Problems configuring Cisco 877w Router

corlanb

Technical User
May 20, 2009
9
CA
Hi all, I am new to Cisco and the CLI in particular. I recently acquired the 877w router for home office use. I was hoping to try and get it running using SDM but it seems the CLI is still needed. Total newbie to this stuff...I've managed to cobble together a functioning config...however I have got some key issues still:

After a few hours of use, I lose internet connectivity. It seems the DNS stops functioning. I have to power cycle the router and then it works again for another few hours.

Second, in the CLI I am getting the following recurring errors:
*Mar 2 06:41:23.419: *** Not encrypted dot1x packet from 0019.1dff.02c7 has been discarded
*Mar 2 06:41:23.419: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0019.1dff.02c7 Associated SSID[T Home] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Mar 2 06:41:33.975: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0019.1dff.02c7 Reason: Sending station has left the BSS SSID[T Home]

Not sure if these errors are related to me getting booted every few hours or if it is separate.

Here is my running config (apologies in advance), if anyone knows where I went wrong I would GREATLY appreciate it. The CLI commands to fix would be awesome. Thanks.

Using 5406 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone MDT -7
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1833490412
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1833490412
revocation-check none
rsakeypair TP-self-signed-1833490412
!
crypto pki certificate chain TP-self-signed-1833490412
certificate self-signed 01 nvram:IOS-Self-Sig#9.cer
dot11 syslog
!
dot11 ssid Work Remote
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 0
!
dot11 ssid T Home
vlan 20
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.224
default-router 10.10.10.1
dns-server 76.10.191.198 76.10.191.199
lease 0 2
!
ip dhcp pool Internal-net
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 76.10.191.198 76.10.191.199
domain-name domain1
lease 4
!
ip dhcp pool VLAN20
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 76.10.191.198 76.10.191.199
domain-name domain2
lease 4
!
!
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip domain name yourdomain.com
ip name-server 76.10.191.198
ip name-server 76.10.191.199
!
!
!
username privilege 15 secret 5 $1$D85L$p05dp6uRqKoZe6HiBObaF0
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/33
oam-pvc manage
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
ssid Work Remote
!
ssid T Home
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
description Guest wireless LAN - routed WLAN
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
ip access-group Guest-ACL in
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface Vlan1
description Internal Network
ip address 10.10.10.1 255.255.255.248
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer0
ip address 76.10.188.115 255.255.255.0
ip access-group Internet-inbound-ACL in
ip mtu 1452
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname
ppp chap password 0
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended Guest-ACL
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip list 1
no cdp run
!
!
!
control-plane
!
bridge 1 route ip
banner login ^CC
-----------------------------------------------------------------------
Banner Message
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
 
Look into changing your lease time on your DHCP address.
lease 4: change it to something with more life.
 
Hmmm the router should be set for static IP, not DHCP. But it looks like both sets of commands are in there. Could that be the problem?

interface Dialer0
ip address 76.10.188.115 255.255.255.0
ip access-group Internet-inbound-ACL in
ip mtu 1452
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname
ppp chap password 0

AND

ip inspect name MYFW tcp
ip inspect name MYFW udp
ip domain name yourdomain.com
ip name-server 76.10.191.198
ip name-server 76.10.191.199

The above is for static IP, correct? If so what is this for?

ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.224
default-router 10.10.10.1
dns-server 76.10.191.198 76.10.191.199
lease 0 2

I think it might be part of an old config. If this causes a problem, what commands do I need to get this last bit out of the CLI? Thank you very much.
 
What is at this MAC

0019.1dff.02c

???

Also, do a

router#conf t
router(config)#no ip dhcp pool sdm-pool

/
 
Hmm, well that MAC is a Nintendo Wii console I have connected to the Guest VLAN to download software updates. Interesting though that the Wii can get online no problem. Seems there is a bit of an authentication issue but now instead of the errors popping up every 15 seconds on the CLI it is just once after every login or reboot. I can live with that if it's not hurting anything.

Removed the extra dhcp pool line, thanks! Cleaned up the config but didn't solve my DNS problem. Here's the issue: it appears to be every 8 hours after a reboot I lose connectivity to the internet. I can ping IP addresses but cannot browse sites. I reload the router and am then good for another 8 hours. I tried loading DNS info directly into a client machine, but that doesn't help. I had a very basic config running before (ditched that config because I couldn't get the wireless going) and I didn't have this problem. So that leads me to think it's a config issue and not an ISP issue. Any ideas??
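
The association and deauthentication messages quoted in the first post can be tallied per station to see whether one client is cycling on and off the radio or many are. The Python below is an added example, not part of the thread: the first three sample lines are the poster's messages with the terminal wraps removed, the remaining lines are constructed, and the 30-second and two-session thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines 1-3 are the messages from the first post with the
# terminal line wraps removed; lines 4-7 are made up for illustration.
SAMPLE_LOG = """\
*Mar 2 06:41:23.419: *** Not encrypted dot1x packet from 0019.1dff.02c7 has been discarded
*Mar 2 06:41:23.419: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0019.1dff.02c7 Associated SSID[T Home] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Mar 2 06:41:33.975: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0019.1dff.02c7 Reason: Sending station has left the BSS SSID[T Home]
*Mar 2 06:41:38.102: *** Not encrypted dot1x packet from 0019.1dff.02c7 has been discarded
*Mar 2 06:41:38.102: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0019.1dff.02c7 Associated SSID[T Home] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Mar 2 06:41:48.611: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0019.1dff.02c7 Reason: Sending station has left the BSS SSID[T Home]
*Mar 2 07:02:10.000: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0200.0000.00aa Associated SSID[Work Remote] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
"""

STAMP = r"\*?(\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d{3}):\s+"
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
PATTERNS = {
    "assoc": re.compile(STAMP + r"%DOT11-6-ASSOC:.*Station\s+" + MAC + r"\s+Associated"),
    "deauth": re.compile(STAMP + r"%DOT11-6-DISASSOC:.*Station\s+" + MAC),
    "discard": re.compile(STAMP + r"\*\*\* Not encrypted dot1x packet from " + MAC),
}

def parse_time(text):
    # "service timestamps log datetime msec" prints no year; pin one (a leap
    # year, so Feb 29 parses) because only differences between stamps matter.
    return datetime.strptime("2000 " + " ".join(text.split()), "%Y %b %d %H:%M:%S.%f")

def summarize(log_text, flap_seconds=30.0):
    """Per-station counts of associations, short sessions (association to
    deauthentication within flap_seconds) and discarded dot1x frames."""
    stats = defaultdict(lambda: {"assoc": 0, "short_sessions": 0, "discards": 0})
    open_since = {}  # MAC -> time of the association still open
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            when, mac = parse_time(m.group(1)), m.group(2)
            if kind == "assoc":
                stats[mac]["assoc"] += 1
                open_since[mac] = when
            elif kind == "discard":
                stats[mac]["discards"] += 1
            elif mac in open_since:  # deauth that closes a known session
                if (when - open_since.pop(mac)).total_seconds() <= flap_seconds:
                    stats[mac]["short_sessions"] += 1
            break
    return dict(stats)

def flapping(stats, min_short_sessions=2):
    """MACs with at least min_short_sessions short sessions."""
    return sorted(m for m, s in stats.items() if s["short_sessions"] >= min_short_sessions)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for mac in flapping(result):
        print(mac, result[mac])
```
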
 
My tired eyes do not see anything that jumps out...

You should add these two lines under the dialer interface...

ppp ipcp dns request
ppp ipcp wins request

They do not have anything to do with the disconnects.

I am also curious about the static IP address and the fact that you only have chap, and not pap. Most configs that I know of have both---uses one and fails over to the other in case the first method fails. I would add these lines under the dialer as well...

ppp authentication pap chap callin
ppp pap sent-username [username] password [password]

Did the other setup use a static ip address rather than a negotiated one?

One more thing---can the router ping the internet when everything "disconnects"? If no, then please post the outputs of the following commands AFTER it disconnects...

sh ip route
sh int
sh dsl int

I am no wireless expert, so a wireless person will have to jump in if this is wireless related and not adsl related...

/
 
Hello again, I tried the
ppp ipcp dns request
ppp ipcp wins request
but I still got disconnected. I just rebooted now, I added the pap authentication as well now. My ISP had told me to just use one but no harm found in adding the PAP as well.

Yes when my router disconnects I can ping externally - for example I can hit 74.125.45.100 from the command line on my PC but I can not hit google.com. IM and my Outlook connection to Exchange Webmail stays up, so does VPN and I can continue using my VoIP phone, but I cannot hit websites. It is the strangest thing and I'm sure it's something simple I have missed. My old config that I did using SDM was static IP as well with the same settings and it used the same CHAP authentication. I don't know what to do?!? Thanks for coming back and helping me all the time.
 
Under the dhcp, change the lease to infinite, post back the results. It is definitely something with DNS...also, do the "import all"...

ip dhcp pool Internal-net
import all
lease infinite

Do that for all dhcp pools. The router should get dns crap from the ipcp config under the dialer interface---"import all" will import these settings and pass them off to your internal dhcp clients.

/
 
Unfortunately, still having the same problem. After 8 hours I have to reboot the router because I lose DNS completely. I am sorry to be such a bother! I really appreciate your help. Here is my running config including all the changes from this thread, perhaps this will shed some light?

Using 5397 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone MDT -7
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1833490412
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1833490412
revocation-check none
rsakeypair TP-self-signed-1833490412
!
!
crypto pki certificate chain TP-self-signed-1833490412
certificate self-signed 01 nvram:IOS-Self-Sig#9.cer
dot11 syslog
!
dot11 ssid <work>
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 0 <wpa key>
!
dot11 ssid <guest>
vlan 20
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 <wpa guest>
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool Internal-net
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 76.10.191.198 76.10.191.199
domain-name WORK
lease infinite
!
ip dhcp pool VLAN20
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 76.10.191.198 76.10.191.199
domain-name GUEST
lease infinite
!
!
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip domain name yourdomain.com
ip name-server 76.10.191.198
ip name-server 76.10.191.199
!
!
!
username <user> privilege 15 secret 5 $1$D85L$p05dp6uRqKoZe6HiBObaF0
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/33
oam-pvc manage
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
ssid <Work>
!
ssid <Guest>
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
description Guest wireless LAN - routed WLAN
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
ip access-group Guest-ACL in
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface Vlan1
description Internal Network
ip address 10.10.10.1 255.255.255.248
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer0
ip address 76.10.xxx.xxx 255.255.255.0
ip access-group Internet-inbound-ACL in
ip mtu 1452
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname <username>
ppp chap password 0 <password>
ppp pap sent-username <username> password 0 <password>
ppp ipcp dns request
ppp ipcp wins request
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended Guest-ACL
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip list 1
no cdp run
!
!
!
control-plane
!
bridge 1 route ip
banner login ^CC
-----------
Cisco Banner
-----------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
 
Hi there, I wonder if you are on the T1 or DSL, because your MTU is set to 1451. Give me an ip route of your network. After all that, check your vtp domain and if it is not Transparent try to make an adjustment and see if it changes. Also, if that did not help out, try
Router(Config)#no ip time-out http .
If this command did not work, set a vlan 1 on native.
 
Hi and thank you for helping. Unfortunately I am not sure what you are asking, I am very new to these things so I apologize I am slow. I am on ADSL here. Not sure what you mean by IP route or vtp domain. Can you send me the CLI commands to try? I sure appreciate it.

I also tried the no ip time-out http but it did not work (Invalid input). Do I need to configure a specific interface before entering that command?

Thanks again for your help.
 
No interface is required for this command; however, if you are on the old version of the software this command will not work. But just to be sure your software is up to date, give me show ver on the enable CLI, and try the CLI command line in the config mode. It might work.
 
Yeah here's what I get when I try that command:

yourname(config)#no ip time-out http
^
% Invalid input detected at '^' marker.


Here is the show ver result:

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 14-Aug-08 07:43 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

yourname uptime is 2 hours, 36 minutes
System returned to ROM by reload
System image file is "flash:c870-advsecurityk9-mz.124-15.T7.bin"
Last reload reason: Reload Command

Cisco 877W (MPC8272) processor (revision 0x300) with 118784K/12288K bytes of memory.
Processor board ID FHK1308274F
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
1 802.11 Radio
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102
 
You need to upgrade the memory. However, I am not sure if you will be able to erase some of your files from the memory.
Your memory is at max: 118784K/12288K. This is not enough to save the run-conf while it is operating. Because you are on the dynamic IP from Verizon, every time you view a web page your GW will be saved to replace with the original, so the system gets overloaded and releases the reload command by default, which is better not to stop. To be sure of this issue, let your router run on the network with no workstation connected to it, and after maybe 6 hours (since it will reboot every 3 hours) check the log. If there was no reload, here is the issue; if not, I will give you some commands to erase some unnecessary files from the memory.
 
Confirmed, I open the SDM and the system memory is half full or so but the 24k flash is almost maxed. Tried as you suggested, unplugged all network connections and then sent reload command. I don't know how to run logs using CLI so I came back 9 hours later, added one connection only and I was working OK. Seems actually that it was ok for 8 hours again, and then this afternoon it kicked me off again. Not sure if that confirms your suspicion or not?

And if I erase some unnecessary files from memory will it still work if I have to ever use the "reset" button on the unit? It's a company unit and I just want to make sure I don't ruin it. Thanks again for your help, sorry I'm such a novice with this stuff!
 
Problem solved...

I disconnected a Cisco VoIP phone that was not configured (constantly "registering"), that was connected to the FE0 port. Now that the phone is out of the mix I have been solid for 2 days now. My new challenge is to configure the VPN in the router for that phone but for now I will just enjoy the router working as it should! Thanks everyone for your help with this problem! You all are the best!
 