
Cisco 871 configured with SDM, internal traffic problems, packets lost


linaz
Mar 20, 2007
Hi,

This forum and its people have always been helpful to me; I hope to hear from you again this time.

I have a Cisco 871 router configured at our small business office.

This problem started to happen when I installed the Cisco router, as we had MS ISA 2004 before.

Setup:

ISP
Modem (Bridge mode)
Cisco 871 router [172.20.20.100]
Switch
Server 2k3SBS [172.20.20.110] (acts as DC, DNS, DHCP, exchange, crm, and etc)
Lan clients

So the router is the gateway and firewall.

Server 2k3 SBS is our DC and DHCP server, so the router is not doing DHCP.

The problem I have is:

Sometimes in the mornings communication between the server and LAN clients is broken and packets are lost. No one can log in, or some of the clients won't get IP addresses. If I ping the server when the problem occurs, I can see packets being lost, let's say two or three packets in every five.

If I unplug the Cisco router and leave the network without it, communication between the server and LAN clients comes back. Ping replies are at 100%.

Plug the Cisco back in, and packets are lost.

And funnily enough, everything just comes back without explanation after unplugging the router and plugging it back onto the network.

My question is, can this be caused by the Cisco router? Can you help me with the config file and see if there is anything that could inspect traffic and drop packets in the LAN? I didn't set up this router to inspect or drop packets in the LAN, or LAN to WAN.

Here is my config file:

!This is the running config of the router: 172.20.20.100
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NIS-Gateway
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret 5 *******
enable password *******
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1774761845
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1774761845
revocation-check none
rsakeypair TP-self-signed-1774761845
!
!
crypto pki certificate chain TP-self-signed-1774761845
certificate self-signed 01

*******

quit
dot11 syslog
no ip cef
!
!
ip port-map user-RDP port tcp 3389 description RDPPORT
ip name-server 213.94.190.194
ip name-server 213.94.190.236
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

!
!
username admin privilege 15 password 0 *******
username ******* privilege 15 secret 5 *******
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group NIS
key *******
pool SDM_POOL_1
max-users 10
crypto isakmp profile sdm-ike-profile-1
match identity group NIS
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile sdm-ike-profile-1
!
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
!
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any PPTP
match class-map SDM_GRE
class-map type inspect match-any RDP-IN
match protocol user-RDP
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-3
match class-map RDP-IN
match access-group name ANYTODC
class-map type inspect match-any SMTPTODC
match protocol smtp
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-2
match class-map SMTPTODC
match access-group name SMTP
class-map type inspect match-any HTTPSTODC
match protocol https
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map HTTPSTODC
match access-group name HTTPS
class-map type inspect imap match-any sdm-app-imap
match invalid-command
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
match service any
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any sdm-app-aol-otherservices
match service any
class-map type inspect pop3 match-any sdm-app-pop3
match invalid-command
class-map type inspect http match-any sdm-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect ymsgr match-any sdm-app-yahoo
match service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
match service text-chat
class-map type inspect http match-any sdm-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect http match-any sdm-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-protocol-imap
match protocol imap
class-map type inspect aol match-any sdm-app-aol
match service text-chat
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-3
inspect
class type inspect PPTP
inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-2
inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class class-default
drop log
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-protocol-http
inspect
class type inspect sdm-protocol-imap
inspect
class type inspect sdm-protocol-pop3
inspect
class type inspect sdm-protocol-im
inspect
class type inspect sdm-insp-traffic
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect im sdm-action-app-im
class type inspect aol sdm-app-aol
log
allow
class type inspect msnmsgr sdm-app-msn
log
allow
class type inspect ymsgr sdm-app-yahoo
log
allow
class type inspect aol sdm-app-aol-otherservices
log
reset
class type inspect msnmsgr sdm-app-msn-otherservices
log
reset
class type inspect ymsgr sdm-app-yahoo-otherservices
log
reset
class class-default
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
log
reset
class type inspect http sdm-app-httpmethods
log
reset
class type inspect http sdm-http-allowparam
log
allow
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
log
class class-default
policy-map type inspect sdm-permit
class class-default
drop log
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
log
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface FastEthernet0
switchport access vlan 172
!
interface FastEthernet1
switchport access vlan 172
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
description $ETH-WAN$
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 2
pppoe-client dial-pool-number 1
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan172
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
no ip address
shutdown
!
interface Vlan172
description $FW_INSIDE$
ip address 172.20.20.100 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname *******
ppp chap password 0 *******
ppp pap sent-username ******* password 0 *******
!
ip local pool SDM_POOL_1 192.168.22.10 192.168.22.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 172.20.20.110 443 interface Dialer0 443
ip nat inside source static tcp 172.20.20.110 25 interface Dialer0 25
ip nat inside source static tcp 172.20.20.110 3389 interface Dialer0 3389
ip nat inside source static tcp 172.20.20.110 80 interface Dialer0 80
!
ip access-list extended ANYTODC
remark SDM_ACL Category=128
permit ip any host 172.20.20.110
ip access-list extended HTTPS
remark SDM_ACL Category=128
permit ip any host 172.20.20.110
ip access-list extended SDM_GRE
remark SDM_ACL Category=0
permit gre any any
ip access-list extended SMTP
remark SDM_ACL Category=128
permit ip any host 172.20.20.110
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan172
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.20.20.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 172.20.20.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
snmp-server community public RO
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password *******
transport input telnet ssh
!
scheduler max-task-time 5000
end

Help is appreciated !

Thanks in advance!
 
interface Vlan172
description $FW_INSIDE$
ip address 172.20.20.100 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412

You want

ip tcp adjust-mss 1452

Also, what switch are they connecting to? A regular unmanaged one? Post a sh int from whatever physical interface is connected to the switch. Nice ZBFW, by the way!

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Hi Burtsbees,

First is sh int f1 (that's where our network is connected):

NIS-Gateway#sh int f1
FastEthernet1 is up, line protocol is up
Hardware is Fast Ethernet, address is 0025.45ac.5ace (bia 0025.45ac.5ace)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 15000 bits/sec, 13 packets/sec
5 minute output rate 43000 bits/sec, 7 packets/sec
587638 packets input, 59939156 bytes, 0 no buffer
Received 44759 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
906675 packets output, 1127583338 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

Can I ask you why I need to set the MSS to 1452? I just read some info about MSS, and I understand that this is related to PPPoE, but why 1452 bytes?

Sorry for asking questions, but I want to understand why I am doing stuff :)

I have changed this value anyway!

The switch we use is an HP ProCurve 1800-24G (J9028B), a web-managed switch.

And what do you mean by "ZBFW"? :)

Thanks again!
 
I know what ZBFW is ;) Zone-based firewall, no need to explain that part ;)
 
1452 MSS = 1492 MTU. That is for ADSL.

 
Is MTU the only problem you can see in my config file?

Can I ask you one more thing? We have a DC server which is our DNS server as well; should I use the ISP's DNS server on the router, or use the DNS server from the LAN?

Or does it matter at all? Should I disable DNS on the router altogether?

Thanks
 
It's a rather large config to go through for a busy man like me all in one day :)

Someone else may jump in...be patient...

 
Your PCs and your server are on the same subnet, so they should be communicating directly.
When the problem occurs, you have dropped packets between PCs and Server.
The only way the router could be responsible for interrupting switched traffic that it isn't itself handling would be if it was generating a broadcast storm.
I notice on the router you have two interfaces in VLAN172 - what are these two interfaces connected to? One is your HP switch, the other...?
 
VinceWhirlwind,


It is a hard name to type in ;)

I have both these ports in one VLAN just to be able to plug my laptop into the spare one. We use wireless for laptops, and when I use the Cisco SDM tool it is very slow, so I prefer to be wired to the router, and then Cisco SDM works much faster.

So the interfaces are these:
F0 is my laptop
F1 is the switch

I am planning to have another port for a test VLAN 192, so we can connect computers that are under repair without exposing our LAN to untrusted PCs.

I'm familiar with broadcast storms, have had a few in the past at customer sites, but this is not the case at our site, as traffic is as calm as Belgian..

If this problem occurs again, any tips for troubleshooting from the router side?

Thanks again for your input on my problem!

Linas
 
You seem to be saying this thing happens on a predictable basis - I would monitor all switch ports at that time using an SNMP monitoring tool, as well as switch CPU/Memory.

If you have intermittent dropped pings - temporarily - that seems to be something hogging all your network for a period. Finding out which switchports go to high utilisation during this period would be good.
Alternatively, you may have address conflicts due to somebody doing something at that time - logging all events (debug level) from the switch (and router) to syslog at that time would be good.
Have a continuous ping going and when the problem occurs, check your syslog for which port(s) just came up.
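Vince's advice above (a continuous ping plus a look at syslog when it fails), as an added example that is not part of the thread: a small Python script that flags loss windows in a ping log (two or more of any five probes lost, as Linas described) and lists the syslog events that fall near them. The ping log, the syslog lines, the hostname lan-switch and the MAC address are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed ping log: one probe per second as (timestamp, reply received).
# Probes at :32, :33, :35 and :36 are lost, i.e. 2-3 of every 5 as in the thread.
PING_LOG = [(datetime(2007, 3, 21, 8, 14, s), s not in (32, 33, 35, 36))
            for s in range(28, 40)]

# Constructed syslog lines in IOS and ProCurve style; hostnames and MAC are made up.
SYSLOG = """\
Mar 21 08:13:02 NIS-Gateway %SYS-5-CONFIG_I: Configured from console by admin
Mar 21 08:14:31 lan-switch ports: port 7 is now on-line
Mar 21 08:14:34 NIS-Gateway %IP-4-DUPADDR: Duplicate address 172.20.20.110 on Vlan172, sourced by 0011.2233.4455
Mar 21 08:14:37 lan-switch ports: port 7 is now off-line
Mar 21 08:20:05 lan-switch ports: port 12 is now on-line
"""

SYSLOG_RE = re.compile(r"^(\w{3}) (\d+) (\d\d):(\d\d):(\d\d) (\S+) (.*)$")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_syslog(text, year):
    """Parse BSD-style syslog lines into (timestamp, host, message).
    The year is supplied by the caller because the timestamp carries none."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        mon, day, hh, mm, ss, host, msg = m.groups()
        ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
        events.append((ts, host, msg))
    return events


def loss_windows(ping_log, min_lost=2, span=5):
    """Return merged (start, end) ranges in which at least min_lost of any
    span consecutive probes were lost."""
    merged = []
    for i in range(len(ping_log) - span + 1):
        window = ping_log[i:i + span]
        if sum(1 for _, ok in window if not ok) < min_lost:
            continue
        start, end = window[0][0], window[-1][0]
        if merged and start <= merged[-1][1]:  # overlaps previous range: extend it
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def correlate(ping_log, syslog_text, year, slack=timedelta(seconds=5)):
    """Return the syslog events that fall within `slack` of any loss window."""
    windows = loss_windows(ping_log)
    return [ev for ev in parse_syslog(syslog_text, year)
            if any(s - slack <= ev[0] <= e + slack for s, e in windows)]
```

With the sample data, correlate(PING_LOG, SYSLOG, 2007) returns the port 7 link-up, the duplicate-address warning and the port 7 link-down, and leaves out the events outside the loss window.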
 
Vince,

Do you know any handy free SNMP monitoring tool?

This is going to be my first SNMP experience.

Thanks
 