My Cisco 3825 keeps blocking HTTP traffic at least 3-4 times a day until a hard reboot is done. My observations are: you can trace and ping to the internet, but cannot access any of the configured IPsec tunnels or RDP services. This usually happens in the evening hours, late at night, and at any time on weekends.
Below are the running configs. Please note this is the second router installed, as the 2811 that was running before was maxed out on memory usage.
==========================================================
#sh run
Load for five secs: 27%/23%; one minute: 25%; five minutes: 25%
Time source is NTP, *10:25:51.897 EAT Tue Jun 23 2009
Building configuration...
Current configuration : 16548 bytes
!
version 12.4
configuration mode exclusive manual
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
!
boot-start-marker
warm-reboot uptime 10
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 8
logging message-counter syslog
logging buffered 51200
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone EAT 3
!
dot11 syslog
no ip source-route
ip arp proxy disable
no ip gratuitous-arps
ip dhcp smart-relay
!
!
ip cef
!
!
ip domain name accesskenya.com
ip name-server 196.200.16.2
ip name-server 196.200.16.27
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
logging enable
hidekeys
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
!
!
crypto map MHC-VPNS client authentication list sdm_vpn_xauth_ml_1
crypto map MHC-VPNS isakmp authorization list sdm_vpn_group_ml_1
crypto map MHC-VPNS client configuration address respond
crypto map MHC-VPNS 1 ipsec-isakmp
description Tunnel MSA OFFICE
set peer 196.207.28.234
set transform-set msavpn
set pfs group2
match address MSA-VPN
crypto map MHC-VPNS 2 ipsec-isakmp
description Tunnel DSHOME
set peer 41.206.48.158
set transform-set msavpn
match address DSHOME-VPN
crypto map MHC-VPNS 3 ipsec-isakmp
description Tunnel VIT-VPN
set peer 217.207.116.242
set transform-set msavpn
match address VIT-VPN
crypto map MHC-VPNS 4 ipsec-isakmp
description Tunnel AGGREY'S-VPN
set peer 196.200.28.10
set transform-set myset
match address AGGREY'S-VPN
crypto map MHC-VPNS 5 ipsec-isakmp
description Tunnel SECURITY-VPN
set peer 196.207.31.40
set transform-set myset
match address BPVPN
crypto map MHC-VPNS 6 ipsec-isakmp
description Tunnel OPENVIEW-VPN
set peer 41.220.115.162
set transform-set msavpn
set pfs group2
match address OPENVIEW
crypto map MHC-VPNS 7 ipsec-isakmp
description Tunnel JSMUTHAIGA
set peer 196.207.21.66
set transform-set msavpn
match address JSMUTHAIGA-VPN
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
!
!
!
interface GigabitEthernet0/0
description TO-INTERNET$FW_OUTSIDE$
bandwidth 7000
ip address 41.206.48.74 255.255.255.252
ip access-group 2010 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
load-interval 60
duplex auto
speed auto
media-type rj45
no mop enabled
crypto map MHC-VPNS
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
ip address 196.200.19.105 255.255.255.248 secondary
ip address 172.17.8.1 255.255.252.0 secondary
ip address 196.200.19.225 255.255.255.240 secondary
ip address 172.17.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/1.200
encapsulation dot1Q 200
ip helper-address 172.17.1.10
ip helper-address 172.17.1.11
ip helper-address 172.17.1.29
ip helper-address 172.17.1.16
ip nat inside
ip virtual-reassembly
shutdown
no cdp enable
!
interface GigabitEthernet0/1.300
encapsulation dot1Q 300
ip helper-address 172.17.1.17
ip helper-address 172.17.1.10
ip helper-address 172.17.1.11
ip helper-address 172.17.1.29
ip helper-address 172.17.1.16
ip helper-address 172.17.1.28
ip nat inside
ip virtual-reassembly
shutdown
no cdp enable
!
interface GigabitEthernet0/1.400
encapsulation dot1Q 400
ip helper-address 172.17.1.17
ip helper-address 172.17.1.10
ip helper-address 172.17.1.11
ip helper-address 172.17.1.29
shutdown
no cdp enable
!
interface GigabitEthernet0/1.500
encapsulation dot1Q 500
ip helper-address 172.17.1.17
ip helper-address 172.17.1.10
ip helper-address 172.17.1.11
ip helper-address 172.17.1.29
ip nat inside
ip virtual-reassembly
shutdown
no cdp enable
!
interface GigabitEthernet0/1.600
description ENG/STORES/ATHOME
encapsulation dot1Q 600
ip address 172.17.12.1 255.255.255.0
ip helper-address 172.17.1.16
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/1.1000
encapsulation dot1Q 1000
shutdown
no cdp enable
!
ip forward-protocol nd
ip forward-protocol udp bootpc
ip route 0.0.0.0 0.0.0.0 41.206.48.73
ip route 1.0.0.0 255.0.0.0 Null0
ip route 2.0.0.0 255.0.0.0 Null0
ip route 5.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.17.1.217 255.255.255.255 Null0
ip route 192.168.36.0 255.255.255.0 172.17.1.3
ip route 192.168.110.251 255.255.255.255 Null0
ip route 223.0.0.0 255.0.0.0 Null0
no ip http server
ip http access-class 55
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool MAIL-SERVER 196.200.19.110 196.200.19.110 netmask 255.255.255.248
ip nat inside source list MAIL-SERVER pool MAIL-SERVER
ip nat inside source route-map MHC-NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.17.8.10 3389 196.200.19.106 8039 extendable
ip nat inside source static tcp 172.17.1.254 20 196.200.19.107 20 extendable
ip nat inside source static tcp 172.17.9.35 3389 196.200.19.107 3389 extendable
ip nat inside source static tcp 172.17.1.254 21 196.200.19.107 8021 extendable
ip nat inside source static tcp 172.17.1.8 25 196.200.19.110 25 extendable
ip nat inside source static tcp 172.17.1.8 110 196.200.19.110 110 extendable
ip nat inside source static tcp 172.17.1.8 143 196.200.19.110 143 extendable
ip nat inside source static tcp 172.17.1.8 3005 196.200.19.110 3005 extendable
ip nat inside source static tcp 172.17.1.15 8080 196.200.19.110 8080 extendable
ip nat inside source static tcp 172.17.1.13 3389 196.200.19.225 3389 extendable
ip nat inside source static tcp 172.17.1.14 8082 196.200.19.225 8082 extendable
ip nat inside source static tcp 172.17.1.250 3389 196.200.19.226 3389 extendable
!
ip access-list standard ALLOWED-OUT
remark SUBNETS ALLOWED FROM MHC-LAN
permit 172.17.1.0 0.0.0.255
permit 196.200.19.104 0.0.0.7
permit 196.200.19.224 0.0.0.15
permit 41.220.114.12 0.0.0.3
permit 41.215.5.248 0.0.0.7
permit 172.17.8.0 0.0.3.255
permit 41.215.127.0 0.0.0.255
deny any
ip access-list standard SNMP-ACL
!
ip access-list extended AGGREY'S-VPN
permit ip 172.17.1.0 0.0.0.255 192.168.133.0 0.0.0.255 log
ip access-list extended BPVPN
remark VPN to BP Security Segment
permit ip 172.17.1.0 0.0.0.255 192.168.31.0 0.0.0.255
ip access-list extended DSHOME-VPN
remark DSHOME-VPN TRAFFIC
permit ip 172.17.1.0 0.0.0.255 172.17.117.0 0.0.0.255 log
ip access-list extended JSMUTHAIGA-VPN
remark JSMUTHAIGA-VPN TRAFFIC
permit ip 172.17.1.0 0.0.0.255 172.17.116.0 0.0.0.255 log
ip access-list extended MAIL-SERVER
permit ip host 172.17.1.8 any
ip access-list extended MHC-NAT
deny ip 172.17.8.0 0.0.3.255 192.168.10.0 0.0.0.255
deny ip 172.17.1.0 0.0.0.255 172.17.117.0 0.0.0.255 log
deny ip 172.17.1.0 0.0.0.255 192.168.1.0 0.0.0.255 log
deny ip 172.17.1.0 0.0.0.255 172.17.8.0 0.0.0.255 log
deny ip 172.17.1.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 172.17.1.0 0.0.0.255 172.17.16.0 0.0.0.255 log
deny ip 172.17.1.0 0.0.0.255 172.17.3.0 0.0.0.255 log
deny ip 172.17.1.0 0.0.0.255 192.168.0.0 0.0.0.255 log
deny ip 172.17.1.0 0.0.0.255 192.168.31.0 0.0.0.255
deny ip 172.17.1.0 0.0.0.255 172.17.116.0 0.0.0.255 log
deny ip 172.17.1.0 0.0.0.255 172.17.0.0 0.0.0.255 log
deny ip 172.17.1.0 0.0.0.255 192.168.250.0 0.0.0.255
deny ip 172.17.1.0 0.0.0.255 192.168.36.0 0.0.0.255
permit ip 172.17.8.0 0.0.3.255 any
permit ip 172.17.1.0 0.0.0.255 any
ip access-list extended MSA-VPN
remark MSA-VPN TRAFFIC
permit ip 172.17.1.0 0.0.0.255 192.168.1.0 0.0.0.255 log
ip access-list extended OPENVIEW
permit ip 172.17.1.0 0.0.0.255 192.168.10.0 0.0.0.255 log
permit ip 172.17.8.0 0.0.3.255 192.168.10.0 0.0.0.255
ip access-list extended VIT-VPN
remark VIT-VPN TRAFFIC
permit ip 172.17.1.0 0.0.0.255 172.17.0.0 0.0.0.255 log
ip access-list extended spam-test
permit tcp 172.17.1.0 0.0.0.255 any eq smtp log
permit ip any any
!
ip access-list logging interval 100000
logging 172.17.1.83
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 55 remark SDM-ACL
access-list 55 permit 41.220.123.138
access-list 55 permit 196.200.26.42
access-list 55 permit 41.220.125.74
access-list 55 permit 172.17.1.0 0.0.0.255 log
access-list 55 permit 196.207.31.0 0.0.0.255 log
access-list 55 permit 196.200.16.0 0.0.0.255 log
access-list 55 deny any log
access-list 150 permit ip 172.17.1.0 0.0.0.255 any
access-list 150 permit icmp 172.17.1.0 0.0.0.255 any
access-list 150 remark CAR-UDP ACL
access-list 150 permit udp any any
access-list 160 remark ICMP-ACL
access-list 160 permit icmp any any
access-list 2010 remark ANTI-BOGON ACL
access-list 2010 permit ip host 10.255.255.250 any
access-list 2010 deny ip 10.0.0.0 0.255.255.255 any
access-list 2010 deny ip 192.168.0.0 0.0.255.255 any
access-list 2010 deny ip host 41.206.48.74 any
access-list 2010 deny ip 196.200.19.104 0.0.0.7 any
access-list 2010 deny ip 196.200.19.224 0.0.0.15 any
access-list 2010 permit ip 172.16.99.0 0.0.0.255 any log-input
access-list 2010 permit ip 172.16.100.0 0.0.0.255 any
access-list 2010 deny ip 172.16.0.0 0.15.255.255 any
access-list 2010 deny ip 0.0.0.0 0.255.255.255 any
access-list 2010 deny icmp any any fragments
access-list 2010 permit tcp host 41.220.123.138 host 196.200.19.110 eq 8080
access-list 2010 permit tcp host 41.220.125.74 host 196.200.19.110 eq 8080
access-list 2010 permit tcp host 41.220.125.70 host 196.200.19.110 eq 8080
access-list 2010 permit tcp host 41.206.45.218 host 196.200.19.110 eq 8080
access-list 2010 permit tcp host 196.207.31.61 host 196.200.19.110 eq 8080
access-list 2010 permit tcp host 196.200.28.62 host 196.200.19.110 eq 8080
access-list 2010 permit tcp 196.200.16.0 0.0.0.255 host 196.200.19.110 eq 8080
access-list 2010 permit tcp host 196.207.28.234 host 196.200.19.110 eq 8080
access-list 2010 permit tcp host 196.207.31.56 host 196.200.19.110 eq 8080
access-list 2010 permit tcp host 196.207.23.182 host 196.200.19.110 eq 8080
access-list 2010 permit tcp host 41.215.18.34 host 196.200.19.110 eq 8080
access-list 2010 deny tcp any host 196.200.19.110 eq 8080
access-list 2010 permit tcp host 41.220.123.138 host 196.200.19.225 eq 8082
access-list 2010 permit tcp host 41.220.125.74 host 196.200.19.225 eq 8082
access-list 2010 permit tcp host 41.220.125.70 host 196.200.19.225 eq 8082
access-list 2010 permit tcp host 41.206.45.218 host 196.200.19.225 eq 8082
access-list 2010 permit tcp host 196.207.31.61 host 196.200.19.225 eq 8082
access-list 2010 permit tcp host 196.200.28.62 host 196.200.19.225 eq 8082
access-list 2010 permit tcp 196.200.16.0 0.0.0.255 host 196.200.19.225 eq 8082
access-list 2010 permit tcp host 196.207.28.234 host 196.200.19.225 eq 8082
access-list 2010 permit tcp host 196.207.31.56 host 196.200.19.225 eq 8082
access-list 2010 permit tcp host 196.207.23.182 host 196.200.19.225 eq 8082
access-list 2010 permit tcp host 41.215.18.34 host 196.200.19.225 eq 8082
access-list 2010 deny tcp any host 196.200.19.225 eq 8082
access-list 2010 permit ip any any
snmp-server community xxxx RO SNMP-ACL
no cdp run
!
!
!
route-map MHC-NAT permit 1
match ip address MHC-NAT
!
!
!
control-plane
!
alias exec proc show proc cpu | excl 0.00%__0.00%__0.00
alias exec traffic sh ip nbar protocol-discovery stats bit top-n 10
alias exec lc sh arch l c a
alias exec top sh ip f t
!
line con 0
line aux 0
line vty 0 4
access-class TELNETACCESS in
exec-timeout 30 0
privilege level 15
logging synchronous
exec prompt timestamp
transport input telnet
line vty 5 10
access-class TELNETACCESS in
exec-timeout 30 0
privilege level 15
logging synchronous
exec prompt timestamp
transport input ssh
line vty 11 15
access-class 23 in
privilege level 15
transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp authentication-key 5 md5
ntp authenticate
ntp trusted-key 5
ntp update-calendar
ntp server 196.200.16.253
end
============================================================
Any ideas?
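As an added illustration (not part of the original post), the following Python evaluates a packet against the posted access-list 2010 the way IOS processes it: top down, first match wins, wildcard masks, implicit deny at the end. The ACL is trimmed to the entries the constructed sample packets exercise, and the outside sources 203.0.113.5 and 10.1.2.3 are made up; it shows that inbound RDP to the statically NATed 196.200.19.225 falls through to the final permit ip any any, so this ACL can be ruled out for that flow.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# access-list 2010 as posted (applied inbound on Gi0/0), original order kept
# but trimmed to the entries the constructed sample packets below exercise.
ACL_2010 = """
permit ip host 10.255.255.250 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 41.206.48.74 any
deny ip 196.200.19.104 0.0.0.7 any
deny ip 196.200.19.224 0.0.0.15 any
deny ip 0.0.0.0 0.255.255.255 any
deny icmp any any fragments
permit tcp host 41.220.123.138 host 196.200.19.110 eq 8080
permit tcp 196.200.16.0 0.0.0.255 host 196.200.19.110 eq 8080
deny tcp any host 196.200.19.110 eq 8080
deny tcp any host 196.200.19.225 eq 8082
permit ip any any
""".strip().splitlines()

@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None    # destination port for tcp/udp
    noninitial_fragment: bool = False

def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A' or
    'A WILDCARD' (wildcard bit 1 = don't care). Returns (matcher, next)."""
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    if tokens[i] == "host":
        base = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda a, b=base: a == b), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    care = ~int(ipaddress.IPv4Address(tokens[i + 1])) & 0xFFFFFFFF
    return (lambda a, b=base, c=care: ((a ^ b) & c) == 0), i + 2

def parse_ace(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT] [log|log-input|fragments]'.
    Only 'eq' on the destination port is modelled (all this ACL uses)."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport, i = int(t[i + 1]), i + 2
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst,
            "dport": dport, "flags": set(t[i:])}

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not ace["src"](int(ipaddress.IPv4Address(pkt.src))):
        return False
    if not ace["dst"](int(ipaddress.IPv4Address(pkt.dst))):
        return False
    # the 'fragments' keyword restricts an entry to non-initial fragments
    if "fragments" in ace["flags"] and not pkt.noninitial_fragment:
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport

def evaluate(acl, pkt):
    """First matching entry wins; the implicit deny at the end is returned
    as ('deny', None) so unmatched traffic is visible as such."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", None

if __name__ == "__main__":
    # Constructed sample packets arriving on Gi0/0 from the internet
    for p in (Packet("tcp", "41.220.123.138", "196.200.19.110", 8080),
              Packet("tcp", "203.0.113.5", "196.200.19.225", 3389)):
        print(p.src, "->", p.dst, p.dport, evaluate(ACL_2010, p))
```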