Cisco 801 (ISDN)

Discussion in 'Cisco' started by C.S.Mager, Oct 23, 2003.

  1. C.S.Mager

    C.S.Mager Guest

    Hi,

    I've recently thrown out my old cruddy router and replaced it with something
    decent - a Cisco 801 I picked up from eBay for quite a reasonable price.

    I've set it up, and all works ok. I've blocked all external ICMP traffic in
    a sledgehammer attempt to keep the timeout working properly (the virus
    traffic keeps the connection alive indefinitely if I don't, but if anyone
    has any better, more precise, ideas please feel free to tell me!)

    Anyway, my main problem is that when I click 'send/receive' in outlook, it
    sits there... and sits there.... and then comes up with an error. If I then
    click send/receive again, it works.

    The call setup happens, but it doesn't let Outlook carry on straight away
    like my old router did. Anyone have any ideas?

    C.S.Mager
     
    C.S.Mager, Oct 23, 2003
    #1
    1. Advertising

  2. On Thu, 23 Oct 2003 19:39:14 +0000 (UTC), C.S.Mager wrote:
    > Hi,
    >
    > I've recently thrown out my old cruddy router and replaced it with something
    > decent - a Cisco 801 I picked up from eBay for quite a reasonable price.
    >
    > I've set it up, and all works ok. I've blocked all external ICMP traffic in
    > a sledgehammer attempt to keep the timeout working properly (the virus
    > traffic keeps the connection alive indefinitely if I don't, but if anyone
    > has any better, more precise, ideas please feel free to tell me!)
    >
    > Anyway, my main problem is that when I click 'send/receive' in outlook, it
    > sits there... and sits there.... and then comes up with an error. If I then
    > click send/receive again, it works.
    >
    > The call setup happens, but it doesn't let Outlook carry on straight away
    > like my old router did. Anyone have any ideas?


    Yes, you broke path MTU discovery by denying all ICMP ...

    You should only block ICMP echo-requests

    --
    Jesper Skriver, CCIE #5456, FreeBSD committer
     
    Jesper Skriver, Oct 23, 2003
    #2
    1. Advertising

  3. Jesper Skriver wrote:

    > On Thu, 23 Oct 2003 19:39:14 +0000 (UTC), C.S.Mager wrote:
    >> Hi,
    >>
    >> I've recently thrown out my old cruddy router and replaced it with
    >> something decent - a Cisco 801 I picked up from eBay for quite a
    >> reasonable price.
    >>
    >> I've set it up, and all works ok. I've blocked all external ICMP traffic
    >> in a sledgehammer attempt to keep the timeout working properly (the virus
    >> traffic keeps the connection alive indefinitely if I don't, but if anyone
    >> has any better, more precise, ideas please feel free to tell me!)
    >>
    >> Anyway, my main problem is that when I click 'send/receive' in outlook,
    >> it
    >> sits there... and sits there.... and then comes up with an error. If I
    >> then click send/receive again, it works.
    >>
    >> The call setup happens, but it doesn't let Outlook carry on straight away
    >> like my old router did. Anyone have any ideas?

    >
    > Yes, you broke path MTU discovery by denying all ICMP ...
    >
    > You should only block ICMP echo-requests


    And the OP may also want "no ip unreachables" under the external i/f.


    B

    --
    http://www.mailtrap.org.uk/
    http://www.ibrox.demon.co.uk/
     
    Bob { Goddard }, Oct 23, 2003
    #3
  4. C.S.Mager

    C.S.Mager Guest

    Bob { Goddard } wrote:
    >> Yes, you broke path MTU discovery by denying all ICMP ...
    >>
    >> You should only block ICMP echo-requests

    >
    > And the OP may also want "no ip unreachables" under the external i/f.


    I think I already have 'no ip unreachables', but I'll check.

    I'm a bit of a newbie to Cisco (and routing!), could someone explain what
    Jesper meant by 'you broke path MTU discovery'? And will only blocking
    echo-requests still solve the disconnection problem?

    Thanks for the quick replies!

    C.S.Mager
     
    C.S.Mager, Oct 24, 2003
    #4
  5. On Fri, 24 Oct 2003 10:33:38 +0000 (UTC), C.S.Mager wrote:

    > Bob { Goddard } wrote:
    >
    >>> Yes, you broke path MTU discovery by denying all ICMP ...
    >>>
    >>> You should only block ICMP echo-requests

    >>
    >> And the OP may also want "no ip unreachables" under the external i/f.

    >
    > I think I already have 'no ip unreachables', but I'll check.


    That will make no difference, this configuration knob, control if your
    router will generate ICMP host/network unreachables etc, which makes
    absolutely no difference here.

    > I'm a bit of a newbie to Cisco (and routing!), could someone explain
    > what Jesper meant by 'you broke path MTU discovery'?


    Path MTU discovery works like this:

    You send a frame of say 1500 bytes to a server with the don't fragment
    bit set, somewhere in the path, there is a link which cannot send the
    frame, due to a smaller MTU, it will then send you a ICMP DF bit set,
    need to fragment packet back, which include the largest packet it's able
    to transmit, your PC/host will then adjust the MTU to the destination
    in question, and resend the data in smaller packets - but if you block
    all ICMP, the "ICMP DF bit set, need to fragment" packet will never get
    to your PC, and it will just try to retransmit the original packet, and
    eventually time out.

    > And will only blocking echo-requests still solve the disconnection
    > problem?


    If you by disconnection mean the timeouts, yes.

    > Thanks for the quick replies!


    --
    Jesper Skriver, CCIE #5456, FreeBSD committer
     
    Jesper Skriver, Oct 24, 2003
    #5
  6. C.S.Mager

    C.S.Mager Guest

    Jesper Skriver wrote:
    >> And will only blocking echo-requests still solve the disconnection
    >> problem?

    >
    > If you by disconnection mean the timeouts, yes.


    I'll try that later on then. If I've broken the MTU path, why can I check
    my email the second time I try? And why does everything else work as normal
    after it's connected?

    C.S.Mager
     
    C.S.Mager, Oct 24, 2003
    #6
  7. C.S.Mager

    C.S.Mager Guest

    Jesper Skriver wrote:
    >> And will only blocking echo-requests still solve the disconnection
    >> problem?

    >
    > If you by disconnection mean the timeouts, yes.


    I've changed the 'deny icmp any any' to 'deny icmp any any echo' (there is
    no echo-request on mine, just echo or echo-reply) This still lets the
    router disconnect ok, but I've still got the same problem.

    When I click Send/Receive, it sits there for ages and then comes up with a
    timeout message. If I then try again, it works. This never used to happen
    on my old router! I can type 'ping mail.xxx.net', and it says 'request
    timed out' for the first one, then it gets replies for the rest....

    My config is posted below:


    !
    version 12.0
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname csmisdn
    !
    enable secret 5 $1$93B7$hz/i1vyN4fVbLbcxGmxCA.
    !
    ip subnet-zero
    !
    ip name-server 213.1.119.97
    isdn switch-type basic-net3
    !
    !
    !
    interface Ethernet0
    description connected to EthernetLAN
    ip address 10.0.0.7 255.0.0.0
    no ip redirects
    no ip unreachables
    no ip directed-broadcast
    no ip proxy-arp
    ip nat inside
    no cdp enable
    !
    interface BRI0
    description connected to Internet
    no ip address
    ip access-group 110 in
    no ip redirects
    no ip unreachables
    no ip directed-broadcast
    no ip proxy-arp
    ip nat outside
    encapsulation ppp
    dialer rotary-group 1
    dialer-group 1
    isdn switch-type basic-net3
    no cdp enable
    !
    interface Dialer1
    description connected to Internet
    ip address negotiated
    ip access-group 110 in
    no ip redirects
    no ip unreachables
    no ip directed-broadcast
    no ip proxy-arp
    ip nat outside
    encapsulation ppp
    no ip split-horizon
    dialer in-band
    dialer idle-timeout 60
    dialer string 08089933001
    dialer hold-queue 10
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname **********
    ppp chap password 7 ******************
    ppp pap sent-username ************ password 7 ***************
    !
    router rip
    version 2
    passive-interface Dialer1
    network 10.0.0.0
    no auto-summary
    !
    ip nat inside source list 1 interface Dialer1 overload
    ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 110 deny icmp any any echo
    access-list 110 permit ip any any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    line con 0
    exec-timeout 0 0
    password 7 ********************
    login
    transport input none
    stopbits 1
    line vty 0 4
    exec-timeout 0 0
    password 7 ********************
    login
    !
    end
     
    C.S.Mager, Oct 24, 2003
    #7
  8. On Fri, 24 Oct 2003 13:54:23 +0000 (UTC), C.S.Mager wrote:
    > Jesper Skriver wrote:
    >>> And will only blocking echo-requests still solve the disconnection
    >>> problem?

    >>
    >> If you by disconnection mean the timeouts, yes.

    >
    > I've changed the 'deny icmp any any' to 'deny icmp any any echo' (there is
    > no echo-request on mine, just echo or echo-reply) This still lets the
    > router disconnect ok, but I've still got the same problem.


    Yes, echo is the one.

    > When I click Send/Receive, it sits there for ages and then comes up with a
    > timeout message. If I then try again, it works. This never used to happen
    > on my old router! I can type 'ping mail.xxx.net', and it says 'request
    > timed out' for the first one, then it gets replies for the rest....


    Perhaps it's the time it takes to dial - do you see the problem if
    the ISDN line is connected, eg due to loading a web page ?

    If yes, it's not related to dialing, if no - you could try this

    interface Dialer1
    dialer hold-queue 20

    Perhaps you could send the output when trying the first time (which
    fails), of these debug commands

    debug ip icmp
    debug ip packet
    debug isdn q931
    debug dialer

    /Jesper

    --
    Jesper Skriver, CCIE #5456, FreeBSD committer
     
    Jesper Skriver, Oct 24, 2003
    #8
  9. C.S.Mager

    C.S.Mager Guest

    Jesper Skriver wrote:
    > Perhaps it's the time it takes to dial - do you see the problem if
    > the ISDN line is connected, eg due to loading a web page ?
    >
    > If yes, it's not related to dialing, if no - you could try this
    >
    > interface Dialer1
    > dialer hold-queue 20


    Once I've loaded IE, it connects first time.

    Without doing that, sometimes Outlook doesn't even cause it to connect...
    but when it does, it still doesn't manage to complete the send/receive first
    time....

    I've tried changing the hold-queue to 20.... and then tried 100, but it made
    no difference.

    I'm completely mystified by this.... with my old router, I clicked
    send/receive, had a slight pause while it connected the ISDN line, and then
    it carried on and checked my email. With this Cisco one, there's a slight
    pause while it connects the ISDN line, and then it doesn't carry on.... just
    comes up with a timeout! I might plug my old router back in.....
     
    C.S.Mager, Oct 24, 2003
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. C.S.Mager

    Cisco 801 (ISDN): DNS Relay

    C.S.Mager, Oct 24, 2003, in forum: Cisco
    Replies:
    2
    Views:
    4,277
    Aaron Leonard
    Oct 27, 2003
  2. bistri
    Replies:
    0
    Views:
    622
    bistri
    Nov 27, 2003
  3. Michael Göttert
    Replies:
    1
    Views:
    421
  4. RobinC
    Replies:
    3
    Views:
    405
  5. sync
    Replies:
    0
    Views:
    573
Loading...

Share This Page