
Removing LOG statement from ACL stops DHCP on WAN Interface (2651) ?


Nimroduk (Programmer, GB), Aug 10, 2006
Hi all.

I've been trying to streamline the number of syslog messages being kicked out by my router, and I've decided that I really don't need to see the BOOTPS/PC conversation anymore, as DHCP on the WAN interface is working fine.

However, upon removing the LOG keyword from the following ACL statements (applied to the WAN interface), said interface is no longer able to pick up an IP via DHCP! If I replace the LOG keyword, DHCP instantly assigns an IP.

These are the statements that work:
Code:
access-list 101 permit udp 10.0.0.0 0.255.255.255 eq bootps any eq bootpc log
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any log
access-list 101 permit udp host 62.253.96.20 eq bootps any eq bootpc log
access-list 101 permit icmp host 62.253.96.20 any log
access-list 101 permit udp host 192.168.100.1 eq bootps any eq bootpc log
access-list 101 permit udp host 0.0.0.0 eq bootps any eq bootpc log

This is what appears to stop DHCP from assigning:
Code:
no access-list 101
access-list 101 permit udp 10.0.0.0 0.255.255.255 eq bootps any eq bootpc
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any
access-list 101 permit udp host 62.253.96.20 eq bootps any eq bootpc
access-list 101 permit icmp host 62.253.96.20 any
access-list 101 permit udp host 192.168.100.1 eq bootps any eq bootpc
access-list 101 permit udp host 0.0.0.0 eq bootps any eq bootpc
 <remainder of ACL chopped for simplicity>

I have the ACL in a txt file on a TFTP server and I am copying the new ACL onto the router via TFTP (directly into the running config).

Any ideas what's happening? I have filtered the syslog messages on the syslog server, but it'd be better not to have them broadcast at all...
 
If you're 100% sure that the only difference is the presence of the log keyword then this must be a bug. However, it probably isn't a bug. Do you still have the log keyword on your deny statements? If so, are you seeing specifically that DHCP is being blocked?
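One way to answer the two questions in that reply from the syslog data itself, as an added example that is not part of the thread. Entries that carry `log` produce `%SEC-6-IPACCESSLOGP` (TCP/UDP), `%SEC-6-IPACCESSLOGDP` (ICMP) and `%SEC-6-IPACCESSLOGNP` (other IP protocols) messages, and the router reports log messages it suppressed with `%SEC-6-IPACCESSLOGRL`. The Python below parses those formats, totals packets per flow, and lists any source whose bootps-to-bootpc traffic list 101 denied. The sample log lines are constructed for the example: the 198.51.100.x and 203.0.113.5 addresses and the timestamps are invented, and only 62.253.96.20 comes from the posted ACL.

```python
import re
from collections import Counter

# Constructed sample of what the syslog server at 192.168.1.11 (or `logging buffered`)
# would hold for ACL 101. Message formats follow IOS %SEC-6-IPACCESSLOG{P,DP,NP,RL};
# every address except 62.253.96.20 is invented.
SAMPLE_LOG = """\
Jul 17 09:15:01: %SEC-6-IPACCESSLOGP: list 101 permitted udp 62.253.96.20(67) -> 255.255.255.255(68), 1 packet
Jul 17 09:15:03: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.20(67) -> 255.255.255.255(68), 1 packet
Jul 17 09:15:09: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.7 -> 203.0.113.5 (8/0), 1 packet
Jul 17 09:15:40: %SEC-6-IPACCESSLOGNP: list 101 denied 47 198.51.100.9 -> 203.0.113.5, 1 packet
Jul 17 09:16:12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.33(4444) -> 203.0.113.5(22), 1 packet
Jul 17 09:20:03: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.20(67) -> 255.255.255.255(68), 4 packets
Jul 17 09:20:10: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets
"""

# P: "proto src(sport) -> dst(dport)", DP: "icmp src -> dst (type/code)", NP: "<num> src -> dst"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)
RL_RE = re.compile(r"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed (\d+) packets")


def parse_acl_log(text):
    """Yield one dict per IPACCESSLOG{P,DP,NP} line; numeric fields become int or None."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        entry = m.groupdict()
        for key in ("sport", "dport", "itype", "icode", "count"):
            entry[key] = int(entry[key]) if entry[key] is not None else None
        yield entry


def summarize(text):
    """Total packets per (acl, action, proto, src, sport, dst, dport) flow."""
    flows = Counter()
    for e in parse_acl_log(text):
        flows[(e["acl"], e["action"], e["proto"], e["src"], e["sport"], e["dst"], e["dport"])] += e["count"]
    return flows


def denied_dhcp_servers(text, acl="101"):
    """Sources whose DHCP server-to-client traffic (udp 67 -> 68) the list denied, with packet counts."""
    hits = Counter()
    for e in parse_acl_log(text):
        if (e["acl"], e["action"], e["proto"], e["sport"], e["dport"]) == (acl, "denied", "udp", 67, 68):
            hits[e["src"]] += e["count"]
    return dict(hits)


def missed_packets(text):
    """Packets the router says it did not log because of rate limiting; 0 means the log is complete."""
    return sum(int(m.group(1)) for m in RL_RE.finditer(text))
```

`denied_dhcp_servers(SAMPLE_LOG)` returns `{"198.51.100.20": 5}` for the constructed data, i.e. a server that is not one of the four sources the posted ACL permits. The posted config also has `logging rate-limit all 10`, and ACL logging itself only emits the first packet of a flow and then five-minute summaries, so a non-zero `missed_packets()` means the syslog stream is not a complete record: the absence of a DHCP denial in it is not proof that the ACL passed the offer.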
 
Weird. It is definitely either a bug or a problem with the TFTP config. Could you post the TFTP config?

 
ok, here's the entire config :)

(if there are other problems, please feel free to point them out :))

Code:
!
version 12.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname 7Six2600
!
no logging buffered
logging rate-limit all 10
no logging console
no logging monitor
enable secret 5 <snip>
enable password <snip>
!
clock timezone GMT 0
clock summer-time BST recurring
ip subnet-zero
no ip source-route
ip cef
!
!
ip nbar port-map gnutella tcp 6346 6347 6348 6349 6455 
ip nbar port-map custom-10 tcp 10001 10003 
ip nbar port-map custom-02 udp 3389 
ip nbar port-map custom-02 tcp 3389 
ip nbar port-map custom-01 udp 39183 
ip nbar port-map custom-01 tcp 39183 
ip nbar port-map pcanywhere udp 22 5631 5632 5633 5634 5635 5636 65301 
ip nbar port-map pcanywhere tcp 5631 5632 5633 5634 5635 5636 65301 
ip tcp mss 1460
no ip domain-lookup
ip name-server 4.2.2.1
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.237
!
ip dhcp pool 7sixLAN
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.3 
   domain-name 7six
   netbios-node-type h-node
   lease 5
!
ip inspect max-incomplete high 600
ip inspect one-minute high 600
ip inspect udp idle-time 300
ip inspect dns-timeout 30
ip inspect tcp idle-time 1800
ip inspect tcp synwait-time 60
ip inspect tcp max-incomplete host 50 block-time 5
ip inspect name Ethernet0_0 sip
ip inspect name Ethernet0_0 realaudio
ip inspect name Ethernet0_0 sqlnet
ip inspect name Ethernet0_0 ftp
ip inspect name Ethernet0_0 fragment maximum 256 timeout 10
ip inspect name Ethernet0_0 tcp timeout 1800
ip inspect name Ethernet0_0 udp timeout 600
ip audit notify log
ip audit po max-events 100
no ip dhcp-client broadcast-flag
!
!
class-map match-any TLCTransfers
  match protocol custom-10
class-map match-any WebEmail
  match protocol http
  match protocol secure-http
  match protocol smtp
  match protocol pop3
  match protocol imap
class-map match-any VIPIM
  match access-group name IMSkype
  match protocol custom-01
class-map match-any RDProtocols
  match protocol pcanywhere
  match protocol custom-02
class-map match-any vpnconx
  match access-group name VPNout
  match protocol pptp
class-map match-any onlinegames
  match access-group name gaming
!
!
policy-map 7sixQoS
  class onlinegames
   set ip dscp ef
   bandwidth remaining percent 30
  class VIPIM
   set ip dscp ef
   bandwidth remaining percent 20
  class vpnconx
   bandwidth remaining percent 12
  class RDProtocols
   set ip dscp af21
   bandwidth remaining percent 12
  class WebEmail
   bandwidth remaining percent 20
  class class-default
   bandwidth remaining percent 6
   random-detect
!
!
!
interface FastEthernet0/0
 description WAN Connection (NTL)
 mac-address 0004.e22a.99f9
 bandwidth 760
 ip address dhcp hostname NTLGW1
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip nbar protocol-discovery
 ip inspect Ethernet0_0 out
 service-policy output 7sixQoS
 duplex auto
 speed auto
 no cdp enable
 hold-queue 32 in
 hold-queue 16 out
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 description LAN Connection
 ip address 192.168.1.3 255.255.255.0
 ip access-group 102 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
 hold-queue 16 in
 hold-queue 8 out
!
ip nat translation timeout 1800
ip nat translation tcp-timeout 1800
ip nat translation udp-timeout 1800
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 300
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 500
ip nat translation port-timeout tcp 3074 36000
ip nat translation port-timeout udp 3074 36000
ip nat translation port-timeout tcp 88 3600
ip nat translation port-timeout udp 88 3600
ip nat translation port-timeout tcp 39183 37200
ip nat translation port-timeout udp 39183 37200
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static udp 192.168.1.237 5060 interface FastEthernet0/0 5060
ip nat inside source static tcp 192.168.1.237 5060 interface FastEthernet0/0 5060
ip nat inside source static tcp 192.168.1.1 1723 interface FastEthernet0/0 1723
ip nat inside source static tcp 192.168.1.10 88 interface FastEthernet0/0 88
ip nat inside source static udp 192.168.1.10 88 interface FastEthernet0/0 88
ip nat inside source static tcp 192.168.1.10 3074 interface FastEthernet0/0 3074
ip nat inside source static udp 192.168.1.10 3074 interface FastEthernet0/0 3074
ip classless
no ip http server
!
!
ip access-list extended IMSkype
 permit tcp any eq 1863 any
 permit udp any eq 1863 any
ip access-list extended VPNout
 permit ip any host 81.149.1.165
 permit gre any any
ip access-list extended gaming
 remark Counter-Strike
 permit tcp any any range 27030 27039
 permit tcp any any range 27015 27020
 permit udp any any range 27000 27015
 permit udp any any eq 1200
 remark Xbox Live
 permit udp any gt 1026 any eq 88
 permit tcp any gt 1026 any eq 88
 permit tcp any gt 1026 any eq 3074
 permit udp any gt 1026 any eq 3074
 permit udp any eq 88 any
 permit tcp any eq 3074 any
 permit udp any eq 3074 any
logging trap debugging
logging 192.168.1.11
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255
no access-list 101
access-list 101 permit udp 10.0.0.0 0.255.255.255 eq bootps any eq bootpc log
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any log
access-list 101 permit udp host 62.253.96.20 eq bootps any eq bootpc log
access-list 101 permit icmp host 62.253.96.20 any log
access-list 101 permit udp host 192.168.100.1 eq bootps any eq bootpc log
access-list 101 permit udp host 0.0.0.0 eq bootps any eq bootpc log
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 101 permit udp any gt 1026 any eq 88
access-list 101 permit tcp any gt 1026 any eq 88
access-list 101 permit tcp any gt 1026 any eq 3074
access-list 101 permit udp any gt 1026 any eq 3074
access-list 101 permit udp any eq 88 any
access-list 101 permit tcp any eq 88 any
access-list 101 permit tcp any eq 3074 any
access-list 101 permit udp any eq 3074 any
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 5060
access-list 101 permit udp any any eq 5060
access-list 101 permit gre any any
access-list 101 deny   icmp any any echo log
access-list 101 deny   icmp any any information-request log
access-list 101 permit icmp any any log
access-list 101 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 169.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny   ip any any log
access-list 101 deny   icmp any any log
access-list 101 deny   gre any any log
no access-list 102
access-list 102 permit tcp any any established
access-list 102 permit ip any 192.168.1.0 0.0.0.255
access-list 102 permit icmp any 192.168.1.0 0.0.0.255
access-list 102 permit gre any 192.168.1.0 0.0.0.255
access-list 102 deny   ip any any log
no cdp run
!
line con 0
line aux 0
line vty 0 4
 session-timeout 15 
 access-class 1 in
 password <snip>
 login
!
ntp clock-period 17207856
ntp source FastEthernet0/0
ntp peer 192.43.244.18
end
 
Can you post the other access list that doesn't have the log keywords in it? I realize that it's probably the same as this one except without that keyword, but I want to see it anyway. Maybe one of us will spot a typo or something.

Also, what IOS are you running?
 
ok, here is the other ACL:

Code:
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255
no access-list 101
access-list 101 permit udp 10.0.0.0 0.255.255.255 eq bootps any eq bootpc
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any
access-list 101 permit udp host 62.253.96.20 eq bootps any eq bootpc
access-list 101 permit icmp host 62.253.96.20 any
access-list 101 permit udp host 192.168.100.1 eq bootps any eq bootpc
access-list 101 permit udp host 0.0.0.0 eq bootps any eq bootpc
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 101 permit udp any gt 1026 any eq 88
access-list 101 permit tcp any gt 1026 any eq 88
access-list 101 permit tcp any gt 1026 any eq 3074
access-list 101 permit udp any gt 1026 any eq 3074
access-list 101 permit udp any eq 88 any
access-list 101 permit tcp any eq 88 any
access-list 101 permit tcp any eq 3074 any
access-list 101 permit udp any eq 3074 any
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 5060
access-list 101 permit udp any any eq 5060
access-list 101 permit gre any any
access-list 101 deny   icmp any any echo log
access-list 101 deny   icmp any any information-request log
access-list 101 permit icmp any any log
access-list 101 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 169.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny   ip any any log
access-list 101 deny   icmp any any log
access-list 101 deny   gre any any log
no access-list 102
access-list 102 permit tcp any any established
access-list 102 permit ip any 192.168.1.0 0.0.0.255
access-list 102 permit icmp any 192.168.1.0 0.0.0.255
access-list 102 permit gre any 192.168.1.0 0.0.0.255
access-list 102 deny   ip any any log

Here is the version information:

Code:
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IO3-M), Version 12.2(28c), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Mon 15-Aug-05 22:34 by pwade
Image text-base: 0x8000808C, data-base: 0x80A6EFDC

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)

7Six2600 uptime is 3 days, 20 hours, 44 minutes
System returned to ROM by reload at 12:42:17 BST Fri Jul 13 2007
System restarted at 12:43:18 BST Fri Jul 13 2007
System image file is "flash:c2600-io3-mz.122-28c.bin"

cisco 2651 (MPC860P) processor (revision 0x200) with 27648K/5120K bytes of memory.
Processor board ID JAB05040E6N (3844233856)
M860 processor: part number 5, mask 1
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2101
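An added example, not from the thread, that checks the ACL question directly: a small first-match simulator for the numbered extended ACL syntax used in ACL 101. It parses the entries, evaluates constructed inbound packets the way IOS does (top to bottom, first match wins, implicit deny at the end) and confirms that removing `log` changes only whether a match is logged, never which entry matches; running `same_decisions` over the two posted lists is the mechanical form of the typo hunt suggested earlier. The ACL text is an abridged copy of the one posted above; the sample packets, the 203.0.113.5 WAN address and the 198.51.100.x hosts are invented.

```python
import ipaddress
import re
from collections import namedtuple

# Abridged copy of ACL 101 from the thread (log-keyword version); the gaming, PPTP,
# SIP and GRE permits and most of the bogon denies are left out to keep it short.
ACL_101 = """
access-list 101 permit udp 10.0.0.0 0.255.255.255 eq bootps any eq bootpc log
access-list 101 permit udp host 62.253.96.20 eq bootps any eq bootpc log
access-list 101 permit udp host 192.168.100.1 eq bootps any eq bootpc log
access-list 101 permit udp host 0.0.0.0 eq bootps any eq bootpc log
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 101 deny   icmp any any echo log
access-list 101 permit icmp any any log
access-list 101 deny   ip any any log
"""
PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "ntp": 123}
ICMP_TYPES = {"echo": 8, "information-request": 15}
Ace = namedtuple("Ace", "action proto src sport dst dport icmp_type established log text")
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type ack_or_rst",
                    defaults=(0, 0, None, False))  # ack_or_rst: TCP segment with ACK or RST set
ip2int = lambda s: int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (address, care-mask)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return ip2int(tok.pop(0)), 0xFFFFFFFF
    return ip2int(t), ~ip2int(tok.pop(0)) & 0xFFFFFFFF  # wildcard bit 1 = don't care

def _port(tok):
    """Consume an optional eq/gt/lt/range operator; return (op, lo, hi) or None."""
    if not tok or tok[0] not in ("eq", "gt", "lt", "range"):
        return None
    num = lambda p: PORTS[p] if p in PORTS else int(p)
    op, lo = tok.pop(0), num(tok.pop(0))
    return op, lo, (num(tok.pop(0)) if op == "range" else lo)

def parse_acl(config, number):
    """Parse the 'access-list <number> ...' lines of an IOS config, keeping their order."""
    pat = re.compile(rf"^\s*access-list\s+{number}\s+(permit|deny)\s+(\S+)\s+(.*)$")
    aces = []
    for line in config.splitlines():
        m = pat.match(line)
        if not m:
            continue
        action, proto, tok = m.group(1), m.group(2), m.group(3).split()
        l4 = proto in ("tcp", "udp")
        src, sport = _addr(tok), (_port(tok) if l4 else None)
        dst, dport = _addr(tok), (_port(tok) if l4 else None)
        itype = ICMP_TYPES.get(tok[0]) if proto == "icmp" and tok else None
        aces.append(Ace(action, proto, src, sport, dst, dport, itype,
                        "established" in tok, "log" in tok, line.strip()))
    return aces

def _port_ok(spec, port):
    return spec is None or {"eq": port == spec[1], "gt": port > spec[1], "lt": port < spec[1],
                            "range": spec[1] <= port <= spec[2]}[spec[0]]

def ace_matches(ace, p):
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    for (addr, mask), value in ((ace.src, ip2int(p.src)), (ace.dst, ip2int(p.dst))):
        if (value & mask) != (addr & mask):
            return False
    if ace.icmp_type is not None and p.icmp_type != ace.icmp_type:
        return False
    if ace.established and not p.ack_or_rst:
        return False
    return _port_ok(ace.sport, p.sport) and _port_ok(ace.dport, p.dport)

def evaluate(aces, p):
    """IOS first-match: (action, matching Ace); no match is the implicit deny."""
    for ace in aces:
        if ace_matches(ace, p):
            return ace.action, ace
    return "deny", None

def strip_log(config):
    """The poster's edit: drop a trailing 'log' keyword from every entry."""
    return re.sub(r"[ \t]+log[ \t]*$", "", config, flags=re.M)

def same_decisions(a, b, packets):
    """True when both ACLs give every packet the same verdict at the same entry (log ignored)."""
    key = lambda r: (r[0], strip_log(r[1].text) if r[1] else None)
    return all(key(evaluate(a, p)) == key(evaluate(b, p)) for p in packets)

# Constructed inbound samples for FastEthernet0/0: 203.0.113.5 stands in for the WAN
# address and every host other than 62.253.96.20 is invented for the example.
SAMPLES = {
    "dhcp_offer_listed_server": Packet("udp", "62.253.96.20", "255.255.255.255", 67, 68),
    "dhcp_offer_other_server": Packet("udp", "198.51.100.20", "255.255.255.255", 67, 68),
    "dns_reply": Packet("udp", "4.2.2.1", "203.0.113.5", 53, 1234),
    "icmp_echo_request": Packet("icmp", "198.51.100.7", "203.0.113.5", icmp_type=8),
}
```

`evaluate(parse_acl(ACL_101, 101), SAMPLES["dhcp_offer_other_server"])` lands on `deny ip any any log`: a DHCPOFFER from any server address other than the four listed at the top of the list is dropped whether or not `log` is present, so if the provider's server ever answers from a different address the `log` keyword is not what decides the outcome. `same_decisions(parse_acl(ACL_101, 101), parse_acl(strip_log(ACL_101), 101), list(SAMPLES.values()))` returns True. The simulator models match logic only; on IOS a packet that hits an entry carrying `log` is also punted to the process path for logging, which is a switching-path difference the simulator does not model.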
 
When you enter the access-list without the log statements, does it take it without any errors?

When you do a show access-list 101, do all the lines match what you pasted in?

When you make that change in your access-list, did you clear the NAT table?
 
No errors when it is applied.
It all matches up (with the exception of the NAT rules).

What's the command for clearing the NAT table? :)
 
Clearing the NAT table doesn't make any difference :eek:

I guess I'm going to have to cope with the additional logging :)
 
Does it make a difference if you take the syslog server out of the equation and log to the buffer of the router? I know this is not ideally what you want---just a troubleshooting technique.

Burt
 