I have a 1721 with IOS 12.3(7)T (image c1700-k9o3sy7-mz.123-7.T.bin) which works wonderfully well... for a while. With no warning, outward signs or periodicity it suddenly starts sending TCP resets to clients attempting to connect to port 80 from the outside.
This router is configured to do a lot of things and all other functionality tests out fine while it is killing port 80 connections. Amongst the many other things it is doing successfully: port-mapping tftp traffic, port-mapping smtp traffic, port-mapping sntp traffic, port-mapping syslog traffic, site-to-site vpn tunnel with an 827 over an adsl connection, vpn client connections, ACLs, split vpn tunneling, etc.
I've exhausted all the troubleshooting tricks I know. Basically:
o "sh access-lists" shows that the incoming client connection requests for port 80 are permitted by the acl on the d0 interface.
o Port mapping to the web server is configured in the customary manner:
ip nat inside source static tcp 10.0.0.5 80 interface dialer0 80 !www
o cbac is being used, but NOT for port 80 traffic:
! following rem'd - reported problems with java - rely on tcp inspection
! ip inspect name my-out-rules http alert on timeout 3600
o Log files on the destination web server show no http requests or other evidence of the connection attempt.
o Running snort on the same network as the web server shows no http requests or other evidence of the connection attempt.
o The only debugging output I've examined is "debug ip packets detail" which yields:
Mar 30 10:52:25: IP: s=184.108.40.206 (Dialer0), d=220.127.116.11 (Dialer0), len 48, rcvd 3
Mar 30 10:52:25: TCP src=3575, dst=80, seq=2003803651, ack=0, win=16384 SYN
Mar 30 10:52:25: IP: s=18.104.22.168 (local), d=22.214.171.124 (Dialer0), len 40, sending
Mar 30 10:52:25: TCP src=80, dst=3575, seq=0, ack=2003803652, win=0 ACK RST
Is this possibly a hardware problem? An IOS bug perhaps? Could cbac be the culprit? Can anyone offer some suggestions?
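As an added example (not from the original post): a small Python script that parses "debug ip packet detail" lines like the ones above, pairs each inbound SYN to port 80 with the RST that answers it, and reports whether that RST is tagged "(local)", i.e. generated by the router itself rather than forwarded from the inside web server. The second exchange in the sample, including its Ethernet0 interface name, is constructed for contrast and is not from the post.

```python
import re

# Constructed sample: the four debug lines from the post, followed by a second exchange
# (made up here, with an assumed inside interface name) where the RST is forwarded from the server.
SAMPLE_DEBUG = """\
Mar 30 10:52:25: IP: s=184.108.40.206 (Dialer0), d=220.127.116.11 (Dialer0), len 48, rcvd 3
Mar 30 10:52:25: TCP src=3575, dst=80, seq=2003803651, ack=0, win=16384 SYN
Mar 30 10:52:25: IP: s=18.104.22.168 (local), d=22.214.171.124 (Dialer0), len 40, sending
Mar 30 10:52:25: TCP src=80, dst=3575, seq=0, ack=2003803652, win=0 ACK RST
Mar 30 10:52:31: IP: s=184.108.40.206 (Dialer0), d=220.127.116.11 (Dialer0), len 48, rcvd 3
Mar 30 10:52:31: TCP src=3576, dst=80, seq=2003901000, ack=0, win=16384 SYN
Mar 30 10:52:31: IP: s=10.0.0.5 (Ethernet0), d=184.108.40.206 (Dialer0), len 40, rcvd 3
Mar 30 10:52:31: TCP src=80, dst=3576, seq=0, ack=2003901001, win=0 ACK RST
"""

IP_RE = re.compile(r"IP: s=(?P<src>\S+) \((?P<src_tag>[^)]+)\), d=(?P<dst>\S+) \((?P<dst_tag>[^)]+)\)")
TCP_RE = re.compile(r"TCP src=(?P<sport>\d+), dst=(?P<dport>\d+), seq=(?P<seq>\d+), ack=(?P<ack>\d+), win=\d+ ?(?P<flags>.*)")

def parse_packets(text):
    """Pair each 'IP:' header line with the 'TCP' line that follows it."""
    packets, pending = [], None
    for line in text.splitlines():
        if m := IP_RE.search(line):
            pending = m.groupdict()
        elif (m := TCP_RE.search(line)) and pending is not None:
            pkt = dict(pending, flags=set(m["flags"].split()),
                       **{k: int(m[k]) for k in ("sport", "dport", "seq", "ack")})
            packets.append(pkt)
            pending = None
    return packets

def find_reset_handshakes(text, service_port=80):
    """For each inbound SYN to service_port, find the RST that answered it and report who sent it.
    A RST whose IP line is tagged '(local)' was generated by the router itself, so the SYN
    never reached the translated inside host; one received on an inside interface (here the
    assumed Ethernet0) came from the server, meaning translation and forwarding worked.
    """
    packets = parse_packets(text)
    findings = []
    for i, syn in enumerate(packets):
        if syn["dport"] != service_port or syn["flags"] != {"SYN"}:
            continue
        for rst in packets[i + 1:]:
            if ("RST" in rst["flags"] and rst["sport"] == syn["dport"]
                    and rst["dport"] == syn["sport"] and rst["ack"] == syn["seq"] + 1):
                findings.append({"client": f"{syn['src']}:{syn['sport']}",
                                 "rst_origin": "router" if rst["src_tag"] == "local" else rst["src_tag"]})
                break
    return findings
```

If every RST comes back as "router", it is consistent with the web server logs and snort seeing nothing: the connection was answered on the router before anything was forwarded inside.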