
Router internet connection drops out!

Hi there,
I've an internet site (running a Cisco router), but after every 1 week or so
we always have to restart the router, and only then can it send traffic.
At the instant when the router doesn't respond, we tested a ping to a WAN IP and
got "TTL expired in transit" instead of "request timed out" ... we always have to
restart the router whenever this is the case .....

Below is my config and show version output
Current configuration : 5300 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone ACST 9 30
clock summer-time ACST recurring last Sun Oct 2:00 last Sun Mar 2:00
!
crypto pki trustpoint TP-self-signed-1394679709
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1394679709
 revocation-check none
 rsakeypair TP-self-signed-1394679709
!
!
crypto pki certificate chain TP-self-signed-1394679709
 certificate self-signed 01
        quit
!
!
ip cef
!
!
!
!
no ip domain lookup
ip domain name xxx
!
multilink bundle-name authenticated
!
!
username xxxx privilege 15 xxxxx
archive
 log config
  hidekeys
!
!
!
track 1 rtr 1 reachability
 delay down 30
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description VLAN1_subnet1
 ip address 10.152.13.125 255.255.255.0 secondary
 ip address 10.152.13.126 255.255.255.128 secondary
 ip address 10.152.12.121 255.255.255.128
 ip tcp adjust-mss 1452
 standby delay minimum 20 reload 25
 standby 0 ip 10.152.12.126
 standby 0 preempt
 standby 1 priority 120
 standby 1 preempt
 standby 1 track 1 decrement 20
!
interface Dialer1
 description -- IPWAN ADSL2+ "ggbondi" --
 bandwidth 1000
 ip address negotiated
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxx
 ppp chap password 0 xxxx
 ppp multilink
!
interface Dialer2
 no ip address
 no cdp enable
!
ip local policy route-map IPWAN_access
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.152.12.128 255.255.255.128 10.152.12.101 permanent
!
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 10.152.12.102 5631 interface Dialer2 5631
ip nat inside source static tcp 10.152.12.103 5631 interface Dialer2 5633
!
ip sla 1
 icmp-echo 10.0.8.1
 timeout 4000
 frequency 5
 history hours-of-statistics-kept 24
ip sla schedule 1 life forever start-time now
access-list 101 permit icmp any host 10.0.8.1 echo
snmp-server community public RO
no cdp run
!
!
!
route-map IPWAN_access permit 10
 match ip address 101
 set interface Dialer1 Null0
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
 
Please change these publicly known initial credentials using SDM or the IOS CLI.
 
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use.
 
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 exec-timeout 120 0
 login local
 no modem enable
 terminal-type vt100
 length 25
 transport output all
 stopbits 1
line aux 0
 transport output all
line vty 0 4
 session-timeout 10  output
 access-class 10 in
 privilege level 15
 password 7 xxxx
 login local
 terminal-type vt100
 length 25
 transport input all
 transport output all
!
scheduler max-task-time 5000
 
!
webvpn cef
end

 
nabeel92 (Author) Commented:
I've removed
snmp-server community public RO
but anything apart from that?
0
 
nabeel92 (Author) Commented:
And I'd say also ignore the misconfigured standby, since there is no other peer ... this is the only router ...
0
 
ciscoml320 Commented:
Can you provide a "sh version" for this router? Your problem sounds like the router is running out of resources after that period of time (related to the NAT table or memory).
What are the types of traffic passing through this router? Any "peer-to-peer" traffic? (Not really for the bandwidth, but more for the number of connections the router has to NAT at any given time.)
0
 
nabeel92 (Author) Commented:
Yes, it's an internet cafe where people use P2P traffic, but it's all data traffic only that passes through, no VoIP traffic .... There are 28 PCs at this site and usually all of them are online at the same time ... but we just started having this issue about a couple of weeks ago ... we have to restart the router that time and only then does it come back to normal ...

router1.ggbondi#sh version
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T1,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 16:47 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

router1.ggbondi uptime is 6 days, 1 hour, 21 minutes
System returned to ROM by power-on
System image file is "flash:c870-advipservicesk9-mz.124-15.T1.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 877-M (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FCZ114691SH
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102
0
 
ciscoml320 Commented:
A couple of ideas here. Off the bat you can start with this:
ip nat translation udp-timeout 900
ip nat translation tcp-timeout 900

This will make sure unused NAT entries are cleared automatically every 15 minutes, instead of the default, which may be up to 24 hours.

Second: over a period of time (i.e. during high peak times), see how many entries are being kept in the NAT table. You'll get that info by doing "show ip nat statist".
What is the "total active translations" at these times...?
By default the IOS doesn't impose a limit on the number of active translations (your mileage will vary based on the device's memory), but you can impose a limit on how many translations are created by using the "ip nat translation max-entries <n>" command.
0
 
nabeel92 (Author) Commented:
Guess what, I'm kinda confused here! lol ...
What you are saying absolutely makes sense .... but there is no ip nat inside / ip nat outside defined in the config on any of the interfaces ... there are just 2 port forwarding rules defined through NAT, that's it! It's a bit strange! How can they get out to the internet right now if there is no NAT?
0
 
nabeel92 (Author) Commented:
Sorry, please ignore my previous entry ...
Actually this goes through one of our core routers that is NATted .. sorry for the above! My mistake .... but this also means that there is no NAT happening at the current site in question ... so I guess I'd rule out the NAT table size or anything, because there is no NAT happening at all ... NAT only happens at one of the core routers ... this is just a branch site with no NATting ...
0
 
ciscoml320 Commented:
I've been wondering the same thing as well...can you post the following:

"sh ip int br | e unas"

"sh ip route"

thx
0
 
nabeel92 (Author) Commented:
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
ATM0                       unassigned      YES NVRAM  up                    up
Vlan1                      10.x.x.x        YES NVRAM  up                    up
Dialer1                    172.25.x.x      YES IPCP   up                    up
Dialer2                    unassigned      YES NVRAM  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
NVI0                       unassigned      NO  unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
0
 
nabeel92 (Author) Commented:
So yeah, no NAT with this configuration .... your article is about configuring ppoatm, which is already done!
0
 
nabeel92 (Author) Commented:
and in the routing table, the default route is going via dialer 1 (the next hop) ... rest are just inside routes to a couple of servers ...
Thanks..
0
 
nabeel92 (Author) Commented:
Hi there,
Any idea as to what might be in the configuration causing the error ...? Else, do you suggest an IOS upgrade if there are any known issues with this version? Thanks...
0
 
memo_tnt Commented:
Hi,
I have the same router, same specifications, but with this IOS image:
"flash:c870-advsecurityk9-mz.124-4.T8.bin"
It's working 100%.
uptime is 1 week, 19 hours, 22 minutes
Try it and reply with the results.
BR
0
 
nabeel92 (Author) Commented:
So you're using version 8 and I got 15? But anyway, I will try your version if my router needs the usual restart again! ... After I've removed those SNMP commands which made the router vulnerable to DoS attacks, things have been good so far! If it restarts again, I'll move to your version ... thanks
0
 
memo_tnt Commented:
Ah,
I didn't notice that.
Try creating an ACL that permits specific IPs to read SNMP
and deny any any.
This will prevent you from vulnerable attacks.
Plus, if this doesn't solve it, try my IOS version.
BR
0
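
The SNMP point raised in the last two comments (a default `public` community with no source restriction, versus a community bound to an ACL) can be checked mechanically. The following is an added example, not part of any post in this thread: a small Python audit of `snmp-server community` lines. ACL 20, the address 192.0.2.10 and the community string in the hardened sample are placeholders, and `audit_snmp` is a hypothetical helper name.

```python
import re

# Constructed sample: the two relevant lines from the config posted in the question.
POSTED = """\
access-list 101 permit icmp any host 10.0.8.1 echo
snmp-server community public RO
"""

# Constructed hardened variant. ACL 20, 192.0.2.10 and the community string
# are placeholders, not values from the thread.
HARDENED = """\
access-list 20 permit host 192.0.2.10
access-list 20 deny any log
snmp-server community EXAMPLE-ro-string RO 20
"""

DEFAULT_COMMUNITIES = {"public", "private"}
ACL_DEF = re.compile(r"^(?:ip )?access-list (?:standard |extended )?(\S+)")
COMMUNITY = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$", re.I)


def audit_snmp(config):
    """Return a list of findings for every snmp-server community line."""
    lines = [line.strip() for line in config.splitlines()]
    # ACL names/numbers that are actually defined somewhere in the config.
    defined = {m.group(1) for m in map(ACL_DEF.match, lines) if m}
    findings = []
    for line in lines:
        m = COMMUNITY.match(line)
        if not m:
            continue
        # IOS treats a community with no RO/RW keyword as read-only.
        name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{name}: default community string")
        if acl is None:
            findings.append(f"{name}: no ACL, any source may query")
        elif acl not in defined:
            findings.append(f"{name}: ACL {acl} referenced but not defined")
        if mode == "RW":
            findings.append(f"{name}: read-write access")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("hardened", HARDENED)):
        print(label, audit_snmp(cfg) or "no findings")
```

The same defined-versus-referenced comparison is worth running by hand on `access-class 10 in` under `line vty 0 4`, since no `access-list 10` appears in the posted configuration.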
