cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
541
Views
0
Helpful
8
Replies

3845 stops internet traffic

awais-hassan
Level 1
Level 1

hi,

i have 3845 router having E1 link with me SP.i use this E1 link for my internet traffic and intranet traffic,some times the traffic destined to internet gets stuck but my intranet traffic shows no problem. after rebooting the router it comes to normal. can some one guide me i will be very obliged.waiting for your response.

thanks.

8 Replies 8

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Awais,

may you provide some more details ?

I guess you are using NAT for internet access, may you provide a filtered version of your wan interface config, NAT config, and if using IPSEc tunnels.

Hope to help

Giuseppe

hello Guiseppe,

attached is the show run of my router. serila 3/0:0 is the link with ITI SP this link fails to pass internet traffic some times and after resetting the router traffic continue to pass.Gigabitethernet0/0 is fiber wan link which also shows the same behaviour as serial 3/0:0.

thanks.

Hello Awais,

your router is not performing NAT and is acting as the border router.

I see you have enabled both NBAR and netflow on some interfaces I would keep only netflow that can be more scalable and you have also configured NDE export. So stats can be seen on the collector.

I have some doubts about your routing config:

You have :

Two default static routes but the first one has AD 1 it is not a floating static route.

ip route 0.0.0.0 0.0.0.0 192.168.20.57 name primary-Fiber

ip route 0.0.0.0 0.0.0.0 192.168.198.201 200 name backup-Radio

in addition to these two you have an EBGP session with your ISP peer 192.168.20.57 and you accept only the prefix 0.0.0./0 but this shouldn't be installed in your routing table but the first static route.

You have two GRE tunnels sourced by g0/0 interface

access-list 100 permit gre host 192.168.20.58 host 192.168.90.26

access-list 101 permit gre host 192.168.20.58 host 192.168.16.12

I don't understand why you have configured the crypto map under both tunnels and under the lan interface.

your ACLs 100 and 101 clearly show that you would like to transport GRE tunnels inside the IPSec packets and not the opposite.

So I would suggest to remove the crypto maps inside tunnel 3 and tunnel 4 configs.

Try this and see if the router provides internet access.

Hope to help

Giuseppe

hello Guiseppe,

first of all thanks for your response.

now you are right there are two default route,tell me one thing if we have two default routes and one has AD 200 and other has AD 1 then why they can not be floating static route?you meant to say that the default route having AD 1 should have AD other than 1? regarding crypto map its not under lan interface and GIG0/0 is their fiber WAN interface. last thing access-lists are passed in crypto maps. why you are suggesting to remove crypto maps inside tunnel 3 and tunnel 4.

my actual problem is my router stops internet traffic some times but most of times i can access internet with this configuration. why stopped internet traffic restores afer rebooting.please come with the actual reason i will be highly obliged.

thanks.

Hello Awais,

I mean the crypto-map has to be configured on G0/ only.

if you could capture packes out g0/0 they would be:

ethe II - 0x800 (IP) --- ESP --- GRE -- IP

I would remove the crypto from the tunnels because it is a wrong config and it could sometimes confuse the router and so you see the traffic to internet stopped.

I have one hundred of remote sites configured in the way I have suggested you.

To understand the reasons of the problem you may need to collect further info.

When the problem happens : if you can access the router over the IPSec VPN focus on a public network of your choice and try to verify how the router declares to forward traffic for it.

sh ip cef x.x.x.0

try from the router to ping the net x.x.x.0 and see with debug ip icmp and debug ip packet detail 112

where 112 is an acl that permit destination net x.x.x.0

log everything and post here the log file

Hope to help

Giuseppe

hi Guiseppe,

actually the way you suggested needs to sit in customer premises and wait for router to stuck. after analysing the configuration it appered that link towrad ITI is not for internet connectivity rather the link towards cybernet fiber at Gig0/0 is for internet.if you will see the routes then it will be exposed to you also.GIg0/0 has been configured for many things i.e internet and secure VPN etc.Now if some times their VPN tunnnels are woring fine then why internet gets disturb. and suddenly their ITI link shows no traffic at all at the same time.client is saying that the out side world connects to their internal servers thruogh ITI link which is serial 3/0:0.

imbiguity is increasing day by day.

wainting for your response.

thanks,

Awais

hi Guiseppe,

still waiting for your response

thanks,

Awais

Hello Awais,

I tried to explain you that those crypto-map references inside tunnel 3 and tunnel 4 are wrong.

I would start from removing the crypto maps inside tunnel 3 and tunnel 4 configs.

Then, give the router a week and see if the behaviour changes.

Something happens that make the router not capable of doing anything except the IPsec tunnels, so I see some correlation between a wrong config about crypto map and the strange behaviour you see.

Hope to help

Giuseppe

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco