06-26-2002 02:16 PM - edited 03-01-2019 10:54 PM
We have remote PCs dialing into our internal network via a 3620 over a T1. We are having a problem where software on the PCs is continually attempting to make a connection to some internet site to check for updates or something of the sort. This traffic is causing the idle timer to get reset and as a result these calls never time out. We have had calls stay on idling for over 4 hours. I have set an access list on both incoming and outgoing traffic that only permits traffic bound to/from addresses on our network. But I cannot find the right configuration to keep this unsolicited traffic from resetting the idle-timer. Here are some snippets from our config:
interface Group-Async1
 ip unnumbered FastEthernet0/0
 ip access-group 101 in
 ip access-group 102 out
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 600 either
 dialer-group 1
 async default routing
 async mode interactive
 peer default ip address pool dialup
 fair-queue 64 16 0
 no cdp enable
 ppp authentication chap
 group-range 33 56
 hold-queue 60 in
....
access-list 101 permit ip any 172.0.0.0 0.255.255.255
access-list 101 permit ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any any log-input
access-list 102 deny icmp host 172.25.11.11 any log
access-list 102 deny icmp host 172.16.1.2 any log
access-list 102 permit ip 172.0.0.0 0.255.255.255 any
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip any any log
dialer-list 1 protocol ip list 101
...
line 33 56
 session-timeout 15
 logout-warning 180
 autoselect during-login
 autoselect ppp
 absolute-timeout 480
 session-disconnect-warning 15
 modem InOut
 modem autoconfigure type GFB
 transport input all
We are at IOS 12.0(7)T.
06-26-2002 02:16 PM
Make sure you understand that if you don't care where the remotes connect to, but you don't want that traffic to be considered interesting (reset the idle timer), then you only need to specify this with an access-list associated with the dialer-list. If you don't want that traffic to be allowed at all in the first place, then you should simply use an inbound access-list on the ingress interface.

For interesting traffic, you are permitting any source, dest 172.0.0.0 or 10.0.0.0. "debug dialer packet" would show you what dialer packets there are, and whether they are interesting or not. "sh dialer" would show you the state of the idle timer (you should see that go to 0 if there is no interesting traffic). And the logged access-lists should also show where the hits are.

Your config looks OK, assuming that all the interesting traffic is destined to 172.0.0.0 or 10.0.0.0. If the idle timer is still not resetting a call, this may be a bug. I would then suggest you try upgrading to latest 12.1 code.
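As an added illustration (not code from this thread or from Cisco), the following Python model shows the distinction the reply draws: ACL 101 here serves both as the inbound filter and, through dialer-list 1, as the interesting-traffic list, and "dialer idle-timeout 600 either" makes interesting traffic in both directions reset the timer. The remote-pool address 172.20.5.10, the internet host 198.51.100.7 and the alternative pool address 192.168.200.10 are constructed test values, not from the thread; ACL 102's icmp entries are out of scope for this simplified parser.

```python
import ipaddress

# ACL 101 as posted in the thread; only plain "ip" entries are modelled.
ACL_TEXT = """
access-list 101 permit ip any 172.0.0.0 0.255.255.255
access-list 101 permit ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any any log-input
"""
DIALER_LIST_ACL = 101         # dialer-list 1 protocol ip list 101
IDLE_TIMEOUT_MODE = "either"  # dialer idle-timeout 600 either


def _parse_addr(tok, i):
    """Return ((base, wildcard), next_index); None stands for 'any'."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [(action, src, dst)]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list" or tok[3] != "ip":
            continue  # protocol-specific entries (icmp, tcp, ...) are not modelled
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        acls.setdefault(int(tok[1]), []).append((tok[2], src, dst))
    return acls


def _matches(spec, addr):
    if spec is None:
        return True
    base, wildcard = spec
    keep = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return int(ipaddress.IPv4Address(addr)) & keep == base & keep


def acl_permits(acl, src, dst):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for action, s, d in acl:
        if _matches(s, src) and _matches(d, dst):
            return action == "permit"
    return False


def resets_idle_timer(acls, src, dst, direction):
    """Interesting = permitted by the dialer-list ACL, in a direction the timer watches."""
    watched = {"either": {"in", "out"}, "inbound": {"in"}}.get(IDLE_TIMEOUT_MODE, {"out"})
    return direction in watched and acl_permits(acls[DIALER_LIST_ACL], src, dst)


ACLS = parse_acls(ACL_TEXT)
```

Because the pool is unnumbered to FastEthernet0/0, an outbound packet from any internal host to a remote address that falls inside 172.0.0.0/8 is itself interesting under "either", which is why the logged hits and "sh dialer" output are worth checking in both directions.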