02-06-2007 01:55 PM - edited 03-03-2019 03:38 PM
We have a Cisco 871 router running ip advanceservices 124-11.T that is connected on int F4 to a cable modem. The ISP allocates public IP addresses via DHCP. The problem we are having is that when the router boots up, it does not get an IP address assigned by the ISP. Attempts to unplug and reconnect the Cat5 cable have no effect. Oddly though, if you console/vty onto the router and perform a shut and then no shut on F4, the router gets an IP address from the ISP. I thought possibly the problem may have been an ACL issue or that a client-id and/or hostname needed to be defined on the F4 interface for the ISP's DHCP server, but adding both entries (client-id fastethernet 4 and sohort1 hostname) didn't help, and pulling the access-group off int F4 had no effect either.
Anyone ever encounter this type of problem before?
Thanks,
-Scott
02-06-2007 06:34 PM
If you know the ACL is not blocking DHCP packets, you can try a CLI command to release and renew DHCP on the F4 interface.
release dhcp f4 & renew dhcp f4.
Hope it helps.
02-07-2007 10:44 AM
Thanks for the response. Yes, I'm certain it is not the ACLs, because the permit for bootpc and bootps is on the ACL (see below) and because the same problem occurs when the access-group is not applied to interface F4.
sohort1#sh access-lists Internet-in
Extended IP access list Internet-in
10 permit udp any any range bootps bootpc (9228 matches)
20 deny ip 10.0.0.0 0.255.255.255 any log
30 deny ip 172.16.0.0 0.15.255.255 any (1 match)
40 deny ip 192.168.0.0 0.0.255.255 any
50 deny ip 127.0.0.0 0.255.255.255 any
60 deny ip host 255.255.255.255 any
70 permit icmp any any echo-reply
80 permit icmp any any time-exceeded
90 permit icmp any any unreachable
Additional lines truncated
Sadly, I've found via ACL captures that my ISP is using a private 10.30.48.1 address for its DHCP server to hand out public 71.x.x.x addresses. Even though this is cheesy, I can ping their DHCP server from my 871 router. It is very odd that disconnecting and reconnecting the cable has no effect on getting an address, but shutting and no shutting interface F4 does the trick every time.
Any other thoughts on this?
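An added example, not part of any post in this thread: a small first-match evaluator for entries 10-60 of the Internet-in list shown above. It illustrates why a DHCP reply sourced from the private 10.30.48.1 address is permitted by entry 10 before the RFC 1918 deny at entry 20 is reached. The sample packets are constructed; the ICMP entries and the truncated remainder of the list are not modelled.

```python
import ipaddress

# Entries 10-60 as shown in the post's "sh access-lists Internet-in" output
# (match counters dropped; ICMP entries and the truncated tail are not modelled).
ACL_TEXT = """\
10 permit udp any any range bootps bootpc
20 deny ip 10.0.0.0 0.255.255.255 any log
30 deny ip 172.16.0.0 0.15.255.255 any
40 deny ip 192.168.0.0 0.0.255.255 any
50 deny ip 127.0.0.0 0.255.255.255 any
60 deny ip host 255.255.255.255 any
"""
PORTS = {"bootps": 67, "bootpc": 68}

def take_addr(tok):  # consume one address spec, return (base, wildcard)
    head = tok.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        seq, action, proto = int(tok.pop(0)), tok.pop(0), tok.pop(0)
        src, dst = take_addr(tok), take_addr(tok)
        # "range" after the destination address constrains the destination port
        ports = (PORTS[tok[1]], PORTS[tok[2]]) if tok[:1] == ["range"] else None
        rules.append((seq, action, proto, src, dst, ports))
    return rules

def addr_ok(ip, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def first_match(rules, proto, src, dst, dport=None):
    """Return (seq, action) of the first matching entry, else None."""
    for seq, action, rproto, rsrc, rdst, ports in rules:
        if rproto not in ("ip", proto) or not (addr_ok(src, rsrc) and addr_ok(dst, rdst)):
            continue
        if ports and (dport is None or not ports[0] <= dport <= ports[1]):
            continue
        return seq, action
    return None

RULES = parse(ACL_TEXT)
print(first_match(RULES, "udp", "10.30.48.1", "255.255.255.255", 68))  # constructed DHCP reply
```

Because entry 10 matches on destination port only, any UDP packet addressed to port 67 or 68 is accepted regardless of source; other traffic from 10.0.0.0/8 still falls through to the deny at entry 20.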
02-07-2007 10:58 AM
Do you have any debugs from when it is unable to get an IP address? Perhaps do a "debug dhcp detail" to make sure it is sending a DHCP DISCOVER message and seeing a response.
02-08-2007 09:00 PM
So the best I could do was have a colleague at the remote site console onto the router, reload it, and then login as soon as available and run the debug dhcp detail command.
It appears from the debugs that the ISP has a private DHCP server at 172.24.120.60, and that the ISP routes through a private gateway at 10.30.48.1 somewhere in the path, and that this DHCP server provides a "Temp" Public DHCP ip address (see attachment) to the 871.
That's cheesy.
Prior to the shut/no shut command on int F4 to get an address, we did a show ip int bri and int F4 shows as Initializing.
Unfortunately, when we did the shut/no shut to make interface Fa4 successfully get an address, the down/up event never showed in the logs, so I don't have a good demarcation point on when the DHCP didn't work and when it started working.
Please review the debug dhcp detail logs in the attachment and let me know if you have any ideas.
Thanks!
02-09-2007 03:04 PM
Anyone have any thoughts on this?
03-06-2007 01:31 PM
Scott,
I have experienced the same problem when building 871 routers for our remote users. However, the problem goes away when we add the commands shown below to the routers. Unfortunately, I have not looked at the problem more than this, since these commands are part of our default build.
ip inspect name PPO-FW tcp
ip inspect name PPO-FW udp
ip inspect name PPO-FW icmp
ip inspect name PPO-FW ftp
ip access-list extended outside_incoming
permit esp host ********** any
permit udp host ********** any eq isakmp
permit udp host ********** any eq non500-isakmp
permit tcp host ********** any eq 22
permit udp any any eq bootpc
permit udp any any eq bootps
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any log-input
int F4
ip access-group outside_incoming in
ip inspect PPO-FW out
exit