SSH and Ping to WAN IP not working correctly.

Unanswered Question
Sep 12th, 2014

Hey all!

I've run into an issue that I can't seem to figure out. For some reason I can't SSH to my router, and I also can't ping the WAN IP addresses, which I need for my monitoring service. This one's got me stuck, so any help is very much appreciated. Here is my sanitized config. Thanks!

 


version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
ip cef
!
ip domain name xxxxxxx
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
username admin privilege 0 password 7 xxxxxxxxxxxxxxxxx
!
redundancy
!
interface FastEthernet0/0
 ip address xx.xx.xxx.xxx 255.255.255.240
 ip access-group OutsideIn in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.100.60 255.255.0.0
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.34.1.1 255.255.240.0
 ip helper-address 10.34.1.7
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.60.0.1 255.255.252.0
 ip helper-address 10.34.1.7
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.31
 encapsulation dot1Q 31
 ip address 10.31.1.2 255.255.0.0
 ip helper-address 10.34.1.7
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.32
 encapsulation dot1Q 32
 ip address 10.32.1.2 255.255.0.0
 ip helper-address 10.34.1.7
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.33
 encapsulation dot1Q 33
 ip address 10.33.1.1 255.255.0.0
 ip helper-address 10.34.1.7
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.50
 encapsulation dot1Q 50
 ip address 10.50.1.2 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.51
 encapsulation dot1Q 51
 ip address 10.51.1.1 255.255.0.0
 ip helper-address 10.34.1.7
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.52
 encapsulation dot1Q 52
 ip address 10.52.1.1 255.255.0.0
 ip helper-address 10.34.1.7
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.53
 encapsulation dot1Q 53
 ip address 10.53.1.1 255.255.0.0
 ip helper-address 10.34.1.7
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.54
 encapsulation dot1Q 54
 ip address 10.54.1.1 255.255.0.0
 ip helper-address 10.34.1.7
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.55
 encapsulation dot1Q 55
 ip address 10.55.1.1 255.255.0.0
 ip helper-address 10.34.1.7
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.56
 encapsulation dot1Q 56
 ip address 10.56.1.1 255.255.0.0
 ip helper-address 10.34.1.7
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
!
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.34.1.155 8020 interface FastEthernet0/0 8020
ip nat inside source static udp 10.34.1.155 8020 interface FastEthernet0/0 8020
ip nat inside source static tcp 10.34.1.155 8025 interface FastEthernet0/0 8025
ip nat inside source static udp 10.34.1.155 8025 interface FastEthernet0/0 8025
ip nat inside source static tcp 10.34.1.165 8030 interface FastEthernet0/0 8030
ip nat inside source static tcp 10.34.1.165 8035 interface FastEthernet0/0 8035
ip nat inside source static udp 10.34.1.165 8035 interface FastEthernet0/0 8035
ip nat inside source static udp 10.34.1.165 8030 interface FastEthernet0/0 8030
ip nat inside source static tcp 10.34.1.156 8010 interface FastEthernet0/0 8010
ip nat inside source static udp 10.34.1.156 8010 interface FastEthernet0/0 8010
ip nat inside source static tcp 10.34.1.156 8015 interface FastEthernet0/0 8015
ip nat inside source static udp 10.34.1.156 8015 interface FastEthernet0/0 8015
ip nat inside source static tcp 10.34.1.3 8061 interface FastEthernet0/0 8061
ip nat inside source static udp 10.34.1.3 8061 interface FastEthernet0/0 8061
ip nat inside source static tcp 10.34.1.3 8062 interface FastEthernet0/0 8062
ip nat inside source static udp 10.34.1.3 8062 interface FastEthernet0/0 8062
ip nat inside source static tcp 10.34.1.3 8063 interface FastEthernet0/0 8063
ip nat inside source static udp 10.34.1.3 8063 interface FastEthernet0/0 8063
ip nat inside source static tcp 10.34.1.3 8064 interface FastEthernet0/0 8064
ip nat inside source static udp 10.34.1.3 8064 interface FastEthernet0/0 8064
ip nat inside source static tcp 10.34.1.3 8065 interface FastEthernet0/0 8065
ip nat inside source static udp 10.34.1.3 8065 interface FastEthernet0/0 8065
ip nat inside source static tcp 10.34.1.3 8066 interface FastEthernet0/0 8066
ip nat inside source static udp 10.34.1.3 8066 interface FastEthernet0/0 8066
ip nat inside source static tcp 10.34.1.7 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 10.34.2.87 80 interface FastEthernet0/0 80
ip nat inside source static udp 10.34.2.87 80 interface FastEthernet0/0 80
ip nat inside source static tcp 10.34.1.16 80 interface FastEthernet0/0 8045
ip nat inside source static udp 10.34.1.16 80 interface FastEthernet0/0 8045
ip nat inside source static tcp 10.34.1.17 80 interface FastEthernet0/0 8055
ip nat inside source static udp 10.34.1.17 80 interface FastEthernet0/0 8055
ip nat inside source static tcp 10.34.1.18 80 interface FastEthernet0/0 8056
ip nat inside source static udp 10.34.1.18 80 interface FastEthernet0/0 8056
ip route 0.0.0.0 0.0.0.0 (NEXT HOP)
!
ip access-list extended OutsideIn
 permit ip any host xx.xx.xxx.xxx
 permit ip any host xx.xx.xxx.xxx
 deny   udp any any eq 1723
 deny   tcp any any eq 1723
 deny   udp any any eq isakmp
 deny   tcp any any eq 500
 deny   udp any any eq non500-isakmp
 deny   tcp any any eq 4500
 permit tcp any host (WAN IP) eq www
 permit tcp any host (WAN IP) eq 8010
 permit udp any host (WAN IP) eq 8010
 permit tcp any host (WAN IP) eq 8015
 permit udp any host (WAN IP) eq 8015
 permit tcp any host (WAN IP) eq 8020
 permit udp any host (WAN IP) eq 8020
 permit tcp any host (WAN IP) eq 8025
 permit udp any host (WAN IP) eq 8025
 permit tcp any host (WAN IP) eq 8030
 permit udp any host (WAN IP) eq 8030
 permit tcp any host (WAN IP) eq 8035
 permit udp any host (WAN IP) eq 8035
 permit tcp any host (WAN IP) eq 8045
 permit udp any host (WAN IP) eq 8045
 permit tcp any host (WAN IP) eq 8055
 permit udp any host (WAN IP) eq 8055
 permit tcp any host (WAN IP) eq 8061
 permit udp any host (WAN IP) eq 8061
 permit tcp any host (WAN IP) eq 8062
 permit udp any host (WAN IP) eq 8062
 permit tcp any host (WAN IP) eq 8063
 permit udp any host (WAN IP) eq 8063
 permit tcp any host (WAN IP) eq 8064
 permit udp any host (WAN IP) eq 8064
 permit tcp any host (WAN IP) eq 8065
 permit udp any host (WAN IP) eq 8065
 permit tcp any host (WAN IP) eq 8066
 permit udp any host (WAN IP) eq 8066
 permit ip any any
ip access-list extended nat
 permit ip any any
!
logging esm config
logging 10.34.1.7
access-list 50 permit (OUR WAN NETWORK) 0.0.2.255
access-list 100 permit ip any any
!
!
control-plane
!
mgcp profile default
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport input all
line vty 5 988
 logging synchronous
 login local
 transport input all
!
scheduler allocate 20000 1000
end

 

Tagir Temirgaliyev Fri, 09/12/2014 - 08:21

Maybe your processor is overloaded? Maybe the traffic is too big?

 

sh proc cpu

sh interface FastEthernet0/0

sh interface FastEthernet0/1

 

What is the router? 881? Or 2811?

Benjamin Crites Fri, 09/12/2014 - 08:46

It is a 2811, and it does look like the processors pegged 100% a handful of times over the last couple of hours. Can this really stop SSH and Ping from working?

Benjamin Crites Fri, 09/12/2014 - 09:00

  Hardware is MV96340 Ethernet, address is 0022.551a.3b80 (bia 0022.551a.3b80)
  Internet address is XX.XX.XXX.XXX/28
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 4/255, rxload 44/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/1670/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 17259000 bits/sec, 1788 packets/sec
  5 minute output rate 1728000 bits/sec, 1350 packets/sec
     87395905 packets input, 766557199 bytes
     Received 1332539 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 96 throttles
     25676 input errors, 0 CRC, 0 frame, 0 overrun, 25676 ignored
     0 watchdog
     0 input packets with dribble condition detected
     126794802 packets output, 2276449807 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

 

FastEthernet0/1 is up, line protocol is up
  Hardware is MV96340 Ethernet, address is 0022.551a.3b81 (bia 0022.551a.3b81)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 42/255, rxload 4/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID  1., loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/6376/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1701000 bits/sec, 1317 packets/sec
  5 minute output rate 16522000 bits/sec, 1712 packets/sec
     129134088 packets input, 3150074778 bytes
     Received 1290762 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 383 throttles
     101275 input errors, 0 CRC, 0 frame, 0 overrun, 101275 ignored
     0 watchdog
     0 input packets with dribble condition detected
     87242554 packets output, 1114685246 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     31588 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     1 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

 

 

Tagir Temirgaliyev Fri, 09/12/2014 - 19:55

Your processor is overloaded.

You have a big access-list, ip access-list extended OutsideIn, and permit ip any any at the end, so this access-list is useless.

You can remove it:

 

conf t 

interface FastEthernet0/0
 no ip access-group OutsideIn in

exi

wr

 

And check ping and SSH again.

 

And don't forget to rate posts.
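
A first-match walk through the OutsideIn list from the posted config, as an added example that is not part of any post in this thread. WAN_IP, HOST_1 and HOST_2 are placeholder labels for the sanitized addresses (assumed distinct), and the model covers only the fields this list uses: protocol, destination host and destination port.

```python
# Added example: first-match model of the posted OutsideIn ACL.
# WAN/H1/H2 are placeholder labels for the sanitized addresses (assumed distinct).
WAN, H1, H2 = "WAN_IP", "HOST_1", "HOST_2"
FWD = [8010, 8015, 8020, 8025, 8030, 8035, 8045, 8055,
       8061, 8062, 8063, 8064, 8065, 8066]
# Entry = (action, protocol, destination, destination port); source is always "any".
ACL = (
    [("permit", "ip", H1, None), ("permit", "ip", H2, None)]
    # 1723, isakmp (500) and non500-isakmp (4500), udp then tcp as posted
    + [("deny", p, "any", port) for port in (1723, 500, 4500) for p in ("udp", "tcp")]
    + [("permit", "tcp", WAN, 80)]
    + [("permit", p, WAN, port) for port in FWD for p in ("tcp", "udp")]
    + [("permit", "ip", "any", None)]
)

def matches(entry, pkt):
    _, proto, dst, port = entry
    p_proto, p_dst, p_port = pkt
    return (proto in ("ip", p_proto) and dst in ("any", p_dst)
            and (port is None or port == p_port))

def decide(acl, pkt):
    """Return (action, index) of the first matching entry, as IOS evaluates it."""
    for n, entry in enumerate(acl):
        if matches(entry, pkt):
            return entry[0], n
    return "deny", None  # implicit deny that ends every IOS access list

def probes(acl):
    """One packet per combination of protocol, destination and port the ACL can tell apart."""
    dsts = {e[2] for e in acl if e[2] != "any"} | {"OTHER"}
    ports = {e[3] for e in acl if e[3] is not None} | {22}
    yield from (("icmp", d, None) for d in dsts)
    yield from ((p, d, port) for p in ("tcp", "udp") for d in dsts for port in ports)

def redundant(acl):
    """Indexes of entries whose removal changes no probe's permit/deny outcome."""
    return [n for n in range(len(acl))
            if all(decide(acl, k)[0] == decide(acl[:n] + acl[n + 1:], k)[0]
                   for k in probes(acl))]

if __name__ == "__main__":
    print("ssh  to WAN:", decide(ACL, ("tcp", WAN, 22)))
    print("ping to WAN:", decide(ACL, ("icmp", WAN, None)))
    print("ike  to WAN:", decide(ACL, ("udp", WAN, 500)))
    print("redundant entries:", redundant(ACL))
```

Under these assumptions the list permits TCP/22 and ICMP to the WAN address through its last entry, and the 29 per-port permits are shadowed by the trailing permit ip any any. The six deny entries and the two host permits above them still change the outcome for the traffic they match.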
