I guess is something related

NZSHoRtFuSe · ‎04-01-2014

Hi Guys

Hoping someone can help me with this, Have a remote Cisco 850 that keeps Freezing after a few weeks (customer has to turn it off and on again to get the internet up and running) Now i can't make it out there when it hangs so trying to work out want is wrong from afar .

The logs dont have anything leading upto the freezing.

Here is the config, Thanks!!!!

Using 5672 out of 131072 bytes
!
! No configuration change since last restart
! NVRAM config last updated at 11:53:47 PCTime Wed Apr 2 2014
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 64000
enable secret 5 xxxx
!
no aaa new-model
clock timezone PCTime 12
clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
!
crypto pki trustpoint TP-self-signed-2561631828
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2561631828
revocation-check none
rsakeypair TP-self-signed-2561631828
!
!
crypto pki certificate chain TP-self-signed-2561631828
certificate self-signed 01 nvram:IOS-Self-Sig#C.cer
dot11 syslog
!
!
ip cef
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
login block-for 60 attempts 3 within 60
login on-failure log
login on-success log
!
!
!
username xxxx
username xxx
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address 2xx.xx.x.xx 255.255.255.254
ip access-group 102 in
ip verify unicast reverse-path
ip inspect CCP_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.3.250 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 210.55.3.78
ip route 192.168.4.0 255.255.255.0 192.168.3.253
ip route 192.168.5.0 255.255.255.0 192.168.3.253
ip route 192.168.201.0 255.255.255.0 192.168.3.253
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4443
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.3.5 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.3.5 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.3.5 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.3.5 4125 interface FastEthernet4 4125
ip nat inside source static tcp 192.168.3.4 53389 interface FastEthernet4 53389
ip nat inside source static tcp 192.168.3.5 3389 interface FastEthernet4 43389
!

!
logging trap debugging
logging 192.168.3.5
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.201.0 0.0.0.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny   ip xxx.xxx.xxx 0.0.0.1 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 remark auto generated by CCP firewall configuration
access-list 102 remark CCP_ACL Category=1
access-list 102 remark Auto generated by SDM for NTP (123) 1.nz.pool.ntp.org
access-list 102 permit udp host xxx.xxx.xxx eq ntp host xxx.xxx.xxx eq ntp
access-list 102 permit tcp any host xxx.xxx.xxx eq 43389
access-list 102 permit tcp any host xxx.xxx.xxx eq 53389
access-list 102 permit tcp any host xxx.xxx.xxx eq 4125
access-list 102 permit tcp any host xxx.xxx.xxx eq www
access-list 102 permit tcp any host xxx.xxx.xxx eq 443
access-list 102 permit tcp any host xxx.xxx.xxx eq smtp
access-list 102 deny   ip 192.168.3.0 0.0.0.255 any
access-list 102 permit icmp any host xxx.xxx.xxx echo-reply
access-list 102 permit icmp any host xxx.xxx.xxx time-exceeded
access-list 102 permit icmp any host xxx.xxx.xxx unreachable
access-list 102 permit tcp host xxx.xxx.xxx host xxx.xxx.xxx eq 4443
access-list 102 permit tcp host xxx.xxx.xxx host xxx.xxx.xxx eq 22
access-list 102 permit tcp host xxx.xxx.xxx host xxx.xxx.xxx eq cmd
access-list 102 permit tcp host xxx.xxx.xxx host xxx.xxx.xxx eq 4443
access-list 102 permit tcp host xxx.xxx.xxx host xxx.xxx.xxx eq 22
access-list 102 permit tcp host xxx.xxx.xxx host xxx.xxx.xxx eq cmd
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
!
control-plane
!
banner motd ^C
******************************************
* Unauthorized access prohibited
******************************************

^C
!
line con 0
no modem enable
line aux 0
line vty 0 4

login local
!
scheduler max-task-time 5000
sntp server xxx.xxx.xxx
end

Ruben Cocheno · ‎04-02-2014

I guess is something related with the inspection you have on interface outside...

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Cisco 800 series router keeps freezing