Can't receive packets.... HELP!

[Niall22]

Hi Guys,

I need help on this one fast! I have a Cisco 2621 router.
This morning our @Home ISP changed our IP address thus resulting in no connectivity from our router. I telneted into the router and changed the ip of the outside interface to the new IP assigned to us by our ISP. However, I still can't connect to the Internet through the router. I have bypassed the router and hooked the cable modem directly into my computer and it works fine. The modem shows that it is sending and receiving packets when I ping out through the router but the router doesn't seem to show that it's receiving ANY packets.

FastEthernet0/1 is up, line protocol is up
Hardware is AmdFE, address is 0002.1666.39e1 (bia 0002.1666.39e1)
Description: Connected to Internet
Internet address is 24.157.40.177/23
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:33:54, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
2 packets input, 120 bytes
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
2774 packets output, 242020 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 1 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

When our ISP changed our IP address the subnet mask changed from 255.255.255.0 to 255.255.254.0, would that affect packets getting routed correctly since the internal interface has a different subnet mask (255.255.255.0)???

Here's my config... I'm not using any routing protocols because it's a small network and the router is just performing NAT between the private network and the Internet.
Does anyone see any reasons why the router wouldn't be functioning correctly?

Current configuration : 2348 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
no logging buffered
no logging console
enable secret 5 $1$t3Lx$lgAJ0mwTZKS/rhkB/P.BR1
!
!
!
!
!
clock timezone EST -4
ip subnet-zero
!
ip inspect name FastEthernet_0_1 smtp
ip inspect name FastEthernet_0_1 ftp
ip inspect name FastEthernet_0_1 tcp
ip inspect name FastEthernet_0_1 udp
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key password address X.X.X.X
crypto isakmp key password address 0.0.0.0
crypto isakmp client configuration address-pool local dhcppool
!
!
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set trans1
!
!
crypto map cryptomap client configuration address initiate
crypto map cryptomap client configuration address respond
crypto map cryptomap 1 ipsec-isakmp
description Oshawa Office
set peer X.X.X.X
set transform-set trans1
match address 100
crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
interface FastEthernet0/0
description Conneted to EtherLAN
ip address 10.2.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
description Connected to Internet
ip address A.B.C.D 255.255.254.0
ip nat outside
ip inspect FastEthernet_0_1 in
ip inspect FastEthernet_0_1 out
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
crypto map cryptomap
!
ip local pool dhcppool 10.2.3.5 10.2.3.254
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 24.157.40.1 permanent
no ip http server
!
access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 105 deny ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 105 deny ip 10.2.1.0 0.0.0.255 10.2.3.0 0.0.0.255
access-list 105 permit ip 10.2.1.0 0.0.0.255 any
route-map nonat permit 10
match ip address 105
!
snmp-server engineID local 0000000902000002166639E0
snmp-server community public RO
!
line con 0
exec-timeout 0 0
password 7 04565F535673
login
transport input none
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 0506525A781E
login
!
ntp clock-period 17180333
ntp server 132.246.168.164
no scheduler allocate
end

Any help is much appreciated.

Niall

 

[wybnormal]

Lets start with the basics.. what does show ip route tell us? does it show both ports as connected? You are doing more then just NAT.. VPN connection to remote sites? Strip the config down to it's basics.. ie.. IPs on the interfaces, no access lists, no VPNs, No NAT to start with. Can the interface see the internet at that point?? Try and extended PING or traceroute where you force it to use the E0/1 port... use a wild card mask for the ping address.. for example, 24.157.40.0 ( note the 0 ) it should do a ping SWEEP and return all the IPs it can see. One of which should be the default gateway. This does assume the gateway will respond to a ICMP packet. Traceroute should work as it's UDP based and not ICMP on the transmit side.

If it DOES work, then add your configuration back in a piece at a time. NAT first, check it, then something else and check. You will find where the error is pretty quickly.

Let us know how it goes..

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[Niall22]

I was hoping it would be something simple. The router has been working fine for over 6 months with the current settings. The only difference is the change of ip address and subnet mask. My first thought was with the subnet masks being different. Internal is 255.255.255.0 and external is 255.255.254.0. Would that affect anything since they were both the same before? Is NAT going to affect anything if I'm pinging directly from the router? I can ping the gateway (24.157.40.1) if I bypass the router so I know it accepts ICMP packets. Nothing jumps out at you about my current config? This is going to be a long day.

 

[Niall22]

I ended up removing anything fancy from the configuration including NAT and any crypto commands and still no connection. It seems to be a problem with the gateway. IP route shows both interfaces connected. The packets seem to travel out through the cable modem and back to it (send and receive lights light up) but not to the router. I am completely stumped... is it possible that the interfaces on the router are not functioning correctly (hardware problem)?

Niall

 

[wybnormal]

Something that comes to mind is the NAT.. try clearing the NAT translation table.. the table will age out but until it does, it will think that the IP on E0/1 is the old one.

clear ip nat translation

Also clear the security:

clear crypto isakmp
clear crypto sa

http://www.cisco.com/warp/public/707/ios_804.html

for details

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[Niall22]

I've already rebooted the router about 100 times. (That should clear everything, right?) I tried clearing the NAT table and security anyway and still no dice.

I just don't know what's wrong with this router. Everything works fine from a stand-alone computer but no through the router.

 

[wybnormal]

Another item to try... you said they changed the mask? along with the IP?? thats an odd change but on my cable system, I had to turn off the keepalives for the E0 port.. apparently, RR does( or did not) send keep alives that the router was expecting. So the port would work for a very brief time then just stop.. with eveything looking great.. aside from no traffic passing :-(

On the E0/1 side, try no keep-alive (I think thats the right syntax)

DO a shutdown of the port then bring it back up.

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[Niall22]

Unfortunately that didn't help.
Is it possible for a Cisco router to dislike my ISP's router and cause it to malfunction?

 

[Niall22]

Here's an update on the situation:

Spent over 5 hours on the phone, the last 2 days , with a Cisco Engineer at Cisco's TAC. He could't find anything wrong either. Tried another 2600 router and it did the same thing thus eliminating the possibility of a defective router. We've narrowed it down to our ISP who claims everything is working fine. As it stands, we have been down for 2 full business days and heading into a 3rd today. I have been in contact with other high speed Internet companies and it looks like we'll be getting rid of Cable Internet access and getting ADSL instead. Just so you know, the ISP we deal with is one of many @Home providers. Here in our area of Ontario, Canada we have Rogers @Home and when it comes to supporting their customers, they stink.

Niall

 

[wybnormal]

Sounds ugly :-( you wouldnt happen to have a sniffer handy would you? it would be telling to get a trace off the circuit to see whats missing.

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[Niall22]

No, I've never used a sniffer although it did cross my mind earlier to try one. They way I see it now, if our ISP is not willing not help then they aren't getting our business. I shouldn't have to find out what their problem is and tell them how to fix it. They should be willing to do that themselves.

Thanks for all your help,

Niall

 

[wybnormal]

I would agree except for one small thing. It's been my experience that the folks doing much of the technical work at places like Cable Companies are not well trained and so there may be a simple fix if you can tell them what it is. Not that it's your job, it's really the fault of the management for not either hiring top people or not training the ones they have. Sometimes moving ISPs is not an option and so I try not to burn my bridges with my ISPs.

Just a thought

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[Tremor]

Funny thread. I tried the same thing with a 2500 series router in place of my cable modem, and got the same result.
I can ping the gateway out E/0, and I can ping various locations on the internet, but could not get it to route anything.

Because everything would talk to the external interface, and nothing internal would work, I'm assuming it is a NAT problem. Havn't had time to really look into it though, as its just tinkering around at home.

 

[wybnormal]

Well.. let me add more to this thread.. I have a 2514 at home that is running NAT. Since my cable company is DHCP, I got a Linksys 1 port router to handle that aspect. It would not keep the connection to the Cisco till I clicked the keep-alive button on the router setup screen. At least I think that is what it is.. I'm doing this email from memory. I have since upgaded the IOS but have not yet tried the Cisco DHCP assigned interface yet.

cable---cable-modem----Linksys----cisco 2514---my net

Why did I do it this way??? 'cause I did not want to renumber everything I have since the Linksys is very limited to a single IP range. I also have static maps through NAT and I run IPX on the LAN side.. the Linksys is IP only.

But all in all, it's been working well for 4 months now.

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin