%SYS-2-LINKED: Bad enqueue

Posted: Fri 19 Dec, 2008 12:04 pm
by alfnetx
Hi everyone,
do you know what generates these critical error messages?

Code:

Dec 19 05:54:03.625: %SYS-2-LINKED: Bad enqueue of 0 in queue 8393AC7C -Process=
 "Per-minute Jobs", ipl= 6, pid= 44,  -Traceback= 0x808DA290 0x8002389C 0x8003D8
D0 0x80307A7C 0x81982BEC 0x80332F58 0x80367D2C 0x8036B178
Dec 19 05:54:03.625: %SYS-2-LINKED: Bad enqueue of 0 in queue 8393AC7C -Process=
 "Per-minute Jobs", ipl= 6, pid= 44,  -Traceback= 0x808DA290 0x8002389C 0x8003D8
D0 0x80307A7C 0x81982BEC 0x80332F58 0x80367D2C 0x8036B178
Dec 19 05:54:03.625: %SYS-2-LINKED: Bad enqueue of 0 in queue 8393AC7C -Process=
 "Per-minute Jobs", ipl= 6, pid= 44,  -Traceback= 0x808DA290 0x8002389C 0x8003D8
D0 0x80307A7C 0x81982BEC 0x80332F58 0x80367D2C 0x8036B178
The router (Cisco 877W) often freezes and cannot be reached even from the console.

Cisco's site suggests contacting support.
:? mmmmmmm

Posted: Fri 19 Dec, 2008 7:56 pm
by Helix
Try reading
here and here


Which IOS do you have?

Posted: Fri 19 Dec, 2008 10:09 pm
by alfnetx

Code:

%SYS-2-LINKED : Bad [chars] of [hex] in queue [hex] 

Explanation    An internal software error has occurred. 

Recommended Action    If this message recurs, copy the error message exactly as it appears on the console or in the system log, contact your Cisco technical support representative, and provide the representative with the gathered information. 
mmmmmmmmm
My IOS is 12.4(22)T (c870-advipservicesk9-mz.124-22.T.bin)... tell me it depends on this and, if so, recommend a good version.

Oh, I forgot... CISCO 877W

Posted: Fri 19 Dec, 2008 11:55 pm
by Helix
It gave me a few problems with 12.4.20T... but with .22 it runs great (an 877)...

Can you post the device's configuration?

Posted: Fri 19 Dec, 2008 11:59 pm
by alfnetx
I'm posting the configuration I put in another topic...
Don't mind the order of the ACLs, I've fixed them.

Code:

! 
hostname CiscoNet 
! 
boot-start-marker 
boot system flash:c870-advipservicesk9-mz.124-22.T.bin 
boot-end-marker 
! 
logging message-counter syslog 
logging buffered 4096 
enable password xxxx 
! 
no aaa new-model 
clock timezone MET 1 
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 
! 
! 
dot11 syslog 
dot11 vlan-name WiFi vlan 1 
! 
dot11 ssid WIFI 
 vlan 1 
 authentication open 
 guest-mode 
! 
dot11 ssid WIFI_DMZ 
 vlan 2 
 authentication open 
! 
ip source-route 
! 
! 
no ip dhcp use vrf connected 
ip dhcp excluded-address 192.168.1.1 
ip dhcp excluded-address 10.2.88.1 
ip dhcp excluded-address 10.2.88.254 
ip dhcp excluded-address 192.168.1.254 
ip dhcp excluded-address 10.1.88.1 
ip dhcp excluded-address 10.1.88.254 
! 
ip dhcp pool Pool1 
   import all 
   network 10.1.88.0 255.255.255.0 
   default-router 10.1.88.1 
   dns-server 208.67.222.222 208.67.220.220 
   lease infinite 
! 
ip dhcp pool Pool2 
   import all 
   network 10.2.88.0 255.255.255.0 
   default-router 10.2.88.1 
   dns-server 208.67.222.222 208.67.220.220 
   lease infinite 
! 
ip dhcp pool client 
   network 192.168.1.0 255.255.255.0 
   dns-server 208.67.222.222 208.67.220.220 
   default-router 192.168.1.1 
   lease infinite 
! 
ip dhcp pool mio 
   host 192.168.1.3 255.255.255.0 
   client-identifier 0100.1921.c922.ed 
   lease infinite 

! 
ip cef 
ip domain name libero.it 
ip name-server 208.67.222.222 
ip name-server 208.67.220.220 
ip inspect log drop-pkt 
ip inspect name Firewall cuseeme 
ip inspect name Firewall dns 
ip inspect name Firewall ftp 
ip inspect name Firewall h323 
ip inspect name Firewall https 
ip inspect name Firewall icmp 
ip inspect name Firewall imap 
ip inspect name Firewall pop3 
ip inspect name Firewall rcmd 
ip inspect name Firewall realaudio 
ip inspect name Firewall rtsp 
ip inspect name Firewall esmtp 
ip inspect name Firewall sqlnet 
ip inspect name Firewall streamworks 
ip inspect name Firewall tftp 
ip inspect name Firewall tcp 
ip inspect name Firewall udp 
ip inspect name Firewall vdolive 
! 
no ipv6 cef 
! 
multilink bundle-name authenticated 
! 
vpdn enable 
! 
vpdn-group 1 
 request-dialin 
  protocol pppoe 
! 
! 
! 
username xxx privilege 15 secret 5 yyyyy 
! 
! 
! 
archive 
 log config 
  hidekeys 
! 
! 
! 
bridge irb 
! 
! 
interface ATM0 
 no ip address 
 no atm ilmi-keepalive 
 pvc 8/35 
  pppoe-client dial-pool-number 1 
 ! 
 bundle-enable 
 dsl operating-mode adsl2+ 
! 
interface FastEthernet0 
 switchport access vlan 100 
! 
interface FastEthernet1 
! 
interface FastEthernet2 
! 
interface FastEthernet3 
! 
interface Dot11Radio0 
 no ip address 
 ! 
 ssid WIFI 
 ! 
 ssid WIFI_DMZ 
 ! 
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 
 station-role root 
 world-mode dot11d country IT both 
 l2-filter bridge-group-acl 
! 
interface Dot11Radio0.1 
 encapsulation dot1Q 1 native 
 no cdp enable 
 bridge-group 1 
 bridge-group 1 subscriber-loop-control 
 bridge-group 1 spanning-disabled 
 bridge-group 1 block-unknown-source 
 no bridge-group 1 source-learning 
 no bridge-group 1 unicast-flooding 
! 
interface Dot11Radio0.2 
 encapsulation dot1Q 2 
 no cdp enable 
 bridge-group 2 
 bridge-group 2 subscriber-loop-control 
 bridge-group 2 spanning-disabled 
 bridge-group 2 block-unknown-source 
 no bridge-group 2 source-learning 
 no bridge-group 2 unicast-flooding 
! 
interface Vlan1 
 no ip address 
 ip tcp adjust-mss 1452 
 no autostate 
 bridge-group 1 
! 
interface Vlan2 
 no ip address 
 ip tcp adjust-mss 1452 
 no autostate 
 bridge-group 2 
! 
interface Vlan100 
 no ip address 
 ip nat inside 
 ip virtual-reassembly 
 ip tcp adjust-mss 1452 
 no autostate 
 bridge-group 3 
! 
interface Dialer0 
 ip address negotiated 
 ip access-group 101 in 
 ip mtu 1492 
 ip nat outside 
 ip inspect Firewall out 
 ip virtual-reassembly 
 encapsulation ppp 
 ip tcp header-compression 
 ip tcp adjust-mss 1452 
 dialer pool 1 
 dialer-group 1 
 no cdp enable 
 ppp authentication chap pap callin 
 ppp chap hostname xxxxx 
 ppp chap password 0 xxxxx 
 ppp pap sent-username xxxx password 0 xxxxx 
! 
interface Dialer1 
 no ip address 
! 
interface BVI1 
 ip address 10.1.88.1 255.255.255.0 
 ip access-group 102 in       ------------------> not defined yet for now
 ip nat inside 
 ip virtual-reassembly 
 ip tcp adjust-mss 1452 
! 
interface BVI2 
 ip address 10.2.88.1 255.255.255.0 
 ip access-group DMZ in 
 ip nat inside 
 ip virtual-reassembly 
 ip tcp adjust-mss 1452 
! 
interface BVI3 
 ip address 192.168.1.1 255.255.255.0 
 ip access-group 102 in          ------------------> not defined yet for now
 ip nat inside 
 ip virtual-reassembly 
 ip tcp adjust-mss 1452 
! 
ip forward-protocol nd 
ip route 0.0.0.0 0.0.0.0 Dialer0 
ip http server 
no ip http secure-server 
! 
! 
ip nat translation timeout 600 
ip nat translation tcp-timeout 1200 
ip nat translation udp-timeout 30 
ip nat translation finrst-timeout 300 
ip nat translation syn-timeout 120 
ip nat translation dns-timeout 300 
ip nat translation icmp-timeout 120 
ip nat translation max-entries 2500 
ip nat inside source static udp 192.168.1.3 1755 interface Dialer0 1755 
ip nat inside source static tcp 192.168.1.3 1755 interface Dialer0 1755 
ip nat inside source static udp 192.168.1.3 4672 interface Dialer0 4672 
ip nat inside source static tcp 192.168.1.3 4662 interface Dialer0 4662 
ip nat inside source list 1 interface Dialer0 overload 
ip nat inside source list 103 interface Dialer0 overload 
! 
ip access-list extended DMZ 
 deny   ip 10.2.88.0 0.0.0.255 10.1.88.0 0.0.0.255 log 
 deny   ip 10.2.88.0 0.0.0.255 192.168.1.0 0.0.0.255 log 
 permit ip any any 
! 
access-list 1 permit 192.168.1.0 0.0.0.255 
access-list 1 remark *** ACL FOR PAT AND NAT ***
access-list 1 permit 10.1.88.0 0.0.0.255 
access-list 1 permit 10.2.88.0 0.0.0.255 
access-list 101 remark Traffic allowed to enter the router from the internet
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any 
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any 
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any 
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any 
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any 
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any 
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any 
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any 
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any 
access-list 101 deny   ip any host 255.255.255.255 
access-list 101 permit udp host 208.67.222.222 eq domain any 
access-list 101 permit tcp host 63.208.196.96 eq www any log 
access-list 101 permit udp host 207.46.232.42 eq ntp any 
access-list 101 permit udp host 192.43.244.18 eq ntp any 
access-list 101 permit gre any any 
access-list 101 deny   icmp any any echo 
access-list 101 deny   ip any any log 
access-list 101 permit udp host 208.67.220.220 eq domain any 
access-list 101 permit udp host 207.46.197.32 eq ntp any 
access-list 101 permit tcp any host 192.168.1.3 eq 4662 
access-list 101 permit udp any host 192.168.1.3 eq 4672 
access-list 101 permit tcp any host 192.168.1.3 eq 1755 
access-list 101 permit udp any host 192.168.1.3 eq 1755 
access-list 103 remark *** ACL FOR DMZ NAT ***
access-list 103 permit ip 10.2.88.0 0.0.0.255 any 
access-list 700 permit 0014.daaf.cbf4   0000.0000.0000 
access-list 700 permit 0016.6f3d.1f93   0000.0000.0000 
access-list 700 permit 000c.f607.306f   0000.0000.0000 
access-list 700 permit 001d.d939.0ad4   0000.0000.0000 
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff 
dialer-list 1 protocol ip permit 
no cdp run 

! 
! 
! 
! 
! 
control-plane 
! 
bridge 1 protocol ieee 
bridge 1 route ip 
bridge 2 protocol ieee 
bridge 2 route ip 
bridge 3 protocol ieee 
bridge 3 route ip 

! 
line con 0 
 no modem enable 
line aux 0 
line vty 0 4 
 password xxxxx 
 login 
 transport input telnet ssh 
! 
scheduler max-task-time 5000 
sntp server 192.43.244.18 
end

Posted: Sat 20 Dec, 2008 12:11 am
by Helix
Look at what it says here

Trying it on my router (877) I get this:

Code:

sh processes memory
PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
....
....
.... 
44   0       1804       3880       7244        756          0         Per-minute Jobs


What values does it return for you?


Could you also run a

Code:

show proc cpu history
checking that there are no continuous CPU spikes?

Posted: Sat 20 Dec, 2008 12:13 am
by Helix
Also try disabling inspect on dialer0... just as a test... maybe what I'm saying is "nonsense"... but trying never hurts! :)

Posted: Sat 20 Dec, 2008 12:44 am
by alfnetx

Code:

PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
44   0     310544          0      48772     130032          0 Per-minute Jobs
then

Code:

CiscoNet#sh proc cpu hist

CiscoNet   12:43:05 AM Saturday Dec 20 2008 MET


                        11111
                        2222211111          11111
100
 90
 80
 70
 60
 50
 40
 30
 20
 10                     *****
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)


    111111 1 1 1111 1   11  11 111111111 111111 11111111111  1
    200000806180100108661058107110201000910010091221112110178078
100
 90
 80
 70
 60
 50
 40
 30
 20
 10 *************** ********************************************
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%


    111211111111111131111111332163111111112
    245913222122222262232233565936121226210
100
 90
 80
 70
 60                             *
 50                             *
 40                 *       **  **
 30    *            *       *** **
 20   **            *       ******     *  *
 10 **************************###**********
   0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
             0    5    0    5    0    5    0    5    0    5    0    5    0
                   CPU% per hour (last 72 hours)
                  * = maximum CPU%   # = average CPU%


Posted: Sat 20 Dec, 2008 12:48 am
by Helix
Have you tried disabling inspect?

Posted: Sat 20 Dec, 2008 12:57 am
by alfnetx
Yes, I tried, but then I can't browse... why is that?

Posted: Mon 22 Dec, 2008 2:34 pm
by alfnetx
So, the problem is still there.
I tried removing both the ip inspect name... definitions and their application on the dialer (ip inspect Firewall out), but that way I cannot reach the internet.

However, I looked into the problem more closely and this is what happens:
The router freezes only when a p2p program is running (I use Azureus);
While that p2p program is running, hundreds of the following drops follow one another

Code:

Dec 22 11:31:59.105: %FW-6-DROP_PKT: Dropping tcp session 82.61.136.166:51413 192.168.1.3:3447  due
to  SYN inside current window with ip ident 22873 tcpflags 0x7012 seq.no 1363142110 ack 42566706
Dec 22 11:32:39.177: %FW-6-DROP_PKT: Dropping tcp session 87.15.161.237:6881 192.168.1.3:1996  due t
o  Stray Segment with ip ident 28634 tcpflags 0x5004 seq.no 2003081270 ack 2003081270
Dec 22 11:33:15.504: %FW-6-DROP_PKT: Dropping tcp session 151.23.129.250:2806 87.7.48.129:6881  due
to  RST inside current window with ip ident 49410 tcpflags 0x5014 seq.no 282168144 ack 2002135881
Dec 22 11:33:45.652: %FW-6-DROP_PKT: Dropping tcp session 79.0.190.18:11130 192.168.1.3:3497  due to
  Stray Segment with ip ident 9773 tcpflags 0x5011 seq.no 4263792322 ack 621236437
Dec 22 11:34:18.337: %FW-6-DROP_PKT: Dropping tcp session 79.45.50.174:50001 192.168.1.3:2404  due t
o  RST inside current window with ip ident 14234 tcpflags 0x5014 seq.no 4157798057 ack 1468074203
Dec 22 11:34:48.821: %FW-6-DROP_PKT: Dropping tcp session 151.47.78.48:57168 192.168.1.3:3160  due t
o  RST inside current window with ip ident 6055 tcpflags 0x5014 seq.no 506765260 ack 788591351
Dec 22 12:55:47.208: %FW-6-DROP_PKT: Dropping tcp session 87.248.211.144:80 192.168.1.3:3540  due to
  SYN inside current window with ip ident 15102 tcpflags 0x7012 seq.no 666117137 ack 3435313926
The router holds up for about an hour, then crashes.

Also, as already noted in this topic, there are continuous software errors of this kind

Code:

Dec 22 11:30:42.868: %SYS-2-LINKED: Bad enqueue of 85895E04 in queue 83986438 -Process= "<interrupt
level>", ipl= 6,  -Traceback= 0x808DA290 0x80023D28 0x81953028 0x80332BE0 0x80E170BC 0x80E18A54 0x80
9F33CC 0x80068E40 0x8006B6FC 0x801D6A48 0x80088C1C 0x80369148 0x8008590C 0x8008590C 0x80369208 0x803
6B4D0
Dec 22 11:30:45.816: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=8417E704, count=0,  -Traceb
ack= 0x808DA290 0x8030919C 0x8141424C 0x81416394 0x80367D2C 0x8036B178
Dec 22 11:30:45.868: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=8576B760, count=0,  -Traceb
ack= 0x808DA290 0x8030919C 0x8141424C 0x81416394 0x80367D2C 0x8036B178
Dec 22 11:30:54.932: %SYS-2-LINKED: Bad enqueue of 84190794 in queue 83986438 -Process= "<interrupt
level>", ipl= 6,  -Traceback= 0x808DA290 0x80023D28 0x81953028 0x80332BE0 0x80E165B4 0x81414CFC 0x81
415364 0x81415C6C 0x8141750C 0x80C3A2C4 0x80C3AAF8 0x80C3A2C4 0x80C3A4D0 0x80069BD0 0x8006B6FC 0x801
D6A48
Dec 22 11:30:54.936: %SYS-2-LINKED: Bad enqueue of 8589566C in queue 83986438 -Process= "<interrupt
level>", ipl= 6,  -Traceback= 0x808DA290 0x80023D28 0x81953028 0x80332BE0 0x80E170BC 0x80E18A54 0x80
9F33CC 0x80068E40 0x8006B6FC 0x801D6A48 0x80088C1C 0x80369148 0x8008590C 0x8008590C 0x80369208 0x819
4BA00
Dec 22 11:31:34.677: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=8565D41C, count=0,  -Traceb
ack= 0x808DA290 0x8030919C 0x8141424C 0x81416394 0x80367D2C 0x8036B178
These errors, however, also occur with no programs running and with all the PCs switched off.

I'm reposting the current configuration in the hope that you can get me out of this spiral.

Code:

hostname CiscoNet
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-22.T.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 50000
enable password xxxxx
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
dot11 vlan-name WiFi vlan 1
!
dot11 ssid WIFI
 vlan 1
 authentication open 
 guest-mode
!
dot11 ssid WIFI_DMZ
 vlan 2
 authentication open 
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 10.2.88.1
ip dhcp excluded-address 10.2.88.254
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 10.1.88.1
ip dhcp excluded-address 10.1.88.254
!
ip dhcp pool Pool2
   import all
   network 10.2.88.0 255.255.255.0
   default-router 10.2.88.1 
   dns-server 208.67.222.222 208.67.220.220 
   lease infinite
!
ip dhcp pool client
   network 192.168.1.0 255.255.255.0
   dns-server 208.67.222.222 208.67.220.220 
   default-router 192.168.1.1 
   lease infinite
!
ip dhcp pool xxxxxxxxxx
   host 192.168.1.3 255.255.255.0
   client-identifier 0100.1921.c922.ed
   lease infinite
!
ip dhcp pool xxxxxx
   host 10.1.88.100 255.255.255.0
   client-identifier 0100.166f.3d1f.93
   lease infinite
!
ip dhcp pool xxxxx
   host 10.1.88.101 255.255.255.0
   client-identifier 0100.0cf6.0730.6f
   lease infinite
!
ip dhcp pool xxxx
   host 10.1.88.102 255.255.255.0
   client-identifier 0100.1dd9.390a.d4
   lease infinite
!
ip dhcp pool Pool1
   import all
   network 10.1.88.0 255.255.255.0
   default-router 10.1.88.1 
   dns-server 208.67.222.222 208.67.220.220 
   lease infinite
!
!
ip cef
ip domain name libero.it
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall vdolive
ip inspect name Firewall tcp
ip inspect name Firewall udp
!
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
username xxx privilege 15 secret 5 xxxx
! 
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
 bundle-enable
 dsl operating-mode adsl2+ 
!
interface FastEthernet0
 switchport access vlan 100
!
interface FastEthernet1
 switchport access vlan 100
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 ssid WIFI
 !
 ssid WIFI_DMZ
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 world-mode dot11d country IT both
 l2-filter bridge-group-acl
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Vlan1
 no ip address
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no autostate
 bridge-group 1
!
interface Vlan2
 no ip address
 ip tcp adjust-mss 1452
 no autostate
 bridge-group 2
!
interface Vlan100
 no ip address
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no autostate
 bridge-group 3
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly max-reassemblies 256
 encapsulation ppp
 ip tcp header-compression
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxx
 ppp chap password 0 xxx 
 ppp pap sent-username xxxx password 0 xxxx 
!
interface Dialer1
 no ip address
!
interface BVI1
 ip address 10.1.88.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BVI2
 ip address 10.2.88.1 255.255.255.0
 ip access-group DMZ in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BVI3
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
!
!
ip nat translation timeout 600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 2500
ip nat inside source static udp 192.168.1.3 1755 interface Dialer0 1755
ip nat inside source static tcp 192.168.1.3 1755 interface Dialer0 1755
ip nat inside source static udp 192.168.1.3 4672 interface Dialer0 4672
ip nat inside source static tcp 192.168.1.3 4662 interface Dialer0 4662
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source list 103 interface Dialer0 overload
!
ip access-list extended DMZ
 deny   ip 10.2.88.0 0.0.0.255 10.1.88.0 0.0.0.255 log
 deny   ip 10.2.88.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip any any
!
access-list 1 remark *** ACL FOR PAT AND NAT ***
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 10.1.88.0 0.0.0.255
access-list 1 permit 10.2.88.0 0.0.0.255
access-list 101 remark ############################################################# 
access-list 101 remark ### ACL FOR TRAFFIC FROM INTERNET TO ROUTER ################
access-list 101 remark *** MISC ****************************************************
access-list 101 permit tcp any any established
access-list 101 permit tcp host 192.168.1.3 any eq telnet
access-list 101 remark *** DNS NAME RESOLUTION *************************************
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 permit udp host 208.67.220.220 eq domain any
access-list 101 remark *** ICMP **************************************************** 
access-list 101 permit icmp host 192.168.1.3 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any ttl-exceeded
access-list 101 remark *** EMULE *************************************************** 
access-list 101 permit tcp any any eq 4662
access-list 101 permit udp any any eq 4672
access-list 101 remark *** TORRENT ************************************************* 
access-list 101 permit tcp any any eq 1755
access-list 101 permit udp any any eq 1755
access-list 101 remark *** NTP ************************************
access-list 101 permit udp host 207.46.232.42 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 103 remark *** ACL FOR DMZ NAT ***
access-list 103 permit ip 10.2.88.0 0.0.0.255 any
access-list 700 permit xxxx.daaf.xxxx   0000.0000.0000
access-list 700 permit xxxx.6f3d.xxxx   0000.0000.0000
access-list 700 permit xxxx.f607.xxxx   0000.0000.0000
access-list 700 permit xxxx.d939.xxxx   0000.0000.0000
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password xxxxx
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 192.43.244.18
end
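
Added example, not part of the original post: a Python parser for the two kinds of output quoted above. It re-joins the terminal-wrapped syslog lines, extracts the traceback of each %SYS message and the reason of each %FW-6-DROP_PKT, and counts identical signatures, so the distinct tracebacks can be handed to support as the recommended action asks. The function names and the sample are assumptions; the %FW peers in the sample are documentation addresses.

```python
import re
from collections import Counter

# Constructed sample, hard-wrapped the way the terminal wrapped the thread's
# output. The %SYS tracebacks are the ones quoted in the thread; the %FW peers
# are documentation addresses, not real hosts.
SAMPLE = '''\
Dec 19 05:54:03.625: %SYS-2-LINKED: Bad enqueue of 0 in queue 8393AC7C -Process=
 "Per-minute Jobs", ipl= 6, pid= 44,  -Traceback= 0x808DA290 0x8002389C 0x8003D8
D0 0x80307A7C 0x81982BEC 0x80332F58 0x80367D2C 0x8036B178
Dec 19 05:54:03.625: %SYS-2-LINKED: Bad enqueue of 0 in queue 8393AC7C -Process=
 "Per-minute Jobs", ipl= 6, pid= 44,  -Traceback= 0x808DA290 0x8002389C 0x8003D8
D0 0x80307A7C 0x81982BEC 0x80332F58 0x80367D2C 0x8036B178
Dec 22 11:30:45.816: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=8417E704, count=0,  -Traceb
ack= 0x808DA290 0x8030919C 0x8141424C 0x81416394 0x80367D2C 0x8036B178
Dec 22 11:30:45.868: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=8576B760, count=0,  -Traceb
ack= 0x808DA290 0x8030919C 0x8141424C 0x81416394 0x80367D2C 0x8036B178
Dec 22 11:31:59.105: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:51413 192.168.1.3:3447  due
to  SYN inside current window with ip ident 22873 tcpflags 0x7012 seq.no 1363142110 ack 42566706
Dec 22 11:32:39.177: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.9:6881 192.168.1.3:1996  due t
o  Stray Segment with ip ident 28634 tcpflags 0x5004 seq.no 2003081270 ack 2003081270
Dec 22 11:34:18.337: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.20:50001 192.168.1.3:2404  due t
o  RST inside current window with ip ident 14234 tcpflags 0x5014 seq.no 4157798057 ack 1468074203
Dec 22 11:34:48.821: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.48:57168 192.168.1.3:3160  due t
o  RST inside current window with ip ident 6055 tcpflags 0x5014 seq.no 506765260 ack 788591351
'''

HEAD = re.compile(r'^(\w{3} +\d+ [\d:.]+): %([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): ?')
ADDR = re.compile(r'0x[0-9A-Fa-f]{8}')
PROC = re.compile(r'-Process=\s*"([^"]*)"')
# \s* instead of literal blanks: a space that fell on the wrap column is lost
# when the pieces are re-joined ("due" + "to" becomes "dueto").
DROP = re.compile(r'session (\S+):(\d+) (\S+):(\d+)\s*due\s*to\s*(.+?)\s*with\s*ip ident')


def unwrap(text):
    """Re-join wrapped lines; a record starts at 'timestamp: %FAC-SEV-MNEMONIC:'."""
    records = []
    for line in text.splitlines():
        if HEAD.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += line      # no separator: the wrap can split a token
    return records


def parse(record):
    """Turn one re-joined record into a dict of the fields worth correlating."""
    m = HEAD.match(record)
    ts, facility, severity, mnemonic = m.groups()
    body, has_tb, tail = record[m.end():].partition('-Traceback=')
    ev = {"time": ts, "tag": f"%{facility}-{severity}-{mnemonic}",
          "severity": int(severity), "text": body.strip(" ,")}
    if has_tb:
        ev["traceback"] = tuple(ADDR.findall(tail))
    proc = PROC.search(body)
    if proc:
        ev["process"] = proc.group(1)
    drop = DROP.search(body)
    if drop:
        ev["src"], ev["dst"] = drop.group(1), drop.group(3)
        ev["dport"], ev["reason"] = int(drop.group(4)), drop.group(5)
    return ev


def summarize(text):
    """Count events per (tag, signature); signature = drop reason or traceback."""
    counts = Counter()
    for ev in map(parse, unwrap(text)):
        counts[(ev["tag"], ev.get("reason") or ev.get("traceback") or ())] += 1
    return counts


if __name__ == "__main__":
    for (tag, sig), n in summarize(SAMPLE).most_common():
        print(n, tag, sig if isinstance(sig, str) else " ".join(sig))
```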

Posted: Mon 22 Dec, 2008 7:12 pm
by Helix
I may be talking nonsense... but I had traceback problems a while ago...

try removing the

Code:

ip virtual-reassembly max-reassemblies 256 

:D please don't beat me up! :P

Posted: Tue 23 Dec, 2008 10:02 am
by alfnetx
Helix wrote: I may be talking nonsense... but I had traceback problems a while ago...

try removing the

Code:

ip virtual-reassembly max-reassemblies 256 

:D please don't beat me up! :P
I had added this line in the hope of fixing the problem, so removing it would not fix it either.

Posted: Tue 23 Dec, 2008 1:10 pm
by Helix
It's strange that you can no longer browse after removing inspect... look at my config...

Code:

interface Dialer0
ip address negotiated
ip access-group 101 in
ip mtu 1492
ip nat outside
no ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username aliceadsl password 7 XXXXXXXXXX
crypto map remotemap
end
Mind that ACL 101 is the filtering ACL on the WAN / LAN side

Posted: Tue 23 Dec, 2008 1:12 pm
by Helix
Another test you can do is to remove the various NAT timers:

Code:

ip nat translation timeout 600 
ip nat translation tcp-timeout 1200 
ip nat translation udp-timeout 30 
ip nat translation finrst-timeout 300 
ip nat translation syn-timeout 120 
ip nat translation dns-timeout 300 
ip nat translation icmp-timeout 120 
ip nat translation max-entries 2500