Cisco 2500 - reboot needed twice a day 3

[TopRung]

I have to reboot our Router probably twice a day 2-3 times a week. What happens is that we lose all access to the internet. A reboot brings it all back to norm in about 2 minutes.

I am unsure why, or what is causing this, but through my ISP I have a bandwidth monitor that I check regularly. There may or may not be a correlation here, but I notice that the router needs to be rebooted when out outgoing or incoming traffic reaches max.


Complete newb, so be gentle please

Thank you in advance!!

 

[bebop1065]

Does your config. tell the router to stop routing when bandwidth reaches that amount?

http://soulphoto.net

CCNA student

 

[FANCYpete]

What kind of connection do you have to your ISP, is it Frame-Relay, if so what is your bandwidth limitations? What's the CIR, and port speed? If you are saturating your pipe regularly, i.e. maxing out both INcoming ,and OUTgoing bandwidth and it requires a reboot of the router to get you back on the internet, you may want to consider upgrading your bandwidth, (mainly upgrading your CIR) Also, what kind of routing protocol are you running between you and your ISP, is it all Static routes, are you using NAT? Thanks, look forward to helping.

I'm the Fanciest of the Fancy...INDEED

 

[BuckWeet]

Is your router just going bad and crashing itself, 2 mins is about enough time for it to reboot and the T1 to come back up..

BuckWeet

 

[TopRung]

First thank you all for the interest. I will try and answer what I know.


We have a single unrestricted T1 using NAT.
I don't know the CIR or truly, what that is (shhhh). I had to look it up (Committed Information Rate)-- Freegn' newb I am But I have asked our ISP/Network support and will post the answer.

CIR: That is the first to check. Thank you so far for pointing me to that.

 

[lui3]

What version of the IOS are you running. Please do a show version on the router and post the output. Also next time before rebooting check the status of the input interface (eth0) and the output interface on the serial connection. Make sure the input queue is not negative or overfiled.

Ie 75/50

This causes an input wedge to occur. And you have to reboot to fix it. IOS version 11.3 fixed the problem.

 

[TopRung]

Okay I got some information:

Circuit is a point-to-point T1 with no bandwidth restrictions

The Circuit speed is 1.44 about 180kbs.

We are using static routes on your router. The Pix router is doing the nating.


As far as accessing the router, I haven't got that far. I need a PC to directly connect. I can not figure out the simple "telnet to" scenario. I think PIX needs adjusting but being a newb, I am hesitant to apply or remove rules. Not sure.


I know the OS version is crucial, and I am trying my hardest to get that information.

 

[lui3]

Who are you getting your information from--local tech or ISP? If its an ISP there are normally not nearly as helpful as a local tech. T1 normally run in the range you are quoting. The problem is with the router reboot. We need you or someone to gain access to the config so that we can see what you are talking about. Please post the configuration with all the necessary information deleted (passwords, ip addresses, etc) so that we can help sort out your problem.

Do a text capture on the terminal with a

show running-config


Thanks..

 

[bierhunter]

I'm curious as to why your bandwidth is maxing out.

When you start having problems check these.

Show int on your T-1 interface and see what direction the heavy traffic is going. In or out.

If you do a "show proc cpu" you may see that your cpu utilization is maxed, thus locking up and needing a reboot.

Since you're doing NAT, also do

show ip nat translations

Look for an address or addresses that have a huge number of connections. Especially on ports 135, 445. Also check for any port 20 traffic. You may have infected machines sending out attacks.

This quick also helped one company with a maxed T-1 discover they had an illegal FTP warez server running. They had connections from all over the world pulling stuff off and didn't know it.

 

[TopRung]

first, I am going to get access to the router shortly and do my best to post the config.

The majority of the bnadwidth is OUTGOING, but at times incoming traffic matches it. It is usually at that point, (when both max) that I see the drop. However, there have been times that it drops when only one max's out.

I am going to look into the FTP server issue, but I don't think that has happened. Can someone run a server like that and mask it? Is there a way to scan for that?

 

[bierhunter]

I'd be really curious what the NAT translation table shows. Sounds like a host or hosts on your network are acting up. I really suspect a virus or some other malware internally. The FTP is one of the things to check in the process, but isn't a real common one. It can be masked by someone who knows what they're doing, but ports 21 and 20 will give it away in most cases.

 

[TopRung]

I don't suspect a virus, as I have this netork very clean when it comes to that. Unless there is something out there that Norton hasn't seen, it isn't here internally. I am pretty confident about that. But, I will quadruple check that as well - A close mind leads to disaster.

Malware application of some kind not tagged as a virus is a possibility! The only thing I know about finding such things is using S&D, Adaware, etc. I am pretty green to that.

 

[NetEng631]

Use MRTG to check out the CPU utilization. You may be over taxing the router and need a more powerful box.

 

[bierhunter]

Have you been able to detect where the outbound traffic is coming from yet?