Odd issues with Cisco 881w

R3d

Hey guys,

I have a Cisco 881w that I picked up in October. The issue I'm having is that whenever the power goes out in my neighborhood (doesn't happen very often) the router will reboot with the config loaded, but I'll be unable to get a DHCP address from my provider.

The only way that I've been able to get this resolved is to log in through CCP, reset the router to the default config and then re-set up everything, which is a pain in the ass (and my fiancée has no idea what to do when I'm not home).

The access point in the router is fine when it reboots, and I never have to change the config for that.

I also have an ASA 5505 sitting around for some CCNA Security practice that I'm tempted to set up and see how it goes with that, but then I'll need to kill most of the settings on the 881w to keep the AP running for my wireless.

I haven't contacted TAC yet, but I'm close to doing so; just wondering if anyone's seen this type of issue before.

Thanks in advance for your time :)
 
Comcast does the same thing to me. What does your provider-facing interface config look like on the 881W?

I have to log in and disable all the basic security settings (on that interface) in order for it to obtain a lease properly. Not sure why, but "ip verify unicast reverse-path" seems to be the culprit.
 
Yeah, post up the config of your outside interface and any ACLs. I've seen issues where people would need to remove an ACL every time on a reboot, not realizing that you need to allow bootps/pc, and then reapply their ACL all over again.
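The "you need to allow bootps/pc" point above, worked through in code. This is an added example, not from the thread: a Python evaluator for a small subset of IOS extended-ACL syntax, run against constructed DHCP packets (TEST-NET addresses) and two constructed inbound ACLs, one that forgot UDP/68 (bootpc) and one that adds the same `permit udp any any eq bootpc` line the posted config's SDM_BOOTPC ACL uses. The sample addresses and ACL contents are my assumptions; the first-match-then-implicit-deny semantics and the bootps (67) / bootpc (68) port numbers are IOS facts.

```python
"""Evaluate DHCP packets against a small subset of Cisco IOS extended-ACL syntax.

Added example, not from the thread. Supported ACE forms are limited to
  permit|deny <proto> <src> [eq <port>] <dst> [eq <port>] [log]
where an address is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Everything
else (established, port ranges, object-groups) is deliberately out of scope.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "ntp": 123}


@dataclass(frozen=True)
class Packet:
    proto: str  # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def _address(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care. Only
    # contiguous masks are handled here (ip_network rejects the rest).
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[i + 1]))
    net = ipaddress.ip_network((tokens[i], str(ipaddress.ip_address(mask))), strict=False)
    return net, i + 2


def parse_ace(line):
    """Return (action, proto, src_net, sport, dst_net, dport), or None for remarks."""
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    action, proto = tokens[0], tokens[1]
    src, i = _address(tokens, 2)
    sport = dport = None
    if i < len(tokens) and tokens[i] == "eq":
        sport, i = _port(tokens[i + 1]), i + 2
    dst, i = _address(tokens, i)
    if i < len(tokens) and tokens[i] == "eq":
        dport = _port(tokens[i + 1])
    return action, proto, src, sport, dst, dport


def ace_matches(ace, pkt):
    action, proto, src, sport, dst, dport = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
        return False
    if sport is not None and sport != pkt.sport:
        return False
    return dport is None or dport == pkt.dport


def acl_verdict(acl_lines, pkt):
    """First-match semantics, ending with the implicit 'deny ip any any' IOS appends."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace and ace_matches(ace, pkt):
            return ace[0]
    return "deny"


# Constructed sample traffic (TEST-NET addresses, not real provider data).
# The provider's DHCP server answers from its own address: the first OFFER
# goes to the broadcast address because the client has no lease yet, while a
# renewal ACK is unicast to the leased address. Both are UDP 67 -> 68.
DHCP_SERVER, LEASED_IP = "203.0.113.1", "198.51.100.25"
OFFER = Packet("udp", DHCP_SERVER, "255.255.255.255", 67, 68)
RENEW_ACK = Packet("udp", DHCP_SERVER, LEASED_IP, 67, 68)
DNS_REPLY = Packet("udp", "203.0.113.53", LEASED_IP, 53, 40123)

# Constructed inbound ACLs. ACL_FORGOT_DHCP is the classic mistake: DNS
# replies get in, but the lease itself can never arrive after a reboot.
ACL_FORGOT_DHCP = [
    "remark OUTSIDE_IN (broken)",
    "permit udp any eq domain any",
    "permit icmp any any",
    "deny ip any any log",
]
# Same ACL with the line the posted SDM_BOOTPC ACL uses placed first.
ACL_WITH_DHCP = ["permit udp any any eq bootpc"] + ACL_FORGOT_DHCP


def lease_would_succeed(acl_lines):
    """True only if both the initial OFFER and a later unicast ACK get through."""
    return all(acl_verdict(acl_lines, p) == "permit" for p in (OFFER, RENEW_ACK))


if __name__ == "__main__":
    for label, acl in (("forgot bootpc", ACL_FORGOT_DHCP), ("with bootpc", ACL_WITH_DHCP)):
        print(f"{label}: OFFER={acl_verdict(acl, OFFER)} lease_ok={lease_would_succeed(acl)}")
```

The evaluator keys on the destination port 68, which is all the posted `permit udp any any eq bootpc` line checks; a stricter rule would also pin the source port to bootps (67), which this parser accepts as `permit udp any eq bootps any eq bootpc`.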
 
Alright, I'll get the info posted when I get home from work today.

Thanks for the quick reply guys :)
 
Yeah, post up the config of your outside interface and any ACLs. I've seen issues where people would need to remove an ACL every time on a reboot, not realizing that you need to allow bootps/pc, and then reapply their ACL all over again.

Nice.

I'd say it's a config issue, your modem, or the remote possibility of a bug.
 
Alright, well here's the current config on the router:

Building configuration...

Current configuration : 8264 bytes
!
! Last configuration change at 18:17:11 PCTime Tue Mar 9 2010 by xxxxxx
! NVRAM config last updated at 18:19:58 PCTime Tue Mar 9 2010 by xxxxxx
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime -6
!
crypto pki trustpoint TP-self-signed-1344017299
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1344017299
 revocation-check none
 rsakeypair TP-self-signed-1344017299
!
!
crypto pki certificate chain TP-self-signed-1344017299
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31333434 30313732 3939301E 170D3130 30333039 32333531
  35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33343430
  31373239 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009443 5508CF08 260A115A 7B7A24CE 4835F1F9 3B210170 B5DA251A E8DBEC27
  03366A60 B98DFAC5 74D165DE 2156A3E0 723FC42E 3D5B056A E9EA0347 8EF89A3A
  7149B94B 3AB65C56 3AE0B3BA CF5347C5 2A5FE7DC F7CA659E FF46402D F5D1974C
  9280C145 31B2F956 0AB68F84 5C168CBF 6A80B2DC 8EA7EE50 BEE5B1F6 0132C983
  EAF50203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 145D5126 678EBCE1 581C28B5 C3F64415 28773452
  CA301D06 03551D0E 04160414 5D512667 8EBCE158 1C28B5C3 F6441528 773452CA
  300D0609 2A864886 F70D0101 04050003 81810026 2E546602 1D72DC96 448D48AF
  8B3BF623 33273AD2 75141C77 F475E830 F746F7E5 4AD0A20E D110CFD6 C1F9633B
  903BCAE6 E65C0DB5 5492F7AC A9ECB300 A74681BB 4A1BE8B3 75E844B0 00359773
  B4A7E23F BA3E9AC1 5EA5F186 9CA5DD5B BB985F8C 225660B2 226E9E31 0A002C1A
  13BA736C 10B47108 99E773B1 E5EA7DBC E8DD35
  quit
no ip source-route
ip dhcp excluded-address 10.10.10.1 10.10.10.99
!
ip dhcp pool ccp-pool1
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   lease 8
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name xxxxxxxx.com
!
!
!
!
username xxxxxxxxx privilege 15 secret 5 xxxxxxxxxxxx
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
! The three bootp-related class-maps below (SDM_BOOTPC, SDM_DHCP_CLIENT_PT,
! sdm-cls-bootps) are defined but never referenced by any policy-map.
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect CCP-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
! out-zone -> self: ccp-permit contains only "class class-default / drop", so
! unsolicited traffic from the provider to the router itself is dropped.
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
no cdp run

!
!
!
!
control-plane
!
banner exec ^C
-----------------------------------------------------------------------
Authorized users only
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Let me know if you guys have any ideas.

Thanks again.
 
Wow dude, your config is terrible. You really need to clean it up, as you have a TON of nested class-maps that you're not even using. The problem appears to be in your ZBF config, which explains why it works once you wipe the config.

The "source self" zone-pairs are referencing ICMP and class-default, but you're dropping it. Add your SDM_BOOTPC class to policy-map type inspect ccp-permit-icmpreply to make it easy, and test. If that works, make another policy-map and add all the specific classes manually so you know you're administratively controlling everything.

Also, remove the client-id from the dhcp line, as it's 100% not needed.

* As an aside, it looks like you're trying to learn Cisco... my advice is to stay away from GUIs as much as possible. Using them makes configs sloppy, hard to troubleshoot and basically... crappy.
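To make the "class-maps you're not even using" and ZBF-drop diagnosis checkable, here is an added example (my code, not from the thread and not Cisco tooling) that parses the flattened class-map / policy-map / zone-pair text exactly as it was posted above, lists class-maps that no policy-map reaches (directly or through `match class-map` nesting), and reports what the policy on a given zone-pair does to DHCP traffic. `POSTED_EXCERPT` is copied from the posted config (only the lines this check needs); `FIXED_EXCERPT` is a hypothetical amendment of mine that attaches the already-defined `SDM_DHCP_CLIENT_PT` class with `pass` to the out-zone -> self policy, shown only so the check can be seen turning from drop to pass. Feeding the script the whole posted config instead of the excerpt gives the same three unused class-maps.

```python
"""Lint the zone-based firewall (ZBF) part of an IOS running-config.

Added example, not from the thread and not Cisco tooling: parses the
class-map / policy-map / zone-pair text as posted, lists class-maps no
policy-map references, and reports what a zone-pair's policy does to DHCP.
POSTED_EXCERPT is copied from the posted config; FIXED_EXCERPT is hypothetical.
"""

POSTED_EXCERPT = """\
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
"""
# Hypothetical fix: pass the already-defined DHCP class ahead of the catch-all drop.
FIXED_EXCERPT = POSTED_EXCERPT.replace(
    "policy-map type inspect ccp-permit\n class class-default\n  drop",
    "policy-map type inspect ccp-permit\n class type inspect SDM_DHCP_CLIENT_PT\n"
    "  pass\n class class-default\n  drop",
)
DHCP_HINTS = ("bootp", "protocol udp")  # leaf criteria that would match DHCP


def parse_zbf(text):
    """Return (class_maps, policy_maps, zone_pairs) from flattened config text."""
    class_maps, policy_maps, zone_pairs = {}, {}, {}
    kind = name = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            kind = None
        elif tok[0] == "class-map":
            kind, name = "cm", tok[-1]
            class_maps[name] = []
        elif tok[0] == "policy-map":
            kind, name = "pm", tok[-1]
            policy_maps[name] = []
        elif tok[0] == "zone-pair":  # zone-pair security NAME source S destination D
            kind, name = "zp", tok[2]
            zone_pairs[name] = {"source": tok[4], "destination": tok[6], "policy": None}
        elif kind == "cm" and tok[0] == "match":
            class_maps[name].append(" ".join(tok[1:]))
        elif kind == "pm" and tok[0] == "class":
            policy_maps[name].append([tok[-1], None])  # action comes on the next line
        elif kind == "pm" and tok[0] in ("inspect", "pass", "drop"):
            policy_maps[name][-1][1] = tok[0]
        elif kind == "zp" and tok[0] == "service-policy":
            zone_pairs[name]["policy"] = tok[-1]
    return class_maps, policy_maps, zone_pairs


def _reachable(class_maps, roots):
    """Class-maps reachable from roots through 'match class-map X' nesting."""
    seen, stack = set(), list(roots)
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack += [c.split()[1] for c in class_maps.get(n, []) if c.startswith("class-map ")]
    return seen


def unused_class_maps(text):
    """Class-maps that no policy-map references, directly or via nesting."""
    class_maps, policy_maps, _ = parse_zbf(text)
    roots = [c for classes in policy_maps.values() for c, _ in classes]
    return sorted(set(class_maps) - _reachable(class_maps, roots))


def dhcp_verdict(text, src="out-zone", dst="self"):
    """Action the src->dst policy takes on the first class whose leaf criteria
    could match DHCP. Classes run in order, an inspect policy-map drops what
    reaches its end unmatched, and with no zone-pair at all traffic to/from
    'self' is allowed by default."""
    class_maps, policy_maps, zone_pairs = parse_zbf(text)
    for zp in zone_pairs.values():
        if zp["source"] == src and zp["destination"] == dst:
            for cname, action in policy_maps.get(zp["policy"], []):
                leaves = [c.lower() for n in _reachable(class_maps, [cname])
                          for c in class_maps.get(n, []) if not c.startswith("class-map ")]
                if cname == "class-default" or any(h in l for l in leaves for h in DHCP_HINTS):
                    return action or "drop"
            return "drop"
    return "no-zone-pair"
```

`dhcp_verdict(POSTED_EXCERPT)` reports `drop` for out-zone -> self, because `ccp-permit` has nothing before `class-default`; on the self -> out-zone pair it reports `inspect`, since `ccp-icmp-access` nests a class that matches all UDP. The "looks like DHCP" test is a heuristic on the leaf match criteria (a bootp port name, an ACL named after it, or a blanket UDP match); it is meant as a lint, not as a substitute for `show policy-map type inspect zone-pair`.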
 
Yeah, I'm just starting out on learning the Cisco ways, so I've been trying to use the GUI and the CLI at the same time. I'll see what all I can weed out.

Thanks xphil3
 