I'm having issues accessing my device/router, as well as discovering it from my poller via SNMP. We notice that this issue happens at a certain time. Here's sample output of the issue, where I can't connect from our remote server.
Note that I can ping the device without any packet loss, plus there is no interruption to its routing protocol.
ssh: connect to host 172.27.136.222 port 22: Connection timed out
Or sometimes it gets stuck after typing the password.
After issuing "show users" I'm able to see my remote server's address, which means that the server can connect but somehow gets interrupted. (Note: I'm able to access the router through a backdoor.)
During the investigation, I ran a packet capture to verify what is actually happening.
From the link you will see two sets of communication: the one in the above photo is the time that the device cannot be remoted into, and the below photo is the time that we can access the device.
a. Above photo (ssh not working):
Notice that 192.168.200.200 (remote server) sent a SYN (random port 54656 / tcp 22), but I see a different address send the reply, as opposed to the destination IP, which is 172.27.136.22... and after that 192.168.200.200 (remote server) sends a retransmission.
b. Below photo (ssh working):
Notice that 192.168.200.200 (remote server) sent a SYN (random port 32824 / tcp 22), but here I see that the router mgmt IP sends the reply, which is correct.
REMOTE SERVER -----> HUB(Tun100) ------> (Tun100)SPOKE(loopback99-mgmt)
REMOTE SERVER <----- HUB(Tun100) <------ (Tun100)SPOKE(loopback99-mgmt)
ip address 10.118.2.45 255.255.255.255
ip address 172.27.136.222 255.255.255.255
ip address x
no ip redirects
ip mtu 1400
ip nat outside
ip pim nbma-mode
ip pim sparse-mode
ip nhrp map x
ip nhrp map x
ip nhrp network-id 23
ip nhrp holdtime 500
ip nhrp nhs x
ip nhrp redirect
zone-member security IN_ZONE
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel vrf ISP
tunnel protection ipsec profile SPK_PROF shared
ip nat translation timeout 14400
ip nat translation tcp-timeout 14400
ip nat inside source route-map NTPOL interface Loopback1 overload
route-map NTPOL permit 10
match ip address ACL:NTPOL
match interface Tunnel100
ip access-list extended ACL:NTPOL
permit tcp any host 10.125.156.118 eq 8080
permit tcp any host 10.125.156.200 eq 1352
permit tcp any host 10.125.156.201 eq 1352
permit tcp any host 10.125.156.206 eq 1352
permit tcp any 22.214.171.124 0.0.255.255
permit tcp any 126.96.36.199 0.0.255.255
permit tcp any 188.8.131.52 0.0.255.255
permit udp any any range 3478 3481
permit udp any any range 50000 59999
permit tcp any any range 50000 59999
permit tcp any any eq 443
adnt-pa0869rz1#sh ip access-lists ACL:NTPOL <-------- NO MATCHES?
Extended IP access list ACL:NTPOL
10 permit tcp any host 10.125.156.118 eq 8080
20 permit tcp any host 10.125.156.200 eq 1352
30 permit tcp any host 10.125.156.201 eq 1352
40 permit tcp any host 10.125.156.206 eq 1352
70 permit tcp any 184.108.40.206 0.0.255.255
80 permit udp any any range 3478 3481
90 permit udp any any range 50000 59999
100 permit tcp any any range 50000 59999 <---- seems like due to this?
110 permit tcp any any eq 443
Pro Inside global Inside local Outside local Outside global
tcp 10.118.2.45:640 172.27.136.2:22 192.168.200.200:58758 192.168.200.200:58758
tcp 10.118.2.45:640 172.27.136.2:22 192.168.200.200:59150 192.168.200.200:59150
So we can see that NAT affects the SSH connection, but how does the router/remote server select the source port? Is this randomly generated?
This issue normally happens during office hours; can we somehow link this to the volume of clients (note: no congestion)?
Also, why is the router translating the Loopback99-mgmt IP even if NAT is not enabled, or the loopback doesn't have ip nat inside?
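As an added illustration (not code from the original post or from Cisco), the script below replays the poster's ACL:NTPOL against the spoke's SSH reply packet (mgmt IP port 22 back to 192.168.200.200 on the client's ephemeral port) for each client port seen in the captures and in the translation table. It assumes, as the post's config implies, that route-map NTPOL translates a packet only when the ACL permits it AND it leaves via Tunnel100 (the "ip nat outside" interface), that ports are written numerically, and that the remote server uses the Linux default ephemeral range 32768-60999 (an assumption; the post does not say what OS the server runs).

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# ACL:NTPOL exactly as it appears in the post's running-config.
ACL_LINES = [
    "permit tcp any host 10.125.156.118 eq 8080",
    "permit tcp any host 10.125.156.200 eq 1352",
    "permit tcp any host 10.125.156.201 eq 1352",
    "permit tcp any host 10.125.156.206 eq 1352",
    "permit tcp any 22.214.171.124 0.0.255.255",
    "permit tcp any 126.96.36.199 0.0.255.255",
    "permit tcp any 188.8.131.52 0.0.255.255",
    "permit udp any any range 3478 3481",
    "permit udp any any range 50000 59999",
    "permit tcp any any range 50000 59999",
    "permit tcp any any eq 443",
]
ROUTER_MGMT = "172.27.136.222"   # Loopback99 mgmt address from the post
REMOTE_SERVER = "192.168.200.200"
NAT_OUTSIDE_IF = "Tunnel100"     # carries 'ip nat outside' and 'match interface Tunnel100'

@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]                   # (address, wildcard) as integers
    src_ports: Optional[Tuple[int, int]]   # inclusive range, None = any port
    dst: Tuple[int, int]
    dst_ports: Optional[Tuple[int, int]]

def _parse_addr(tok, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> ((addr, wild), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ip_address(tok[i + 1])), 0), i + 2
    return (int(ip_address(tok[i])), int(ip_address(tok[i + 1]))), i + 2

def _parse_ports(tok, i):
    """Optional numeric port operator (eq/range); named ports are not handled (assumption)."""
    if i < len(tok):
        if tok[i] == "eq":
            return (int(tok[i + 1]), int(tok[i + 1])), i + 2
        if tok[i] == "range":
            return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse one extended ACE, tolerating the sequence number 'show ip access-lists' prints."""
    tok = line.split()
    i = 1 if tok[0].isdigit() else 0
    action, proto = tok[i], tok[i + 1]
    src, i = _parse_addr(tok, i + 2)
    src_ports, i = _parse_ports(tok, i)
    dst, i = _parse_addr(tok, i)
    dst_ports, _ = _parse_ports(tok, i)
    return Ace(action, proto, src, src_ports, dst, dst_ports)

def _addr_match(spec, ip_int):
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF          # wildcard 0-bits are the bits that must match
    return (ip_int & care) == (addr & care)

def _port_match(spec, port):
    return spec is None or spec[0] <= port <= spec[1]

def first_match(acl: List[Ace], proto, src_ip, src_port, dst_ip, dst_port) -> Optional[Ace]:
    """First-match evaluation; None stands for the implicit deny at the end of the ACL."""
    s, d = int(ip_address(src_ip)), int(ip_address(dst_ip))
    for ace in acl:
        if (ace.proto in ("ip", proto) and _addr_match(ace.src, s) and _addr_match(ace.dst, d)
                and _port_match(ace.src_ports, src_port) and _port_match(ace.dst_ports, dst_port)):
            return ace
    return None

ACL_NTPOL = [parse_ace(line) for line in ACL_LINES]

def ssh_reply_is_translated(client_port: int, egress: str = NAT_OUTSIDE_IF) -> bool:
    """True if the spoke's SSH reply (mgmt:22 -> server:client_port) hits route-map NTPOL,
    i.e. the ACL permits it AND it leaves via Tunnel100, so 'ip nat inside source' rewrites it."""
    if egress != NAT_OUTSIDE_IF:
        return False
    ace = first_match(ACL_NTPOL, "tcp", ROUTER_MGMT, 22, REMOTE_SERVER, client_port)
    return ace is not None and ace.action == "permit"

def fraction_of_ephemeral_range_hit(lo: int = 32768, hi: int = 60999) -> float:
    """Share of the client's ephemeral source ports whose SSH reply would be translated.
    Defaults are the Linux ip_local_port_range defaults (assumed; not stated in the post)."""
    hits = sum(ssh_reply_is_translated(p) for p in range(lo, hi + 1))
    return hits / (hi - lo + 1)

if __name__ == "__main__":
    # Client ports taken from the post: the two captures and the two NAT table entries.
    for port in (54656, 32824, 58758, 59150):
        print(f"client port {port}: reply translated = {ssh_reply_is_translated(port)}")
    print(f"share of 32768-60999 that gets translated: {fraction_of_ephemeral_range_hit():.2f}")
```

Run as-is, the script reports the failing capture's port 54656 and both translation-table ports (58758, 59150) as translated by the "permit tcp any any range 50000 59999" entry, and the working capture's port 32824 as untranslated; roughly a third of a 32768-60999 ephemeral range falls into that ACE, which is why the failure looks random from the client side and why the ACL counter increments only on those connections.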