Trouble shooting Cisco 877 and Eircom DSL
04-12-2008 8:42pm
I'm trying to hook up a Cisco 877 to eircom's DSL.
This unit will be linked back to the main office ASA via VPN tunnel over this link.
I've already wasted a day odd because the line wasn't working properly but I'm not convinced they fixed it correctly. After eircom "fixed" the line I verified it was working with one of their own netopia boxes. Not helped by the fact my cisco knowledge is a little rusty. :)
In addition I wasted a few more hours on an incompatibility issue with the DSL firmware which I learned about in this helpful thread :).
Applying this firmware got rid of these messages when traffic activated the dialer.
*Mar 1 07:28:15: Di0: No free dialer - starting fast idle timer
Here is the basic config I tried to verify the connection with. Missing some of the boilerplate stuff.
!
ip subnet-zero
ip name-server 213.94.190.194
!
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip unnumbered Loopback0
 encapsulation ppp
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname eircom
 ppp chap password broadband1
!
!
interface Loopback0
 ip address 84.47.XXX.XXX 255.255.255.255 !!Our static address!!
 hold-queue 100 out
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
I'm fairly sure this is working as far as just getting the ATM and Dialer up.
I can see from the debug Dialer stuff that the dialer seems to be connecting.
I moved on and modified a config from one of the other branches with a similar setup. When I entered this config with all the VPN details the Dialer seems to fail again.
The CD light is on; turning on the debug messages reveals ATM is up but the Dialer is giving the same message as before.
Di0: No free dialer - starting fast idle timer
There are hundreds of these a minute this time.
Strangely enough when I tested the line with one of the standard eircom modems afterwards I get DSL sync but the internet light is red.
Any ideas what the best way to troubleshoot this is? Is it possible I have somehow tripped something in the exchange because of a dodgy config on my cisco router? Purple monkey dishwasher?
EDIT: Oops is this more appropriate in the broadband forum?
Comments
-
I'm a bit confused. Di0 as referred to in the log file is Dialer 0 and you only appear to have Dialer 1 configured.
What do you see if you do a 'sho int di0' and 'sho int di1' ?
-
I'm a bit confused. Di0 as referred to in the log file is Dialer 0 and you only appear to have Dialer 1 configured.
What do you see if you do a 'sho int di0' and 'sho int di1' ?
I'll pare the config down a bit and post it in a few mins.
-
Here is the config. I've omitted some of the irrelevant inspect statements and verbose ACLs.
It's similar in operation to the basic config I posted earlier with the crypto stuff added.
I fully accept I might be doing something really stupid with this config, but it's basically the same as one of the other remote offices so I dunno.
!
!
version 12.4
no service pad
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname routername
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.XX.XX.1 172.XX.XX.10
ip dhcp excluded-address 172.XX.XX.101 172.XX.XX.254
!
ip dhcp pool sdm-pool1
 network 172.XX.XX.0 255.255.255.0
 dns-server 159.134.237.6 159.134.248.17
 default-router 172.XX.XX.1
 netbios-name-server 172.XX.XX.10 172.XX.XX.16
 lease infinite
!
!
ip name-server 159.134.237.6
ip name-server 159.134.248.17
ip inspect log drop-pkt
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
!! REMOVED inspect statements!!
ip inspect name SDM_HIGH udp
ip ips notify SDEE
!
!
username usernamejoe privilege 15 password 0 XXXXXXXXXXXX
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_HIGH
 class sdm_p2p_gnutella
  drop
 class sdm_p2p_bittorrent
  drop
 class sdm_p2p_edonkey
  drop
 class sdm_p2p_kazaa
  drop
!
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key XXXXXXXXXXXXXXXXXXXXX address 62.77.XXX.XXX
!
!
crypto ipsec transform-set ESPNAME esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 62.77.XX.XX
 set transform-set ESPNAME
 match address 102
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
!
interface loopback0
 ip address 84.47.XX.XX 255.255.255.255
!
interface Vlan1
 description $FW_INSIDE$
 ip address 172.XX.XX.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip unnumbered Loopback0
 ip access-group 104 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_HIGH out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 dialer string "*09#"
 ppp authentication chap callin
 ppp chap hostname eircom
 ppp chap password 0 broadband1
 crypto map SDM_CMAP_1
 service-policy input sdmappfwp2p_SDM_HIGH
 service-policy output sdmappfwp2p_SDM_HIGH
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.XX.XX.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 84.47.XX.XX 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.XX.XX.0 0.0.0.255 172.XX.XX.0 0.0.0.255
access-list 101 permit udp host 62.77.XX.XX host 84.47.XX.XX eq non500-isakmp
access-list 101 permit udp host 62.77.XX.XX host 84.47.XX.XX eq isakmp
access-list 101 permit esp host 62.77.XX.XX host 84.47.XX.XX
access-list 101 permit ahp host 62.77.XX.XX host 84.47.XX.XX
access-list 101 deny ip 172.XX.XX.0 0.0.0.255 any
access-list 101 permit icmp any host 84.47.XX.XX echo-reply
access-list 101 permit icmp any host 84.47.XX.XX time-exceeded
access-list 101 permit icmp any host 84.47.XX.XX unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.XX.XX.0 0.0.0.255 172.XX.XX.0 0.0.0.255
access-list 102 permit ip 172.XX.XX.0 0.0.0.255 172.XX.XX.0 0.0.0.255
access-list 102 permit ip 172.XX.XX.0 0.0.0.255 192.XX.XX.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 172.XX.XX.0 0.0.0.255 172.XX.XX.0 0.0.0.255
access-list 103 deny ip 172.XX.XX.0 0.0.0.255 172.XX.XX.0 0.0.0.255
access-list 103 deny ip 172.XX.XX.0 0.0.0.255 192.XX.XX.0 0.0.0.255
access-list 103 permit ip 172.XX.XX.0 0.0.0.255 any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 159.134.248.17 eq domain host 84.47.XX.XX
access-list 104 permit udp host 159.134.237.6 eq domain host 84.47.XX.XX
access-list 104 permit ahp host 62.77.XX.XX host 84.47.XX.XX
access-list 104 permit esp host 62.77.XX.XX host 84.47.XX.XX
access-list 104 permit udp host 62.77.XX.XX host 84.47.XX.XX eq isakmp
access-list 104 permit udp host 62.77.XX.XX host 84.47.XX.XX eq non500-isakmp
access-list 104 remark IPSec Rule
access-list 104 permit ip 172.XX.XX.0 0.0.0.255 172.XX.XX.0 0.0.0.255
access-list 104 permit ip 172.XX.XX.0 0.0.0.255 172.XX.XX.0 0.0.0.255
access-list 104 permit ip 192.XX.XX.0 0.0.0.255 172.XX.XX.0 0.0.0.255
access-list 104 deny ip 172.XX.XX.0 0.0.0.255 any
access-list 104 permit icmp any host 84.47.XX.XX echo-reply
access-list 104 permit icmp any host 84.47.XX.XX time-exceeded
access-list 104 permit icmp any host 84.47.XX.XX unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
dialer-list 1 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input all
!
scheduler max-task-time 5000
end
-
So to summarize, the CD light is lit which means you've got DSL sync, but the PPP handshake isn't happening?
I assume from the use of the loopback address you actually have a fixed IP address (84.87.xx.xx) on this particular link? If not that might be causing problems. Also double check it's the right one if it is indeed fixed. Otherwise the only odd thing that jumps out at me is the dial string .. is that necessary?
Apart from that, I can only offer the advice to start with a stripped down as possible config, without any ACL's or crypto or stuff like that, aiming to just getting DSL sync and PPP handshake completed and then to add things back one by one until it breaks. At least then you'll know what area the problem is in.
Again, I'm not an expert by any stretch. Maybe some others with a bit more knowledge can step in and offer some more useful advice.
-
So to summarize, the CD light is lit which means you've got DSL sync, but the PPP handshake isn't happening?
I assume from the use of the loopback address you actually have a fixed IP address (84.87.xx.xx) on this particular link? If not that might be causing problems. Also double check it's the right one if it is indeed fixed. Otherwise the only odd thing that jumps out at me is the dial string .. is that necessary?
Apart from that, I can only offer the advice to start with a stripped down as possible config, without any ACL's or crypto or stuff like that, aiming to just getting DSL sync and PPP handshake completed and then to add things back one by one until it breaks. At least then you'll know what area the problem is in.
Again, I'm not an expert by any stretch. Maybe some others with a bit more knowledge can step in and offer some more useful advice.
Yeah it complains about a lack of Dial string in the debug dialer output if not. Other forums suggest it just to shut it up as it's not used apparently.
Yeah we have a fixed IP and that seems to be correct.
I'm pretty stumped at this stage. I'm probably just going to issue a debug all to syslog and plough through that huge amount of data see if anything strange jumps out while doing as you say.
I'm still not ruling out a problem with the line as it seems to jump up and down quite a bit. Whether this is a fault of mine or a gotcha with this router I am missing I'm not sure.
-
Yeah, the ST Micro chipset used in the 800 series doesn't seem to be one of the best when dealing with line problems, especially noise. Are you using the 3.0.33 firmware? That seems to be the best one in my experience at home, where I get dreadful noise problems, especially at night.
-
Yeah this is the adsl firmware I'm using.
ftp://ftp.cisco.com/pub/access/800/adsl_alc_20190.3-0-33.bin
Seemed to have solved the initial problem.
Apparently eircom think there may be a line fault so an engineer's supposed to be coming out. Very strange all the same.
-
What are your line stats like?
sh dsl int atm0
-
Sorted now almost.
"debug ppp" showed a shed load of errors with chap. Access denied errors with the result the session never getting established. Talking to a few people this seems to be a general eircom thing. Broadband support as unhelpful as ever.
When I rang them for the fifth time it eventually started working.
Now to get the VPN working..
-
"debug ppp" showed a shed load of errors with chap. Access denied errors with the result the session never getting established. Talking to a few people this seems to be a general eircom thing. Broadband support as unhelpful as ever.
When I rang them for the fifth time it eventually started working.
I guess you were just unlucky and hit a period when it was misbehaving like that.
Can't help you with the VPN thing I'm afraid .. outside of my experience, on Cisco kit at any rate.
-
All running tickedy boo now.
Some slight issues with broken ACLs blocking IKE (my f*ck up) fixed easy enough.
IPSEC was failing because the ASA was configured with the wrong encryption; that took a while to figure out.
-
All running tickedy boo now. Some slight issues with broken ACLs blocking IKE (my f*ck up) fixed easy enough.
http://www.winagents.com/en/products/routertweak/
A handy little FREE tool for managing Cisco configs. The real bonus for me is that it allows you to edit/add/delete individual entries in ACL's on the fly without all the tedious cutting and pasting you normally have to go through, unless you use that horrible, nasty SDM abomination Cisco provide.
-
Great!
Bloody ACL's ... bane of my life! BTW have you tried this at all?
http://www.winagents.com/en/products/routertweak/
A handy little FREE tool for managing Cisco configs. The real bonus for me is that it allows you to edit/add/delete individual entries in ACL's on the fly without all the tedious cutting and pasting you normally have to go through, unless you use that horrible, nasty SDM abomination Cisco provide.
Downloading it now for a look. Cheers.
Yeah ACLs are a pain in the ass. I was doing most of the config through the console cable as I was using it to see the debug messages which doesn't help when pasting stuff in.
Turns out copying the config to the router via tftp didn't wipe the existing ACLs. I'm not sure why this happened. It meant I had to "erase start" reload then copy over the config via tftp to be sure it was right.
-
Can you post the final configuration that was used to successfully connect to eircom?
I am thinking about getting one of these devices and setting up something with magnet business broadband as they can give out static IP's on request and will not charge extra for them. I see the 7.6 Meg package from eircom is charging 50 Euro to assign a single static IP.
Would you recommend the 877 now that you have spent some time in its configuration?
Regards,
Dave.
-
DjDangerousDave wrote: » Can you post the final configuration that was used to successfully connect to eircom?
I am thinking about getting one of these devices and setting up something with magnet business broadband as they can give out static IP's on request and will not charge extra for them. I see the 7.6 Meg package from eircom is charging 50 Euro to assign a single static IP.
Would you recommend the 877 now that you have spent some time in its configuration?
Regards,
Dave.
The rest of the config is up to you though. The possibilities are pretty much endless as you might expect, and there isn't one particular 'correct' way to set it up.
As an example, I have mine set up for IRB (Integrated Bridge Routing) which combines all the local interfaces (4 ethernet plus two wireless networks on separate VLAN's) into a bridge group, which means they all share the same IP address space, but you could equally as well have them all in separate IP spaces and route between them.
The only thing I would say is that the STI Micro DSL chipset in it isn't probably the best at handling noisy lines, so if your SNR margins and Attenuation aren't the best you might be best off with something else.
-
Turns out copying the config to the router via tftp didn't wipe the existing ACLs. I'm not sure why this happened. It meant I had to "erase start" reload then copy over the config via tftp to be sure it was right
Another approach to the ACL problem is to maintain them all offline in separate files. For every ACL, put an equivalent "no access-list xxx" command at the top, and then either tftp them across, or copy and paste the contents to the command line.
-
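The offline-file approach from the post above, as an added example that is not part of the thread: it builds the "delete, then redefine" snippet for every ACL in an offline file (extended here to named ACLs as well) and lists the entries already on the router that a plain merge would leave in place. The function names and both sample configs are hypothetical and constructed for the illustration.

```python
import re

NUMBERED = re.compile(r"^access-list (\d+) .+$")
NAMED = re.compile(r"^ip access-list (standard|extended) \S+$")

# Constructed samples: addresses are documentation ranges, not the thread's.
RUNNING = """\
interface Dialer0
 ip access-group 104 in
!
access-list 104 permit icmp any any
access-list 104 permit esp host 192.0.2.10 host 198.51.100.20
access-list 104 deny ip any any log
access-list 23 permit 10.0.0.0 0.0.0.255
"""
DESIRED = """\
access-list 104 remark outside, inbound
access-list 104 permit udp host 192.0.2.10 host 198.51.100.20 eq isakmp
access-list 104 permit udp host 192.0.2.10 host 198.51.100.20 eq non500-isakmp
access-list 104 permit esp host 192.0.2.10 host 198.51.100.20
access-list 104 deny ip any any log
"""


def parse_acls(config_text):
    """Map each ACL header to its entries, in config order.

    Numbered lists are keyed 'access-list N' and hold whole lines; named lists
    are keyed by their 'ip access-list ...' header and hold the sub-commands.
    """
    acls, named = {}, None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())            # collapse runs of whitespace
        if named and raw[:1].isspace() and line:
            acls[named].append(line)            # indented line inside a named ACL
            continue
        named = None
        m = NUMBERED.match(line)
        if m:
            acls.setdefault("access-list " + m.group(1), []).append(line)
        elif NAMED.match(line):
            named = line
            acls.setdefault(named, [])
    return acls


def replacement_script(desired_text):
    """Each ACL from the offline file, preceded by the command that deletes it."""
    out = []
    for header, entries in parse_acls(desired_text).items():
        out.append("no " + header)
        if header.startswith("ip access-list"):
            out.append(header)
            out.extend(" " + e for e in entries)
        else:
            out.extend(entries)
    return "\n".join(out) + "\n"


def stale_entries(running_text, desired_text):
    """Entries on the router, in lists the file manages, that the file lacks.

    A merge without the leading 'no' keeps these, and appends the file's new
    entries to the end of the numbered list, after its existing deny.
    """
    running, desired = parse_acls(running_text), parse_acls(desired_text)
    stale = {}
    for header, entries in running.items():
        left = [e for e in entries if e not in desired.get(header, entries)]
        if left:
            stale[header] = left
    return stale


if __name__ == "__main__":
    print(stale_entries(RUNNING, DESIRED))
    print(replacement_script(DESIRED), end="")
```

While a list is being rebuilt it is briefly absent and then incomplete on any interface that references it, so load the output from the console, as the original poster was doing, and not over a session that the same ACL filters.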
I have one working here (actually an 877W with wireless) on eircom and am pretty happy with it. It's not for the non tech-savvy though, and Cisco experience is pretty much required to get it up and running. Getting it connected to eircom is the easy part .. ronoc's first config was fine in that regard, it just appears that eircom were having problems at their end while he was testing that clouded the issue somewhat.
The rest of the config is up to you though. The possibilities are pretty much endless as you might expect, and there isn't one particular 'correct' way to set it up.
As an example, I have mine set up for IRB (Integrated Bridge Routing) which combines all the local interfaces (4 ethernet plus two wireless networks on separate VLAN's) into a bridge group, which means they all share the same IP address space, but you could equally as well have them all in separate IP spaces and route between them.
The only thing I would say is that the STI Micro DSL chipset in it isn't probably the best at handling noisy lines, so if your SNR margins and Attenuation aren't the best you might be best off with something else.
I have a bit of experience with cisco, I should have more if I was bothered though.
I would like to get the hands on experience setting up a cisco on a DSL line. I know I could go for the model with the ethernet WAN port and use the magnet modem with NAT and DHCP turned off but then I would lose this aspect of the setup, and that would be one more device I had to manage.
Would set up on a magnet ADSL line be similar to the config we see with the eircom line?
Where is good to buy these 800 series routers?
-
DjDangerousDave wrote: » Would set up on a magnet ADSL line be similar to the config we see with the eircom line? Where is good to buy these 800 series routers?
-
I don't know Magnet's setup, but pretty much, I'd imagine, with maybe different pvc values, and a different userid/password.
I actually got mine second-hand via adverts.ie, as they're pretty expensive new, but you could try ebay .. I've seen a few on there.
Do you mind if I ask how much you paid?
-
DjDangerousDave wrote: » Do you mind if I ask how much you paid?
-
DjDangerousDave wrote: » Can you post the final configuration that was used to successfully connect to eircom?
I am thinking about getting one of these devices and setting up something with magnet business broadband as they can give out static IP's on request and will not charge extra for them. I see the 7.6 Meg package from eircom is charging 50 Euro to assign a single static IP.
Would you recommend the 877 now that you have spent some time in its configuration?
Regards,
Dave.
Yeah they are pretty good when you do get them configured.
They are very powerful and slot nicely in with Cisco's other kit. We get them because they do the site to site VPN with our ASA.
I do a fair bit of stuff on catalyst switches and other cisco routers but it is still tricky enough to get the 877 going when I wasn't familiar with them, it's been a while since I sat studied for my CCNA!
Definitely not a box for someone that hasn't got a good working knowledge of the cisco IOS. And probably overkill for home use!
-
I am looking to replace an existing netgear adsl router with a cisco 877
My config is
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Internallink
ip address 10.252.90.3 255.255.255.0
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
no ip redirects
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname eircom
ppp chap password 7 15101903052E292526376462
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
results of debug
*Mar 8 17:56:34.709: %LINK-3-UPDOWN: Interface ATM0, changed state to up
*Mar 8 17:56:35.709: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to up
*Mar 8 17:56:39.942: %DIALER-6-BIND: Interface Vi1 bound to profile Di0
*Mar 8 17:56:39.942: Vi1 PPP: Using dialer call direction
*Mar 8 17:56:39.942: Vi1 PPP: Treating connection as a callout
*Mar 8 17:56:39.942: Vi1 PPP: Session handle[61000011] Session id[0]
*Mar 8 17:56:39.942: Vi1 PPP: Authorization required
*Mar 8 17:56:39.942: Vi1 PPP: No remote authentication for call-out
*Mar 8 17:56:39.946: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Mar 8 17:56:40.422: Vi1 PPP: No authorization without authentication
*Mar 8 17:56:40.470: Vi1 CHAP: I CHALLENGE id 255 len 30 from "srl2.bras"
*Mar 8 17:56:40.470: Vi1 CHAP: Using hostname from interface CHAP
*Mar 8 17:56:40.474: Vi1 CHAP: Using password from interface CHAP
*Mar 8 17:56:40.474: Vi1 CHAP: O RESPONSE id 255 len 27 from "eircom"
*Mar 8 17:56:40.734: Vi1 CHAP: I SUCCESS id 255 len 4
*Mar 8 17:56:41.734: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
% Incomplete command.
*Mar 8 17:57:03.353: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar 8 17:57:04.341: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
*Mar 8 17:57:05.341: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to up
I connected a laptop to fa3 but I still can't get on to the internet. Any ideas how to resolve this?