WAN port on SR520W stops working after a couple days

hanleymike
Level 1

Hello,

I have set up a Cisco SR520W and everything appears to be working. After about 2 days, it looks like the WAN port stops forwarding traffic to the Internet gateway IP of the device.

If I unplug and then plug in the network cable connecting the WAN port of the SR520W to my Comcast Cable Modem, traffic starts flowing again. Also, if I restart the SR520W, the traffic will flow again.

Any ideas?

Here is the running config:

Current configuration : 10559 bytes
!
version 12.4
no service pad
no service timestamps debug uptime
service timestamps log datetime msec
no service password-encryption
!
hostname sr520w.marin.edge.mydomain.com
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
!
crypto pki trustpoint TP-self-signed-334750407
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-334750407
revocation-check none
rsakeypair TP-self-signed-334750407
!
!
crypto pki certificate chain TP-self-signed-334750407
certificate self-signed 01
<removed>
   quit
dot11 syslog
!
dot11 ssid <removed>
vlan 75
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 <removed>
!
ip source-route
!
!
ip dhcp excluded-address 172.16.0.1 172.16.0.10
!
ip dhcp pool inside
   import all
   network 172.16.0.0 255.240.0.0
   default-router 172.16.0.1
   dns-server 10.0.0.15 10.0.0.12
   domain-name mydomain.com
!
!
ip cef
ip domain name mydomain.com
ip name-server 68.87.76.178
ip name-server 66.240.48.9
ip port-map user-ezvpn-remote port udp 10000
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
!
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated

parameter-map type inspect z1-z2-pmap
audit-trail on
password encryption aes
!
!
username admin privilege 15 secret 5 <removed>
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
  key-string
  <removed>
  quit
!
!
!
!
!
!
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
connect auto
group EZVPN_GROUP_1 key <removed>
mode client
peer 64.1.208.90
virtual-interface 1
username admin password <removed>
xauth userid mode local
!
!
archive
log config
  logging enable
  logging size 600
  hidekeys
!
!
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM-Voice-permit
match protocol sip
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match protocol user-ezvpn-remote
class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT
match class-map SDM_EASY_VPN_REMOTE_TRAFFIC
match access-group 101
class-map type inspect match-any Easy_VPN_Remote_VT
match access-group 102
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any L4-inspect-class
match protocol icmp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all dhcp_out_self
match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
match access-group name dhcp-req-permit
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect dhcp_self_out
  pass
class type inspect sdm-cls-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-permit_VT
class type inspect Easy_VPN_Remote_VT
  pass
class class-default
  drop
policy-map type inspect sdm-inspect
class type inspect SDM-Voice-permit
  pass
class type inspect sdm-cls-insp-traffic
  inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-protocol-http
  inspect z1-z2-pmap
class class-default
  pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
  pass
class class-default
  drop
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_REMOTE_PT
  pass
class type inspect dhcp_out_self
  pass
class class-default
  drop
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
bridge irb
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address 75.149.48.76 255.255.255.240
ip nat outside
ip ips sdm_ips_rule out
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
!
interface Virtual-Template1 type tunnel
no ip address
ip virtual-reassembly
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
!
interface Dot11Radio0
no ip address
!
encryption vlan 75 mode ciphers aes-ccm
!
ssid <removed>
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.75
encapsulation dot1Q 75 native
ip virtual-reassembly
bridge-group 75
bridge-group 75 subscriber-loop-control
bridge-group 75 spanning-disabled
bridge-group 75 block-unknown-source
no bridge-group 75 source-learning
no bridge-group 75 unicast-flooding
!
interface Vlan1
no ip address
ip virtual-reassembly
bridge-group 1
!
interface Vlan75
no ip address
ip virtual-reassembly
bridge-group 75
bridge-group 75 spanning-disabled
!
interface BVI1
no ip address
ip nat inside
ip virtual-reassembly
!
interface BVI75
description $FW_INSIDE$
ip address 172.16.0.1 255.240.0.0
ip nat inside
ip ips sdm_ips_rule in
ip virtual-reassembly
zone-member security in-zone
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.149.48.78 2
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 75.149.48.64 0.0.0.15 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 64.1.208.90 any
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
!
!
!
!
snmp-server community <removed> RO
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 75 route ip
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
end

Thanks in advance,

-Mike

hanleymike
Level 1

I'm curious if anyone has any ideas on this issue? Does Cisco monitor these forums?

Thanks,

-Mike

Andrew Hickman
Cisco Employee

Hi Mike,

Sorry for the delay in responding.

Do you notice this happening after the same period all of the time, or is the period variable?

Are you aware of any other event that might coincide with this issue?

I can't think of any particular reason why the device would stop forwarding.

Next time this happens, could you please collect some status information, so that we might be able to get some view of what is happening?

Specifically, can you grab the following "show" commands (either from the device CLI, or from CCA)

show interface fa4

show ip route

show ip arp

sh ip cef

Regards,

Andy

Hi Andy,

Thank you for the reply. Since I last posted, I reset the device (SR520W-FE) back to the factory defaults and set up the device with nearly the exact same config (instead of changing the DHCP server to use 172.16.x.x, I left the default 192.168.75.x addressing). I am still experiencing the same problem (the WAN port stops working after 1-2 days).

Here is the output of the commands you requested:

1. show interface fa4

FastEthernet4 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0026.99c5.b434 (bia 0026.99c5.b434)
  Description: $FW_OUTSIDE$
  Internet address is 75.149.48.76/28
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 01:08:15, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/23/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 0 packets/sec
     336446 packets input, 455403158 bytes
     Received 23 broadcasts, 0 runts, 0 giants, 37 throttles
     41 input errors, 0 CRC, 0 frame, 0 overrun, 41 ignored
     0 watchdog
     0 input packets with dribble condition detected
     172529 packets output, 23580132 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

2. show ip route

Gateway of last resort is 75.149.48.78 to network 0.0.0.0

C    192.168.75.0/24 is directly connected, BVI75
     64.0.0.0/32 is subnetted, 1 subnets
S       64.1.208.90 [1/0] via 75.149.48.78
S    192.168.10.0/24 is directly connected, BVI75
     75.0.0.0/28 is subnetted, 1 subnets
C       75.149.48.64 is directly connected, FastEthernet4
S*   0.0.0.0/0 [2/0] via 75.149.48.78

3. show ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  75.149.48.65           69   001e.2a39.7b08  ARPA   FastEthernet4
Internet  75.149.48.76            -   0026.99c5.b434  ARPA   FastEthernet4
Internet  75.149.48.78           93   0022.2d6c.ae36  ARPA   FastEthernet4
Internet  192.168.75.1            -   0027.0d58.f5f0  ARPA   BVI75
Internet  192.168.75.12          50   7c6d.62c7.8c0a  ARPA   BVI75
Internet  192.168.75.13           0   001b.6301.1227  ARPA   BVI75

4. sh ip cef

Prefix               Next Hop             Interface
0.0.0.0/0            75.149.48.78         FastEthernet4
0.0.0.0/8            drop
0.0.0.0/32           receive             
64.1.208.90/32       75.149.48.78         FastEthernet4
75.149.48.64/28      attached             FastEthernet4
75.149.48.64/32      receive              FastEthernet4
75.149.48.65/32      attached             FastEthernet4
75.149.48.76/32      receive              FastEthernet4
75.149.48.78/32      attached             FastEthernet4
75.149.48.79/32      receive              FastEthernet4
127.0.0.0/8          drop
192.168.10.0/24      attached             BVI75
192.168.75.0/24      attached             BVI75
192.168.75.0/32      receive              BVI75
192.168.75.1/32      receive              BVI75
192.168.75.12/32     attached             BVI75
192.168.75.13/32     attached             BVI75
192.168.75.255/32    receive              BVI75
224.0.0.0/4          drop
224.0.0.0/24         receive             
240.0.0.0/4          drop
255.255.255.255/32   receive             

Thanks again for your help!

-Mike

Any ideas? Would additional data help out? I'm at a loss as to what is going on.

Thanks,

-Mike

Hi Andy,

I am still having trouble with my SR520W. I have tried resetting the device back to the factory defaults and I am still experiencing the problem.

Is there anything I can do to troubleshoot the issue?

-Mike

Hello, is there any chance I could get some help?

Thanks,

-Mike

hanleymike
Level 1

I could really use some help on this issue. If I remove the site-to-site VPN configuration, the SR520W works just fine. It seems like it is a problem when I configure the SR520w as a VPN client.

Is there anything I can do to troubleshoot?

The VPN server is an SR520. I have 2 SR520 VPN clients. One of them works just fine and the other one (the SR520W) stops working after a day or 2 (random interval, it seems). If I unplug the WAN port and plug it back in, everything starts working for another day or two.

-Mike

Hello Sir,

I believe the reason you are not seeing the correct support for your configuration is that this posting is in the wrong section.

I trust if you post this on the following link you will have better support on the current issue.

https://supportforums.cisco.com/community/netpro/network-infrastructurehttp://tac.linksys.com/smallbiz/?p=1605

Thanks!

David L. Barrett, Jr.

Hello,

I'm wondering if davbarre might be able to take a look at this thread as I'm driving myself crazy trying to make sense of/solving the problem:

https://supportforums.cisco.com/thread/2051999

Thanks,

Robert

Hello,

I came to this forum from the CCA software so I am not sure why it is not correct. The link you posted seems to be 2 links. Which one are you recommending?

Network Infrastructure - Cisco Support Community

https://supportforums.cisco.com/community/netpro/network-infrastructure

- or -

Linksys

http://tac.linksys.com/smallbiz/?p=1605

The 2nd link doesn't work for me. Also, why would it be Linksys since this is a Cisco product?

It seems like I am getting nowhere with this forum... does Cisco support/monitor these forums?

-Mike

Hello Dave and Andy,

Is there any way I can get some help from Cisco?

Thank you.

-Mike

Hi Hanley,

Sorry for the confusion regarding the SR520-FE. It has come to my attention that which SR520 you have, FE or T1, determines which support group can help you. Since you have the SR520-FE, you can get support from Cisco TAC (Technical Assistance Center) instead of SBSC (Small Business Support Center). The SR520-T1 is supported by SBSC.

Since you have the SR520-FE, I will move this thread into the correct area in hopes that one of our Cisco experts can help you. In the meantime, I suggest you go here: http://tools.cisco.com/ServiceRequestTool/create/launch.do and log in to start a TAC case.

Regards,

Cindy Toy

Small Business Community Manager

for Cisco Small Business Products

Did you ever have a solution? I have the same problem on my SR520W and followed the same steps as you.

Nope, I eventually just gave up. Cisco has been unresponsive on this issue. I purchased a SmartNET contract, but my request to TAC expired so I just gave up. At the end of the day, this has been a dead end for me -- the forum was not much help. I switched over to a Cisco ASA 5510 with no problems. If you figure out the problem, please let me know.

-Mike
