Network problems, Cisco 2800 Router

Asked by UptimeSystems in Network Routers, Networking Hardware Firewalls, Miscellaneous Networking

Tags: cisco, 2800, router, network, problems

We are having intermittent but persistent network problems on a small LAN with a Cisco 2800 router as the edge device/firewall.

NETWORK OVERVIEW:

10 PCs, no servers, most units hard-wired
Network switch: Cisco Catalyst
Edge Device: Cisco 2800 w/ Firewall Feature Set
Internet Connection: Integrated T1
VLAN 1 "Voice" (for Cisco IP phones)
VLAN 2 "Data" (for PCs)
DHCP: Enabled, served by the Cisco 2800

Again--a very simple network.  No servers, just the Cisco 2800 which provides DHCP services as well as connectivity to the Internet.  (The WAN interface of the router connects directly to an Adtran unit provided by the ISP).

THE PROBLEM:

Intermittently, one or more PCs cannot traverse the Cisco router and get to the Internet.  The most common symptom is that the user cannot browse the web, however when this problem happens I also cannot ping past the router (cannot ping the ISP DNS servers, or other known working public IP addresses).

The problem occurs almost every day and can last for anywhere from a few minutes to an hour.  This problem SEEMS to only affect the "Data" VLAN, as the Cisco phones never have any problems.

The router is doing NAT Overload (PAT) for Internet connectivity.  The router is also doing a site-to-site VPN to another branch office.

The problem typically affects only one PC at a time.  This originally made me think that perhaps it's a user limit problem, and the Cisco is only licensed for X users (such as you might see on a Cisco PIX or Cisco ASA--or any firewall).   However it seems this model of Cisco router has no such hard-coded limit.

I've also had the ISP replace their Adtran unit (CSU/DSU) just in case.  This did not fix the problem.
I also don't believe this to be a problem with the switch or cabling, as no users have reported seeing the loss of physical connectivity you see on Windows hosts when a LAN link is lost.

As far as I can tell, the problem is something with the router itself, either DHCP, NAT, or something else.

The Cisco router was installed and configured by a prior IT person.  I'm comfortable enough with Cisco routers and CIOS (save the Cisco IP Phone/SIP stuff--which I have no experience with.)  I've looked over the config and see no obvious problems.

The problem seemingly started by itself without any network changes.  The ONLY change I can think of when this problem started happening (about a month ago) is the adding of a new PC to the network.  (Maybe one too many DHCP clients?)

I've included the entire config below (code snippet).
If anyone has any ideas--I'd love to hear them.
BSG_MSP_Router#sh run
Building configuration...
 
Current configuration : 9466 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BSG_MSP_Router
!
boot-start-marker
boot-end-marker
!
card type t1 0 2
logging buffered 51200 debugging
enable secret 5 $1$iJAw$jL2vZv5DBXEkxBiH55/hq/
!
no aaa new-model
!
resource policy
!
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
clock calendar-valid
network-clock-participate wic 2
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.1 172.16.0.99
ip dhcp excluded-address 172.16.0.250 172.16.0.254
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.250 10.0.0.254
!
ip dhcp pool Voice
   network 172.16.0.0 255.255.255.0
   option 150 ip 172.16.1.20
   default-router 172.16.0.254
!
ip dhcp pool Data
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.254
   dns-server 65.106.1.196 65.106.7.196
!
!
no ip domain lookup
ip domain name buyerssupport.com
ip ssh version 2
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
voice-card 0
 no dspfarm
!
!
voice rtp send-recv
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 no supplementary-service h450.2
 no supplementary-service h450.3
 fax protocol pass-through g711ulaw
 h323
 modem passthrough nse codec g711ulaw
 sip
!
!
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g729r8
!
!
!
voice class h323 1
 h225 timeout tcp establish 3
 h225 timeout setup 3
!
!
!
!
!
!
voice translation-rule 1
 rule 1 // /6122040024/
!
!
voice translation-profile OUT
 translate calling 1
!
!
!
crypto pki trustpoint TP-self-signed-605737594
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-605737594
 revocation-check none
 rsakeypair TP-self-signed-605737594
!
!
crypto pki certificate chain TP-self-signed-605737594
 certificate self-signed 01
  30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 36303537 33373539 34301E17 0D303730 33323132 30353934
  315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3630 35373337
  35393430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  D831A1DB E5088F22 422332CF 8CC0B117 52852568 F5DC0D6F 560742D8 E9B4A47C
  16399AEE 24D219CC 10DB9B5D D1645AF6 02FB5CFB BCA0CC58 5D441351 526FC9B4
  E12FB0C2 7F813556 91DE715D 59D58878 323C0B25 CEF283E1 22292E95 7CA04EAD
  2466135E 000C6777 80E826A0 4E836AB3 DF0F12C4 EB70C005 92A4A633 358BECAB
  02030100 01A38180 307E300F 0603551D 130101FF 04053003 0101FF30 2B060355
  1D110424 30228220 4253475F 4D53505F 526F7574 65722E62 75796572 73737570
  706F7274 2E636F6D 301F0603 551D2304 18301680 14196E44 62DE3121 A680DCD7
  D4DD35B6 147DFB98 90301D06 03551D0E 04160414 196E4462 DE3121A6 80DCD7D4
  DD35B614 7DFB9890 300D0609 2A864886 F70D0101 04050003 8181008F 1D6FFBDC
  0917D65B 3CFAF982 C9D2AD1B C3664885 CB482FE4 74E4F372 9658339A FF7B398E
  38AC0D2A 87C82CD9 51D30275 DC5350F6 C27444B5 AC8263A3 17452D96 6514E257
  457B57A3 E9CDC526 12B75703 8E82643B B64609AE CCC03152 AD327B82 40E1CE59
  1D4246E0 906A0BD9 8F26467C 82C8CE1B 3E6E734E 5B232F1C 45854A
  quit
username administrator password 7 104D1C1C
username admin secret 5 $1$3X5u$SxXWXrLWXoXonAk.xuZBi0
!
!
controller T1 0/2/0
 framing esf
 linecode b8zs
 ds0-group 1 timeslots 1-6 type e&m-wink-start
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key #bsg#zxc! address 65.45.22.209
no crypto isakmp ccm
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
 set peer 65.45.22.209
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
interface FastEthernet0/0
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 description Data VLAN
 encapsulation dot1Q 10 native
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet0/0.172
 description Voice VLAN
 encapsulation dot1Q 172
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 172.16.0.254
!
interface FastEthernet0/1
 ip address 67.95.34.242 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet0/1/0
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode trunk
 switchport voice vlan 172
 no ip address
 shutdown
 spanning-tree portfast
!
interface FastEthernet0/1/1
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode trunk
 switchport voice vlan 172
 no ip address
 shutdown
 spanning-tree portfast
!
interface FastEthernet0/1/2
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode trunk
 switchport voice vlan 172
 no ip address
 shutdown
 spanning-tree portfast
!
interface FastEthernet0/1/3
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode trunk
 switchport voice vlan 172
 no ip address
 shutdown
 spanning-tree portfast
!
interface FastEthernet0/1/4
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode trunk
 switchport voice vlan 172
 no ip address
 shutdown
 spanning-tree portfast
!
interface FastEthernet0/1/5
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode trunk
 switchport voice vlan 172
 no ip address
 shutdown
 spanning-tree portfast
!
interface FastEthernet0/1/6
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode trunk
 switchport voice vlan 172
 no ip address
 shutdown
 spanning-tree portfast
!
interface FastEthernet0/1/7
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode trunk
 switchport voice vlan 172
 no ip address
 shutdown
 spanning-tree portfast
!
interface FastEthernet0/1/8
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode trunk
 no ip address
 shutdown
!
interface Service-Engine1/0
 ip unnumbered FastEthernet0/0.172
 service-module ip address 172.16.0.10 255.255.255.0
 service-module ip default-gateway 172.16.0.254
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.95.34.241
ip route 172.16.0.10 255.255.255.255 Service-Engine1/0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static tcp 172.16.0.10 80 67.95.34.243 80 extendable
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.0.255
access-list 11 permit 209.98.190.1
access-list 11 permit 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny   ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 permit ip 172.16.0.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!
!
!
tftp-server flash:P00303020214.bin
tftp-server flash:P00305000301.sbn
tftp-server flash:P00403020214.bin
!
control-plane
!
!
!
voice-port 0/2/0:1
 translation-profile outgoing OUT
 timeouts interdigit 4
!
voice-port 0/3/0
!
voice-port 0/3/1
!
!
!
sccp local FastEthernet0/0.172
sccp ccm 172.16.0.20 identifier 1 version 4.0
sccp
!
!
dial-peer voice 1 voip
 description Default Peer to matching incoming VOIP
 modem passthrough nse codec g711ulaw
 voice-class codec 1
 voice-class h323 1
 incoming called-number .
 dtmf-relay h245-alphanumeric
 fax rate disable
 no vad
!
dial-peer voice 2 pots
 description Peer to match incoming VNET Calls
 translation-profile incoming VNETPROFILE
 incoming called-number .
 port 0/2/0:1
!
dial-peer voice 2589 voip
 destination-pattern 2589
 voice-class codec 1
 voice-class h323 1
 session target ipv4:172.16.1.20
 dtmf-relay h245-alphanumeric
 fax rate disable
 no vad
!
dial-peer voice 2555 voip
 destination-pattern 2555
 voice-class codec 1
 voice-class h323 1
 session target ipv4:172.16.1.20
 dtmf-relay h245-alphanumeric
 fax rate disable
 no vad
!
num-exp 0835 104
num-exp 0020 7000
num-exp 0024 2555
!
!
banner login ^CC
---------------------------------------------
 
*** Unauthorized use is strictly prohibited! ***
 
     *** Violators will be prosecuted! ***
 
------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179867
ntp master 3
ntp update-calendar
ntp server 128.101.101.101 prefer
ntp server 134.84.84.84
!
end
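
Added example, not part of the original question and not the asker's or Cisco's code: one way to check the "one too many DHCP clients" idea offline is to compute how many leasable addresses each pool in the posted config actually has. The names `dhcp_pool_capacity` and `CONFIG` are made up for this sketch, the excerpt is copied from the config above, and the parser goes slightly beyond it by also accepting a single-address exclusion and a `/prefix` mask.

```python
import ipaddress
import re

# Excerpt copied from the running config posted in the question.
CONFIG = """\
ip dhcp excluded-address 172.16.0.1 172.16.0.99
ip dhcp excluded-address 172.16.0.250 172.16.0.254
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.250 10.0.0.254
!
ip dhcp pool Voice
   network 172.16.0.0 255.255.255.0
   option 150 ip 172.16.1.20
   default-router 172.16.0.254
!
ip dhcp pool Data
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.254
   dns-server 65.106.1.196 65.106.7.196
!
"""

def dhcp_pool_capacity(config):
    """Return {pool name: number of addresses the pool can lease}."""
    excluded = []        # global exclusion ranges as (low, high) integers
    pools = {}           # pool name -> IPv4Network
    current = None       # pool whose sub-commands are being read
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line)
        if m:
            low = int(ipaddress.IPv4Address(m.group(1)))
            high = int(ipaddress.IPv4Address(m.group(2) or m.group(1)))
            excluded.append((low, high))
            continue
        m = re.match(r"ip dhcp pool (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        if not raw.startswith(" "):
            current = None   # an unindented line ends the pool sub-mode
            continue
        m = re.match(r"network (\S+) (\S+)$", line)
        if m and current:
            mask = m.group(2).lstrip("/")   # accepts 255.255.255.0 or /24
            pools[current] = ipaddress.IPv4Network(f"{m.group(1)}/{mask}")
    capacity = {}
    for name, net in pools.items():
        # Usable hosts: everything between network and broadcast address.
        hosts = set(range(int(net.network_address) + 1,
                          int(net.broadcast_address)))
        for low, high in excluded:
            hosts -= set(range(low, high + 1))
        capacity[name] = len(hosts)
    return capacity

if __name__ == "__main__":
    for pool, free in dhcp_pool_capacity(CONFIG).items():
        print(f"{pool}: {free} leasable addresses")
```

Compare the result with the number of entries in `show ip dhcp binding` on the router to see how close each pool is to exhaustion.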
08/01/08 02:56 PM, ID: 22142246 Accepted Solution

Solution Provided By: lanboyo
Participating Experts: 4
Solution Grade: A
 