Cisco 851 Router Locks Up 3 times a day

I have a 10Mbps SDL connection delivered over radio using Ubiquiti NanoStations. The connection comes into a Cisco 851 router which supports a LAN with a server and 5 clients.

The router is freezing 3 times a day on the fastethernet4 port breaking the internet connectivity while still reachable and functioning on the LAN side. When not locked, the network performs well.

Is this router overstretched, or is there anything I can try to eliminate this problem?
Asked by: ls21gce

asavener Commented:
Have you checked the logs to see if it's throwing any errors?  What functions is the device performing?  Firewall?  NAT?  VPN?  Intrusion prevention?


ls21gce (Author) Commented:
Hi asavener,

I have just discovered that the router is locking up EXACTLY every 7 hours. Looking back in the logs this is clear. So at least now I can predict when the next freeze is going to occur!

NAT and basic SDM set up firewall only. Allowing traffic for the usual ports.

Regards,

SMc

asavener Commented:
Sounds like a good opportunity to get on the console and watch for any error messages.
ls21gce (Author) Commented:
Hi Asavener,

The Lock up was due about 20 mins ago and duly obliged. I was logged onto the router and took a snapshot of the last few messages before it froze up. I have included the snapshot here so I hope it is viewable.

Regards,

SMc


Cisco-Log.doc

asavener Commented:
OK, the "getting aggressive" and "calming down" messages refer to the number of half-open connections the router is seeing.

This could indicate a denial-of-service attack, or it could be a networking problem.

A large number of half-open connections can cause resource (primarily memory) starvation.

Can you post the router's configuration?  We may be able to suggest changes that will make the router more robust.

Also, what version of IOS is the router running?  Can you provide the output of the "show version" command?
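
Added example (not part of the original thread and not Cisco tooling): Python that parses the firewall's `%FW-4-ALERT_ON` ("getting aggressive") and `%FW-4-ALERT_OFF` ("calming down") syslog messages discussed above, pairs them into half-open-connection episodes, and tests whether the onsets recur at a fixed interval, as with the 7-hour lockups reported in this thread. The log lines are constructed samples in the format that the `service sequence-numbers` and `service timestamps log datetime msec localtime show-timezone` settings in the posted config produce; the year 2009 is an assumed value because IOS omits the year.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not taken from the thread's Cisco-Log.doc attachment).
SAMPLE_LOG = """\
000101: Apr 14 02:00:03.120 PCTime: %FW-4-ALERT_ON: getting aggressive, count (501/500) current 1-min rate: 312
000102: Apr 14 02:00:41.907 PCTime: %FW-4-ALERT_OFF: calming down, count (399/400) current 1-min rate: 88
000140: Apr 14 09:00:03.455 PCTime: %FW-4-ALERT_ON: getting aggressive, count (501/500) current 1-min rate: 340
000141: Apr 14 09:00:52.010 PCTime: %FW-4-ALERT_OFF: calming down, count (399/400) current 1-min rate: 75
000177: Apr 14 16:00:02.981 PCTime: %FW-4-ALERT_ON: getting aggressive, count (501/500) current 1-min rate: 298
"""

LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+: "
    r"%FW-4-ALERT_(?P<state>ON|OFF): .*?count \((?P<count>\d+)/(?P<limit>\d+)\)"
)

def parse_events(text, year):
    """Return (time, state, half_open_count, threshold) per firewall alert line."""
    events = []
    for m in LINE_RE.finditer(text):
        # IOS omits the year from log timestamps, so the caller supplies it.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append((when, m["state"], int(m["count"]), int(m["limit"])))
    return sorted(events)

def episodes(events):
    """Pair each ALERT_ON with the next ALERT_OFF; end is None if it never calmed down."""
    out, start = [], None
    for when, state, _count, _limit in events:
        if state == "ON" and start is None:
            start = when
        elif state == "OFF" and start is not None:
            out.append((start, when))
            start = None
    if start is not None:
        out.append((start, None))
    return out

def onset_period(events, tolerance=timedelta(seconds=5)):
    """Return the mean gap between episode onsets if all gaps agree, else None."""
    starts = [s for s, _ in episodes(events)]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2 or max(gaps) - min(gaps) > tolerance:
        return None
    mean = sum(gaps, timedelta()) / len(gaps)
    return timedelta(seconds=round(mean.total_seconds()))

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG, 2009)
    print(episodes(evs), onset_period(evs))
```

Onsets that recur on a fixed clock, as in the constructed sample, suggest a scheduled process on some device in the path; irregular onsets with varying counts look more like external traffic.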

ls21gce (Author) Commented:
Were the final 2 messages about the time nothing to do with the problem then?

Ok, I have updated the config to show the IOS image name as well as the version:

!This is the running config of the router: 192.168.0.1
!----------------------------------------------------------------------------
!version 12.3(8)YI1  [c850-advsecurityk9-mz.123-8.YI]
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Howletts
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$o4b5$.TysZquj5mLNa7Xh3cWhn.
!
username steve privilege 15 view root secret 5 $1$Zh6G$d40P0INOwQtrd89DdQiuh1
username steve1 privilege 15 view root secret 5 $1$DBup$NtyuiV.8MicYopXVofdfH.
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
ip dhcp pool Howletts
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 192.168.0.10
   domain-name howletts.co.uk
   lease infinite
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip name-server 217.33.8.107
ip name-server 217.33.8.106
no ftp-server write-enable
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address nnn.nn.nnn.nnn 255.255.255.252
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 nnn.nn.nnn.nnn permanent
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.10 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.0.5 110 interface FastEthernet4 110
ip nat inside source static tcp 192.168.0.10 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.0.5 25 interface FastEthernet4 25
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny   any
access-list 50 remark Permit NAT Passthru
access-list 50 remark SDM_ACL Category=1
access-list 50 remark Public IP Address
access-list 50 permit nnn.nn.nnn.nnn
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 192.168.0.5 eq domain any
access-list 101 permit udp host 192.168.0.10 eq domain any
access-list 101 deny   ip nnn.nn.nnn.nnn 0.0.0.3 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 217.33.8.106 eq domain host nnn.nn.nnn.nnn
access-list 102 permit udp host 217.33.8.107 eq domain host nnn.nn.nnn.nnn
access-list 102 deny   ip 192.168.0.0 0.0.0.255 any
access-list 102 permit icmp any host nnn.nn.nnn.nnn echo-reply
access-list 102 permit icmp any host nnn.nn.nnn.nnn time-exceeded
access-list 102 permit icmp any host nnn.nn.nnn.nnn unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp host 194.73.73.96 eq domain any
access-list 103 permit udp host 217.33.8.106 eq domain any
access-list 103 permit udp host 217.33.8.107 eq domain any
access-list 103 deny   ip 192.168.0.0 0.0.0.255 any
access-list 103 permit icmp any host nnn.nn.nnn.nnn echo-reply
access-list 103 permit icmp any host nnn.nn.nnn.nnn time-exceeded
access-list 103 remark SMTP Mail server
access-list 103 permit tcp any host nnn.nn.nnn.nnn eq smtp
access-list 103 remark POP3 mail server
access-list 103 permit tcp any host nnn.nn.nnn.nnn eq pop3
access-list 103 remark HTTPS Secure www access
access-list 103 permit tcp any host nnn.nn.nnn.nnn eq 443
access-list 103 remark HTTP Access on Port 80
access-list 103 permit tcp any host nnn.nn.nnn.nnn eq www
access-list 103 permit icmp any host nnn.nn.nnn.nnn unreachable
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 deny   ip any any
no cdp run
!
control-plane
!
banner login ^CWelcome to the Howletts Network.....
This Network is configured and supported by Howletts

Have a nice day..............^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 login local
 transport preferred all
 transport output telnet
line vty 0 4
 access-class 104 in
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


asavener Commented:
"Were the final 2 messages about the time nothing to do with the problem then ?"

I think that's the router creating a timestamp for a crash file.  What's the output of "show flash"?

ls21gce (Author) Commented:
!This is the show flash output of the router: show flash
!----------------------------------------------------------------------------

20480K bytes of processor board System flash (Intel Strataflash)

Directory of flash:/

    2  -rwx     9186656   --- -- ---- --:--:-- -----  c850-advsecurityk9-mz.123-8.YI1.bin
    3  -rwx        1038  Mar 01 2002 00:55:07 +00:00  home.shtml
    4  -rwx        3179  Mar 01 2002 00:55:08 +00:00  sdmconfig-8xx.cfg
    5  -rwx      112640  Mar 01 2002 00:55:15 +00:00  home.tar
    6  -rwx     1505280  Mar 01 2002 00:56:51 +00:00  common.tar
    7  -rwx     6389760  Mar 01 2002 01:11:16 +00:00  sdm.tar
    8  -rwx       93095  Mar 01 2002 00:05:32 +00:00  attack-drop.sdf
    9  -rwx      931840  Mar 01 2002 01:17:40 +00:00  es.tar
   10  -rwx        7079  Apr 14 2009 21:47:31 +00:00  SDM_Backup

19353600 bytes total (1114112 bytes free)


What do you think about the exact 7 hours? This must be a huge clue; are there any network processes that would recur every 7 hours? I was thinking maybe access to an NTP server or similar, but why would it freeze the router?

SMc

asavener Commented:
One thing I note is that your IOS image is way out of date.  12(3)8-YI2 (a later release than yours) came out in 2005.

Upgrading IOS image and SDM would be my first steps if this were my router.

ls21gce (Author) Commented:
I have updated the SDM to the latest version which is 2.5, but I could not find anywhere to download a newer version of the IOS image. Do you know where this is possible?

asavener Commented:
www.cisco.com -> Support -> Download Software -> Cisco IOS and NX-OS Software.

Requires Cisco Connection Online (CCO) login, and you have to be authorized (licensed) to download the software.  You should have received a contract number when you purchased the router; you have to get your CCO account associated with the contract.  A SmartNet contract will work as well.

ls21gce (Author) Commented:
Spoke to Cisco SmartNet but was informed that as a contract has not been in force, and the equipment is 2 years old, it would need to be inspected by them before they would be prepared to offer a contract. The cost of the inspection I was told would far exceed the value of the equipment and I cannot download the latest version of IOS without the SmartNet contract.

In effect they are telling me to throw away my 2 year old router (used for a maximum of 2 weeks) and buy a new one as a solution.

Given the fact that the router has some kind of 7 hour time-bomb inside it and that doesn't even attract advice from Cisco apart from chuck it away, doesn't fill me with a burning ambition to rush out and buy another one.

If as you suggest there may be a potential bug in the old version of the software the attitude strikes me as a bit rich.

Net result is I have a 2 year old Cisco "high quality" router that has been barely used and yet locks up every 7 hours to the exact second.

Time to look elsewhere I think. Thanks for your help

ls21gce (Author) Commented:
After making a Firmware Upgrade to Ubiquiti equipment, this solved the 7 hour lease problem with the Cisco router.