Router on Stick: CISCO2911/K9 Stop serving DNS on random interval

emmurtaza
Level 1

Hi,

I have the following problem: my Cisco 2900 Router stops resolving DNS requests for the hosts at random intervals.
When I troubleshoot via Windows, the error displayed is: "Windows can't communicate with the device or resource (Primary DNS Server)"

And whenever I restart the router, the issue gets fixed for a few hours.
Attached is the configuration of Router and Core switch
Router Model: Cisco 2900
Core Switch: Cisco 3750


Hello,


looking at your router config, a few things look odd. Try and remove the lines marked in bold. Also, make the Google DNS server the first in your DHCP DNS server lists, e.g.:


dns-server 8.8.8.8 115.186.188.3 115.186.188.4 203.82.48.4


A-Router#sh run
Building configuration...

Current configuration : 7437 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname A-Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXXXXXXX
enable password 7 XXXXXXXXXX
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.5
ip dhcp excluded-address 192.168.20.1 192.168.20.5
ip dhcp excluded-address 192.168.40.1 192.168.40.5
ip dhcp excluded-address 192.168.50.1 192.168.50.15
ip dhcp excluded-address 192.168.60.1 192.168.60.10
ip dhcp excluded-address 192.168.30.1 192.168.30.10
!
ip dhcp pool vlan_10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 115.186.188.3 115.186.188.4 203.82.48.4 8.8.8.8
lease 0 23
!
ip dhcp pool vlan_20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 115.186.188.3 115.186.188.4 203.82.48.4 8.8.8.8
lease 0 23
!
ip dhcp pool vlan_30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 115.186.188.3 115.186.188.4 203.82.48.4 8.8.8.8
lease 0 23
!
ip dhcp pool vlan_40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 115.186.188.3 115.186.188.4 203.82.48.4 8.8.8.8
lease 0 23
!
ip dhcp pool vlan_50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 115.186.188.3 115.186.188.4 203.82.48.4 8.8.8.8
lease 0 23
!
ip dhcp pool vlan_60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 115.186.188.3 115.186.188.4 203.82.48.4 8.8.8.8
lease 0 23
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FTX1728AKE6
!
username abc password 7 XXXXXXXXXX
!
class-map match-any BLOCK-P2P
match protocol bittorrent
match protocol kazaa2
match protocol gnutella
match protocol edonkey
match protocol fasttrack
match protocol winmx
match protocol cuseeme
match protocol irc
!
policy-map QOS-P2P-POLICY
class BLOCK-P2P
drop
!
interface GigabitEthernet0/0
ip address 115.186.185.18 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 115.186.163.225 255.255.255.240
ip nbar protocol-discovery
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
service-policy input QOS-P2P-POLICY
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
service-policy input QOS-P2P-POLICY
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
service-policy input QOS-P2P-POLICY
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly
service-policy input QOS-P2P-POLICY
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
service-policy input QOS-P2P-POLICY
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly
service-policy input QOS-P2P-POLICY
!
interface GigabitEthernet0/2
ip address 192.168.2.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
--> no ip default-gateway 115.186.185.17
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
--> no ip nat pool NAT-115 115.186.163.225 115.186.163.236 netmask 255.255.255.240
ip nat inside source list 95 interface GigabitEthernet0/0 overload
--> no ip nat inside source list 99 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 115.186.185.17
!
access-list 95 permit 192.168.10.0 0.0.0.255
access-list 95 permit 192.168.20.0 0.0.0.255
access-list 95 permit 192.168.30.0 0.0.0.255
access-list 95 permit 192.168.40.0 0.0.0.255
access-list 95 permit 192.168.50.0 0.0.0.255
access-list 95 permit 192.168.2.0 0.0.0.255
access-list 95 permit 192.168.60.0 0.0.0.255
--> no access-list 95 permit 115.186.163.0 0.0.0.255
access-list 100 permit tcp any any eq 22
!
!
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal
snmp-server enable traps c3g
snmp-server enable traps ds3
snmp-server enable traps adslline
snmp-server enable traps adsl2line
snmp-server enable traps vdsl2line
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps bgp
snmp-server enable traps isis
snmp-server enable traps rf
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
!
control-plane
!
line con 0
logging synchronous
login local
line aux 0
line vty 0 4
password 7 XXXXXXXXXXXXXX
login local
transport input ssh
!
scheduler allocate 20000 1000
end

--> no ip default-gateway 115.186.185.17

115.186.185.17 is the IP address provided by my ISP, i.e. for public traffic. Should I disable this anyway?


--> no ip nat pool NAT-115 115.186.163.225 115.186.163.236 netmask 255.255.255.240
115.186.163.224/28 is the public IP pool provided by my ISP, and currently a couple of servers (e.g. LMS), security cameras etc. have been given public IP addresses from this pool in order to access outside the network.

access-list 95 is created for the same.

Should I remove what you have highlighted anyway?


Thanks!


Hello,


is the configuration you have posted the full configuration? I don't see how the NAT pool works, since you have only defined the pool, but there is no line such as the below in there to use the pool:


ip nat inside source list access-list-number pool NAT-115


The default-gateway command is not needed, since you already have the default route configured. Delete the default-gateway statement.

Yes complete configuration of Router as well as Core-Switch.
Ok.

Hello,


thanks for the info. The NAT pool doesn't work and since you have statically assigned the IP addresses, the IP addresses, since they are public, don't need to be translated anyway.


That said, remove the default gateway, and I think the most important thing is to change the order of the DNS servers; make sure 8.8.8.8 is the first in the line.
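
Added example, not part of the original thread and not Cisco tooling: the two checks made by eye in the replies above (a NAT pool that no "ip nat inside source" rule uses, and "ip default-gateway" beside a static default route) run against a saved config, plus a check for NAT rules that name an access list the config never defines. The sample lines are constructed from the posted config with the "--> no" markers dropped; audit_nat is a hypothetical helper name, and only numbered ACLs are handled.

```python
import re

# Constructed sample: NAT/routing lines from the posted config, with the
# reviewer's "--> no" markers dropped (i.e. the state before any removal).
SAMPLE_CONFIG = """\
ip default-gateway 115.186.185.17
ip nat pool NAT-115 115.186.163.225 115.186.163.236 netmask 255.255.255.240
ip nat inside source list 95 interface GigabitEthernet0/0 overload
ip nat inside source list 99 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 115.186.185.17
access-list 95 permit 192.168.10.0 0.0.0.255
access-list 95 permit 115.186.163.0 0.0.0.255
access-list 100 permit tcp any any eq 22
"""

def audit_nat(config: str) -> list[str]:
    """Return findings for NAT and default-route lines that have no effect."""
    lines = [l.strip() for l in config.splitlines()]
    # re.match anchors at line start, so negated ("no ...") lines are ignored.
    pools = {m.group(1) for l in lines
             if (m := re.match(r"ip nat pool (\S+) ", l))}
    acls = {m.group(1) for l in lines
            if (m := re.match(r"access-list (\d+) ", l))}
    used_pools, nat_acls = set(), set()
    for l in lines:
        m = re.match(r"ip nat inside source list (\d+) (pool|interface) (\S+)", l)
        if not m:
            continue
        nat_acls.add(m.group(1))
        if m.group(2) == "pool":
            used_pools.add(m.group(3))
    findings = []
    for p in sorted(pools - used_pools):
        findings.append(f"NAT pool {p} is defined but no NAT rule uses it")
    for p in sorted(used_pools - pools):
        findings.append(f"NAT rule references undefined pool {p}")
    for a in sorted(nat_acls - acls):
        findings.append(f"NAT rule references access-list {a}, which is not defined")
    has_route = any(re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", l) for l in lines)
    has_gw = any(l.startswith("ip default-gateway ") for l in lines)
    if has_gw and has_route:
        findings.append("ip default-gateway is redundant beside a static default route")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print(finding)
```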

I have removed the default gateway and brought 8.8.8.8 first in the line.
Now observing internet.
Thank you so much for the assistance, will update in case of issue.

Curious to know what the results are, keep us updated.
