cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1105
Views
0
Helpful
4
Replies

Cisco 2851 ISR problems

khayes1984
Level 1
Level 1

Hi,

I'm working on a client site and for some reason when I try and download a 100MB file from the ftp.hp.com website the download times out right at 20%.

Building configuration...

Current configuration : 18153 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PHRD-2851
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
no logging console
enable secret 5 ..........................................

!
no aaa new-model
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1159540406
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1159540406
revocation-check none
rsakeypair TP-self-signed-1159540406
!
!
crypto pki certificate chain TP-self-signed-1159540406
certificate self-signed 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313539 35343034 3036301E 170D3130 30313234 31343533
  33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31353935
  34303430 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C6A6 9A4DDEB5 09A2D751 A584DD45 4D8E88FD EBB3DD52 FE85C478 588BDB1E
  0D0362BB B72C65F6 4349F24D F33865D2 1C35E2BA 97BB7EC4 6444D4DB 6036D55F
  8278D367 8DA8D20F 35188A4C 462F54AC CB03000D 1C789AC8 00E58D81 15C0F7AD
  18F56CA8 D433A117 37617F7C CB89700D EB74ACBC 7F1624BE A5B174E8 276A6E6B
  914B0203 010001A3 69306730 0F060355 1D130101 FF040530 030101FF 30140603
  551D1104 0D300B82 09504852 442D3238 3531301F 0603551D 23041830 168014D3
  0C67D42A CDD8ABBB B51B7044 ECD5F1B4 5DBDCC30 1D060355 1D0E0416 0414D30C
  67D42ACD D8ABBBB5 1B7044EC D5F1B45D BDCC300D 06092A86 4886F70D 01010405
  00038181 00A356E9 7A9F86DE 1CA65D06 83655E1E 2B8DD004 FD6213DB AAA2ABAC
  54FF5AC4 D49B2DA5 F9EF3CFB ED79F8E5 B0367D0F 695D3AD1 B2D544A4 EF25EC21
  D93F5053 ECDD633D 4A1C1EF3 FE5B524D 8ED29531 E9F3A206 20600F9E C9ED120E
  6FDDBDE8 0557D8A2 EB29F7E7 E9B5458A D47E04AD 7DF0E8A1 9750643D 5DD5421B
  AEFD25A4 A3
   quit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key phrdadmin address ............................

crypto isakmp keepalive 30
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to....................

set peer ..................

set transform-set ESP-3DES-SHA1
match address 100
!
!
!
ip cef
!
!
ip inspect name SDM_LOW appfw SDM_LOW
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 pop3
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip inspect name sdm_ins_in_100 ftp
ip urlfilter exclusive-domain deny www.facebook.com
ip urlfilter exclusive-domain deny myspace.com
!
appfw policy-name SDM_LOW
  application http
    port-misuse p2p action reset alarm
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

archive
log config
  hidekeys
!
!
no ip ftp passive
!
track 123 rtr 1 reachability
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_LOW
class sdm_p2p_edonkey
   drop
class sdm_p2p_gnutella
   drop
class sdm_p2p_kazaa
   drop
class sdm_p2p_bittorrent
!
!
!
!
!
interface GigabitEthernet0/0
description Internal PHRD LAN$FW_INSIDE$$ETH-LAN$
ip address 172.20.20.1 255.255.0.0
ip access-group gigabitethernet0/0_in in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip inspect sdm_ins_in_100 in
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description External COGENT 100MB$FW_OUTSIDE$$ETH-WAN$
ip address .............................

ip access-group gigabitethernet0/1_in in
ip verify unicast reverse-path
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex full
speed 100
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
service-policy input sdmappfwp2p_SDM_LOW
service-policy output sdmappfwp2p_SDM_LOW
!
interface FastEthernet0/0/0
description External PAETEC 1.5MB$ETH-WAN$
ip address ......................

ip access-group fastethernet0/0/0_in in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
service-policy input sdmappfwp2p_SDM_LOW
service-policy output sdmappfwp2p_SDM_LOW
!
interface Content-Engine1/0
no ip address
!
router rip
network .............

network .................

!
ip local policy route-map LOCAL-POLICY
ip route 0.0.0.0 0.0.0.0...................permanent
ip route 10.10.10.0 255.255.255.0 172.20.20.108
!
ip flow-top-talkers
top 5
sort-by bytes
cache-timeout 1000
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static 172.20.20.9 38.101.235.251
ip nat inside source static 172.20.22.5 38.101.235.252
ip nat inside source static 172.20.20.20 38.101.235.253
ip nat inside source static 172.20.20.26 207.59.138.193
ip nat inside source static 172.20.20.85 207.59.138.197
ip nat inside source static 172.20.22.6 207.59.138.199
ip nat inside source static 172.20.20.25 207.59.138.200
!
ip access-list extended fastethernet0/0/0_in
remark SDM_ACL Category=17
remark Paetec8
permit tcp ..................... host ..................eq smtp log
remark Paetec7
permit tcp ......................host ................... eq smtp log
remark Paetec6
permit tcp ......................host ..................eq smtp log
remark Paetec5
permit tcp...................... host ...........................eq smtp log
remark Paetec4
permit tcp ..................... host ....................... eq smtp log
remark Paetec3
permit tcp ......................host .........................eq smtp log
remark Paetec2
permit tcp ........................ host .........................eq smtp log
remark Paetec1
permit tcp .................... host ...................eq smtp log
remark Bank of America for email
permit tcp .........................eq smtp host 172.20.20.28 eq smtp log
permit tcp any host ................... eq smtp log
remark VPN In - ATLTERM  (PPTP)
permit tcp any eq 1723 172.20.0.0 0.0.255.255 eq 1723 log
remark VPN In - ATLTERM  (PPTP)
permit gre any any log
remark Blackberry Service
permit tcp any host 172.20.20.27 eq 3101 log
permit tcp any host ................... eq www log
remark OWA
permit tcp any host...................... eq www
deny   tcp any host...................... eq ftp log
remark Terminal Server RDP Client
permit tcp any host ..................... eq 3389 log
remark VPN
permit tcp any host ..................... eq 1723 log
remark VPN
permit tcp any host ..................... eq 1723 log
permit tcp any host ..................... eq 20005 log
permit tcp any host ..................... eq 20006 log
permit tcp any host ..................... eq 20007 log
permit icmp any host .................... echo-reply
permit icmp any host .................... time-exceeded
permit icmp any host .................... unreachable
permit tcp any host........................ eq 443
remark https
deny   tcp any host........................ eq 443
permit tcp any host ....................... eq 22
permit tcp any host ....................... eq cmd
deny   ip 172.20.0.0 0.0.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip host 255.255.255.255 any
deny   ip host 0.0.0.0 any
deny   ip any any log
ip access-list extended gigabitethernet0/0_in
remark SDM_ACL Category=17
remark VPN In - ATLTERM  (PPTP)
permit tcp any eq 1723 172.20.0.0 0.0.255.255 eq 1723 log
remark Imap4 for iPhones
permit tcp any eq 143 any eq 143
remark Imap4 for iPhones
permit tcp any eq 993 any eq 993
remark Imap4 for iPhones
permit tcp any eq 587 any eq 587
remark Allow SMTP from Exchange Servers
permit tcp host 172.20.20.18 eq smtp any log
remark Allow SMTP from Exchange Servers
permit tcp host 172.20.20.161 eq smtp any log
remark Allow SMTP from Exchange Servers
permit tcp host 172.20.20.162 eq smtp any log
remark VPN In - ATLTERM  (PPTP)
permit gre any any log
deny   tcp any any eq 69 log
deny   udp any any eq 6347 log
deny   udp any any eq 6346 log
deny   tcp any any eq 1214 log
deny   udp any any eq 1214 log
deny   tcp any any eq 1755 log
deny   tcp any any eq 2234 log
deny   tcp any any eq 2694 log
deny   tcp any any eq 5050 log
deny   tcp any any eq 6347 log
deny   tcp any any eq 6346 log
deny   ip ............................... any
deny   ip ............................... any
deny   ip host 255.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
permit ip any any
ip access-list extended gigabitethernet0/1_in
remark SDM_ACL Category=17
remark IPSec Rule
permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255 log
remark IPSec Rule
permit ip 172.30.0.0 0.0.255.255 10.10.10.0 0.0.0.255 log
remark IPSec Rule
permit ip 10.10.11.0 0.0.0.255 172.20.0.0 0.0.255.255 log
remark IPSec Rule
permit ip 172.30.0.0 0.0.255.255 172.20.0.0 0.0.255.255 log
permit udp host ............. host ............eq non500-isakmp
permit udp host ............. host ............... eq isakmp
permit esp host ............. host ...............

permit ahp host ............. host ........ remark Paetec_1
permit tcp ................eq smtp host 172.20.20.28 eq smtp log
remark Paetec_2
permit tcp ................ eq smtp host 172.20.20.28 eq smtp log
remark Paetec_3
permit tcp .................eq smtp host 172.20.20.28 eq smtp log
remark Paetec_4
permit tcp ................ eq smtp host 172.20.20.28 eq smtp log
remark Paetec_5
permit tcp ................ eq smtp host 172.20.20.28 eq smtp log
remark Paetec_6
permit tcp ................ eq smtp host 172.20.20.28 eq smtp log
remark Paetec_7
permit tcp ................ eq smtp host 172.20.20.28 eq smtp log
remark Paetec_8
permit tcp ................. eq smtp host 172.20.20.28 eq smtp log
remark queue.uslec.net
permit tcp ................. eq smtp host 172.20.20.28 eq smtp log
remark Bank of America for email
permit tcp ..................eq smtp host 172.20.20.28 eq smtp log
remark Blackberry Service
permit tcp any host 172.20.20.27 eq 3101 log
remark IMap4 for iPhones
permit tcp any host 172.20.20.28 eq 587
remark IMap4 for iPhones
permit tcp any host 172.20.20.28 eq 585
remark IMap4 for iPhones
permit tcp any host 172.20.20.28 eq 143
permit tcp any host ...................... eq www log
permit tcp any host .......................eq www log
deny   tcp any host ...................... eq ftp log
remark Terminal Server RDP Client
permit tcp any host ................eq 3389 log
remark VPN
permit tcp any host ............... eq 1723 log
remark VPN
permit gre any any log
permit tcp any host ..............eq 20005 log
permit tcp any host ..............eq 20006 log
permit tcp any host ............. eq 20007 log
permit tcp any host ............. eq smtp log
permit tcp any host ..............eq 443
deny   gre any any
deny   ip 172.20.0.0 0.0.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip host 255.255.255.255 any
deny   ip host 0.0.0.0 any
deny   ip any any log
remark SMTP for iPhones
permit tcp any eq 587 any eq 587
!
ip sla 1
icmp-echo..............

timeout 3000
threshold 10
frequency 15
ip sla schedule 1 life forever start-time now
logging facility local0
logging 172.20.20.25
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 172.20.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.0.0 0.0.255.255 172.30.0.0 0.0.255.255 log
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255 log
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 172.30.0.0 0.0.255.255 log
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255 log
access-list 101 permit icmp any host 38.101.235.249 echo
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 102 permit ip 172.20.0.0 0.0.255.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 103 permit ip 172.20.0.0 0.0.255.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255 log
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.10.10.0 0.0.0.255 172.30.0.0 0.0.255.255 log
access-list 104 remark IPSec Rule
access-list 104 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255 log
access-list 104 remark IPSec Rule
access-list 104 deny   ip 172.20.0.0 0.0.255.255 172.30.0.0 0.0.255.255 log
access-list 104 permit ip 172.20.0.0 0.0.255.255 any
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 105 permit ip 172.20.0.0 0.0.255.255 any
access-list 106 remark SDM_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 106 permit ip 172.20.0.0 0.0.255.255 any
access-list 107 remark SDM_ACL Category=2
access-list 107 remark IPSec Rule
access-list 107 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 107 permit ip 172.20.0.0 0.0.255.255 any
access-list 108 remark SDM_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 108 permit ip 172.20.0.0 0.0.255.255 any
access-list 109 remark SDM_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 109 permit ip 172.20.0.0 0.0.255.255 any
access-list 110 remark SDM_ACL Category=2
access-list 110 remark IPSec Rule
access-list 110 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 110 permit ip 172.20.0.0 0.0.255.255 any
access-list 111 remark SDM_ACL Category=2
access-list 111 remark IPSec Rule
access-list 111 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 111 permit ip 172.20.0.0 0.0.255.255 any
access-list 112 remark SDM_ACL Category=2
access-list 112 remark IPSec Rule
access-list 112 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 112 permit ip 172.20.0.0 0.0.255.255 any
access-list 113 remark SDM_ACL Category=2
access-list 113 remark IPSec Rule
access-list 113 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 113 permit ip 172.20.0.0 0.0.255.255 any
access-list 114 remark SDM_ACL Category=2
access-list 114 remark IPSec Rule
access-list 114 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 114 permit ip 172.20.0.0 0.0.255.255 any
access-list 115 remark SDM_ACL Category=2
access-list 115 remark IPSec Rule
access-list 115 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 115 permit ip 172.20.0.0 0.0.255.255 any
access-list 116 remark SDM_ACL Category=2
access-list 116 remark IPSec Rule
access-list 116 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 116 permit ip 172.20.0.0 0.0.255.255 any
access-list 117 remark SDM_ACL Category=2
access-list 117 remark IPSec Rule
access-list 117 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 117 permit ip 172.20.0.0 0.0.255.255 any
access-list 118 remark SDM_ACL Category=2
access-list 118 remark IPSec Rule
access-list 118 deny   ip 172.20.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 118 permit ip 172.20.0.0 0.0.255.255 any
snmp-server community Public RO
!
!
!
route-map MAP-Cogent permit 10
match ip address 1
match interface GigabitEthernet0/1
set ip next-hop .............

!
route-map MAP-Paetec permit 10
match ip address 1
match interface FastEthernet0/0/0
set ip next-hop .........

!
route-map LOCAL-POLICY permit 10
match ip address 101
set ip next-hop ........

set interface Null0
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
login local
line aux 0
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output all
line vty 0 4
login local
transport input telnet ssh
line vty 5 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar

!
webvpn cef
!
end

Here's the config, but we're not sure why this is happening. We can go to DELL and download drivers that are 100MB and not get timed out, but for some reason we can't download a 100MB file from hp's site? Please help.

4 Replies 4

spremkumar
Level 9
Level 9

Hi

Few queries on your download problem!!!

Are you trying to download from the same machine or using different machines?

Have you tried any other websites to download except HP/Dell ? have you tried something out of microsoft or sun ?

did u check the utilisation pattern when you are downloading from both the sites (HP/Dell) ?

Have you observed any connection related issues or any logs with respect to the connection in the router when downloading from HP ?

regds

Are  you trying to download from the same machine or using different  machines? Yes we've tired from different machines, and even servers. It still times out.

Have  you tried any other websites to download except HP/Dell ? have you  tried something out of microsoft or sun ? Other sites will download fine only HP's site won't. I downloaded Exchange Server 2007 SP2 which is 800MB and was able to complete the download.

did u check the utilisation pattern  when you are downloading from both the sites (HP/Dell) ? Check utilization pattern? I see acknowledgments from source and destination, but times out after 20% from HP, Dell and every other manufacture downloads will download successfully.

Have you  observed any connection related issues or any logs with respect to the  connection in the router when downloading from HP ? We have debugging turned off due to production network can't be bogged down. I thought about it, but when I tried to go through the logs with the SDM it wouldn't show me anything because debugging was turned off, however I used a FTP client and saw the logs. IT would time out at their FTP public IP/ port 21 and that would be it.

Bump

Hi Kenneth,

You may have to add this to your internal facing vlan and see if it helps

ip tcp adjust-mss 1452

ip mtu 1492

Have a look at command reference guide:

http://www.cisco.com/en/US/docs/ios/ipapp/command/reference/iap_i2.html#wp1070058

HTH

Reza

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco