08-26-2008 03:07 AM - edited 03-03-2019 11:16 PM
hi,
i have 3845 router having E1 link with me SP.i use this E1 link for my internet traffic and intranet traffic,some times the traffic destined to internet gets stuck but my intranet traffic shows no problem. after rebooting the router it comes to normal. can some one guide me i will be very obliged.waiting for your response.
thanks.
08-26-2008 03:10 AM
Hello Awais,
may you provide some more details ?
I guess you are using NAT for internet access, may you provide a filtered version of your wan interface config, NAT config, and if using IPSEc tunnels.
Hope to help
Giuseppe
08-26-2008 03:50 AM
hello Guiseppe,
attached is the show run of my router. serila 3/0:0 is the link with ITI SP this link fails to pass internet traffic some times and after resetting the router traffic continue to pass.Gigabitethernet0/0 is fiber wan link which also shows the same behaviour as serial 3/0:0.
thanks.
08-26-2008 09:04 AM
Hello Awais,
your router is not performing NAT and is acting as the border router.
I see you have enabled both NBAR and netflow on some interfaces I would keep only netflow that can be more scalable and you have also configured NDE export. So stats can be seen on the collector.
I have some doubts about your routing config:
You have :
Two default static routes but the first one has AD 1 it is not a floating static route.
ip route 0.0.0.0 0.0.0.0 192.168.20.57 name primary-Fiber
ip route 0.0.0.0 0.0.0.0 192.168.198.201 200 name backup-Radio
in addition to these two you have an EBGP session with your ISP peer 192.168.20.57 and you accept only the prefix 0.0.0./0 but this shouldn't be installed in your routing table but the first static route.
You have two GRE tunnels sourced by g0/0 interface
access-list 100 permit gre host 192.168.20.58 host 192.168.90.26
access-list 101 permit gre host 192.168.20.58 host 192.168.16.12
I don't understand why you have configured the crypto map under both tunnels and under the lan interface.
your ACLs 100 and 101 clearly show that you would like to transport GRE tunnels inside the IPSec packets and not the opposite.
So I would suggest to remove the crypto maps inside tunnel 3 and tunnel 4 configs.
Try this and see if the router provides internet access.
Hope to help
Giuseppe
08-26-2008 08:37 PM
hello Guiseppe,
first of all thanks for your response.
now you are right there are two default route,tell me one thing if we have two default routes and one has AD 200 and other has AD 1 then why they can not be floating static route?you meant to say that the default route having AD 1 should have AD other than 1? regarding crypto map its not under lan interface and GIG0/0 is their fiber WAN interface. last thing access-lists are passed in crypto maps. why you are suggesting to remove crypto maps inside tunnel 3 and tunnel 4.
my actual problem is my router stops internet traffic some times but most of times i can access internet with this configuration. why stopped internet traffic restores afer rebooting.please come with the actual reason i will be highly obliged.
thanks.
08-27-2008 01:34 AM
Hello Awais,
I mean the crypto-map has to be configured on G0/ only.
if you could capture packes out g0/0 they would be:
ethe II - 0x800 (IP) --- ESP --- GRE -- IP
I would remove the crypto from the tunnels because it is a wrong config and it could sometimes confuse the router and so you see the traffic to internet stopped.
I have one hundred of remote sites configured in the way I have suggested you.
To understand the reasons of the problem you may need to collect further info.
When the problem happens : if you can access the router over the IPSec VPN focus on a public network of your choice and try to verify how the router declares to forward traffic for it.
sh ip cef x.x.x.0
try from the router to ping the net x.x.x.0 and see with debug ip icmp and debug ip packet detail 112
where 112 is an acl that permit destination net x.x.x.0
log everything and post here the log file
Hope to help
Giuseppe
08-28-2008 08:28 PM
hi Guiseppe,
actually the way you suggested needs to sit in customer premises and wait for router to stuck. after analysing the configuration it appered that link towrad ITI is not for internet connectivity rather the link towards cybernet fiber at Gig0/0 is for internet.if you will see the routes then it will be exposed to you also.GIg0/0 has been configured for many things i.e internet and secure VPN etc.Now if some times their VPN tunnnels are woring fine then why internet gets disturb. and suddenly their ITI link shows no traffic at all at the same time.client is saying that the out side world connects to their internal servers thruogh ITI link which is serial 3/0:0.
imbiguity is increasing day by day.
wainting for your response.
thanks,
Awais
09-02-2008 08:27 PM
hi Guiseppe,
still waiting for your response
thanks,
Awais
09-03-2008 01:22 PM
Hello Awais,
I tried to explain you that those crypto-map references inside tunnel 3 and tunnel 4 are wrong.
I would start from removing the crypto maps inside tunnel 3 and tunnel 4 configs.
Then, give the router a week and see if the behaviour changes.
Something happens that make the router not capable of doing anything except the IPsec tunnels, so I see some correlation between a wrong config about crypto map and the strange behaviour you see.
Hope to help
Giuseppe
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: