0.255
permit ip host 10.10.0.18 10.0.0.0 0.0.0.255
permit ip host 10.10.0.19 10.0.0.0 0.0.0.255
permit ip host 10.10.0.20 10.0.0.0 0.0.0.255
permit ip host 10.10.0.21 10.0.0.0 0.0.0.255
permit ip host 10.10.0.22 10.0.0.0 0.0.0.255
permit ip host 10.10.0.23 10.0.0.0 0.0.0.255
permit ip host 10.10.0.24 10.0.0.0 0.0.0.255
permit ip host 10.10.0.25 10.0.0.0 0.0.0.255
permit tcp host xx.xx.xx.xx host xx.xx.xx.xx
permit ahp any host xx.xx.xx.xx
permit esp any host xx.xx.xx.xx
permit udp any host xx.xx.xx.xx eq isakmp
permit udp any host xx.xx.xx.xx eq non500-isakmp
permit tcp host 10.0.0.8 any
permit tcp host 10.0.0.14 any
permit tcp host 10.0.0.211 any
permit icmp host xx.xx.xx.xx any echo-reply
permit icmp host xx.xx.xx.xx any echo
permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq 2200
deny tcp any any eq 2200
deny tcp any host xx.xx.xx.xx eq telnet
permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq 22
deny tcp any host xx.xx.xx.xx eq 22
permit tcp any host xx.xx.xx.xx eq smtp
permit tcp any host xx.xx.xx.xx eq 443
permit tcp any host xx.xx.xx.xx eq smtp
permit tcp any host xx.xx.xx.xx eq www
permit tcp any host xx.xx.xx.xx eq 443
deny tcp any host xx.xx.xx.xx
permit tcp any host xx.xx.xx.xx eq 443
deny tcp any host xx.xx.xx.xx
permit udp host 24.25.5.61 eq domain host xx.xx.xx.xx
permit udp host 24.25.5.60 eq domain host xx.xx.xx.xx
permit udp host 24.25.5.150 eq domain host xx.xx.xx.xx
permit icmp any host xx.xx.xx.xx echo-reply
permit icmp any host xx.xx.xx.xx time-exceeded
permit icmp any host xx.xx.xx.xx unreachable
deny tcp any host xx.xx.xx.xx
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
ip access-list extended HO
remark VLAN 200 Inbound ACL
remark SDM_ACL Category=1
permit icmp any any
permit udp host 10.0.0.8 eq 1645 any
permit udp host 10.0.0.8 eq 1646 any
permit tcp 10.0.0.0 0.0.0.255 host xx.xx.xx.xx eq smtp
permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.10 eq smtp
permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.10 eq 8383
permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.11 eq 8530
permit ip host 10.0.0.211 192.168.1.0 0.0.0.255
permit tcp host 10.0.0.8 host 192.168.1.10
permit ip host 10.0.0.8 host 192.168.1.10
permit ip host 10.0.0.8 192.168.1.0 0.0.0.255
permit udp host 10.0.0.8 eq domain any
permit udp host 192.168.1.1 eq domain any
permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip xx.xxx.xx.0 0.0.0.255 any
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
!
access-list 101 remark HO NAT
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.10
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.11
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.12
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.13
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.14
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.15
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.16
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.17
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.18
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.19
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.20
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.21
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.22
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.23
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.24
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.0.25
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 deny ip host 10.0.0.4 any
access-list 101 deny ip host 10.0.0.8 any
access-list 102 remark RO NAT ACL
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.25
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.24
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.23
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.22
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.21
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.20
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.19
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.18
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.17
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.16
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.15
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.14
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.13
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.12
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.11
access-list 102 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.10
access-list 102 deny ip host 10.0.0.4 any
access-list 102 deny ip host 10.0.0.8 any
access-list 102 permit ip 192.168.0.0 0.0.1.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip host 10.0.0.4 host 10.10.0.25
access-list 104 deny ip host 10.0.0.4 host 10.10.0.24
access-list 104 deny ip host 10.0.0.4 host 10.10.0.23
access-list 104 deny ip host 10.0.0.4 host 10.10.0.22
access-list 104 deny ip host 10.0.0.4 host 10.10.0.21
access-list 104 deny ip host 10.0.0.4 host 10.10.0.20
access-list 104 deny ip host 10.0.0.4 host 10.10.0.19
access-list 104 deny ip host 10.0.0.4 host 10.10.0.18
access-list 104 deny ip host 10.0.0.4 host 10.10.0.17
access-list 104 deny ip host 10.0.0.4 host 10.10.0.16
access-list 104 deny ip host 10.0.0.4 host 10.10.0.15
access-list 104 deny ip host 10.0.0.4 host 10.10.0.14
access-list 104 deny ip host 10.0.0.4 host 10.10.0.13
access-list 104 deny ip host 10.0.0.4 host 10.10.0.12
access-list 104 deny ip host 10.0.0.4 host 10.10.0.11
access-list 104 deny ip host 10.0.0.4 host 10.10.0.10
access-list 104 permit ip host 10.0.0.4 any
access-list 105 remark SDM_ACL Category=2
access-list 105 deny ip host 10.0.0.8 host 10.10.0.25
access-list 105 deny ip host 10.0.0.8 host 10.10.0.24
access-list 105 deny ip host 10.0.0.8 host 10.10.0.23
access-list 105 deny ip host 10.0.0.8 host 10.10.0.22
access-list 105 deny ip host 10.0.0.8 host 10.10.0.21
access-list 105 deny ip host 10.0.0.8 host 10.10.0.20
access-list 105 deny ip host 10.0.0.8 host 10.10.0.19
access-list 105 deny ip host 10.0.0.8 host 10.10.0.18
access-list 105 deny ip host 10.0.0.8 host 10.10.0.17
access-list 105 deny ip host 10.0.0.8 host 10.10.0.16
access-list 105 deny ip host 10.0.0.8 host 10.10.0.15
access-list 105 deny ip host 10.0.0.8 host 10.10.0.14
access-list 105 deny ip host 10.0.0.8 host 10.10.0.13
access-list 105 deny ip host 10.0.0.8 host 10.10.0.12
access-list 105 deny ip host 10.0.0.8 host 10.10.0.11
access-list 105 deny ip host 10.0.0.8 host 10.10.0.10
access-list 105 permit ip host 10.0.0.8 any
access-list 107 remark VPN IPSec ACL
access-list 107 remark VPN IPSec ACL
access-list 107 permit ip 10.0.0.0 0.0.0.255 any
access-list 108 remark RO-GLS SMTP
access-list 108 remark SDM_ACL Category=18
access-list 108 remark RO-GLS ACL
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.25
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.24
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.23
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.22
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.21
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.20
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.19
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.18
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.17
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.16
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.15
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.14
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.13
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.12
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.11
access-list 108 deny ip 192.168.0.0 0.0.0.255 host 10.10.0.10
access-list 108 permit tcp any host 192.168.1.10 eq smtp
access-list 108 permit tcp any host 192.168.1.10 eq 8383
 
Screamin'04
12-18-2008
Ok,

I was finally able to correlate it with bad ARP requests from the cable modem. Every drop we experience happens at the same time "debug arp" shows the following:

Does anyone know what I can do to filter these out?

2008-12-18 09:00:14 Local7.Debug 10.0.0.254 399529: 992494: *Dec 18 09:04:29.071 PCTime: IP ARP req filtered src 192.168.1.1 0019.cb51.74a8, dst xx.xx.xx.190 0000.0000.0000 wrong cable, interface FastEthernet0/0
2008-12-18 11:30:43 Local7.Debug 10.0.0.254 411566: 1003413: Dec 18 11:30:43.142 PCTime: IP ARP req filtered src 192.168.1.1 0019.cb51.74a8, dst xx.xx.xx.185 0000.0000.0000 wrong cable, interface FastEthernet0/0
2008-12-18 12:00:59 Local7.Debug 10.0.0.254 414229: 1005857: Dec 18 12:00:53.348 PCTime: IP ARP req filtered src 192.168.1.1 0019.cb51.74a8, dst xx.xx.xx.190 0000.0000.0000 wrong cable, interface FastEthernet0/0
2008-12-18 12:15:59 Local7.Debug 10.0.0.254 415576: 1007097: Dec 18 12:15:55.455 PCTime: IP ARP req filtered src 192.168.1.1 0019.cb51.74a8, dst xx.xx.xx.185 0000.0000.0000 wrong cable, interface FastEthernet0/0
2008-12-18 12:15:59 Local7.Debug 10.0.0.254 415577: 1007098: Dec 18 12:15:57.475 PCTime: IP ARP req filtered src 192.168.1.1 0019.cb51.74a8, dst xx.xx.xx.190 0000.0000.0000 wrong cable, interface FastEthernet0/0
2008-12-18 15:16:56 Local7.Debug 10.0.0.254 434647: 1024836: Dec 18 15:16:46.769 PCTime: IP ARP req filtered src 192.168.1.1 0019.cb51.74a8, dst xx.xx.xx.190 0000.0000.0000 wrong cable, interface FastEthernet0/0
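
The correlation described in the post above, as an added example that is not part of the original thread: it parses the "IP ARP req filtered ... wrong cable" lines, reports which inside subnet from the posted config owns the ARP source address, and pairs each outage time with the nearest ARP event. The function names, the 30-second window and the drop times are assumptions; the drop times are constructed because the post does not list them.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Router-generated part of each syslog line (an optional "*" precedes the timestamp).
ARP_RE = re.compile(
    r"\*?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d{3}) \S+: "
    r"IP ARP req filtered src (?P<src_ip>\S+) (?P<src_mac>[0-9a-f.]{14}), "
    r"dst (?P<dst_ip>\S+) [0-9a-f.]{14} wrong cable, interface (?P<ifname>\S+)"
)
# Inside subnets from the posted config (the FastEthernet0/0 address is redacted there).
INSIDE = {
    "Vlan200": ipaddress.ip_interface("10.0.0.254/255.255.255.0").network,
    "Vlan250": ipaddress.ip_interface("192.168.1.254/255.255.254.0").network,
}

def parse_arp_events(lines, year=2008):
    """Extract filtered-ARP events; the log timestamp has no year, so one is supplied."""
    events = []
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events.append({"time": when, "src_ip": m["src_ip"], "src_mac": m["src_mac"],
                           "dst_ip": m["dst_ip"], "ifname": m["ifname"]})
    return sorted(events, key=lambda e: e["time"])

def owning_interface(src_ip):
    """Name the inside interface whose subnet contains src_ip, or None."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:  # redacted address such as xx.xx.xx.190
        return None
    return next((name for name, net in INSIDE.items() if addr in net), None)

def correlate(drops, events, window=timedelta(seconds=30)):
    """Pair each observed drop time with the nearest ARP event inside the window."""
    pairs = []
    for drop in drops:
        near = [e for e in events if abs(e["time"] - drop) <= window]
        pairs.append((drop, min(near, key=lambda e: abs(e["time"] - drop)) if near else None))
    return pairs

# Three log lines from the post, shortened to the router-generated part.
SAMPLE_LOG = [
    "*Dec 18 09:04:29.071 PCTime: IP ARP req filtered src 192.168.1.1 0019.cb51.74a8, dst xx.xx.xx.190 0000.0000.0000 wrong cable, interface FastEthernet0/0",
    "Dec 18 12:15:55.455 PCTime: IP ARP req filtered src 192.168.1.1 0019.cb51.74a8, dst xx.xx.xx.185 0000.0000.0000 wrong cable, interface FastEthernet0/0",
    "Dec 18 12:15:57.475 PCTime: IP ARP req filtered src 192.168.1.1 0019.cb51.74a8, dst xx.xx.xx.190 0000.0000.0000 wrong cable, interface FastEthernet0/0",
]
# Constructed drop times (not from the post); the last one has no ARP event nearby.
SAMPLE_DROPS = [datetime(2008, 12, 18, 9, 4, 35), datetime(2008, 12, 18, 12, 16, 0), datetime(2008, 12, 18, 13, 0, 0)]

if __name__ == "__main__":
    for drop, ev in correlate(SAMPLE_DROPS, parse_arp_events(SAMPLE_LOG)):
        print(drop, "->", ev and (ev["time"], ev["src_ip"], owning_interface(ev["src_ip"])))
```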
 