11-09-2010 01:23 AM - edited 03-04-2019 10:24 AM
Hello,
We have a fairly major problem with some of our Cisco 877 units (5 in all). All are running 15.2(2)T2 in order to make use of zone-based firewalls and virtual reassembly, and all are exhibiting the same problem. When our ADSL line drops, this is shown in syslog:
2010-11-09 01:03:06 Local7.Info 192.168.7.1 4733: Nov 9 01:03:05.707: %FW-6-DROP_PKT: Dropping tcp session 192.168.7.2:25 109.224.142.52:41799 on zone-pair OutsideToInside class cm-MainServerServices due to RST inside current window with ip ident 0
2010-11-09 01:04:06 Local7.Info 192.168.7.1 4734: Nov 9 01:04:05.946: %FW-6-DROP_PKT: Dropping tcp session 192.168.7.2:25 109.224.142.52:41809 on zone-pair OutsideToInside class cm-MainServerServices due to RST inside current window with ip ident 0
2010-11-09 01:05:29 Local7.Info 192.168.7.1 4735: Nov 9 01:05:28.069: %FW-6-DROP_PKT: Dropping tcp session 192.168.7.2:48854 69.43.160.174:25 on zone-pair InsideToOutside class cm-AllowedOut due to Stray Segment with ip ident 0
2010-11-09 01:07:06 Local7.Info 192.168.7.1 4736: Nov 9 01:07:05.710: %FW-6-DROP_PKT: Dropping tcp session 192.168.7.2:25 109.224.142.52:41839 on zone-pair OutsideToInside class cm-MainServerServices due to RST inside current window with ip ident 0
2010-11-09 01:08:09 Local7.Info 192.168.7.1 4737: Nov 9 01:08:08.782: %FW-6-DROP_PKT: Dropping tcp session 192.168.7.74:59503 212.118.234.157:80 on zone-pair InsideToOutside class cm-AllowedOut due to RST inside current window with ip ident 0
2010-11-09 01:08:28 Local7.Debug 192.168.7.1 4738: Nov 9 01:08:28.280: NTP Core (INFO): system event 'event_clock_reset' (0x05) status 'sync_alarm, sync_unspec, 13 events, event_peer/strat_chg' (0xC0D4)
2010-11-09 01:08:28 Local7.Debug 192.168.7.1 4739: Nov 9 01:08:28.280: NTP Core (NOTICE): Clock synchronization lost.
2010-11-09 01:08:29 Local7.Notice 192.168.7.1 4740: .Nov 9 01:08:28.288: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
2010-11-09 01:08:37 Local7.Debug 192.168.7.1 4741: .Nov 9 01:08:36.706: NTP Core (INFO): system event 'event_peer/strat_chg' (0x04) status 'sync_alarm, sync_local_proto, 14 events, event_clock_reset' (0xC5E5)
2010-11-09 01:08:37 Local7.Debug 192.168.7.1 4742: .Nov 9 01:08:36.706: NTP Core (INFO): synchronized to 127.127.1.1, stratum 7
2010-11-09 01:08:37 Local7.Debug 192.168.7.1 4743: .Nov 9 01:08:36.706: NTP Core (INFO): system event 'event_sync_chg' (0x03) status 'leap_none, sync_local_proto, 15 events, event_peer/strat_chg' (0x5F4)
2010-11-09 01:08:37 Local7.Debug 192.168.7.1 4744: .Nov 9 01:08:36.706: NTP Core (NOTICE): Clock is synchronized.
2010-11-09 01:08:37 Local7.Debug 192.168.7.1 4745: Nov 9 01:08:36.706: NTP Core (INFO): system event 'event_peer/strat_chg' (0x04) status 'leap_none, sync_local_proto, 15 events, event_sync_chg' (0x5F3)
2010-11-09 01:10:44 Local7.Notice 192.168.7.1 4746: Nov 9 01:10:41.790: %TRACKING-5-STATE: 10 ip sla 10 reachability Up->Down
2010-11-09 01:10:44 Local7.Notice 192.168.7.1 4747: Nov 9 01:10:41.790: %TRACKING-5-STATE: 20 ip sla 20 reachability Up->Down
2010-11-09 01:10:44 Local7.Info 192.168.7.1 4748: Nov 9 01:10:41.798: %HA_EM-6-LOG: ema-ADSL-Down: ********** WARNING! ADSL Line Down! **********
2010-11-09 01:10:44 Local7.Info 192.168.7.1 4749: Nov 9 01:10:41.798: %HA_EM-6-FMS_RELOAD_SYSTEM: fh_io_msg: Policy has requested a system reload; -Process= "EEM Server", ipl= 0, pid= 225
<<< Our event manager applet reloads the router as the IP SLA trackers cannot ping external servers.
2010-11-09 01:10:45 Local7.Notice 192.168.7.1 4750: Nov 9 01:10:41.842: %SYS-5-RELOAD: Reload requested by EEM. Reload Reason: Embedded Event Manager action.
2010-11-09 01:13:12 Local7.Notice 192.168.7.1 34: *Jun 16 14:55:17.580: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
2010-11-09 01:13:30 Local7.Error 192.168.7.1 35: *Jun 16 14:55:35.194: %LINK-3-UPDOWN: Interface ATM0, changed state to up
2010-11-09 01:13:30 Local7.Notice 192.168.7.1 36: *Jun 16 14:55:36.194: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to up
2010-11-09 01:13:39 Local7.Info 192.168.7.1 37: *Jun 16 14:55:43.839: %DIALER-6-BIND: Interface Vi3 bound to profile Di0
2010-11-09 01:13:40 Local7.Error 192.168.7.1 38: *Jun 16 14:55:43.843: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
2010-11-09 01:14:01 Local7.Debug 192.168.7.1 39: *Jun 16 14:56:04.562: NTP Core (INFO): system event 'event_peer/strat_chg' (0x04) status 'sync_alarm, sync_local_proto, 1 event, event_unspec' (0xC510)
2010-11-09 01:14:01 Local7.Debug 192.168.7.1 40: *Jun 16 14:56:04.562: NTP Core (INFO): synchronized to 127.127.1.1, stratum 7
2010-11-09 01:14:01 Local7.Debug 192.168.7.1 41: *Jun 16 14:56:04.562: NTP Core (INFO): system event 'event_sync_chg' (0x03) status 'leap_none, sync_local_proto, 2 events, event_peer/strat_chg' (0x524)
2010-11-09 01:14:01 Local7.Debug 192.168.7.1 42: *Jun 16 14:56:04.562: NTP Core (NOTICE): Clock is synchronized.
2010-11-09 01:14:01 Local7.Debug 192.168.7.1 43: Jun 16 14:56:04.562: NTP Core (INFO): system event 'event_peer/strat_chg' (0x04) status 'leap_none, sync_local_proto, 3 events, event_sync_chg' (0x533)
2010-11-09 01:29:59 Local7.Error 192.168.7.1 44: Jun 16 15:12:04.154: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
2010-11-09 01:30:00 Local7.Info 192.168.7.1 45: Jun 16 15:12:04.154: %DIALER-6-UNBIND: Interface Vi3 unbound from profile Di0
2010-11-09 01:30:01 Local7.Error 192.168.7.1 46: Jun 16 15:12:05.222: %LINK-3-UPDOWN: Interface ATM0, changed state to down
2010-11-09 01:30:01 Local7.Notice 192.168.7.1 47: Jun 16 15:12:06.222: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to down
2010-11-09 01:30:27 Local7.Debug 192.168.7.1 48: Jun 16 15:12:31.214: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:30:47 Local7.Debug 192.168.7.1 49: Jun 16 15:12:51.216: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:31:07 Local7.Debug 192.168.7.1 50: Jun 16 15:13:11.219: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:31:27 Local7.Debug 192.168.7.1 51: Jun 16 15:13:31.221: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:31:47 Local7.Debug 192.168.7.1 52: Jun 16 15:13:51.232: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:32:07 Local7.Debug 192.168.7.1 53: Jun 16 15:14:11.235: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:32:27 Local7.Debug 192.168.7.1 54: Jun 16 15:14:31.237: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:32:47 Local7.Debug 192.168.7.1 55: Jun 16 15:14:51.240: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:33:07 Local7.Debug 192.168.7.1 56: Jun 16 15:15:11.246: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:33:27 Local7.Debug 192.168.7.1 57: Jun 16 15:15:31.249: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:33:47 Local7.Debug 192.168.7.1 58: Jun 16 15:15:51.252: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:34:07 Local7.Debug 192.168.7.1 59: Jun 16 15:16:11.254: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:34:27 Local7.Debug 192.168.7.1 60: Jun 16 15:16:31.257: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:34:47 Local7.Debug 192.168.7.1 61: Jun 16 15:16:51.259: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:35:07 Local7.Debug 192.168.7.1 62: Jun 16 15:17:11.262: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:35:27 Local7.Debug 192.168.7.1 63: Jun 16 15:17:31.265: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:35:47 Local7.Debug 192.168.7.1 64: Jun 16 15:17:51.267: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:36:07 Local7.Debug 192.168.7.1 65: Jun 16 15:18:11.270: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:36:27 Local7.Debug 192.168.7.1 66: Jun 16 15:18:31.272: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:36:47 Local7.Debug 192.168.7.1 67: Jun 16 15:18:51.275: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:37:07 Local7.Debug 192.168.7.1 68: Jun 16 15:19:11.278: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:37:27 Local7.Debug 192.168.7.1 69: Jun 16 15:19:31.280: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:37:47 Local7.Debug 192.168.7.1 70: Jun 16 15:19:51.283: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:38:07 Local7.Debug 192.168.7.1 71: Jun 16 15:20:11.285: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:38:27 Local7.Debug 192.168.7.1 72: Jun 16 15:20:31.288: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:38:47 Local7.Debug 192.168.7.1 73: Jun 16 15:20:51.290: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:39:07 Local7.Debug 192.168.7.1 74: Jun 16 15:21:11.293: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:39:27 Local7.Debug 192.168.7.1 75: Jun 16 15:21:31.296: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:39:47 Local7.Debug 192.168.7.1 76: Jun 16 15:21:51.298: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:40:07 Local7.Debug 192.168.7.1 77: Jun 16 15:22:11.301: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:40:27 Local7.Debug 192.168.7.1 78: Jun 16 15:22:31.303: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:40:47 Local7.Debug 192.168.7.1 79: Jun 16 15:22:51.306: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:41:07 Local7.Debug 192.168.7.1 80: Jun 16 15:23:11.309: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:41:27 Local7.Debug 192.168.7.1 81: Jun 16 15:23:31.311: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:41:47 Local7.Debug 192.168.7.1 82: Jun 16 15:23:51.314: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:42:07 Local7.Debug 192.168.7.1 83: Jun 16 15:24:11.316: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:42:27 Local7.Debug 192.168.7.1 84: Jun 16 15:24:31.319: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:42:47 Local7.Debug 192.168.7.1 85: Jun 16 15:24:51.322: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:43:07 Local7.Debug 192.168.7.1 86: Jun 16 15:25:11.324: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:43:28 Local7.Debug 192.168.7.1 87: Jun 16 15:25:31.327: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:43:48 Local7.Debug 192.168.7.1 88: Jun 16 15:25:51.329: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:44:08 Local7.Debug 192.168.7.1 89: Jun 16 15:26:11.332: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:44:28 Local7.Debug 192.168.7.1 90: Jun 16 15:26:31.335: DSL(ATM0): No retrain. sleep 20 seconds
The "no retrain. sleep 20 seconds" messages continue forever more until somebody power-cycles the router - which is a bit inconvenient as two are 300 miles away.
Surprisingly, our event manager applet isn't triggering the reload either, which defeats the object.
Config below. Anyone any ideas please?
Many thanks,
Jim
!
! Last configuration change at 09:07:05 GMT Tue Nov 9 2010 by xx
! NVRAM config last updated at 09:07:07 GMT Tue Nov 9 2010 by xx
!
version 15.1
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
!
hostname Shore877
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
!
!
!
aaa session-id common
!
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
crypto pki token default removal timeout 0
!
!
dot11 syslog
ip source-route
!
!
!
!
!
no ip cef
ip domain name sln.local
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip port-map user-ESET port tcp xxx description ESET NOD32 Communication
ip port-map user-RDP-TS port tcp xx description Terminal Services on terminal server
ip port-map user-RDP-Main port tcp xxxx description Terminal Services on main server
ip inspect log drop-pkt
ip inspect WAAS flush-timeout 10
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type inspect global
log dropped-packets enable
parameter-map type inspect pmap-audit
audit-trail on
!
!
archive
log config
hidekeys
object-group network og-L1-DNS-Servers
description Allowed external DNS servers
host 208.67.222.222
host 208.67.220.220
!
object-group network og-L1-Jim-Home
description Jim Home IP
host xxx.xxx.xx.xxx
host xx.xxx.xxx.xxx
!
object-group network og-L1-MainServer
description Main server IP
host 192.168.7.2
!
object-group network og-L1-NTP-Servers
description Allowed external NTP servers
host 129.6.15.xxx
!
object-group network og-L1-TerminalServer
description Terminal server IP
host 192.168.7.4
!
object-group network og-L2-Allow-RDP
description Allow access to RDP from these hosts
group-object og-L1-Jim-Home
!
object-group network og-L2-Allow-SNMP
description Allow SNMP from these hosts
group-object og-L1-Jim-Home
group-object og-L1-MainServer
!
object-group network og-L2-Allow-SSH
description Allow SSH to router from these external hosts
group-object og-L1-Jim-Home
!
username xxx privilege 15 secret 5 xx
!
!
ip ssh version 2
!
track 10 ip sla 10 reachability
delay down 180 up 10
!
track 20 ip sla 20 reachability
delay down 180 up 10
!
class-map type inspect match-any cm-MainServerProtocols
description Externally visible protocols on the server
match protocol https
match protocol smtp
match protocol user-ESET
class-map type inspect match-all cm-MainServerServices
description Externally-visible protocols headed to main server
match class-map cm-MainServerProtocols
match access-group name acl-MainServer
class-map type inspect match-any cm-TerminalServerProtocols
description Externally visible protocols on the terminal server
match protocol user-RDP-TS
class-map type inspect match-all cm-TerminalServerServices
description Externally-visible protocols headed to terminal server
match class-map cm-TerminalServerProtocols
match access-group name acl-TerminalServer
class-map type inspect match-any cm-Allow-SSH
description Allow SSH access to router
match access-group name acl-Allow-SSH
class-map type inspect match-any cm-AllowedOut
description Permitted Traffic to internet
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all cm-PPTP-Passthrough
match access-group name acl-PPTP-Passthrough
class-map type inspect match-all cm-ICMP-Request
description Only certain pings permitted to router
match access-group name acl-ICMP-Request
match protocol icmp
class-map type inspect match-all cm-ICMP-Reply
description Only certain pings permitted to router
match access-group name acl-ICMP-Reply
class-map type inspect match-all cm-Allow-SNMP
description Allow SNMP access to router
match access-group name acl-Allow-SNMP
match protocol snmp
class-map type inspect match-all cm-Allow-NTP-Replies
description Allow NTP replies
match access-group name acl-Allow-NTP-Replies
match protocol ntp
class-map type inspect match-all cm-RDP
description Remote Desktop access to server
match protocol user-RDP-Main
match access-group name acl-Allow-RDP
match access-group name acl-MainServer
class-map type inspect match-all cm-Allow-DNS-Replies
description Allow DNS replies
match access-group name acl-Allow-DNS-Replies
!
!
policy-map type inspect pm-RouterToInside
description Router to LAN
class class-default
pass
policy-map type inspect pm-InsideToRouter
description LAN to router
class class-default
pass
policy-map type inspect pm-InsideToOutside
description LAN to Internet
class type inspect cm-PPTP-Passthrough
pass
class type inspect cm-AllowedOut
inspect
class class-default
drop log
policy-map type inspect pm-OutsideToInside
description Internet to LAN (server)
class type inspect cm-PPTP-Passthrough
pass
class type inspect cm-Allow-NTP-Replies
inspect pmap-audit
class type inspect cm-MainServerServices
inspect
class type inspect cm-TerminalServerServices
inspect
class type inspect cm-RDP
inspect
class class-default
drop log
policy-map type inspect pm-OutsideToRouter
class type inspect cm-Allow-NTP-Replies
pass
class type inspect cm-Allow-SSH
pass
class type inspect cm-ICMP-Reply
pass
class type inspect cm-Allow-SNMP
pass
class type inspect cm-ICMP-Request
inspect
class type inspect cm-Allow-DNS-Replies
pass
class class-default
drop log
policy-map type inspect pm-RouterToOutside
description Router to internet
class class-default
pass
!
zone security Inside
zone security Outside
zone-pair security InsideToOutside source Inside destination Outside
service-policy type inspect pm-InsideToOutside
zone-pair security RouterToInside source self destination Inside
service-policy type inspect pm-RouterToInside
zone-pair security InsideToRouter source Inside destination self
service-policy type inspect pm-InsideToRouter
zone-pair security OutsideToRouter source Outside destination self
service-policy type inspect pm-OutsideToRouter
zone-pair security RouterToOutside source self destination Outside
service-policy type inspect pm-RouterToOutside
zone-pair security OutsideToInside source Outside destination Inside
service-policy type inspect pm-OutsideToInside
!
!
!
!
!
!
!
interface ATM0
description ADSL Connection
no ip address
no atm ilmi-keepalive
dsl enable-training-log
dsl bitswap both
hold-queue 200 in
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
no ip address
zone-member security Inside
!
interface Vlan1
description Shore LAN
ip address 192.168.7.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
zone-member security Inside
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Dialer0
bandwidth inherit
ip address negotiated
ip nat outside
ip virtual-reassembly in
zone-member security Outside
encapsulation ppp
ip tcp header-compression iphc-format
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xx@xx
ppp chap password 7 xx
ppp ipcp dns 208.67.222.222 208.67.220.220
ppp ipcp wins request
no cdp enable
ip rtp header-compression iphc-format
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.7.2 xx interface Dialer0 xx
ip nat inside source static tcp 192.168.7.4 xx interface Dialer0 xx
ip nat inside source static tcp 192.168.7.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.7.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.7.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.7.2 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.7.3 xx interface Dialer0 xx
ip nat inside source static tcp 192.168.7.3 xx interface Dialer0 xx
ip nat inside source static tcp 192.168.7.2 2222 interface Dialer0 xx
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list standard acl-NAT-Ranges
remark Define NAT internal ranges
permit 192.168.7.0 0.0.0.255
!
ip access-list extended acl-Allow-DNS-Replies
permit udp object-group og-L1-DNS-Servers eq domain any
ip access-list extended acl-Allow-NTP-Replies
permit udp object-group og-L1-NTP-Servers any eq ntp
ip access-list extended acl-Allow-RDP
permit tcp object-group og-L2-Allow-RDP any
ip access-list extended acl-Allow-SNMP
permit udp object-group og-L2-Allow-SNMP any eq snmp
ip access-list extended acl-Allow-SSH
remark Allow SSH from these external hosts
permit tcp object-group og-L2-Allow-SSH any eq 22
ip access-list extended acl-ICMP-Reply
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any ttl-exceeded
permit icmp any any packet-too-big
permit icmp any any echo-reply
ip access-list extended acl-ICMP-Request
permit icmp any any echo
ip access-list extended acl-MainServer
permit tcp any object-group og-L1-MainServer
ip access-list extended acl-PPTP-Passthrough
permit gre any any
ip access-list extended acl-TerminalServer
permit tcp any object-group og-L1-TerminalServer
!
ip sla 10
icmp-echo 8.8.8.8 source-interface Vlan1
threshold 3000
timeout 3000
frequency 10
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 208.67.222.222 source-interface Vlan1
threshold 3000
timeout 3000
frequency 10
ip sla schedule 20 life forever start-time now
ip access-list logging interval 10
logging esm config
logging trap debugging
logging 192.168.7.2
dialer-list 1 protocol ip permit
!
!
!
!
snmp-server community xx RO
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
exec-timeout 0 0
privilege level 15
length 40
width 160
transport input ssh
transport output all
!
scheduler max-task-time 5000
ntp master
ntp server 129.6.15.28
event manager applet ema-ADSL-Down
event tag PingDown1 track 10 state down
event tag PingDown2 track 20 state down
trigger
correlate event PingDown1 and event PingDown2
action 10 syslog msg "********** WARNING! ADSL Line Down! **********"
action 20 reload
event manager applet ema-ADSL-Up
event tag PingUp1 track 10 state up
event tag PingUp2 track 20 state up
trigger
correlate event PingUp1 or event PingUp2
action 10 syslog msg "********** ADSL Line UP **********"
!
end
11-09-2010 10:14 AM
To be honest with you, and sorry if that is not the answer you are looking for, ZBFW only causes trouble in my experience, and its usefulness is debatable.
With just NAT and few ACLs, you are 100% protected anyway. This is my experience of hundreds of sites of my own clients, and I guess some millions worldwide.
This said, you should look first at stabilizing the circuit. Updating ADSL firmware is a good way to do it.
11-10-2010 01:53 AM
Many thanks. Yes, ZBFW was a big move and I wasn't sure whether to do it or not. But I need to learn it sooner or later since Cisco aren't enhancing CBAC at all now.
Unfortunately we're already on the latest ADSL firmware.
Jim
12-09-2010 03:05 AM
Hi Jim, I had a similar problem, after I changed the IOS to c870-advsecurityk9-mz.150-1.M.bin and you can have your ZBFirewall.
Regards
Z
12-09-2010 03:07 AM
We had to roll back to 12.4 on all our routers, which also meant rolling back to CBAC since ZBF in 12.4 doesn't handle out-of-sequence packets. A shame, but we had no choice.
The problem hasn't happened since we went back to 12.4
Jim
12-26-2010 01:34 AM
I've been getting this too on an 877 running various patch levels of 15.1T. I am using the 4.0.15 firmware it comes with in the IOS, and it's the same firmware I ran (non built in) on 12.4T, where I never had this no retrain problem.
A colleague running 15.0M isn't getting the no retrain problem.
It would appear that it can't be affecting all that many people because googling I only find about 3 people asking about it.
Does the semi-mythical 4.0.195 firmware fix the problem?
For the record, I'm not using ZBFW.
12-26-2010 02:33 AM
We had to rollback on all our 877s. We had 15.x running, all configured with ZBF, and then we started hitting this problem.
All had 4.0.195 so no, it doesn't fix the problem. The only solution for us was to revert to 12.4
Jim
12-26-2010 03:59 AM
I've exchanged email with someone who said it didn't happen to them on 15.1(1)T but only on later patch levels. I don't recall it happening to me that early either, or I'm sure I'd have reverted to 12.4T as well.
As I said, my 15.0 colleague has never had this happen to him. And I don't think it happened to me on 15.0 either.
It's odd so few people seem to be getting this. Could it be dependent on multiple factors, e.g. exact model of DSLAM, bootrom, dsl firmware?
12-26-2010 04:50 AM
I only tried it on 15.1. I was going to try on 15.0 but then read some dire warnings about stability on 15.0 so I didn't progress any further. It is surprising that it's not widespread, given that 15.1 is "current". But then I think lots of people will stay on 12.4 for a while?
Jim
12-28-2010 12:55 PM
You say your EEM applet doesn't reboot your router. The following just rebooted mine:
event manager applet ATMFIX
event syslog occurs 3 pattern "No retrain. sleep 20 seconds"
action 1.0 syslog msg "Rebooting to recover from no retrain problem."
action 2.0 reload
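The same check, done on the syslog collector instead of on the router, against the log format shown in the first post. This is an added example, not code from any poster or from Cisco; the function names, finding labels and the 300-second skew limit are assumptions, and the threshold of 3 mirrors `occurs 3` in the applet above.

```python
import re
from datetime import datetime

# Layout of the collector lines in the thread:
# <date> <time> <facility.severity> <source> <seq>: [.|*]<device time>: <message>
LINE_RE = re.compile(
    r"^(?P<cdate>\d{4}-\d\d-\d\d) (?P<ctime>\d\d:\d\d:\d\d) \S+ (?P<src>\S+) "
    r"(?P<seq>\d+): [.*]?(?P<dmon>[A-Z][a-z]{2}) +(?P<dday>\d+) "
    r"(?P<dtime>\d\d:\d\d:\d\d)\.\d+: (?P<msg>.*)$"
)
STUCK = "No retrain. sleep 20 seconds"

# Lines copied from the log in the first post (not new data).
SAMPLE = """\
2010-11-09 01:10:45 Local7.Notice 192.168.7.1 4750: Nov 9 01:10:41.842: %SYS-5-RELOAD: Reload requested by EEM. Reload Reason: Embedded Event Manager action.
2010-11-09 01:13:12 Local7.Notice 192.168.7.1 34: *Jun 16 14:55:17.580: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
2010-11-09 01:30:01 Local7.Error 192.168.7.1 46: Jun 16 15:12:05.222: %LINK-3-UPDOWN: Interface ATM0, changed state to down
2010-11-09 01:30:27 Local7.Debug 192.168.7.1 48: Jun 16 15:12:31.214: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:30:47 Local7.Debug 192.168.7.1 49: Jun 16 15:12:51.216: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:31:07 Local7.Debug 192.168.7.1 50: Jun 16 15:13:11.219: DSL(ATM0): No retrain. sleep 20 seconds
2010-11-09 01:31:27 Local7.Debug 192.168.7.1 51: Jun 16 15:13:31.221: DSL(ATM0): No retrain. sleep 20 seconds
"""

def parse(line):
    """Return (collector time, device time, source, seq, message) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    collector = datetime.strptime(f"{m['cdate']} {m['ctime']}", "%Y-%m-%d %H:%M:%S")
    # The device stamp carries no year; borrow the collector's.
    device = datetime.strptime(
        f"{collector.year} {m['dmon']} {m['dday']} {m['dtime']}", "%Y %b %d %H:%M:%S")
    return collector, device, m["src"], int(m["seq"]), m["msg"]

def analyze(lines, threshold=3, max_skew_s=300):
    """Return findings as (collector time, source, kind, detail) tuples."""
    findings, last_seq, stuck, last_when, skewed = [], {}, {}, {}, set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        collector, device, src, seq, msg = ev
        when = collector.isoformat(sep=" ")
        # The syslog sequence number going backwards means the router restarted.
        if src in last_seq and seq < last_seq[src]:
            findings.append((when, src, "restart", f"seq {last_seq[src]} -> {seq}"))
            stuck[src] = 0
            skewed.discard(src)
        last_seq[src], last_when[src] = seq, when
        # After a reload with the line down there is no NTP, so the device
        # stamp cannot be used for correlation; trust the collector's time.
        skew = abs((collector - device).total_seconds())
        if skew > max_skew_s and src not in skewed:
            skewed.add(src)
            findings.append((when, src, "clock_untrusted",
                             f"device clock off by {int(skew // 86400)} days"))
        # Count consecutive no-retrain messages; any other message resets.
        if STUCK in msg:
            stuck[src] = stuck.get(src, 0) + 1
            if stuck[src] == threshold:
                findings.append((when, src, "dsl_stuck",
                                 f"{threshold} consecutive no-retrain messages"))
        else:
            stuck[src] = 0
    # Still counting at end of input: nothing (reload, link-up) broke the run.
    for src, n in stuck.items():
        if n >= threshold:
            findings.append((last_when[src], src, "unrecovered",
                             f"{n} no-retrain messages, nothing else logged since"))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE.splitlines()):
        print(*finding, sep=" | ")
```
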
12-28-2010 11:13 PM
I was using different logic in my event manager. I ping a Google DNS server every few seconds, and a different DNS server every few seconds. If BOTH fail to respond then I assume my line is down and I reload. Bizarrely, my logic works okay normally except it didn't in this scenario.
I'm going to stick on 12.4 for a while. It's such a showstopper bug in 15.x, and 15.x doesn't actually bring any benefits for me, so I'll err on the side of stability.
Jim
01-27-2011 12:25 AM
I bought a used 887-K9 and I am getting troubles with ADSL2 lines in Italy.
I am totally unable to get the latest ADSL2 firmware through official channels, could somebody please help me?
01-27-2011 02:09 PM
If you buy a support contract, you will have access to all DSL firmware.
Otherwise, you can only download whatever is under public access.
01-27-2011 11:39 PM
When I say official channels, I mean I can download anything that is available on the Cisco support site; however, that particular firmware, such as the previous 4.0.18, is NOT available.
09-01-2011 05:52 AM
The release notes for 15.2 say that this has been fixed. Since 15.2 is not available for the 877 you can instead use the workaround, which is to remove this line from your config under interface ATM0:
dsl enable-training-log