04-13-2011 04:41 AM - edited 03-06-2019 04:35 PM
Hi all,
I have a client site using an 877 with just a basic setup. The strange issue is that when a server is statically assigned the public IP address 203.120.XX.20/28, a network outage occurs, meaning our hosts are unable to surf the internet. But when the same server is assigned 203.120.XX.28/28, there is no issue at all. There is no virus, nor is the server compromised. Could anyone shed any light on this phenomenon and how it could be resolved?
877>sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 203.120.XX.19 2 0001.6900.2a12 ARPA Vlan1
Internet 203.120.XX.18 0 842b.2b53.d648 ARPA Vlan1
Internet 203.120.XX.17 - 001a.2f30.db33 ARPA Vlan1
Internet 203.120.XX.20 0 Incomplete ARPA
Internet 203.120.XX.27 5 0011.5f02.d989 ARPA Vlan1
Internet 203.120.XX.26 10 000e.b507.1a82 ARPA Vlan1
Internet 203.120.XX.25 1 000e.5313.b152 ARPA Vlan1
Internet 203.120.XX.28 1 0010.1860.2854 ARPA Vlan1
NKG-SG-GW>ping 203.120.XX.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.120.XX.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
NKG-SG-GW>ping 203.120.XX.19
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.120.XX.19, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
877>sh ver
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 30-Aug-06 22:34 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)YI3, RELEASE SOFTWARE
877 uptime is 6 days, 5 hours, 56 minutes
System returned to ROM by power-on
System restarted at 13:37:37 SGT Thu Apr 7 2011
System image file is "flash:c870-advsecurityk9-mz.124-9.T1.bin"
04-13-2011 05:03 AM
Are the clients using public addressing?
If so, what is the default gateway for the clients? It's not .20, is it?
Jon
04-13-2011 05:51 AM
Hi Jon,
LAN hosts or servers are statically configured with public IP addresses provided by the ISP. The LAN default gateway is 203.120.XX.17. Pings from the server to the router's GW and vice versa are OK.
877>sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset up up
FastEthernet3 unassigned YES unset up up
ATM0 202.42.XX.XX YES NVRAM up up
Vlan1 203.120.XX.17 YES NVRAM up up
04-13-2011 06:00 AM
Can you clear the ARP cache on the router, then put in a static entry for .20, assign .20 to the server and try a ping again?
Regards.
Alain.
04-13-2011 06:26 AM
Hi Alain,
Already done this part, but I still can't ping .20 from the 877 and vice versa. But when the same server uses .28, pings are OK.
04-13-2011 06:41 AM
Hi,
When doing so, can you do a debug ip packet detail?
Regards.
Alain.
04-13-2011 06:49 AM
Hi Alain,
No ACL is applied on either the WAN or LAN interfaces. I was thinking of doing packet sniffing but would need to do this again in another time window. I will also do what you've suggested. I'm still currently doing some research on this issue.
877#sh run int vl1
Building configuration...
Current configuration : 97 bytes
!
interface Vlan1
description Connection to LAN
ip address 203.120.XX.17 255.255.255.240
end
877#sh run int atm0
Building configuration...
Current configuration : 261 bytes
!
interface ATM0
description Connection to WAN
mtu 1500
bandwidth 510
ip address 202.42.XX.XX 255.255.255.252
no atm ilmi-keepalive
pvc 8/35
protocol ip 202.42.XX.XX broadcast
encapsulation aal5snap
!
dsl operating-mode auto
end
04-13-2011 07:19 AM
Is it only failing with .20 and working with others?
Regards.
Alain.
04-13-2011 07:26 AM
Hi Alain,
Yes, the ping fails on .20 and the rest of the range works fine.
Sent from Cisco Technical Support iPhone App
04-13-2011 10:10 AM
What device is there between your router and server? Is there a switch?
Regards.
Alain.
04-13-2011 08:18 PM
Hi Alain,
We found out that the IP address 203.120.XX.20 was compromised by a virus which initiated unauthorized scanning of another Internet user.
Logs from the complainant's firewall:
00:46:12.747085 IP 203.120.XX.20 > 174.36.XX.200: udp
00:46:12.910089 IP 203.120.XX.20 > 174.36.XX.200: udp
00:46:12.936614 IP 203.120.XX.20.64253 > 174.36.XX.200.33532: UDP, length 8192
We asked the server/security team to take the necessary actions to resolve this issue.
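Added example, not from any poster in this thread: a Python check that reads tcpdump-style lines like the ones quoted above and reports LAN addresses sending bursts of UDP to a single external host, so this kind of traffic is noticed locally rather than through an outside complaint. The addresses are constructed from documentation ranges, and the function names, threshold and window are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque

# tcpdump text line: "HH:MM:SS.ffffff IP src[.port] > dst[.port]: proto..."
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+) > (\S+): (.*)$")

def _addr(field):
    # Drop the optional ".port" suffix; fragments are printed without ports.
    return ipaddress.ip_address(".".join(field.split(".")[:4]))

def parse_line(line):
    """Return (seconds, src, dst) for a UDP packet line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group(6).lower().startswith("udp"):
        return None
    h, mnt, s, src, dst, _ = m.groups()
    return int(h) * 3600 + int(mnt) * 60 + float(s), _addr(src), _addr(dst)

def flag_talkers(lines, local_net, threshold=3, window=1.0):
    """Local sources sending >= threshold UDP packets to one external
    destination within `window` seconds. Returns {(src, dst): peak_count}."""
    net = ipaddress.ip_network(local_net)
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        ts, src, dst = pkt
        if src not in net or dst in net:
            continue  # only outbound traffic from the LAN block
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # forget packets older than the window
        if len(q) >= threshold:
            key = (str(src), str(dst))
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

# Constructed sample (documentation address ranges, not the thread's hosts).
SAMPLE = """\
00:46:12.747085 IP 203.0.113.20 > 198.51.100.200: udp
00:46:12.910089 IP 203.0.113.20 > 198.51.100.200: udp
00:46:12.936614 IP 203.0.113.20.64253 > 198.51.100.200.33532: UDP, length 8192
00:46:13.100000 IP 203.0.113.28.53211 > 198.51.100.53.53: UDP, length 40
00:46:13.200000 IP 198.51.100.200.33532 > 203.0.113.20.64253: UDP, length 12
""".splitlines()
print(flag_talkers(SAMPLE, "203.0.113.16/28"))
```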