Intermittant connectivity problems with cisco 1811 3

[overmodulation]

Hello,

I recently configured and installed a cisco 1811 router at the office.

It works great except when I try to access some web sites (i.e. gmail, amazon, etc). Sometimes I can get to these sites fine and other times I can't at all. Meanwhile I have no issues at all accessing other sites.

Has anyone encountered this or something similar?

I don't have the firewall capabilities enabled in the router at all. I simply have a DSL coming into FastEthernet0 and a VLAN coming out into a switch and in turn to a few computers.

 

[whykap]

Sounds like a possible DNS issue to me. I would start there.

 

[overmodulation]

I thought so too but my DSN config is the same as it was with my previous router ... or so I'm pretty sure... will look some more..

 

[overmodulation]

It's definitely a DNS issue but I'm not sure how to fix it...

I have a local DNS server (had for several years) and it's the primary. The router has it as an ip name-server listing as well as an element of DHCP.

Additionally I have internet DNS servers specified as both

ip name-server xx.xx.xx.xx

and as part of my DHCP config

dns-server 192.168.1.11 xx.xx.xx.xx

Like I said, I get to this and many other sites just fine. It's sites like Gmail, Amazon and Ebay that I'm having issues with.

Obviously I shouldn't be going to these sites at work anyway *wink* but The Boss does and will ask about it sometime soon.

I got no choice but to make it work.

I'm not sure what else I am missing.

Should I add the router address as the secondary DNS server instead? I know the cheaper ones have that capability.. (this is my first cisco)

 

[Alterac]

Since you are running internal DNS,
1) ip name-server should be just your ISP DNS.
2) the DHCP dns-server should be just 192.168.1.11

If you mix your internal and external servers some clients act really weird.

 

[overmodulation]

Cool. Should I lose the ip name-server lines too and just have the local DNS server entered?

I mean, do I keep the lines that say

ip domain name mydomain.com
ip name-server 192.168.1.11
ip name-server [public dns1]
ip name-server [public dns2]

in addition to the

ip dhcp pool myDhcpPool
 dns-server 192.168.1.11

lines?

 

[Alterac]

I would remove the internal here, but it should be fine to leave in.

Like so:

ip domain name mydomain.com
ip name-server [public dns1]
ip name-server [public dns2]

 

[burtsbees]

This is also an indication of an MTU issue, so if it still happens, post a config, or drop the MTU to 1492 on the WAN interface.

Burt

 

[overmodulation]

I'm still having issues with DNS.

How do I change the MTU size?

Here's my running config:

Current configuration : 5288 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$.8O2$xwTpXCzYO9TcLUdFqU0lO0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.11
default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name xxx.com
ip name-server 4.2.2.1
ip name-server 4.2.2.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3410901997
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3410901997
revocation-check none
rsakeypair TP-self-signed-3410901997
!
!
crypto pki certificate chain TP-self-signed-3410901997
certificate self-signed 01
30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343130 39303139 3937301E 170D3037 31303139 31343536
31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34313039
30313939 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B9E4 4A1370D4 FC0B195C 1E13622C B3AD28AE 3E842AF1 9194E11A D3D0A84F
67878EF6 6AEA6929 A755D992 4C004193 4094BD6E F933BF1D CD8F76D8 6F4D4ACE
059FA2C9 240BEA01 4C9D1151 E5C97E3E 9371AA68 A551591A 19F59807 30C2EABA
8CBDBFB9 9DF6AD90 55A59B61 7A66C5B1 5EB34DAE 48214DD2 EB95D8B7 0CC4139F
36FD0203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603
551D1104 1E301C82 1A636973 636F3138 31312E4F 6E486F6C 644D6564 6961302E
636F6D30 1F060355 1D230418 30168014 2967373F BAD6B1C0 1B5FAA2F D16D3E48
F1EE7E20 301D0603 551D0E04 16041429 67373FBA D6B1C01B 5FAA2FD1 6D3E48F1
EE7E2030 0D06092A 864886F7 0D010104 05000381 81008F81 228EE003 854B0245
B5616954 A662E9F6 01B8AFE2 0C95FC65 B45B1409 E85A3031 AD4E87E1 5C0A3759
726D574F 57F739D3 6916932F 798FC6D5 A6A07AE9 359F02DB 65B6F972 457DB7DA
032BACB1 E4A09AE8 E30D77EF 2E26DAF2 1E60C730 FFBAA32D 267802B3 396D2D39
216BA803 234AD5D0 2EF06C14 5BF06AAC FE4CA47D C7E3
quit
username OhMyGoodness privilege 15 secret 5 $1$PJiv$y2KyJOEh2Yjm0Y34BeJhJ0
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$
ip address xx.xx.xx.xx 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet1
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address xx.xx.xx.xx 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.11 1433 interface FastEthernet0 1433
ip nat inside source static tcp 192.168.1.8 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.1.8 119 interface FastEthernet0 119
ip nat inside source static tcp 192.168.1.8 65531 interface FastEthernet0 65531
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

Please note that I have 2 WANs configured but only one connected (FastEthernet0). I will eventually try to incorporate loadbalancing but for now, just want to get internet access tightened up.

 

[burtsbees]

on int fa0...
ip mtu 1492
and I would also add...
ip tcp adjust-mss 1452

Burt

 

[overmodulation]

Thank you Burtsbees.

I entered the config and ran a reload and it appears to be behaving nicely.

 

[burtsbees]

Great! I had the same problem when I first fired up my C837 for ADSL, and the page that would not load was Cisco.com! Glad it's working.

Burt

 

[overmodulation]

I spoke too soon. It's still doing it.

Gmail comes and goes. So do a couple other sites...

Any other thoughts?

 

[burtsbees]

Try extended ping with sweep ranges, df bit off...perhaps lower mtu...post the new config. Any VLANs with ISL trunking?

Burt

 

[baddos]

I see a problem

ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 0.0.0.0 0.0.0.0 FastEthernet0

It looks like you are using 2 equal cost default routes for WAN connections, but I only see 1 NAT translation....

ip nat inside source list 1 interface FastEthernet0 overload

Is this intended? If so you will certainly need a NAT command for your link on fa1.

 

[Alterac]

I agree with Baddos, but as you said F1 is not connected at the moment. So I would take the route to it down until this current issue is resolved.

int f1
shut

no route 0.0.0.0 0.0.0.0 int F1

then see if the issues clear up.

 

[baddos]

Ah didn't read that part

 

[baddos]

Something that would help though would be a better defined default route. Get the IP address of the neighbor router on fa0 and replace:

ip route 0.0.0.0 0.0.0.0 FastEthernet0

with

ip route 0.0.0.0 0.0.0.0 ip.of.my.neighbor

Maybe your router is having troubles finding a router on that /24 subnet. Also what kind of device is on that ethernet port? A DSL/Cable modem or is an actual LAN link?

 

[burtsbees]

He says that some sites he has problems getting to, and others always work fine. If it's not an MTU issue (try lowering ip mtu to 1452 and ip tcp adjust-mss to 1412), then it could be a black hole route...time to do a traceroute to gmail and amazon.

Burt

 

[overmodulation]

Thank you all for your input. I will certainly be making these changes when I get back to the office Monday. I took the device down temporarily while I am out of state for the weekend.

To Baddos, I don't have fa1 up right now, just fa0. Both are ADSLs. I want to be able to use both though but haven't messed with load balancing or configuring use of both. I will shutdown fa1 though while it's not in use.

Eventually when the 2 ADSLs are connected to the 1811, I'm going to run it into a Cisco ASA 5510 which I have barely messed with yet. I want to run both the 1811 and a T1 into the ASA and then have my servers in a DMZ and 1 or 2 VLANs with DHCP distributed through the ASA. Then I'll move all the internal traffic to the ASA.

I'm just trying to get used to using and configuring the Cisco equipment. The 1811 was the better of the two to get my hands wet on I suppose.

I'm in an office with 15 people and have only 5 comps running through it (including that SQL Server). I'm an all purpose IT guy with a specialty in web programming who needs to become a Cisco guy haha. It's cool though. I like this Cisco stuff.