Unable to Ping/SSH multiple Cisco 887VA/897VAB ADSL and VDSL.

Stevenve (Level 1)

Dear All,

For simple ADSL/VDSL connections we are using the Cisco 887VA or 897VA. Currently I have three routers that all have the same issue: they are working, but we are not able to manage them. The PPPoE is online and traffic is also passing through. The firewall behind the router is also reachable. We are not able to ping, SSH, SNMP or anything else to the routers. Currently I can manage one of them from the LAN side on site (for the others I don't have that possibility). I know the routers are on 15.6 and the one I can manage is specifically on 15.6(2)T1. I have looked at the open bugs for this version but I can't see anything that's even close to this problem. See my config below; can you please help me.

version 15.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
ethernet lmi ce
memory-size iomem 10
clock timezone AMS 1 0
clock summer-time AMS recurring
!
!
no ip domain lookup
ip domain name client.public
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
controller VDSL 0
operating mode vdsl2
training log filename flash:dsl.txt
sync mode itu
sra
!
no cdp run
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface Ethernet0
no ip address
!
interface Ethernet0.6
encapsulation dot1Q 6
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
description to VLAN1
ip address WAN IP/SUBNET
ip verify unicast reverse-path
ip tcp adjust-mss 1452
load-interval 30
no autostate
!
interface Dialer1
description WAN dialer
mtu 1492
ip unnumbered Vlan1
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username USERNAME password PASSWORD
ppp ipcp mask request
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
!
snmp-server community OUR SNMP 
!
access-list 23 permit OUR IP ADRESSES
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
line con 0
exec-timeout 30 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in vrf-also
privilege level 15
login local
transport input ssh
line vty 5 15
access-class 23 in vrf-also
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp server 0.nl.pool.ntp.org
!
end

Thank you in advance!

6 Replies

Giuseppe Larosa (Hall of Fame)

Hello Steven,

I don't see any NAT statement. Are these VDSL lines connecting your routers to the public Internet or to an MPLS L3 VPN?

In addition, I see conflicting configuration under interface dialer:

interface Dialer1
description WAN dialer
mtu 1492
>>ip unnumbered Vlan1

! if you want the dialer interface to get an IP address from PPP you need the following instead of the line above:

ip address negotiated
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username USERNAME password PASSWORD
ppp ipcp mask request
ppp ipcp address accept
no cdp enable
!


Also, I would expect an internal Vlan interface like Vlan2 with at least one port associated with it.

The configuration that you have posted and likely edited is doing almost nothing.

You have probably skipped part of your configuration.


Hope to help

Giuseppe

Dear Giuseppe,


Thanks for your quick reply.

We've configured a static WAN IP on the interface Vlan 1, which we unnumber to use for the Dialer interface as well. The switchports are default and thereby all access Vlan1. We use the second WAN IP (in our block) for the Firewall. The Firewall has the Cisco router's Int Vlan 1 address as default gateway. So the Cisco router only works as a modem from VDSL to Ethernet and routes all traffic 1-on-1 to and from the Firewall. NAT is thereby also done in the Firewall.

This is a basic config that's currently working (in terms of traffic flow).


Hello Steven,

OK, I understand that NAT is performed on the firewall.

I know that it is a silly question, but have you performed all the required steps to enable SSH on the router?

a) verify that the IOS image name contains k9. This is for stronger encryption

b) configure a hostname [done]

c) configure a domain name with ip domain-name <name>

d) configure an authentication method; you have login local [done]

e) generate RSA keys for your router with the following command in global config mode:

crypto key generate rsa

specify the key size

f) enable ip ssh version 2

ip ssh version 2

g) on line vty 0 4 (or more)

transport input none

transport input ssh

Hope to help

Giuseppe

Hi Giuseppe,

Yes we did; from the inside network we can manage the router with SSH.

From the outside we can't even ping the Dialer/Vlan1 IP address.

Thanks for thinking with us.

Hello Steven,

it was just a sanity check.

>>Yes we did; from the inside network we can manage the router with SSH.

>>From the outside we can't even ping the Dialer/Vlan1 IP address.

This second aspect is the stranger one. I would expect Dialer1/Vlan1 to have a public IP address, and the router has a default route using the Dialer1 interface as output interface.

There is only a single exit point and you have configured uRPF as a security measure.


int vlan1
ip verify unicast reverse-path

To see if the ping can be fixed you could try to remove the uRPF for a few moments only, or make it loose rather than strict.

If I remember correctly, to allow ping to be successful with uRPF you need an additional keyword:

Forwarding (uRPF) check could be enabled using the ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list] interface subcommand.

You can try to add the options allow-default and allow-self-ping; you may need to use the option reachable-via any before being able to use them.

What is in access-list 23, used as access-class on the VTY? Are your source addresses (public ones) included?

Can you check if it is possible to SSH from one router to another, using the session of the locally connected router and attempting to SSH to the public address of one of the four remote routers?

Change access-list 23 to allow this.

Again, from the local router SSH shell try to ping a remote router on its public address.

Hope to help

Giuseppe

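An added example, not from this thread, Cisco, or either poster: a small Python audit that parses an IOS-style running-config and flags the points raised in Giuseppe's SSH checklist and uRPF notes above (domain name, ip ssh version 2, strict uRPF on an interface, ip unnumbered on the dialer, access-class on the vty lines). The embedded sample config is a constructed excerpt of the one posted in this thread, with the poster's placeholders kept as posted; the finding texts are the author's wording, not IOS output.

```python
# Constructed sample: an excerpt of the config posted in this thread, with the
# poster's placeholders kept as they are; not a real device's running-config.
SAMPLE_CONFIG = """\
ip domain name client.public
interface Vlan1
 ip address WAN IP/SUBNET
 ip verify unicast reverse-path
interface Dialer1
 ip unnumbered Vlan1
access-list 23 permit OUR IP ADRESSES
line vty 0 4
 access-class 23 in vrf-also
 transport input ssh
"""

def parse_sections(config):
    """Split IOS config text into (command, [sub-commands]) pairs: indented lines
    belong to the unindented command before them; '!' lines and blanks drop."""
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw[0].isspace():
            current = (raw.strip(), [])
            sections.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return sections

def audit_management_plane(config):
    """Return the findings from this thread that can block remote SSH/ping."""
    sections = parse_sections(config)
    tops = {head for head, _ in sections}
    findings = []
    if not any(h.startswith(("ip domain name", "ip domain-name")) for h in tops):
        findings.append("global: no domain name, so RSA key generation fails")
    if "ip ssh version 2" not in tops:
        findings.append("global: ip ssh version 2 not configured")
    for head, body in sections:
        if head.startswith("interface "):
            name = head.split()[1]
            # legacy 'reverse-path' form equals strict 'reachable-via rx'
            if "ip verify unicast reverse-path" in body or any(
                    l.startswith("ip verify unicast source reachable-via rx") for l in body):
                findings.append(f"{name}: strict uRPF; try reachable-via any allow-self-ping")
            if name.startswith("Dialer") and any(l.startswith("ip unnumbered") for l in body):
                findings.append(f"{name}: ip unnumbered; check if ip address negotiated is intended")
        elif head.startswith("line vty"):
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{head}: no access-class limiting management sources")
    return findings
```

Feed it the output of show running-config from a router you administer; the same parser works for any command block with indented sub-commands.
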

Hi Giuseppe,

Thanks for the answers, I've been away but now I'm following up on the problem.

I have tried to remove the uRPF; do you know if it requires a restart? It didn't work without one, at least.

I also tried to SSH to another router: I added the public IP address of the 897 router in another router and I saw a match in this router's ACLs. It looks like it can reach the router, but the return traffic doesn't find a way back to the 897 router.

My source addresses are in ACL 23.

Thanks again in advance!