Possible IOS bug?
Posted: Mon 26 Apr 2010, 12:57 pm
Good morning,
I have searched around the web but found no reference to my problem.
I should mention that I already had this situation with the following models:
C1721 32F/128D
C2651XM 48F/256D
Both with 12.4 ADVSECURITY and ADVIPSERVICES images, rev 12.4(17) and later, and the problem also occurs with the latest 12.4(25).
C877 52F/256D 15.0M2 ADVIPSERVICES
These routers (the ones above) were first on 4 Mbit SHDSL and then on 4M/512 ADSL (the C877 is currently on it); they had an ACL on inbound traffic, ip inspect tcp/udp/icmp enabled in the outbound direction, and NAT for 3-4 computers at most.
NAT is set up like this:
ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation icmp-timeout 120
There are 3-4 static 1-to-1 NATs and one NAT overload for outbound traffic.
Let's call it the classic SOHO configuration.
PROBLEM: if I run sh ip nat trans on the router, it works and I see the NAT lines.
If I run sh ip nat stat, in 90% of cases the router freezes completely (for about as long as a reboot would take, depending on the router) and then carries on normally. If I run a sh ver, the router has not rebooted, since the uptime keeps counting, but in the meantime the router stops completely and the network connections die. In 10% of cases I see the output of sh ip nat stat; in the others it is a total freeze and I never see the result. I should add that as persistent NAT entries I have on average about 100-200 (I have a server running Cacti that makes SMTP queries to external hosts every 5 minutes).
CPU usage is always below 10%, and as for free memory I currently have 131 MB free... and I don't know how to solve the problem.
I get the same problem even if I load an IP-BASE image.
My question is whether this is an IOS bug or whether I am doing something wrong in the config.
Here I attach the config I am currently using:
version 15.0
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname xxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 notifications
logging console informational
enable password 7 xxxxxxxxxxxxx
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone CET 2
!
crypto pki trustpoint TP-self-signed-2148273753
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2148273753
revocation-check none
rsakeypair TP-self-signed-2148273753
!
!
crypto pki certificate chain TP-self-signed-2148273753
..... SNIP
quit
dot11 syslog
ip tcp selective-ack
ip tcp timestamp
ip tcp window-size 2144
ip tcp synwait-time 10
ip ssh time-out 90
ip ssh version 2
!
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key xxxxx address 10.0.0.2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set VPN esp-aes esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set VPN
match address 110
!
!
!
!
interface Loopback0
description hostname xxxx
ip address 77.93.xxx 255.255.255.255
no ip redirects
no ip proxy-arp
!
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.248
ip mtu 1400
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1360
keepalive 10 3
tunnel source Vlan2
tunnel destination 10.0.0.2
!
!
interface Null0
no ip unreachables
!
interface ATM0
description xxxx
no ip address
no ip redirects
no ip proxy-arp
atm ilmi-keepalive
dsl bitswap both
!
!
interface ATM0.1 point-to-point
description Point to Point Uplink
bandwidth 512
bandwidth receive 4096
ip address xxxx .252
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect OUT-IN in
ip inspect IN-OUT-GW out
ip virtual-reassembly
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
switchport access vlan 2
!
!
interface Vlan1
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
!
interface Vlan2
ip address 10.0.0.1 255.255.255.248
ip nat inside
ip virtual-reassembly
crypto map VPN
!
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation icmp-timeout 120
ip nat inside source list 101 interface Loopback0 overload
ip nat inside source static 192.168.1.7 77.93.xxxx extendable
ip nat inside source static tcp 192.168.1.250 21 77.93.xxx 21 extendable
ip nat inside source static tcp 192.168.1.100 53 77.93.xx 53 extendable
ip nat inside source static udp 192.168.1.100 53 77.93.xxx 53 extendable
ip nat inside source static tcp 192.168.1.100 80 77.93.xxx 80 extendable
ip nat inside source static udp 192.168.1.100 88 77.93.xxx 88 extendable
ip nat inside source static tcp 192.168.1.100 3074 77.93.xxx 3074 extendable
ip nat inside source static udp 192.168.1.100 3074 77.93.xxx 3074 extendable
ip nat inside source static tcp 192.168.1.8 80 77.93.235.238 8080 extendable
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.0.0.0 255.255.255.248 Vlan2
ip route 192.168.10.0 255.255.255.0 172.16.0.2
!
!
no logging trap
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 89.186.68.6 host xxx
access-list 100 deny ip 77.93.xxxx 0.0.0.7 77.93.xxx 0.0.0.7
access-list 100 permit udp host 212.97.32.2 eq domain any
access-list 100 permit udp host 212.97.32.7 eq domain any
access-list 100 deny ip any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any source-quench
access-list 100 permit gre any any
access-list 100 permit 41 any any
access-list 100 deny tcp any any range 135 139
access-list 100 deny udp any any range 135 netbios-ss
access-list 100 deny tcp any any eq 445
access-list 100 deny udp any any eq 445
access-list 100 deny tcp any any range 1433 1434
access-list 100 deny udp any any range 1433 1434
access-list 100 permit tcp any host xxxxx eq 22
access-list 100 permit tcp any host xxx eq 1723
access-list 100 permit udp host 212.97.59.76 eq 5060 xxxx 0.0.0.7
access-list 100 permit tcp any host 77.93.xxxx eq smtp
access-list 100 permit tcp any host 77.93.xxxx eq ftp
access-list 100 permit tcp any host 77.93.xxxx eq www
access-list 100 permit tcp any host 77.93.xxxx eq domain
access-list 100 permit udp any host 77.93.xxxx eq domain
access-list 100 permit udp any host 77.93.xxx eq 88
access-list 100 permit tcp any host 77.93.xxxx eq 3074
access-list 100 permit udp any host 77.93.xxxx eq 3074
access-list 100 permit tcp any host 77.93.xxxx eq 8080
access-list 100 permit tcp any host 77.93.xxxx gt 1023 established
access-list 100 deny ip any any log
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.7
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip host 172.16.0.2 any
access-list 101 permit ip host 10.0.0.3 any
access-list 101 permit ip host 10.0.0.4 any
access-list 103 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit gre host 10.0.0.1 host 10.0.0.2
access-list 111 permit udp 10.0.0.0 0.0.0.7 host 10.0.0.1 eq 1812
access-list 111 permit udp 10.0.0.0 0.0.0.7 host 10.0.0.1 eq 1813
access-list 111 permit icmp 10.0.0.0 0.0.0.7 10.0.0.0 0.0.0.7
access-list 111 permit gre host 10.0.0.2 host 10.0.0.1
access-list 111 permit esp host 10.0.0.2 host 10.0.0.1
access-list 111 permit tcp 10.0.0.0 0.0.0.7 host 10.0.0.1 eq 22
access-list 111 permit udp host 10.0.0.2 eq isakmp host 10.0.0.1 eq isakmp
access-list 111 deny ip any any log
no cdp run
!
!
!
!
snmp-server community public RO
radius-server local
nas 10.0.0.3 key 7 0500510C336D69283B1014200A0A163F23
user santerno nthash 7 013157577D5C252B7018175A3F214F4A2859537F7E000E66610640544127270609
!
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813
!
control-plane
!
!
banner login ^C
You are connected to $(hostname).$(domain) on line $(line).
If you are not authorized to access this system, disconnect now.
THIS IS FOR AUTHORIZED USE ONLY
Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal penalties.
By continuing to use this system you indicate your awareness of and consent
to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not
agree to the conditions stated in this warning.
Network Administrator: xxx
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
sntp server 192.43.244.18
sntp server 193.204.114.105
end
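A small consistency audit added here as an example (it is not part of the original post, nor a Cisco tool): it parses the port-specific static NAT forwards and the inbound ACL 100 permits from a constructed excerpt of the config above, keeping the post's own `77.93.xxxx` redactions, and reports forwards the ACL would block as well as ACL permits that no port-specific forward backs. The helper names (`static_forwards`, `acl_permits`, `audit`) are this example's own.

```python
import re

# Constructed excerpt of the config posted above (redacted addresses kept as in the post).
CONFIG = """
ip nat inside source static 192.168.1.7 77.93.xxxx extendable
ip nat inside source static tcp 192.168.1.250 21 77.93.xxx 21 extendable
ip nat inside source static tcp 192.168.1.100 53 77.93.xx 53 extendable
ip nat inside source static udp 192.168.1.100 53 77.93.xxx 53 extendable
ip nat inside source static tcp 192.168.1.100 80 77.93.xxx 80 extendable
ip nat inside source static udp 192.168.1.100 88 77.93.xxx 88 extendable
ip nat inside source static tcp 192.168.1.100 3074 77.93.xxx 3074 extendable
ip nat inside source static udp 192.168.1.100 3074 77.93.xxx 3074 extendable
ip nat inside source static tcp 192.168.1.8 80 77.93.235.238 8080 extendable
access-list 100 permit tcp any host xxxxx eq 22
access-list 100 permit tcp any host xxx eq 1723
access-list 100 permit tcp any host 77.93.xxxx eq smtp
access-list 100 permit tcp any host 77.93.xxxx eq ftp
access-list 100 permit tcp any host 77.93.xxxx eq www
access-list 100 permit tcp any host 77.93.xxxx eq domain
access-list 100 permit udp any host 77.93.xxxx eq domain
access-list 100 permit udp any host 77.93.xxx eq 88
access-list 100 permit tcp any host 77.93.xxxx eq 3074
access-list 100 permit udp any host 77.93.xxxx eq 3074
access-list 100 permit tcp any host 77.93.xxxx eq 8080
"""

# IOS service keywords used in the post's ACL; numeric ports pass through unchanged.
PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80}
STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) any host (\S+) eq (\S+)")

def port_number(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]

def static_forwards(config):
    """Return {(proto, outside_port): inside_host} for port-specific static NATs."""
    fwd = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, inside, _inside_port, _outside_ip, outside_port = m.groups()
            fwd[(proto, int(outside_port))] = inside
    return fwd

def acl_permits(config, acl_id):
    """Return the set of (proto, port) that the numbered ACL opens to 'any'."""
    opened = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_id:
            opened.add((m.group(2), port_number(m.group(4))))
    return opened

def audit(config, acl_id="100"):
    """Cross-check static port forwards against the inbound ACL.
    Returns (forwards the ACL blocks, ACL permits with no port-specific forward)."""
    fwd, opened = static_forwards(config), acl_permits(config, acl_id)
    unreachable = sorted(k for k in fwd if k not in opened)
    unbacked = sorted(k for k in opened if k not in fwd)
    return unreachable, unbacked
```

On the excerpt the first list is empty and the second holds tcp/22, tcp/25 and tcp/1723; those are expected here (SSH and PPTP terminate on the router, and SMTP is covered by the 1-to-1 static for 192.168.1.7, which the port-specific parser deliberately skips), so the second list is for an operator to judge rather than an error list.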