
100% packetloss with 871 and Frontier

jschneiter
Level 1

Hello,

This Cisco connects to another by VPN and both are 871 Models.

Last Sunday the VPN just dropped off the face of the earth and couldn't get it back. We all thought it was the modem. We had the ISP come in and check everything out and he swapped modems.

I got the VPN back up but it drops packets left and right. Neither router has computer data going across it; it is all radio traffic for a taxi company.

The only change I made to the router here is I entered a gateway (before it was 0.0.0.0 and it worked fine) and changed the DNS numbers (which really don't matter too much as there is no internet data).

The modem is set up as PPPoE instead of bridge with a single static IP. I do a PingPlotter test out of that router to another static IP (our own internet connection through Charter Communications) and I get 100% packet loss across all the hops.

On a side note, I do the reverse. I PingPlotter INTO the router from another network and it goes all the way through till it hits the modem.

How can I tell if it's the router causing the problem or the modem?


paolo bevilacqua
Hall of Fame

Did you make the configuration? Are you sure it is configured right?

The configuration hasn't changed from when it was working.

Frontier (ISP) changed from a standard Modem to a Modem/Router with PPPOE.

The static IP didn't change.

All I did was change the Gateway from 0.0.0.0 to the given gateway from the ISP. Before I did that, I was not able to access the internet from the cisco.

Prior to changing the Modem out, and having a gateway of 0.0.0.0 I was able to access the internet.

I made the change by using the IP Gateway command line. It accepted it and therefore I now have access to the outside world. Before I did that, the VPN would not come up.

Below is the current config (I made comments along the way):

!This is the running config of the router: 10.10.11.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname portage
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$d2Pf$9XcHPYKJ5Ctt9PGT47EEV.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.11.5 10.10.11.254
ip dhcp excluded-address 10.10.11.1
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.11.0 255.255.255.0
   dns-server 4.2.2.1 8.8.8.8
   default-router 10.10.11.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server 4.2.2.1
ip name-server 8.8.8.8
ip ssh time-out 60
ip ssh authentication-retries 2
ip ddns update method sdm_ddns1
!
!
!
crypto pki trustpoint TP-self-signed-251899240
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-251899240
revocation-check none
rsakeypair TP-self-signed-251899240
!
!
crypto pki certificate chain TP-self-signed-251899240
certificate self-signed 01
  quit
username taxi2 privilege 15 secret 5 $1$VpIY$PK6vT5aYktziv3ZIW5Vzn1
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key g0ttac1649hsa address 68.65.x.x no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to68.65.x.x
set peer 68.65.x.x
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
match address 100
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip ddns update hostname comserv.dnsalias.org
ip ddns update sdm_ddns1
ip address 50.50.x.x 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.11.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 0.0.0.0 0.0.0.0 50.50.x.x                <------ ADDRESS OF MODEM 1 Digit less than Static IP
ip route 10.10.10.0 255.255.255.0 FastEthernet4
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.11.7 3389 interface FastEthernet4 3389
ip nat inside source static udp 10.10.11.7 3389 interface FastEthernet4 3389
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255  <----- WHY THIS ACCESS RULE WHEN YOU GOT 101 BELOW??
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255  <-----DOES THIS CONFLICT WITH THE LINE BELOW
access-list 101 permit ip 10.10.11.0 0.0.0.255 any                   <-----DOES THIS CONFLICT WITH THE LINE ABOVE
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner login ^CCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

hi jon,

firstly, are you able to ping any internet address (8.8.8.8) from both 871s? could you post the remote 871 config (remove sensitive info) as well?

ACL 100 is used to protect 'interesting' traffic for your VPN and ACL 101 is used for PAT for internet traffic.
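
The first-match behaviour behind that answer, as an added example that is not part of the original thread: a small Python evaluator run over the ACL 100 and ACL 101 entries from the posted config. The function names and the test addresses 10.10.10.20 and 192.168.1.5 are assumptions made for illustration.

```python
import ipaddress

# ACL entries copied from the posted config (remark lines omitted).
ACLS = {
    100: ["permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255"],
    101: ["deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255",
          "permit ip 10.10.11.0 0.0.0.255 any"],
}

def _matcher(tokens):
    """Consume 'any' or '<address> <wildcard>' from tokens; return a predicate."""
    if tokens[0] == "any":
        del tokens[0]
        return lambda ip: True
    base = int(ipaddress.IPv4Address(tokens.pop(0)))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return lambda ip: (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in ACLS[acl]:
        tokens = entry.split()
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol, 'ip'
        src_ok = _matcher(rest)
        dst_ok = _matcher(rest)
        if src_ok(src) and dst_ok(dst):
            return action
    return "deny"

def classify(src, dst):
    """Treatment of a packet routed from Vlan1 out FastEthernet4."""
    # Inside-to-outside NAT is applied before the crypto map check, so the
    # deny in ACL 101 is what keeps VPN traffic untranslated for ACL 100.
    translated = evaluate(101, src, dst) == "permit"  # route-map SDM_RMAP_1
    encrypted = evaluate(100, src, dst) == "permit"   # crypto map SDM_CMAP_1
    if encrypted and not translated:
        return "IPsec tunnel, source address kept"
    if translated:
        return "PAT, sent outside the tunnel"
    return "neither translated nor encrypted"

if __name__ == "__main__":
    # Constructed sample flows: 10.10.11.7 is the inside host in the config.
    for src, dst in [("10.10.11.7", "10.10.10.20"),
                     ("10.10.11.7", "8.8.8.8"),
                     ("192.168.1.5", "10.10.10.20")]:
        print(f"{src} -> {dst}: {classify(src, dst)}")
```

The deny and permit lines in ACL 101 do not conflict: the deny is evaluated first and exempts site-to-site traffic from PAT, and everything else from 10.10.11.0/24 falls through to the permit.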

Unfortunately, I am unable to get to the remote Cisco. That's a whole other issue that I will hopefully take care of tomorrow (2 hours away).

They have the cisco behind a POS netgear router and then the modem/Router.

I have the last config though that I used and should be the same that is in there now.

The remote config however is over 1 1/2 years old and highly doubt is the suspect. They changed the modem out 45 days ago over there. It did work afterwards though till last Sunday.

I can ping anything from this Cisco, can't test the remote obviously till I get there tomorrow.

So basically, you don't see anything that stands out as a problem?

Could the loss be due to this modem that Frontier (verizon) gave me to replace the old one?
