
Losing WAN Internet Connection on Wrvs4400n

tomwallin
Level 1

The WAN internet connection on my Wrvs4400n router is lost about twice a day. I can't figure out what is causing it. I reboot the router and I get the internet back. I called Cisco support and the tech was helpful once because I am no longer in warranty. He had me change the DNS addresses that I got from my ISP to the 4.2.2.1 and 4.2.2.2 public DNSs. That allowed internet again when it had quit. But after some time the connection cut again. It SEEMS that it quit around 1PM every day. But after today's 1PM loss and reboot the connection quit again around 2:30PM.

I turned on logs and I am getting a lot of the following messages: "eth0: received packet with  own address as source address", "delete<00:13:CC:88:FF:AA> from ARL table", "Reply packet was to small. Ignoring reply from (dns address)" and "unexpected server: (DNS address)".

Any help will be appreciated.

I did turn off IPS.

Tom Wallin

2 Accepted Solutions


It shuts off to prevent any intrusion with that enabled.  If there is a way of you possibly capturing packets and seeing what kind of activity is being captured then we might have a better feel of what is going on.  But yeah, if that is enabled, if it senses any anomaly it will shut down the WAN.


I would try the http one at least and anything above that would be at your discretion.  But at least that one.


25 Replies

bmereby
Level 1

What version of firmware do you have installed on the router?

Is the router's hardware version a 1.0, 1.1, or 2.0?

Also what type of connection do you have from your ISP or better known as Service Provider?

Can you please gather the following information for me so I can help diagnose the issue?

Thanks,

Blake Mereby

tomwallin
Level 1

The Hardware is 1.1 and the FW is 1.1.13. Also I updated the IPS signature, reset the router back to the defaults and ran the upgrade to v1.1.13 again. Before I did this I noticed in the logs what I have come to realize are some DoS-looking listings, i.e. "ICMP_SMURF" and "Possible DoS HGOD SynKiller Flooding". The listings also made me look at one computer on the network and I disabled its connection.

After the above listed actions I've seen the following in the logs -

"eth2: received packet with  own address as source address"

"ipt_tcpmss_target: bad length (1500 bytes)"

"delete<00:13:CE:84:7F:2A> from ARL table" and a lot of these -

" [Access Log]O UDP Packet - 192.168.1.59:1031 --> 192.168.2.28:161"

Under the firewall tab, is DoS Protection enabled?

Yes.

It is very possible that the DoS protection is shutting down the WAN connection to prevent an attack.  If you want to, disable the DoS prevention and see if the WAN shuts down today.

I will turn off DoS service and see.

The WAN did not shut off. I will turn it on again tomorrow and see if the WAN shuts off again. If it shuts off, what criteria does the router use to think there is an attack?

It shuts off to prevent any intrusion with that enabled.  If there is a way of you possibly capturing packets and seeing what kind of activity is being captured then we might have a better feel of what is going on.  But yeah, if that is enabled, if it senses any anomaly it will shut down the WAN.

I have a sniffer on at the same place, electrically, as the router's switch. I can capture the packets. Do you want the capture file, or a msg with the predominant msgs?

David, can you shed some light on the following log entry - Sep 29 10:22:38  - eth0: received packet with  own address as source address

Not sure, with just the log, I would have to see the pattern and maybe can decipher it.

Do you want the capture file, or a msg with the predominant msgs?

Anything you can get will help with the case.  If you can do both that will be fine.  If only a snapshot that will be fine too.

Attached is a .txt file with some logs. Also a WireShark capture file. Hope this shows you

Yeah, the text file, with it stating that it received a packet with own address as source address, kinda makes me think that someone might be trying to spoof your network to access it.  Like intercepting the traffic posing as your IP address.  That is all I can get from it.  Did the DoS protection keep the WAN from shutting down?
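Added example, not part of the original thread or any Cisco tooling: a small Python script that groups the router log messages quoted in this thread by hour, so the hours with DoS alerts can be compared against the times the WAN dropped. The function names, the class labels and the assumption that every line carries the same timestamp prefix as the one entry quoted above are illustrative.

```python
import re
from collections import Counter, defaultdict

# Message classes built from the log text quoted in this thread.
PATTERNS = [
    ("own_source_addr", re.compile(r"received packet with\s+own address as source address")),
    ("arl_delete", re.compile(r"delete<[0-9A-Fa-f:]{17}> from ARL table")),
    ("dos_alert", re.compile(r"ICMP_SMURF|Possible DoS")),
    ("tcpmss_bad_length", re.compile(r"ipt_tcpmss_target: bad length")),
    ("access_log", re.compile(r"\[Access Log\]")),
]
# Assumed layout, modelled on the one timestamped entry quoted in the thread:
# "Sep 29 10:22:38  - eth0: received packet with  own address as source address"
LINE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}):\d{2}:\d{2}\s+-\s+(.*)$")

def classify(msg):
    for name, rx in PATTERNS:
        if rx.search(msg):
            return name
    return "other"

def tally_by_hour(lines):
    """Return {(month, day, hour): Counter(class -> count)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # no timestamp prefix in the assumed layout
        month, day, hour, msg = m.groups()
        buckets[(month, int(day), int(hour))][classify(msg)] += 1
    return dict(buckets)

def hours_with(buckets, cls):
    """Sorted list of hours in which message class `cls` was logged."""
    return sorted(k for k, c in buckets.items() if c[cls] > 0)

# Constructed sample lines in the assumed layout (not the attached log file).
SAMPLE = [
    "Sep 29 10:22:38  - eth0: received packet with  own address as source address",
    "Sep 29 10:22:41  - delete<00:13:CE:84:7F:2A> from ARL table",
    "Sep 29 12:58:02  - ICMP_SMURF",
    "Sep 29 12:58:03  - Possible DoS HGOD SynKiller Flooding",
    "Sep 29 12:58:09  - [Access Log]O UDP Packet - 192.168.1.59:1031 --> 192.168.2.28:161",
    "Sep 29 12:59:30  - ipt_tcpmss_target: bad length (1500 bytes)",
]

if __name__ == "__main__":
    for hour, counts in sorted(tally_by_hour(SAMPLE).items()):
        print(hour, dict(counts))
```

If the `dos_alert` hours line up with the drops and the `own_source_addr` entries are spread evenly through the day, the DoS protection trigger is the better lead than the source-address messages.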
