Cisco SR520w FE - WAN Port Stops Working
- by Mike Hanley
I have setup a Cisco SR520W and everything appears to be working. After about 1-2 days, it looks like the WAN port stops forwarding traffic to the Internet gateway IP of the device.
If I unplug and then plug in the network cable connecting the WAN port of the SR520W to my Comcast Cable Modem, traffic startings flowing again. Also, if I restart the SR520W, the traffic will flow again.
Any ideas?
Here is the running config:
Current configuration : 10559 bytes
!
version 12.4
no service pad
no service timestamps debug uptime
service timestamps log datetime msec
no service password-encryption
!
hostname hostname.mydomain.com
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
!
crypto pki trustpoint TP-self-signed-334750407
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-334750407
revocation-check none
rsakeypair TP-self-signed-334750407
!
!
crypto pki certificate chain TP-self-signed-334750407
certificate self-signed 01
<removed>
quit
dot11 syslog
!
dot11 ssid <removed>
vlan 75
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 <removed>
!
ip source-route
!
!
ip dhcp excluded-address 172.16.0.1 172.16.0.10
!
ip dhcp pool inside
import all
network 172.16.0.0 255.240.0.0
default-router 172.16.0.1
dns-server 10.0.0.15 10.0.0.12
domain-name mydomain.com
!
!
ip cef
ip domain name mydomain.com
ip name-server 68.87.76.178
ip name-server 66.240.48.9
ip port-map user-ezvpn-remote port udp 10000
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
parameter-map type inspect z1-z2-pmap
audit-trail on
password encryption aes
!
!
username admin privilege 15 secret 5 <removed>
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
<removed>
quit
!
!
!
!
!
!
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
connect auto
group EZVPN_GROUP_1 key <removed>
mode client
peer 64.1.208.90
virtual-interface 1
username admin password <removed>
xauth userid mode local
!
!
archive
log config
logging enable
logging size 600
hidekeys
!
!
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM-Voice-permit
match protocol sip
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match protocol user-ezvpn-remote
class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT
match class-map SDM_EASY_VPN_REMOTE_TRAFFIC
match access-group 101
class-map type inspect match-any Easy_VPN_Remote_VT
match access-group 102
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any L4-inspect-class
match protocol icmp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all dhcp_out_self
match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
match access-group name dhcp-req-permit
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect dhcp_self_out
pass
class type inspect sdm-cls-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-permit_VT
class type inspect Easy_VPN_Remote_VT
pass
class class-default
drop
policy-map type inspect sdm-inspect
class type inspect SDM-Voice-permit
pass
class type inspect sdm-cls-insp-traffic
inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-protocol-http
inspect z1-z2-pmap
class class-default
pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
pass
class class-default
drop
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_REMOTE_PT
pass
class type inspect dhcp_out_self
pass
class class-default
drop
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
bridge irb
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address 75.149.48.76 255.255.255.240
ip nat outside
ip ips sdm_ips_rule out
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
!
interface Virtual-Template1 type tunnel
no ip address
ip virtual-reassembly
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
!
interface Dot11Radio0
no ip address
!
encryption vlan 75 mode ciphers aes-ccm
!
ssid <removed>
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.75
encapsulation dot1Q 75 native
ip virtual-reassembly
bridge-group 75
bridge-group 75 subscriber-loop-control
bridge-group 75 spanning-disabled
bridge-group 75 block-unknown-source
no bridge-group 75 source-learning
no bridge-group 75 unicast-flooding
!
interface Vlan1
no ip address
ip virtual-reassembly
bridge-group 1
!
interface Vlan75
no ip address
ip virtual-reassembly
bridge-group 75
bridge-group 75 spanning-disabled
!
interface BVI1
no ip address
ip nat inside
ip virtual-reassembly
!
interface BVI75
description $FW_INSIDE$
ip address 172.16.0.1 255.240.0.0
ip nat inside
ip ips sdm_ips_rule in
ip virtual-reassembly
zone-member security in-zone
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.149.48.78 2
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 75.149.48.64 0.0.0.15 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 64.1.208.90 any
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
!
!
!
!
snmp-server community <removed> RO
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 75 route ip
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
end
I also ran some diagnostics when the WAN port stopped working:
1. show interface fa4
FastEthernet4 is up, line protocol is up
Hardware is PQUICC_FEC, address is 0026.99c5.b434 (bia 0026.99c5.b434)
Description: $FW_OUTSIDE$
Internet address is 75.149.48.76/28
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 01:08:15, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/23/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 0 packets/sec
336446 packets input, 455403158 bytes
Received 23 broadcasts, 0 runts, 0 giants, 37 throttles
41 input errors, 0 CRC, 0 frame, 0 overrun, 41 ignored
0 watchdog
0 input packets with dribble condition detected
172529 packets output, 23580132 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
2. show ip route
Gateway of last resort is 75.149.48.78 to network 0.0.0.0
C 192.168.75.0/24 is directly connected, BVI75
64.0.0.0/32 is subnetted, 1 subnets
S 64.1.208.90 [1/0] via 75.149.48.78
S 192.168.10.0/24 is directly connected, BVI75
75.0.0.0/28 is subnetted, 1 subnets
C 75.149.48.64 is directly connected, FastEthernet4
S* 0.0.0.0/0 [2/0] via 75.149.48.78
3. show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 75.149.48.65 69 001e.2a39.7b08 ARPA FastEthernet4
Internet 75.149.48.76 - 0026.99c5.b434 ARPA FastEthernet4
Internet 75.149.48.78 93 0022.2d6c.ae36 ARPA FastEthernet4
Internet 192.168.75.1 - 0027.0d58.f5f0 ARPA BVI75
Internet 192.168.75.12 50 7c6d.62c7.8c0a ARPA BVI75
Internet 192.168.75.13 0 001b.6301.1227 ARPA BVI75
4. sh ip cef
Prefix Next Hop Interface
0.0.0.0/0 75.149.48.78 FastEthernet4
0.0.0.0/8 drop
0.0.0.0/32 receive
64.1.208.90/32 75.149.48.78 FastEthernet4
75.149.48.64/28 attached FastEthernet4
75.149.48.64/32 receive FastEthernet4
75.149.48.65/32 attached FastEthernet4
75.149.48.76/32 receive FastEthernet4
75.149.48.78/32 attached FastEthernet4
75.149.48.79/32 receive FastEthernet4
127.0.0.0/8 drop
192.168.10.0/24 attached BVI75
192.168.75.0/24 attached BVI75
192.168.75.0/32 receive BVI75
192.168.75.1/32 receive BVI75
192.168.75.12/32 attached BVI75
192.168.75.13/32 attached BVI75
192.168.75.255/32 receive BVI75
224.0.0.0/4 drop
224.0.0.0/24 receive
240.0.0.0/4 drop
255.255.255.255/32 receive
Thanks in advance,
-Mike
