Re: Cisco 2901 randomnly stop passing traffic although interface is up

breakenridge · ‎04-12-2020

I have a 2901 router (c2900 -universalk9-mz.SPA.157-3.M5.bin) that is simply connected to a cable modem the router has a static IP assigned .It works for a while then stops passing traffic after a while .It will restart with a no shut command or if i reseat the cable connected to the modem.I have tried this with two different 2901 routers .

I have tried setting duplex and speed settings ..same result.

I placed a switch in between the router and the cable modem ..same results,

seeking assistance,

chrihussey · ‎04-13-2020

It may not be a configuration issue.

Would it be possible to post the router's config?

Thanks

breakenridge · ‎04-13-2020

Building configuration...

Current configuration : 4981 bytes
!
! Last configuration change at 14:00:28 UTC Mon Apr 13 2020 by cisco
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router1.Router1
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local none
aaa authentication login abc1 local
aaa authorization network abc2 local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.159.99.1 10.159.99.10
ip dhcp excluded-address 192.168.99.1 192.168.99.20
ip dhcp excluded-address 172.16.99.1 172.16.99.20
!
ip dhcp pool PhoneNetwork
network 10.159.99.0 255.255.255.0
default-router 10.159.99.1
dns-server 8.8.8.8 9.9.9.9
lease infinite
!
ip dhcp pool LANNetwork
network 192.168.99.0 255.255.255.0
default-router 192.168.99.1
dns-server 8.8.8.8 9.9.9.9
!
ip dhcp pool WIFINetwork
network 172.16.99.0 255.255.255.0
default-router 172.16.99.1
dns-server 8.8.8.8 9.9.9.9
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2901/K9 sn FTX1814843B
license boot module c2900 technology-package securityk9
!
!

!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group cisco
key cisco123
pool VPNPOOL
!
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map map1 10
set transform-set set1
reverse-route
!
!
crypto map map1 client authentication list abc1
crypto map map1 isakmp authorization list abc2
crypto map map1 client configuration address respond
crypto map map1 10 ipsec-isakmp dynamic map1
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address x.x.x.x 255.255.255.252
ip nat outside
no ip virtual-reassembly in
duplex auto
speed auto
crypto map map1
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 10.159.99.1 255.255.255.0
ip access-group 120 in
ip access-group 120 out
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.172
encapsulation dot1Q 172
ip address 172.16.99.1 255.255.255.0
ip access-group 121 in
ip access-group 121 out
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.192
encapsulation dot1Q 192
ip address 192.168.99.1 255.255.255.0
ip access-group 119 in
ip access-group 119 out
ip nat inside
ip virtual-reassembly in
!
ip local pool VPNPOOL 192.168.88.10 192.168.88.100
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source static tcp 10.159.99.2 5060 interface GigabitEthernet0/0 5060
ip nat source static tcp 10.159.99.2 5090 interface GigabitEthernet0/0 5090
ip nat source static tcp 10.159.99.2 5001 interface GigabitEthernet0/0 5001
ip nat source static tcp 172.16.99.2 443 interface GigabitEthernet0/0 443
ip nat inside source list Out2Net interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list standard Out2Net
permit 192.168.99.0 0.0.0.255
permit 172.16.99.0 0.0.0.255
permit 10.159.99.0 0.0.0.255
!
!
!
access-list 119 permit ip 192.168.88.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 119 permit ip 192.168.99.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 119 deny tcp any any eq telnet
access-list 119 permit udp any eq bootpc any eq bootps
access-list 119 deny ip 192.168.99.0 0.0.0.255 172.16.99.0 0.0.0.255
access-list 119 deny ip 192.168.99.0 0.0.0.255 10.159.99.0 0.0.0.255
access-list 119 permit ip any any
access-list 120 permit ip 10.159.99.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 120 permit ip 192.168.88.0 0.0.0.255 10.159.99.0 0.0.0.255
access-list 120 deny tcp any any eq telnet
access-list 120 permit udp any eq bootpc any eq bootps
access-list 120 deny ip 10.159.99.0 0.0.0.255 172.16.99.0 0.0.0.255
access-list 120 deny ip 10.159.99.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 120 permit ip any any
access-list 121 permit ip 172.168.99.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 121 permit ip 192.168.88.0 0.0.0.255 172.16.99.0 0.0.0.255
access-list 121 deny tcp any any eq telnet
access-list 121 permit udp any eq bootpc any eq bootps
access-list 121 deny ip 172.16.99.0 0.0.0.255 10.159.99.0 0.0.0.255
access-list 121 deny ip 172.16.99.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 121 permit ip any any
!
!
!
control-plane
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 140D31313A12211F162120310843251D3C2E58490F7651072D09
transport input none
!
scheduler allocate 20000 1000
!
end

Router1.Router1#

Richard Burts · ‎04-13-2020

Thanks for posting the configuration. I have looked through it and do not see obvious issues. When this happens are you able to login to the router? If so can you do a show log and look for any error messages that might relate to this? Also would you post the output of the command show ip interface brief

When this happens if you login to the router is the router able to ping something in the Internet by IP address? Is the router able to ping the ISP next hop address?

I have seen symptoms similar to this when the issue was about arp. When the problem happens again would you login to the router and post the output of the command show arp

Another possibility is some issue with address translation. When the problem happens again would you show the translate table and post the output.

HTH

Rick

chrihussey · ‎04-13-2020

This may not be anything of significance, but I did notice you have NAT enabled on both the G0/1 major interface as well as the sub interfaces. Although it may be not be hurting, it certainly isn't helping. Suggest removing "ip nat inside" from the G0/1 interface and just keeping it on the subs.

That and Richard's suggestions will certainly help in isolating what may be happening.

Regards.

Georg Pauwen · ‎04-12-2022

Hello,

is this router actually being used for remote access VPNs ?

breakenridge · ‎04-11-2022

Better late than never .It was an IP address conflict on the ISP side .issued the public address twice

Richard Burts · ‎04-12-2022

Thanks for the update. Sorry that you had to live with this for so long. Glad that the issue is finally resolved.

HTH

Rick