URGENT!! Newly Configured Interfaces are up but fail the test

Status
Not open for further replies.

mesagreg

Programmer
Mar 3, 2001
53
US
Hi,

I am in the middle of reconfiguring my 2621 router for a new isp. My new connection is hdlc, whilst my old one was a fastethernet to a dsl router. I have shut down the old interface and configured the new one using the setup command. All interfaces and protocols (with the exception of the old one, of course) are up. But when I use the Test command to test the Serial interface, it fails the test and reports a timeout error. I have set the absolute timeout, but I am not aware of any other timeouts that are to be set.

Can anyone help? I have one day to fix this.

Thanks


 
OK.. so the serial interface with the new point-to-point (HDLC) is showing both the interface AND the protocol are up? What does the show interface command tell about the packet count? Any CRC errors? If you run debug interface serial x, you see the keepalives for the link. Have you tried to run a loopback locally? Have you tried it with a loopback connector made from an RJ45 (pins 1-5 and 2-4)? Can you put the remote in loopback and check the link? I don't know how much you have in permissions, but the tech on the other end should be able to help with the loopback testing. Did you specify 1-24 channels for the full T (or however many you do have)?

Just stuff off the top of my head and very late at night ;-)

Mike S
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
wybnormal,

Thanks for the advice...I haven't run any other tests yet. I am going to try what you suggested. I didn't configure any more parameters with respect to the hdlc, since hdlc is the default framing.

btw, I read (after I had done it) on Cisco's site that using the 'Test Interface' command on a functioning router is a no-no? Could I have screwed something up when I did that? Also, I notice that there are two dynamic translation pool entries in the NAT table. I understand that you are supposed to allow only one. Is this true?

Thanks for your help,

Greg
 
Even if test interface screwed it up somehow (normally it drops the connection), just go into the global config and interface, issue a SHUTDOWN, wait a few seconds and then NO SHUTDOWN. This effectively resets the port. Handy to know :)

When you say two dynamic pool entries, are you running NAT on more than one interface? Can you post the running config minus the passwords? That would help quite a bit.

Mike S
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
There is an old dynamic pool entry for the old address space that we had from our former ISP, and I added a new pool for our new address space.

We are running nat inside on the ethernet interface, and nat outside on the serial interface.

I will get the entire running config and post it so you can look at it.

Thanks,

Greg
 
When I run debug int s0/0, it tells me Condition 1 set.

Does that mean it's looped up?

Greg
 
Here is the output of sh running and sh interfaces:

mesa-sub#sh running
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname mesa-sub
!
logging buffered 20000 debugging
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
!
!
!
interface FastEthernet0/0
description ### Substation group
ip address 192.168.10.2 255.255.255.0
no ip directed-broadcast
ip nat inside
no ip mroute-cache
speed 10
!
interface Serial0/0
description VPNtranet
bandwidth 1544
ip address 64.89.111.130 255.255.255.252
ip access-group 150 in
ip access-group 100 out
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
interface FastEthernet0/1
description Private Network
ip address 64.89.111.1 255.255.255.224
ip access-group 150 in
ip access-group 100 out
no ip directed-broadcast
ip nat outside
no ip mroute-cache
shutdown
timeout absolute 0 30
!
ip default-gateway 64.89.110.129
ip nat pool DYNAMIC 208.53.21.176 208.53.21.190 netmask 255.255.255.240
ip nat pool dynamic 64.89.111.7 64.89.111.31 netmask 255.255.255.224
ip nat inside source list 5 pool DYNAMIC overload
ip nat inside source static 192.168.10.150 64.89.111.2
ip nat inside source static 192.168.10.2 64.89.11.1
ip classless
ip http server
!
logging source-interface FastEthernet0/1
logging 207.203.149.231
access-list 5 deny 192.168.10.1
access-list 5 permit 192.168.10.0 0.0.0.255
access-list 10 deny 192.168.10.1
access-list 10 permit 207.203.149.192 0.0.0.63
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip any any
access-list 110 deny ip host 192.168.10.1 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip 207.203.149.192 0.0.0.63 any
access-list 110 permit ip 63.110.60.120 0.0.0.7 any
access-list 110 permit ip 63.110.60.128 0.0.0.7 any
access-list 110 permit ip 63.110.60.224 0.0.0.7 any
access-list 110 deny ip any any log-input
access-list 130 deny ip 172.16.0.0 0.15.255.255 any log
access-list 130 deny ip 192.168.0.0 0.0.255.255 any log
access-list 130 permit tcp any any established
access-list 130 deny ip 208.53.21.160 0.0.0.31 any log
access-list 130 permit icmp any 207.203.149.192 0.0.0.63 traceroute
access-list 130 permit icmp any any time-exceeded
access-list 130 permit udp any any eq domain
access-list 130 permit udp any eq domain any
access-list 130 permit udp any any eq ntp
access-list 130 permit udp any eq ntp any
access-list 130 permit udp any any eq syslog
access-list 130 permit udp any any eq tftp
access-list 130 permit tcp any host 208.53.21.163 eq www
access-list 130 permit tcp any host 208.53.21.163 eq smtp
access-list 130 permit tcp any host 208.53.21.163 eq pop3
access-list 130 permit tcp any host 208.53.21.163 eq 143
access-list 130 permit tcp any host 208.53.21.163 range ftp-data ftp
access-list 130 permit tcp any host 208.53.21.164 range ftp-data ftp
access-list 130 permit tcp any eq ftp-data any
access-list 130 permit tcp any any eq 1433
access-list 130 permit ip 207.203.149.192 0.0.0.63 any
access-list 130 deny ip any any log
access-list 145 deny ip 208.45.208.0 0.0.0.255 any log
access-list 145 deny ip 172.16.0.0 0.15.255.255 any log
access-list 145 permit ip 192.168.50.0 0.0.0.255 any
access-list 145 deny ip 192.168.0.0 0.0.255.255 any log
access-list 145 permit ip any host 208.53.21.175
access-list 145 permit ip host 208.53.21.175 any
access-list 145 permit tcp any any established
access-list 145 permit ip host 208.53.21.170 any log
access-list 145 deny ip 208.53.21.160 0.0.0.31 any log
access-list 145 permit tcp any any eq exec
access-list 145 permit tcp any eq exec any
access-list 145 permit icmp any 207.203.149.192 0.0.0.63 traceroute
access-list 145 permit icmp any any time-exceeded
access-list 145 permit udp any any eq domain
access-list 145 permit udp any eq domain any
access-list 145 permit udp any any eq ntp
access-list 145 permit udp any eq ntp any
access-list 145 permit udp any any eq syslog
access-list 145 permit udp any any eq tftp
access-list 145 permit tcp any 208.53.21.168 0.0.0.3 eq www
access-list 145 permit tcp any host 208.53.21.163 eq www
access-list 145 permit tcp any host 208.53.21.166 eq www
access-list 145 permit tcp any host 208.53.21.163 eq smtp
access-list 145 permit tcp any host 208.53.21.163 eq pop3
access-list 145 permit tcp any host 208.53.21.163 eq 143
access-list 145 permit tcp any host 208.53.21.163 range ftp-data ftp
access-list 145 permit tcp any host 208.53.21.164 range ftp-data ftp
access-list 145 permit tcp any host 208.53.21.167 eq www
access-list 145 permit tcp any host 208.53.21.167 range ftp-data ftp
access-list 145 permit tcp any eq ftp-data any
access-list 145 permit tcp any any eq 1433
access-list 145 permit ip 207.203.149.192 0.0.0.63 any
access-list 145 permit ip 63.110.60.120 0.0.0.7 any
access-list 145 permit ip 63.110.60.128 0.0.0.7 any
access-list 145 permit ip 63.110.60.224 0.0.0.7 any
access-list 145 permit tcp any 208.53.21.184 0.0.0.7 eq www
access-list 145 permit tcp any 208.53.21.180 0.0.0.3 eq www
access-list 145 permit tcp any any eq 102
access-list 145 permit tcp any eq 102 any
access-list 145 deny ip any any log
access-list 150 deny ip 208.45.208.0 0.0.0.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 permit ip 192.168.50.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 permit ip any host 208.53.21.175
access-list 150 permit ip host 208.53.21.175 any
access-list 150 permit ip any host 208.53.21.189
access-list 150 permit ip host 208.53.21.189 any
access-list 150 permit ip any 208.53.21.168 0.0.0.1
access-list 150 permit ip 208.53.21.168 0.0.0.1 any
access-list 150 permit tcp any any established
access-list 150 permit ip host 208.53.21.170 any log
access-list 150 deny ip 208.53.21.160 0.0.0.31 any log
access-list 150 permit tcp any any eq exec
access-list 150 permit tcp any eq exec any
access-list 150 permit icmp any 207.203.149.192 0.0.0.63 traceroute
access-list 150 permit icmp any any time-exceeded
access-list 150 permit udp any any eq domain
access-list 150 permit udp any eq domain any
access-list 150 permit udp any any eq ntp
access-list 150 permit udp any eq ntp any
access-list 150 permit udp any any eq syslog
access-list 150 permit udp any any eq tftp
access-list 150 permit tcp any 208.53.21.168 0.0.0.3 eq www
access-list 150 permit tcp any host 208.53.21.163 eq www
access-list 150 permit tcp any host 208.53.21.166 eq www
access-list 150 permit tcp any host 208.53.21.163 eq smtp
access-list 150 permit tcp any host 208.53.21.163 eq pop3
access-list 150 permit tcp any host 208.53.21.163 eq 143
access-list 150 permit tcp any host 208.53.21.163 range ftp-data ftp
access-list 150 permit tcp any host 208.53.21.164 range ftp-data ftp
access-list 150 permit tcp any host 208.53.21.167 eq www
access-list 150 permit tcp any host 208.53.21.167 range ftp-data ftp
access-list 150 permit tcp any eq ftp-data any
access-list 150 permit tcp any any eq 1433
access-list 150 permit ip 207.203.149.192 0.0.0.63 any
access-list 150 permit ip 63.110.60.120 0.0.0.7 any
access-list 150 permit ip 63.110.60.128 0.0.0.7 any
access-list 150 permit ip 63.110.60.224 0.0.0.7 any
access-list 150 permit tcp any 208.53.21.184 0.0.0.7 eq www
access-list 150 permit tcp any 208.53.21.180 0.0.0.3 eq www
access-list 150 permit tcp any any eq 102
access-list 150 permit tcp any eq 102 any
access-list 150 deny ip any any log
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
snmp-server engineID local 00000009020000D0BA42A940
snmp-server community public RO
snmp-server community private RW 10

banner motd ^C^C
!

mesa-sub#sh interfaces
FastEthernet0/0 is up, line protocol is up
Hardware is AmdFE, address is 00d0.ba42.a940 (bia 00d0.ba42.a940)
Description: ### Substation group
Internet address is 192.168.10.2/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 11/75, 0 drops
5 minute input rate 19000 bits/sec, 28 packets/sec
5 minute output rate 3000 bits/sec, 4 packets/sec
2105965 packets input, 199926304 bytes
Received 220061 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast
0 input packets with dribble condition detected
136943 packets output, 9975992 bytes, 0 underruns
0 output errors, 72 collisions, 3 interface resets
0 babbles, 0 late collision, 62 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Serial0/0 is up, line protocol is up
Hardware is PowerQUICC Serial
Description: VPNtranet
Internet address is 64.89.111.130/30
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set
Keepalive set (10 sec)
Last input 00:00:01, output 00:00:02, output hang never
Last clearing of "show interface" counters 00:02:45
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 1000 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
55 packets input, 4734 bytes, 0 no buffer
Received 20 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
26 packets output, 2466 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up

FastEthernet0/1 is administratively down, line protocol is down
Hardware is AmdFE, address is 00d0.ba42.a941 (bia 00d0.ba42.a941)
Description: Private Network
Internet address is 64.89.111.1/27
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 1d00h, output 1d00h, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
2307 packets input, 479963 bytes
Received 2269 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast
0 input packets with dribble condition detected
125766 packets output, 8914868 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
mesa-sub#
 
Serial0/0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Description: VPNtranet
  Internet address is 64.89.111.130/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set   (loopback is NOT set.. good things)
  Keepalive set (10 sec)
  Last input 00:00:01, output 00:00:02, output hang never
  Last clearing of "show interface" counters 00:02:45
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 1000 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     55 packets input, 4734 bytes, 0 no buffer
     Received 20 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     26 packets output, 2466 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

You have packets coming across.. more than likely it's the keepalive.. that's good, no CRC errors, which tells the framing is probably good.
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up   (tells us the circuit is up correctly)

I would dump the access lists on the interface for now.. keep things simple for troubleshooting. Do an extended ping out of the serial interface and see if you can ping the other end. It may or may not work depending on security at the other end. Traceroute is another good test.. pick a point beyond the next hop.

Extended PING is had by typing in PING and pressing return.
This takes you to a query session. When you get to the command asking if you want extended commands, say yes. It will ask, among other items, what interface IP you want the ping to leave from.. give it the S0/0 interface. If you can ping or traceroute, the problem is with either the access-list or the NAT config.. I need to review the NAT on paper before I say anything about that. Same for the access lists.. it's hard on these little columns to read it at times.

I will ask about the default gateway.. why? Cisco's own docs say not to use it unless routing is disabled ("The ip default-gateway command differs from the other two commands, in that it should only be used when ip routing is disabled on the Cisco router.")

use IP ROUTE 0.0.0.0 0.0.0.0 (nexthop or interface)

Additional notes from Cisco "Note: IGRP doesn't understand a route to 0.0.0.0, therefore it can't propagate default routes created using the ip route 0.0.0.0 0.0.0.0 command. Use the ip default-network command to have IGRP propagate a default route. "

Complete article for your pleasure :)

Mike S

PS- dump the public and private SNMP community strings.. big security hole.
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
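
The points raised in the post above (default SNMP community strings, ip default-gateway on a router that is routing) and the NAT pool question earlier in the thread can be checked mechanically against a saved running config. The following Python check is an added example, not part of the original thread; the `audit` function and its finding strings are hypothetical, and the sample is a subset of lines taken from the config posted above.

```python
# Constructed sample: a subset of lines from the running config posted in this thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
ip nat inside
!
interface Serial0/0
ip address 64.89.111.130 255.255.255.252
!
interface FastEthernet0/1
ip nat outside
shutdown
!
ip default-gateway 64.89.110.129
ip nat pool DYNAMIC 208.53.21.176 208.53.21.190 netmask 255.255.255.240
ip nat pool dynamic 64.89.111.7 64.89.111.31 netmask 255.255.255.224
ip nat inside source list 5 pool DYNAMIC overload
snmp-server community public RO
snmp-server community private RW 10
"""

DEFAULT_COMMUNITIES = {"public", "private"}

def audit(config):
    """Return sorted findings for an IOS-style running config (hypothetical checker)."""
    lines = [raw.strip() for raw in config.splitlines()]
    findings, iface = set(), None
    nat_outside, shut, pools, used = set(), set(), set(), set()
    for line in lines:
        words = line.split()
        if line.startswith("interface "):
            iface = words[1]                      # enter interface context
        elif line == "!":
            iface = None                          # section separator
        elif line == "ip nat outside" and iface:
            nat_outside.add(iface)
        elif line == "shutdown" and iface:
            shut.add(iface)
        elif line.startswith("ip nat pool "):
            pools.add(words[3])                   # config has DYNAMIC and dynamic: compare exactly
        elif line.startswith("ip nat inside source ") and "pool" in words:
            used.add(words[words.index("pool") + 1])
        elif line.startswith("snmp-server community ") and words[2] in DEFAULT_COMMUNITIES:
            findings.add(f"default SNMP community '{words[2]}' ({words[3] if len(words) > 3 else 'unspecified'})")
    # Per the Cisco note quoted above, ip default-gateway is only for routers with routing disabled.
    if any(l.startswith("ip default-gateway ") for l in lines) and "no ip routing" not in lines:
        findings.add("ip default-gateway set while IP routing is enabled")
    findings |= {f"NAT pool '{p}' defined but never referenced" for p in pools - used}
    findings |= {f"ip nat outside on shut-down interface {i}" for i in nat_outside & shut}
    if not nat_outside - shut:
        findings.add("no active interface is marked ip nat outside")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```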
 
Mike,

Thanks for all your help. I got it up and running tonight. You were right, I needed to dump the access lists. I turned everything off, and it started working. I have added some simple entries for firewall protection, and plan to tighten it some more soon.

I will get rid of the public smtp groups as you suggested.

Again, thanks.

Greg
 