LnxOne

Cisco 1811W keeps failing after 1 to 2 hours

Help!

I just configured a Cisco 1811W router for my office to connect to an ISP.  Things work pretty well, but about 2 hours later the connection from my Cisco 1811W router to the ISP CSU/DSU keeps dropping. It has kept doing this for over a week and it's driving me crazy!!!

Here is my current configure file:

FE0: ip address 146.xxx.xxx.178  ==>> ISP CSU/DSU Interface:  146.xxx.xxx.177
Internal gateway BVI1: 192.168.xxx.65

Here is my NAT table:
ip nat inside source static 192.168.xxx.65 146.xxx.xxx.178
ip nat inside source static 192.168.xxx.67 146.xxx.xxx.179
ip nat inside source static tcp 192.168.xxx.67 80 interface FA0 80
ip nat inside source static tcp 192.168.xxx.67 110 interface FA0 110

Here are my IP routes:
ip route 0.0.0.0 0.0.0.0 146.xxx.xxx.177
router rip
 version 2
 passive-interface FastEthernet0
 passive-interface BVI1
 network 146.xxx.0.0
 network 192.168.xxx.0
 no auto-summary

...

The text below is my show run command:

!This is the show startup-config output of the router: show startup-config
!----------------------------------------------------------------------------

Using 8057 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C1811W
!
boot-start-marker
boot-end-marker
!
logging buffered 5xxx0 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 xxx3 2:00 Oct 26 xxx3 2:00
!
!
ip cef
ip dhcp excluded-address 192.168.2.0 192.168.2.254
ip dhcp excluded-address 192.168.xxx.65 192.168.xxx.80
!
!
ip domain name localdomain.local
ip name-server 192.168.xxx.70
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW esmtp
!
appfw policy-name SDM_LOW
  application http
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-4072465080
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4072465080
 revocation-check none
 rsakeypair TP-self-signed-4072465080
!
!
crypto pki certificate chain TP-self-signed-4072465080
 certificate self-signed 01 nvram:IOS-Self-Sig#3005.cer
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_MEDIUM
 class sdm_p2p_gnutella
 class sdm_p2p_bittorrent
 class sdm_p2p_edonkey
 class sdm_p2p_kazaa
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group RVPN-SN20
 key xxxxxxxxxxxxxxxx
 dns 192.168.xxx.70
 wins 192.168.xxx.70
 domain localdomain
 pool VPN-PL20
 max-users 50
 netmask 255.255.255.192
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile RVPN-SN20
 set transform-set ESP-3DES-SHA
!
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA
!
!
crypto map SDM_CMAP_2 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
bridge irb
!
!
!
interface FastEthernet0
 description $ETH-LAN$$FW_OUTSIDE$
 ip address 146.xxx.xxx.178 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 description VLAN1
!
interface FastEthernet3
 description VLAN1
!
interface FastEthernet4
 description VLAN1
!
interface FastEthernet5
 description VLAN1
!
interface FastEthernet6
 description VLAN1
!
interface FastEthernet7
 description VLAN1
!
interface FastEthernet8
 description VLAN1
!
interface FastEthernet9
 description VLAN1
!
interface Dot11Radio0
 description VL1- VLAN1
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid MY-WLAN
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 xxxxxxxxxxxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 basic-24.0 36.0 48.0 54.0
 rts threshold 2312
 power local cck 20
 power local ofdm 17
 channel 2462
 station-role root
!
interface Dot11Radio0.1
 description VL1- VLAN1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 ip virtual-reassembly
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description BVI1$ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Async1
 no ip address
 ip virtual-reassembly
 encapsulation slip
!
interface BVI1
 description VL1- VLAN1$FW_INSIDE$
 ip address 192.168.xxx.65 255.255.255.192
 ip access-group 100 in
 no ip redirects
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 crypto map SDM_CMAP_2
!
router rip
 version 2
 passive-interface FastEthernet0
 passive-interface BVI1
 network 146.xxx.0.0
 network 192.168.xxx.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 146.xxx.xxx.177
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat Stateful id 1
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.xxx.67 110 interface FastEthernet0 110
ip nat inside source static tcp 192.168.xxx.67 80 interface FastEthernet0 80
ip nat inside source static 192.168.xxx.65 146.xxx.xxx.178
ip nat inside source static 192.168.xxx.67 146.xxx.xxx.179
!
ip access-list extended RMC_Out
 remark SDM_ACL Category=2
 deny   ip host 192.168.xxx.67 any
 deny   ip host 192.168.xxx.65 any
 permit ip any any
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ahp any host 192.168.xxx.65
access-list 100 permit esp any host 192.168.xxx.65
access-list 100 permit udp any host 192.168.xxx.65 eq isakmp
access-list 100 permit udp any host 192.168.xxx.65 eq non500-isakmp
access-list 100 deny   ip 146.xxx.xxx.176 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 146.xxx.xxx.179
access-list 101 permit tcp any host 146.xxx.xxx.179
access-list 101 permit udp any host 146.xxx.xxx.178
access-list 101 permit tcp any host 146.xxx.xxx.178
access-list 101 permit tcp any host 146.xxx.xxx.178 eq www
access-list 101 permit tcp any host 146.xxx.xxx.178 eq pop3
access-list 101 deny   ip 192.168.xxx.64 0.0.0.63 any
access-list 101 permit icmp any host 146.xxx.xxx.178 echo-reply
access-list 101 permit icmp any host 146.xxx.xxx.178 time-exceeded
access-list 101 permit icmp any host 146.xxx.xxx.178 unreachable
access-list 101 permit udp any any eq rip
access-list 101 permit ip any host 224.0.0.9
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address RMC_Out
!
!
!
!
control-plane
!
bridge 1 route ip
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115xxx
 flowcontrol hardware
line aux 0
line vty 0 4
 transport input ssh
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

JFrederick29

Does the FastEthernet0 interface actually go down?  If you look in the logs, do you see a message similar to the following?

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down

If so, I would contact your ISP and have them check the health of your connection.
I agree with JFrederick on this one and you should check with your ISP, but you may also want to check your router's hardware and make sure all cards/cables are properly connected and your router is not overheating.

eb
LnxOne

ASKER

Thank you, JFrederick29 & ebjers.

I appreciate your comments.  I think my router was overheating! Our building's air conditioning is down and they are in the process of fixing it.  Yesterday it was very HOT, near 90 degrees outside, and my router went down every 1 to 2 hours. I had to reboot it every time it went down. Today it has been up and running since 8:03 AM because the weather is not that hot outside.  I guess I need some type of cooling system to keep my router running at the expected temperature.

By the way, what is the command line to view my router's system log from a remote client using ssh?

 
"sh log"
The router should be able to operate at 90 but if the room was 90 then the internal temp may have been over 100
LnxOne

ASKER

Thanks for the expected temperature info. I will keep my eyes on it and I'll try to get a fan to cool down the router a little until our air conditioning is fixed. Hopefully soon...
LnxOne

ASKER

I just want to let you know that my router was down again last night.  It was running at a temperature of 78 degrees. I checked the log file but I don't see anything questionable. I don't think it's an overheating issue.  Can you please take a look at my configuration file above to see if I am missing anything?

I appreciate all your help.
Thank you
Your configuration looks fine.  Most likely it is an issue that needs to be raised with your ISP.
LnxOne

ASKER

Thanks JFrederick29,

I'll do that, and let you know what my ISP insists on... To be honest with you, I am reluctant to call them because they always insist that the problem is on my end, not theirs. I can't wait until my contract with them is over.
LnxOne

ASKER

My ISP scheduled a test of the line for Wednesday night. I was told that the test process will take place at 6:00 PM.  I am still waiting for the result from them to see what I have found out.  Today I am testing my WAN interface and this is what I found out.

Checking interface status...      [ Up ]
Checking for DNS settings...     [ Successful ]
Checking interface IP address  [ Successful ]
Checking exit interface...          [ Failed ]  <<=== This is my BVI1 interface

What does this mean? How do I fix this problem? Any advice will be very much appreciated...
Don't worry about the failed SDM test.  Most likely the access-list on the BVI interface is knocking down the test ping.  Your configuration is fine so wait and see what your ISP says...
LnxOne

ASKER

Thank you JFrederick29,
I will give them a call again to see if they have a test result...
LnxOne

ASKER

Hi JFrederick29

I have an update from my ISP.  They thought that one of their router interfaces might have a problem, so they sent a technician over to replace it with the same exact router.  The technician copied the configuration from the old router and put it into the new one.  Guess what? I am still having the same problem.  My connection was down again last night at around 9:45 PM.

*Jul 24 21:17:12.519: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*Jul 27 18:53:38.108: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*Jul 28 20:24:43.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*Jul 28 21:28:19.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*Jul 29 19:55:13.559: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*Aug  1 21:31:45.507: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*Aug  4 21:45:26.607: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down

I am starting to think that the problem is at my Cisco router.  I spoke with a Cisco engineer, and she recommended that I upgrade my router IOS. I am running Cisco 1811W IOS 12.4.7 but a higher version (12.4.9) has been released. Do you think it is a good idea to upgrade my IOS? Any advice will be very much appreciated.
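An added example, not part of the original thread: a small parser for the `%LINEPROTO-5-UPDOWN` lines posted above that tallies the drops by interface, day and hour, which is a quick way to see whether flaps cluster at a particular time before taking the data to the ISP. The year is an assumption taken from the dates mentioned elsewhere in the thread (2008), since IOS timestamps carry none; the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# The seven log lines from the post above, copied as posted.
LOG = """\
*Jul 24 21:17:12.519: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*Jul 27 18:53:38.108: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*Jul 28 20:24:43.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*Jul 28 21:28:19.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*Jul 29 19:55:13.559: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*Aug  1 21:31:45.507: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*Aug  4 21:45:26.607: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
"""

UPDOWN = re.compile(
    r"^(?P<star>\*)?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<time>\d\d:\d\d:\d\d)\.\d+: "
    r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (?P<intf>\S+), "
    r"changed state to (?P<state>up|down)$"
)


def parse_updown(text, year):
    """Parse LINEPROTO-5-UPDOWN lines; the caller supplies the missing year."""
    events = []
    for line in text.splitlines():
        m = UPDOWN.match(line.strip())
        if not m:
            continue  # ignore any other log message
        stamp = f"{m['mon']} {m['day']} {year} {m['time']}"
        events.append({
            "when": datetime.strptime(stamp, "%b %d %Y %H:%M:%S"),
            "intf": m["intf"],
            "state": m["state"],
            # A leading '*' means the router clock was not synchronized,
            # so times are only as good as the manually set clock.
            "clock_unsynced": m["star"] is not None,
        })
    return events


def summarize_drops(events):
    """Summarize 'down' transitions: counts, hour-of-day spread, shortest gap."""
    downs = sorted((e for e in events if e["state"] == "down"),
                   key=lambda e: e["when"])
    times = [e["when"] for e in downs]
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return {
        "drops": len(downs),
        "by_interface": dict(Counter(e["intf"] for e in downs)),
        "by_hour": dict(sorted(Counter(t.hour for t in times).items())),
        "days_with_drops": len({t.date() for t in times}),
        "shortest_gap_s": min(gaps) if gaps else None,
        "clock_unsynced": any(e["clock_unsynced"] for e in downs),
    }


if __name__ == "__main__":
    for key, value in summarize_drops(parse_updown(LOG, 2008)).items():
        print(f"{key}: {value}")
```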
You can try it, maybe there is a known issue that the Cisco engineer found with the specific IOS you are running and the services you are running on the router.  My only thing though is why aren't the other FastEthernet interfaces on the router exhibiting the same issue?  It is a big coincidence that the only interface possibly affected by this "bug" is the one connected to your ISP.

Have you tried replacing the cable from FastEthernet0 on the router to the device it is plugged into?  I might try that just to rule out local cabling.

Did your ISP specifically tell you to run auto Speed and auto Duplex with them?  What is the FastEthernet0 interface plugged into?  You might want to ask your ISP if you can run fixed 100/Full or whatever the connection is supposed to be versus auto-negotiate.  They will need to change their end of the connection as well so don't change yours without them changing theirs.
LnxOne

ASKER

I just upgraded my IOS to version 12.4.15-T6, and my router was rebooted.  So far it's been up and running for about two hours without dropping the connection.  I am keeping my fingers crossed!!!

I rewired my crossover cable two weeks ago, but that didn't have any effect at all.  Since I have been having the same problem for a while now, my ISP suggested that I change my FastEthernet to run as fixed 100/Full.

Thank you for your quick response.  I'll keep you posted as to the status of my router functioning.

LnxOne

ASKER

JFrederick29,
One of my servers (192.168.xxx.67) keeps losing its Internet connection while other hosts are still able to go online. Could you please take a look at my current firewall config file to see what I am doing wrong here?

ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat Stateful id 1
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static 192.168.xxx.65 146.145.xxx.178 extendable
ip nat inside source static 192.168.xxx.67 146.145.xxx.179 extendable
!
interface FastEthernet0
description $ETH-LAN$$FW_OUTSIDE$
ip address 146.145.xxx.178 255.255.255.xxx
ip access-group 101 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
no ip route-cache cef
speed 100
full-duplex
!
ip access-list extended RMC_Out
remark SDM_ACL Category=2
deny ip host 192.168.xxx.67 any
deny ip host 192.168.xxx.65 any
permit ip any any
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ahp any host 192.168.xxx.65
access-list 100 permit esp any host 192.168.xxx.65
access-list 100 permit udp any host 192.168.xxx.65 eq isakmp
access-list 100 permit udp any host 192.168.xxx.65 eq non500-isakmp
access-list 100 deny ip 146.xxx.xxx.176 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 146.xxx.xxx.178
access-list 101 permit tcp any host 146.xxx.xxx.178
access-list 101 permit udp any host 146.xxx.xxx.179
access-list 101 permit tcp any host 146.xxx.xxx.179
access-list 101 permit tcp any host 146.xxx.xxx.179 eq www
access-list 101 permit tcp any host 146.xxx.xxx.179 eq pop3
access-list 101 deny ip 192.168.xxx.64 0.0.0.63 any
access-list 101 permit icmp any host 146.xxx.xxx.178 echo-reply
access-list 101 permit icmp any host 146.xxx.xxx.178 time-exceeded
access-list 101 permit icmp any host 146.xxx.xxx.178 unreachable
access-list 101 permit udp any any eq rip
access-list 101 permit ip any host 224.0.0.9
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address RMC_Out

This could be an issue also...

Are you doing this for a reason?

ip nat inside source static 192.168.xxx.65 146.145.xxx.178 extendable

This may potentially cause bad things to happen.  I would remove this unless you specifically put it there for a reason.
LnxOne

ASKER

This static nat: "ip nat inside source static 192.168.xxx.65 146.145.xxx.178 extendable" is my internal gateway ip address and it translated to my public ip address on my cisco router interface FA0. The interface FA0 is communicating with my ISP (next hop) 146.145.xxx.177.  If I would remove this static nat, will it cause my internal LAN not to be able to go out to the Internet?
No, this is what allows your LAN clients to get to the Internet.

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload

The command "ip nat inside source static 192.168.xxx.65 146.145.xxx.178 extendable" should be removed as it can only cause problems.
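An added example, not part of the original thread: a small audit that flags the kind of statement discussed above, a one-to-one static NAT whose inside local or inside global address is one of the router's own interface addresses, and notes when that global address is also the interface used by the `overload` rule. The sample configuration is constructed from documentation address ranges to mirror the thread's redacted config, the function names are hypothetical, and the parser assumes standard `show running-config` indentation.

```python
import re

# Constructed sample modelled on the thread's configuration. Addresses come
# from documentation ranges, not the poster's redacted ones.
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 198.51.100.178 255.255.255.248
 ip nat outside
!
interface BVI1
 ip address 192.0.2.65 255.255.255.192
 ip nat inside
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 192.0.2.67 80 interface FastEthernet0 80
ip nat inside source static 192.0.2.65 198.51.100.178 extendable
ip nat inside source static 192.0.2.67 198.51.100.179 extendable
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
INTF_ADDR = re.compile(rf"^ ip address ({IPV4}) {IPV4}$")
STATIC_1TO1 = re.compile(
    rf"^ip nat inside source static ({IPV4}) ({IPV4})(?: extendable)?$")
PAT_OVERLOAD = re.compile(r"^ip nat inside source .* interface (\S+) overload$")


def router_addresses(config):
    """Map each primary interface address to the interface that owns it."""
    owners, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif not line.startswith(" "):
            current = None  # left the interface block
        elif current and (m := INTF_ADDR.match(line.rstrip())):
            owners[m.group(1)] = current
    return owners


def audit_static_nat(config):
    """Return [(statement, [reasons])] for one-to-one static NAT entries
    that translate the router's own addresses."""
    owners = router_addresses(config)
    lines = [l.rstrip() for l in config.splitlines()]
    pat_interfaces = {m.group(1) for l in lines if (m := PAT_OVERLOAD.match(l))}
    findings = []
    for line in lines:
        m = STATIC_1TO1.match(line)
        if not m:
            continue  # port forwards and dynamic rules are not checked here
        local, global_ = m.groups()
        reasons = []
        if local in owners:
            reasons.append(
                f"inside local {local} is the router's own {owners[local]} address")
        if global_ in owners:
            note = (f"inside global {global_} is the router's own "
                    f"{owners[global_]} address")
            if owners[global_] in pat_interfaces:
                note += ", which the overload (PAT) rule already uses"
            reasons.append(note)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for statement, reasons in audit_static_nat(SAMPLE_CONFIG):
        print(statement)
        for reason in reasons:
            print("  -", reason)
```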
LnxOne

ASKER

Thank  you JFrederick29,
I will remove "ip nat inside source static 192.168.xxx.65 146.145.xxx.178 extendable" from my router.
Thank you
 
LnxOne

ASKER

JFrederick29,
After I removed this "ip nat inside source static 192.168.xxx.65 146.145.xxx.178 extendable", I am still having the same problem: one of my Web/Mail servers with this IP address ( 192.168.xxx.67 ) keeps losing its Internet connection.  Any advice would be very much appreciated.
LnxOne

ASKER

JFrederick29,
I think the problem is a timeout issue between my router and my ISP's router.  I have been running a ping to 4.2.2.2 from one of my mail servers today and my line has not dropped for many hours. What do you think the problem could be?
I really would point back to your ISP.  Your ISP should be able to do some kind of testing to try to determine where the issue resides.  If they are unwilling to work with you, I would consider switching to a different ISP. Your configuration is fine, you changed out cabling.  If you really want to rule out your side, flip-flop your Gig interfaces.  If the problem follows, it is your ISP and nothing hardware related.
LnxOne

ASKER

I really can't take it any long with Broadview ATX ISP. They are the worst ISP I ever face I called technical support they gave me the ticket number I promised that someone will take of the problem I give me a call back. NO respond! then I call my account manager this is what I get "I will be in the internal meeting all morning and have appointment with customers all afternoon" Grrrrrrrr!  My Internet connection has been unstable since July 2, 2008. It's over a month now.  Do you think I should just give up with them I find other ISP?
I would start looking for another and make it clear to your current ISP that you may switch if they do not work with you to resolve this issue.  They may be more willing to help if you are threatening to cancel service.
LnxOne

ASKER

I really can't take it any longer with Broadview ATX ISP. They are the worst ISP I have ever faced. I called technical support; they gave me a ticket number and promised that someone would take care of the problem and give me a call back. NO response! Then I called my account manager and this is what I got: "I will be in the internal meeting all morning and have appointment with customers all afternoon" Grrrrrrrr!  My Internet connection has been unstable since July 2, 2008. It's over a month now.  Do you think I should just give up on them and find another ISP?
Sorry for the spelling above, I am so disappointed by my ISP!
LnxOne

ASKER

I just called my ISP account manager and left a message. Let's see if I get any response back from her.
LnxOne

ASKER

JFrederick29,
Finally my ISP had an engineer sit down and work with me to resolve the problem I was having. This is what the problem was:
On their router (Adtran) interface, they assigned two IP addresses. The primary IP address was my internal gateway IP, and the secondary IP address was my external gateway (my next hop). This setting was causing a data routing problem because my Cisco router was already set up to route all data packets to my ISP interface as my default route, but in the meantime my ISP has my private IP address on their interface as well, so now I have two IPs to route the data packets to.

                                  / Pri: Private IP address (my internal GW IP address)
My router FA0  ===>>>  ISP router
                                  \ Sec: Public IP address (my next hop to their router)

After an engineer removed the primary private IP address from their router interface and changed the secondary public IP address to be the primary IP address, the connection between my Cisco router and their Adtran router seems to be stable. It has been up and running for over twelve hours without dropping. The problem originated from my ISP's router all along, and they couldn't figure it out for over a month, since July 2, 2008.
Thank you for all your help, I appreciate your advice on this issue.
Regards,
LnxOne
ASKER CERTIFIED SOLUTION
JFrederick29
LnxOne

ASKER

Thank you for all your help...