RE: Cisco 1841 & Windows Update Error 2

Status
Not open for further replies.

Hel27n (IS-IT--Management), Mar 2, 2005, GB
Hello,

I have recently purchased a new Cisco 1841 Router. I have it set up so that it connects via ADSL to the internet. The computers on my network go through a ProxyServer and then the Cisco Router to access the Internet.

All seems to be OK apart from when trying to log on to Hotmail and when running Windows Update.

When running Windows Update an Error 0x800A138F is returned. I thought that the Router may be blocking Port 443, but when I check the Router's 'SDM Default Rules' there already is an entry permitting any source - any destination - dest:443/tcp.

Can anyone help me with this as I am quite lost as to what to do next.
 
Windows Update accesses your PC directly, but since you have a proxy this step is not performed as Windows Update expects.
 
I have always had the computers in my network joined through a proxy server and running Windows Update was never a problem.

However, I have also tried bypassing the proxy but I still get the same error 0x800A138F. This is why I know that the problem lies at the Router.

Thanks,

 
That being the case, there is not enough info on the router's configuration. Try to post your configuration safely.
 
Thanks, I shall post the config tomorrow.
 
Are you allowing SSL connections from the Proxy & also through the router? I had some issues a while ago with an ACL stopping Windows Update working. I had quite a restrictive ACL configured and my first guess was SSL (TCP port 443) and I was right - I allowed this and Windows Update kicked into life.

Andy
 
Below is the current config of the Router. Please note that when I use the SDM web interface feature of the router I see the following, even though I can't see the equivalent to this when viewing the config via HyperTerminal:
ACL Editor -> SDM Default Rules -> SDM_Default_194 = Permit Source, any - Destination, any -dest:443/tcp.

HyperTerminal Config:-

Current configuration : 4610 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxx@xxx.xxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret xxxxxxxxxxxxx
!
username administrator privilege 15 secret xxxxxxxxxxx
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip tcp synwait-time 10
!
ip ips po max-events 100
no ip bootp server
ip name-server 213.120.62.103
ip name-server 213.120.62.104
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$$INTF-INFO-FE 0$
ip address 217.46.x.x 255.255.255.x
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.6 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Dialer4
description $FW_OUTSIDE$
ip unnumbered FastEthernet0/0
ip access-group 101 in
ip mtu 1452
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxx@xxx.xxx
ppp chap password xxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer4
ip http server
ip http authentication local
ip http secure-server
!
logging trap debugging
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp host 217.46.x.x any eq pop3
access-list 100 permit tcp host 217.156.x.x any eq pop3
access-list 100 permit tcp host 217.156.x.x any eq smtp
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 217.46.x.x eq pop3
access-list 101 permit tcp any host 217.46.x.x eq pop3
access-list 101 permit tcp any host 217.46.x.x eq smtp
access-list 101 permit udp host 213.120.62.104 eq domain host 217.46.x.x
access-list 101 permit udp host 213.120.62.103 eq domain host 217.46.x.x
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
end


 
try adding
ip tcp adjust-mss 1452
to your dialer
 
Am I thick if I ask what this command will do?
 
Hi,

I added 'ip tcp adjust-mss 1452' to Dialer4 and I am still getting the same 0x800A138F Error.

I have also added rules to both the Inbound & Outbound interfaces to allow Any Source - Any Dest dest:443/tcp.

All this has had no effect.

Any further ideas?
 
Have you tried removing all ACLs and the IP Inspection rules from your interfaces just to make sure it will work without them?

Andy
 
I have used the SDM to remove all rules from the firewall and I still get the error. There are default rules which the SDM will not allow me to edit; can I change these if I use HyperTerminal? If so, can you tell me (from the config listed above) which I should remove and what command I should use to remove them?

 
Remove the 'ip access-group xxxx' commands from FastEthernet0/0 & Dialer4, also remove the 'ip inspect DEFAULT100 out' from the Dialer4 interface.

I have a very similar setup to you, albeit an MS Proxy Server (ISA) and a smaller router (1720), but Windows Update works a treat. Looking at your configuration, it may be that the ACL on your FastEthernet0/0 interface isn't triggering the IP Inspection rules and therefore isn't opening the ports. You could try changing your outbound ACL to be:

access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp host 217.46.x.x any eq pop3
access-list 100 permit tcp host 217.156.x.x any eq pop3
access-list 100 permit tcp host 217.156.x.x any eq smtp

access-list 100 permit tcp 217.156.x.x 0.0.0.255 any

access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any

You will need to change the new line to fit your subnet, or use 'tcp any any' instead.

Andy
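To make the ACL and inspection discussion above concrete, here is an added example (mine, not code from Helen's config or Andy's posts): a small evaluator that applies a Cisco IOS numbered ACL the way the router does, top-down, first match wins, implicit deny at the end, with Cisco wildcard masks. It is fed a reconstruction of the posted inbound ACL 101 from Dialer4; the redacted 217.46.x.x host is stood in by 203.0.113.10 and the Windows Update server by 198.51.100.5, both RFC 5737 documentation addresses and constructed values. It then shows why the static ACL alone drops the reply half of an outbound HTTPS session, and models the temporary reverse-path entry that CBAC (`ip inspect DEFAULT100 out`, with `tcp` in the inspect list) installs so that the reply is permitted.

```python
"""Cisco IOS numbered-ACL evaluator: top-down, first match wins, implicit deny.
Added example for this thread, not code from the original posts."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"pop3": 110, "smtp": 25, "domain": 53, "www": 80}

@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None   # IOS keyword such as "echo-reply"

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (matcher, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        a = int(ipaddress.IPv4Address(tok[i + 1]))
        return (lambda ip, a=a: int(ip) == a), i + 2
    a = int(ipaddress.IPv4Address(tok[i]))
    w = int(ipaddress.IPv4Address(tok[i + 1]))  # wildcard: 1 bits are "don't care"
    return (lambda ip, a=a, w=w: (int(ip) | w) == (a | w)), i + 2

def _port(tok, i):
    """Parse an optional 'eq PORT' at tok[i] (the only operator the posted ACLs use)."""
    if i < len(tok) and tok[i] == "eq":
        p = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        return (lambda x, p=p: x == p), i + 2
    return (lambda x: True), i

def parse_acl(text, number):
    """Return the ACEs of numbered ACL `number` as tuples, in configured order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)] or len(tok) < 5 or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        icmp_type = tok[i] if proto == "icmp" and i < len(tok) and tok[i] != "log" else None
        entries.append((action, proto, src, sport, dst, dport, icmp_type, line.strip()))
    return entries

def evaluate(entries, pkt):
    """Return (action, matching ACE text); falling off the end is the implicit deny."""
    for action, proto, src, sport, dst, dport, icmp_type, text in entries:
        if proto not in ("ip", pkt.proto):
            continue
        if not (src(ipaddress.IPv4Address(pkt.src)) and dst(ipaddress.IPv4Address(pkt.dst))):
            continue
        if proto in ("tcp", "udp") and not (sport(pkt.sport) and dport(pkt.dport)):
            continue
        if proto == "icmp" and icmp_type and icmp_type != pkt.icmp_type:
            continue
        return action, text
    return "deny", "implicit deny at end of ACL"

def inspect_reverse_entry(outbound):
    """Model the temporary reverse-path ACE that CBAC ('ip inspect ... out') installs
    for an inspected outbound session: it permits exactly the reply 4-tuple."""
    return ("permit", outbound.proto,
            lambda ip: str(ip) == outbound.dst, lambda p: p == outbound.dport,
            lambda ip: str(ip) == outbound.src, lambda p: p == outbound.sport,
            None, f"dynamic inspect entry for {outbound.src}:{outbound.sport}")

# Inbound ACL on Dialer4 as posted; the redacted 217.46.x.x host is stood in by
# 203.0.113.10 (RFC 5737 documentation range, a constructed value).
ACL101 = """
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 203.0.113.10 eq pop3
access-list 101 permit tcp any host 203.0.113.10 eq smtp
access-list 101 permit udp host 213.120.62.104 eq domain host 203.0.113.10
access-list 101 permit udp host 213.120.62.103 eq domain host 203.0.113.10
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
"""

def https_reply_decisions():
    """HTTPS from the proxy's public address to a constructed server 198.51.100.5,
    then the server's reply checked against ACL 101 alone and with the CBAC entry."""
    acl = parse_acl(ACL101, 101)
    out = Packet("tcp", "203.0.113.10", "198.51.100.5", sport=50000, dport=443)
    reply = Packet("tcp", out.dst, out.src, sport=out.dport, dport=out.sport)
    return evaluate(acl, reply)[0], evaluate([inspect_reverse_entry(out)] + acl, reply)[0]

if __name__ == "__main__":
    print(https_reply_decisions())  # ('deny', 'permit')
```

Two things the evaluator makes visible that are easy to miss when reading the config by eye. First, nothing in ACL 101 permits TCP 443 replies, so HTTPS only works while the inspection rule is on Dialer4 and is actually seeing the outbound SYN; if the session never passes the inspected interface, or inspection is removed while the ACL stays, the reply dies on the final `deny ip any any log` line. Because that line logs, `show logging` on the router (buffered logging is set to debugging in the posted config) is the quickest way to confirm what is being dropped. Second, order matters: the anti-spoofing `deny` lines for RFC 1918 sources sit below the `permit tcp any host ... eq pop3/smtp` lines, so a packet with a private source address aimed at port 25 or 110 matches the permit first; and DNS replies are only accepted from the two listed BT resolvers, so changing name servers without updating the ACL will silently break resolution.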
 
Hi Andy,

Thanks for your suggestions. I have tried this and I am still getting the same error. Is there anything else that could be causing the problem, e.g. a timeout etc.?

Thanks,

Helen
 
If you take the ACLs and the Inspection rules off then it should work, as you will be blocking nothing. What version of Windows are you running? I know Windows XP must be either SP1 or SP2 to work now since MS changed things. Is the clock more or less correct on the PC, as I know there are issues if it is too far out?

After that I am struggling..... How about trying the PC via dialup just to make sure Windows Update works over that?

Andy
 
Hi Andy,

I am running Windows Server 2003 & Windows 2k Pro. I used to have a BT / 2Wire Router in place and the Updates worked fine. I only started having problems when the Cisco Router was installed.

Planning on spending a full day on this tomorrow evening and I will get back to you then.

Thanks for your help,

Helen.
 
Hi,

I have tried all of the above and I am still getting the same error message when running Windows Update, and not getting access to Hotmail when I enter my logon details.

When I had the BT/2Wire Router in place all I had to do was set the Private Network IP Address of the Router to 192.168.1.1
and
set the Public Network IP Address of the Router to 217.46.x.x, 255.255.255.248
and
the proxy had an ext. IP of 192.168.1.2
--------------------------------------------------
Here is my current setup:-

Internal Network:
192.168.9.x
192.168.10.x

ProxyServer:
Internal: 192.168.10.x, 255.255.255.252
External: 217.46.x.x, 255.255.255.248

Router: 217.46.x.x, 255.255.255.248

Does this help the situation any? Perhaps NAT is required between the 217.46.x.x & 192.168.x.x addresses?
 
I just noticed that the NAT statements are missing, add the following to global configuration and see if this makes a difference:

ip access-list standard Internal-Networks
permit 192.168.9.0 0.0.0.255
permit 192.168.10.0 0.0.0.255
!
ip nat inside source list Internal-Networks interface Dialer4 overload

Andy
 
Thanks for this Andy. I have just one question.

Seeing as all computers on the network access the internet via the proxy, will I have to change these settings again, or will the ext. IP of 217.46.x.x & the int. IP of 192.168.10.x (see above) still be OK?

Helen.
 
Hang on I think I may be a bit confused here....

Your FE interface is 217.46.x.x/29. Your Proxy has 2 interfaces - inside and outside (outside being a public IP address - 217.46.x.y). Does your Proxy Route IP or is it purely a Proxy? If it doesn't route you shouldn't need NAT and you can remove the 'ip nat inside' & 'ip nat outside' statements from the FE and Dialer interfaces.

So remove the ACLs from the interfaces, remove the IP inspection rules from the interfaces and remove the IP nat statements from the interfaces and try that. If that works, re-apply the ACLs and IP inspection rules and test it again.

Andy
 