Problem : WAN state DOWN every day please help me

Jul 3rd, 2010

WAN status :


Dedicated WAN (IPv4) Optional WAN (IPv4)   
Connection Time : 0 Days 22:31:43
Connection Type : PPPOE
Connection State : Connected
Link State : LINK UP
WAN State : DOWN
IP Address : 0.0.0.0
Subnet Mask : 0.0.0.0
Gateway : 0.0.0.0
DNS Server : 0.0.0.0

It happens every day: after 24 hours of connection it goes down, and I must reboot the box for a new internet connection. I have had the problem for about 2 weeks; every day I must reboot the box in the morning before business hours, it's so sad. But when it is down I can use web mgmt via the internet from home by the fixed IP of the box, but the clients behind this box can't access the internet until I reboot the SA540. Please help me with this case. If you want the config file of the SA540, please tell me.

I can't find a restart button in the web UI; now when I want to reboot I must power the hardware off and on.

Thank you for best support.

The SA540 firewall is behind a Cisco 877 ADSL router (it uses bridge mode, RFC1483).

SIRIPHAN SONMANEE Sun, 07/04/2010 - 01:05

After 24 hours, now I can't access the web UI from the internet. Tomorrow I must go to the office early to restart the box again. Please help me.

SIRIPHAN SONMANEE Wed, 07/07/2010 - 01:46

I'm not strong in English and I can't listen clearly; please answer via the webboard.

Now I have installed it at another site but I have the same problem, please help me.

David Hornstein Wed, 07/07/2010 - 05:25

Hi Siriphan,



I have no guess as to why the link fails to negotiate.

From the information you show, I can't understand how you can remotely access the SA500.

You did mention "But when it down i can use web mgmt via internet form home by the fix ip of box," so it could be that NAT services go down...maybe

Without error log information obtainable from the SA500 or a Wireshark capture mirroring the WAN interface, it's hard to figure out why the PPPoE connection goes down.

One interesting thing to try is to set the idle timer to, say, 60 (see picture below), so that after 60 minutes of inactivity on the PPPoE line the link will go down.

The idle timer sets up dial-on-demand functionality for the PPPoE link, so that any activity trying to go out over the WAN link will cause the PPPoE link to try to negotiate PPPoE with the service provider's PPPoE Access Concentrator. The result is that the SA520 will try to negotiate PPPoE again with your service provider.

It's worth a try. It would be useful to paste or attach the error logs.


regards David




SIRIPHAN SONMANEE Wed, 07/07/2010 - 11:35

Thank you for best support, dhornste.

In my profile the connectivity type is set to Keep Connected, and when the clients behind the SA500 can't access the internet I can use the web UI via the internet on the SA500's real IP, and it shows


Dedicated WAN (IPv4) Optional WAN (IPv4)   
Connection Time : 0 Days 22:31:43
Connection Type : PPPOE
Connection State : Connected  >> connected
Link State : LINK UP >> UP

WAN State : DOWN  >> Down
IP Address : 0.0.0.0
Subnet Mask : 0.0.0.0
Gateway : 0.0.0.0
DNS Server : 0.0.0.0


I am so confused: when do we use the idle time connectivity type? But we don't use Keep Connected, same as the older models such as the RVxx series.

Thank you for your support again. I will try to set the idle timeout for connectivity again.

David Hornstein Wed, 07/07/2010 - 12:23

Hi Siriphan,


It would be very good to see and capture:

  • All the error log on the SA500 (tells us what might be going wrong).
  • Also good to see information such as a screen shot from the Status > device status tab.
    • See attached screen shot; good to see what version software you are running. I hope you are running version 1.1.42 code.

My suggestion in my previous message is just a suggestion; at this point there isn't enough information to say exactly what the problem might be.


regards Dave

SIRIPHAN SONMANEE Wed, 07/07/2010 - 18:44


System Info
System Name:
Primary Firmware Version: 1.1.42
Secondary Firmware Version: 1.0.15
Latest Image Available: Current (no upgrade required)
Link to Release notes: http://www.cisco.com/en/US/products/ps9932/tsd_products_support_series_home.html
Time at which last query was made: Thu Jul 8 08:01:21 2010
ProtectLink License Info
  Cisco ProtectLink Gateway License has not been activated.
  Cisco ProtectLink Endpoint License has not been activated.



Thank you for best support.

I will send the log and config to you.

David Hornstein Thu, 07/08/2010 - 07:39

Hi Siriphan,

Thank you for allowing me to access your SA500. I noticed lots of ethernet WAN errors (eth1) in your error log, like the ones that follow:



WARN Kernel eth1: Using 10Mbps with software preamble removal

WARN Kernel eth1: Using 10Mbps with software preamble removal


WARN Kernel size of this packet is lesser than minimum length


I also noticed that you manually set the WAN speed to 100 Full duplex. This means that any autonegotiation process between the service provider's xDSL modem and my SA520 will fail.

The service provider's modem seems to be running at 10 meg, probably half duplex, and you have manually set your WAN port speed to a fixed speed of 100 meg and full duplex, as per your screen capture below.

By setting a port to a fixed speed you, without knowing it, turn off the autonegotiate process. Unless you configure the xDSL modem to 100 full duplex you will have WAN connection issues.

Please select auto in the SA520 and allow the SA500 to autonegotiate with the ethernet peer, which just happens to be an xDSL modem.


regards dave
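
A log triage for the two warnings quoted in the post above, added here as an example (it is not part of the original thread and not Cisco tooling). It assumes the log is available as plain text lines in the message shapes quoted; the `triage` function and the `configured_mbps` mapping are hypothetical names, and the sample lines are constructed from the quotes.

```python
import re
from collections import Counter

# Message shapes as quoted in the post; other SA500 log fields are not shown there.
SPEED_RE = re.compile(r"WARN Kernel (\w+): Using (\d+)Mbps")
RUNT_RE = re.compile(r"WARN Kernel size of this packet is lesser than minimum length")


def triage(log_lines, configured_mbps):
    """Count link-speed and undersized-packet warnings, flag speed mismatches.

    configured_mbps (assumption): {"eth1": 100} means the port is forced to 100.
    """
    reported = {}        # interface -> set of speeds the kernel logged
    counts = Counter()
    for line in log_lines:
        m = SPEED_RE.search(line)
        if m:
            reported.setdefault(m.group(1), set()).add(int(m.group(2)))
            counts["speed_warnings"] += 1
        elif RUNT_RE.search(line):
            counts["runt_warnings"] += 1

    findings = []
    for iface, seen in sorted(reported.items()):
        want = configured_mbps.get(iface)
        # A forced speed that differs from what the kernel reports means the
        # two ends of the link disagree about speed.
        if want is not None and seen != {want}:
            findings.append(
                f"{iface}: configured {want}Mbps, kernel reports {sorted(seen)}Mbps"
            )
    return {"counts": dict(counts), "findings": findings}


# Constructed sample: the three lines quoted in the post.
SAMPLE_LOG = [
    "WARN Kernel eth1: Using 10Mbps with software preamble removal",
    "WARN Kernel eth1: Using 10Mbps with software preamble removal",
    "WARN Kernel size of this packet is lesser than minimum length",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, {"eth1": 100})
    print(result["counts"])
    for finding in result["findings"]:
        print(finding)
```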

SIRIPHAN SONMANEE Thu, 07/08/2010 - 09:43

Thank you for your nice support.

In the past, I got this problem when I set autonegotiate, and I did as you advised but it did not work. Then I fixed the speed of the dedicated WAN port like the Cisco 877 (it was set to bridge mode) but the problem still happened. Therefore, I will do as you advise below again, and monitor for 24 hours. The monitor log will be captured for you again.

However, if you can fix this problem, please kindly do it and advise me what you did, for my reference.


Siriphan.

David Hornstein Thu, 07/08/2010 - 11:02

Hi Siriphan


I have been looking at a lot of different things over the last two days. My apologies for forgetting you have a Cisco 877 in front of the SA520.

I am thinking, why is it that you are getting a 10 meg link from the Cisco 877 router in bridge mode...hmmmm

Or is there an issue with auto negotiation?

You mention you have had trouble in the past between these two Cisco devices when speed was set to auto.

If you set the port speeds on both devices there will be no auto-negotiation of speed or duplex occurring between these two devices.

I suspect that the 877 is set to autonegotiate, as the link speed seen by the SA520 log was 10 meg on eth1 (WAN port).

The 877 is trying to negotiate at 100 full, 100 half, then maybe 10 full and half, and gives up on auto negotiation because it never got a response from the SA520 to its attempt to autonegotiate speed and duplex.

The 877 settles for a speed of 10 megabit, but I'm guessing half duplex.

To me it sure sounds like there is an autonegotiation issue between the Cisco 877 and the Cisco SA520.

This problem I observed will be fixed by manually setting the Cisco 877 ethernet port to 100M Full Duplex. I cannot get access to the Cisco 877 and I am unwilling to alter a machine without you in a WebEx desktop share and your customer informed about what we are doing. Sorry.

When you have fixed the Cisco 877 speed to 100 meg Full Duplex, we should see that those bad error messages that I pasted before, taken from your SA520 error log, do not reappear in the SA520 error log.


regards Dave

SIRIPHAN SONMANEE Wed, 07/14/2010 - 21:34

Thank you for best support, dhornste, but now I can't access the Cisco 877 via LAN; it connects to the SA540, because I set it as a bridge port? Now when I want to connect to the Cisco 877 I must connect via console to the 877 directly. Do you have another solution to connect to the Cisco 877 via the bridge connection? Because now it is difficult to connect to the Cisco 877 to monitor via the internet; I must use the 877 console only. By the way, how must I now set speed and duplex on the Cisco 877 and the Cisco SA500?

Is speed 100 and half duplex OK? It must be fixed.


Thank you for best support again.

SIRIPHAN SONMANEE Wed, 07/14/2010 - 23:16

I'm afraid that you may be confused by my message above because there are many details; my questions are summarized below:

1. Since the Cisco 877 and SA540 were connected with the bridge port, is that the reason why we could not access them via LAN?

2. Do you have a solution to access the Cisco 877 via the bridge connection? I could not monitor the Cisco 877 via the internet now.

3. I will set the Cisco 877 speed to 100 meg Full Duplex as you advised, and let you know the result later. What about the SA540?

Thank you in advance for your kind support.

abdiel.pema Mon, 07/21/2014 - 21:32

Hi, I have a problem with the Cisco SB SF302-08PP switch. I connect an RJ45 cable to my PC and configure the local area connection adapter (IP address: 192.168.1.252); the LEDs blink green. I go to the address bar and enter the default IP, which according to the manual is 192.168.1.254, and the result is: page not found. Is there any way to change the web utility? How do I access the web utility?

Hugues ROCHIN Tue, 07/20/2010 - 14:06

The only way I found to resolve the problem of PPPoE instability (for me, it crashes definitively after 2 or 4 hours) is to use a modem as router.

(Same problem with 1.1.42 or 1.1.56 firmware)

You have an independent modem router, and you plug the SA in behind it.

A little static route, and some port redirection to the SA, and you can "hope" to find a more stable solution....

What a shame for a 500$ unit, stamped CISCO....

Now the question is: what was the service in charge of launching the product smoking.... before selling this shh....t... When you get a machine which gets stuck after 2 hours, every time, on one of the most basic services you can ask of this kind of machine, how can you decide to sell it to users, especially when you are CISCO...

The world changes...

David Hornstein Tue, 07/20/2010 - 21:14

Hi Hugues,

It would have been good to see a TAC case number and:

1. Error log to better understand what might have been going wrong.

2. Built-in packet capturing tool to capture and diagnose a PPPoE issue either with the service provider's access concentrator or the security appliance.


but


Good luck  David