09-12-2014 06:13 AM - edited 03-04-2019 11:44 PM
Hey all!
I've run into an issue that I can't seem to figure out. For some reason I can't SSH to my router, and I also can't ping the WAN IP addresses, which I need for my monitoring service. This one's got me stuck, so any help is very much appreciated. Here is my sanitized config. Thanks!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
ip cef
!
ip domain name xxxxxxx
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
username admin privilege 0 password 7 xxxxxxxxxxxxxxxxx
!
redundancy
!
interface FastEthernet0/0
ip address xx.xx.xxx.xxx 255.255.255.240
ip access-group OutsideIn in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 10.10.100.60 255.255.0.0
!
interface FastEthernet0/1.20
encapsulation dot1Q 20
ip address 10.34.1.1 255.255.240.0
ip helper-address 10.34.1.7
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.30
encapsulation dot1Q 30
ip address 10.60.0.1 255.255.252.0
ip helper-address 10.34.1.7
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.31
encapsulation dot1Q 31
ip address 10.31.1.2 255.255.0.0
ip helper-address 10.34.1.7
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.32
encapsulation dot1Q 32
ip address 10.32.1.2 255.255.0.0
ip helper-address 10.34.1.7
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.33
encapsulation dot1Q 33
ip address 10.33.1.1 255.255.0.0
ip helper-address 10.34.1.7
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.50
encapsulation dot1Q 50
ip address 10.50.1.2 255.255.0.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.51
encapsulation dot1Q 51
ip address 10.51.1.1 255.255.0.0
ip helper-address 10.34.1.7
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.52
encapsulation dot1Q 52
ip address 10.52.1.1 255.255.0.0
ip helper-address 10.34.1.7
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.53
encapsulation dot1Q 53
ip address 10.53.1.1 255.255.0.0
ip helper-address 10.34.1.7
no ip redirects
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.54
encapsulation dot1Q 54
ip address 10.54.1.1 255.255.0.0
ip helper-address 10.34.1.7
no ip redirects
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.55
encapsulation dot1Q 55
ip address 10.55.1.1 255.255.0.0
ip helper-address 10.34.1.7
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.56
encapsulation dot1Q 56
ip address 10.56.1.1 255.255.0.0
ip helper-address 10.34.1.7
no ip redirects
ip nat inside
ip virtual-reassembly in
!
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.34.1.155 8020 interface FastEthernet0/0 8020
ip nat inside source static udp 10.34.1.155 8020 interface FastEthernet0/0 8020
ip nat inside source static tcp 10.34.1.155 8025 interface FastEthernet0/0 8025
ip nat inside source static udp 10.34.1.155 8025 interface FastEthernet0/0 8025
ip nat inside source static tcp 10.34.1.165 8030 interface FastEthernet0/0 8030
ip nat inside source static tcp 10.34.1.165 8035 interface FastEthernet0/0 8035
ip nat inside source static udp 10.34.1.165 8035 interface FastEthernet0/0 8035
ip nat inside source static udp 10.34.1.165 8030 interface FastEthernet0/0 8030
ip nat inside source static tcp 10.34.1.156 8010 interface FastEthernet0/0 8010
ip nat inside source static udp 10.34.1.156 8010 interface FastEthernet0/0 8010
ip nat inside source static tcp 10.34.1.156 8015 interface FastEthernet0/0 8015
ip nat inside source static udp 10.34.1.156 8015 interface FastEthernet0/0 8015
ip nat inside source static tcp 10.34.1.3 8061 interface FastEthernet0/0 8061
ip nat inside source static udp 10.34.1.3 8061 interface FastEthernet0/0 8061
ip nat inside source static tcp 10.34.1.3 8062 interface FastEthernet0/0 8062
ip nat inside source static udp 10.34.1.3 8062 interface FastEthernet0/0 8062
ip nat inside source static tcp 10.34.1.3 8063 interface FastEthernet0/0 8063
ip nat inside source static udp 10.34.1.3 8063 interface FastEthernet0/0 8063
ip nat inside source static tcp 10.34.1.3 8064 interface FastEthernet0/0 8064
ip nat inside source static udp 10.34.1.3 8064 interface FastEthernet0/0 8064
ip nat inside source static tcp 10.34.1.3 8065 interface FastEthernet0/0 8065
ip nat inside source static udp 10.34.1.3 8065 interface FastEthernet0/0 8065
ip nat inside source static tcp 10.34.1.3 8066 interface FastEthernet0/0 8066
ip nat inside source static udp 10.34.1.3 8066 interface FastEthernet0/0 8066
ip nat inside source static tcp 10.34.1.7 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 10.34.2.87 80 interface FastEthernet0/0 80
ip nat inside source static udp 10.34.2.87 80 interface FastEthernet0/0 80
ip nat inside source static tcp 10.34.1.16 80 interface FastEthernet0/0 8045
ip nat inside source static udp 10.34.1.16 80 interface FastEthernet0/0 8045
ip nat inside source static tcp 10.34.1.17 80 interface FastEthernet0/0 8055
ip nat inside source static udp 10.34.1.17 80 interface FastEthernet0/0 8055
ip nat inside source static tcp 10.34.1.18 80 interface FastEthernet0/0 8056
ip nat inside source static udp 10.34.1.18 80 interface FastEthernet0/0 8056
ip route 0.0.0.0 0.0.0.0 (NEXT HOP)
!
ip access-list extended OutsideIn
permit ip any host xx.xx.xxx.xxx
permit ip any host xx.xx.xxx.xxx
deny udp any any eq 1723
deny tcp any any eq 1723
deny udp any any eq isakmp
deny tcp any any eq 500
deny udp any any eq non500-isakmp
deny tcp any any eq 4500
permit tcp any host (WAN IP) eq www
permit tcp any host (WAN IP) eq 8010
permit udp any host (WAN IP) eq 8010
permit tcp any host (WAN IP) eq 8015
permit udp any host (WAN IP) eq 8015
permit tcp any host (WAN IP) eq 8020
permit udp any host (WAN IP) eq 8020
permit tcp any host (WAN IP) eq 8025
permit udp any host (WAN IP) eq 8025
permit tcp any host (WAN IP) eq 8030
permit udp any host (WAN IP) eq 8030
permit tcp any host (WAN IP) eq 8035
permit udp any host (WAN IP) eq 8035
permit tcp any host (WAN IP) eq 8045
permit udp any host (WAN IP) eq 8045
permit tcp any host (WAN IP) eq 8055
permit udp any host (WAN IP) eq 8055
permit tcp any host (WAN IP) eq 8061
permit udp any host (WAN IP) eq 8061
permit tcp any host (WAN IP) eq 8062
permit udp any host (WAN IP) eq 8062
permit tcp any host (WAN IP) eq 8063
permit udp any host (WAN IP) eq 8063
permit tcp any host (WAN IP) eq 8064
permit udp any host (WAN IP) eq 8064
permit tcp any host (WAN IP) eq 8065
permit udp any host (WAN IP) eq 8065
permit tcp any host (WAN IP) eq 8066
permit udp any host (WAN IP) eq 8066
permit ip any any
ip access-list extended nat
permit ip any any
!
logging esm config
logging 10.34.1.7
access-list 50 permit (OUR WAN NETWORK) 0.0.2.255
access-list 100 permit ip any any
!
!
control-plane
!
mgcp profile default
!
line con 0
logging synchronous
line aux 0
line vty 0 4
logging synchronous
login local
transport input all
line vty 5 988
logging synchronous
login local
transport input all
!
scheduler allocate 20000 1000
end
09-12-2014 08:21 AM
Maybe your processor is overloaded? Maybe the traffic is too big?
sh proc cpu
sh interface FastEthernet0/0
sh interface FastEthernet0/1
What is the router? 881? Or 2811?
09-12-2014 08:46 AM
It is a 2811, and it does look like the processor's pegged 100% a handful of times over the last couple of hours. Can this really stop SSH and ping from working?
09-12-2014 09:00 AM
Hardware is MV96340 Ethernet, address is 0022.551a.3b80 (bia 0022.551a.3b80)
Internet address is XX.XX.XXX.XXX/28
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 4/255, rxload 44/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/1670/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 17259000 bits/sec, 1788 packets/sec
5 minute output rate 1728000 bits/sec, 1350 packets/sec
87395905 packets input, 766557199 bytes
Received 1332539 broadcasts (0 IP multicasts)
0 runts, 0 giants, 96 throttles
25676 input errors, 0 CRC, 0 frame, 0 overrun, 25676 ignored
0 watchdog
0 input packets with dribble condition detected
126794802 packets output, 2276449807 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
FastEthernet0/1 is up, line protocol is up
Hardware is MV96340 Ethernet, address is 0022.551a.3b81 (bia 0022.551a.3b81)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 42/255, rxload 4/255
Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/6376/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 1701000 bits/sec, 1317 packets/sec
5 minute output rate 16522000 bits/sec, 1712 packets/sec
129134088 packets input, 3150074778 bytes
Received 1290762 broadcasts (0 IP multicasts)
0 runts, 0 giants, 383 throttles
101275 input errors, 0 CRC, 0 frame, 0 overrun, 101275 ignored
0 watchdog
0 input packets with dribble condition detected
87242554 packets output, 1114685246 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
31588 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
1 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
09-12-2014 09:03 AM
09-12-2014 07:55 PM
Your processor is overloaded.
You have a big access-list, ip access-list extended OutsideIn,
with permit ip any any
at the end, so this access-list is useless.
You can remove it:
conf t
interface FastEthernet0/0
no ip access-group OutsideIn in
exi
wr
Then try ping and SSH again.
And don't forget to rate posts.
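The reply above rests on first-match ACL evaluation. The following Python is an added example, not part of the original thread: it evaluates a constructed excerpt shaped like the posted OutsideIn list (203.0.113.10 and 203.0.113.11 are documentation addresses standing in for the sanitized values) and reports which entry decides SSH and ICMP to the WAN address and which permits are redundant ahead of the final `permit ip any any`.

```python
import re

# Constructed excerpt in the shape of the thread's OutsideIn ACL. 203.0.113.10
# stands in for the sanitized "(WAN IP)", 203.0.113.11 for a masked host entry.
ACL = """\
permit ip any host 203.0.113.11
deny udp any any eq 1723
deny tcp any any eq 1723
deny udp any any eq isakmp
deny tcp any any eq 500
permit tcp any host 203.0.113.10 eq www
permit tcp any host 203.0.113.10 eq 8010
permit udp any host 203.0.113.10 eq 8010
permit ip any any
"""
PORTS = {"www": 80, "isakmp": 500, "non500-isakmp": 4500}
ENTRY = re.compile(r"(permit|deny) (ip|tcp|udp) any (?:any|host (\S+))(?: eq (\S+))?")

def parse(text):
    """Parse the entry forms used in the thread into (action, proto, host, port)."""
    rules = []
    for line in text.splitlines():
        action, proto, host, port = ENTRY.fullmatch(line.strip()).groups()
        if port is not None:
            port = PORTS[port] if port in PORTS else int(port)
        # "ip" matches every protocol, so store it as a wildcard (None)
        rules.append((action, None if proto == "ip" else proto, host, port))
    return rules

def first_match(rules, proto, dst, dport=None):
    """Return (index, action) of the first entry matching the packet."""
    for i, (action, *fields) in enumerate(rules):
        if all(f is None or f == v for f, v in zip(fields, (proto, dst, dport))):
            return i, action
    return None, "deny"  # implicit deny at the end of every IOS ACL

def overlaps(a, b):
    """True if some packet could match both entries (None is a wildcard)."""
    return all(x is None or y is None or x == y for x, y in zip(a[1:], b[1:]))

def redundant_permits(rules):
    """Indexes of permits that change nothing: the ACL ends in 'permit ip any
    any' and no later deny overlaps them, so their traffic is allowed anyway."""
    if rules[-1] != ("permit", None, None, None):
        return []
    return [i for i, r in enumerate(rules[:-1]) if r[0] == "permit"
            and not any(d[0] == "deny" and overlaps(r, d) for d in rules[i + 1:])]

RULES = parse(ACL)
```

The per-port permits come out redundant, while the host entry placed ahead of the denies does not, because it exempts that host from them.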