Cisco SR520w FE-WAN port stops working

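I have set up a Cisco SR520W and everything seems to work. After about 1-2 days, the WAN port seems to stop forwarding traffic to the device's Internet gateway IP.

If I unplug and re-plug the network cable connecting the SR520W WAN port and the Comcast cable modem, traffic starts flowing again. Also, if I reboot the SR520W, traffic flows again.

Any ideas?

Here is the running config: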

Current configuration : 10559 bytes
!
version 12.4
no service pad
no service timestamps debug uptime
service timestamps log datetime msec
no service password-encryption
!
hostname hostname.mydomain.com
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
!
crypto pki trustpoint TP-self-signed-334750407
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-334750407
revocation-check none
rsakeypair TP-self-signed-334750407
!
!
crypto pki certificate chain TP-self-signed-334750407
certificate self-signed 01
<removed>
   quit
dot11 syslog
!
dot11 ssid <removed>
vlan 75
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 <removed>
!
ip source-route
!
!
ip dhcp excluded-address 172.16.0.1 172.16.0.10
!
ip dhcp pool inside
   import all
   network 172.16.0.0 255.240.0.0
   default-router 172.16.0.1
   dns-server 10.0.0.15 10.0.0.12
   domain-name mydomain.com
!
!
ip cef
ip domain name mydomain.com
ip name-server 68.87.76.178
ip name-server 66.240.48.9
ip port-map user-ezvpn-remote port udp 10000
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
!
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
parameter-map type inspect z1-z2-pmap
audit-trail on
password encryption aes
!
!
username admin privilege 15 secret 5 <removed>
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
  key-string
  <removed>
  quit
!
!
!
!
!
!
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
connect auto
group EZVPN_GROUP_1 key <removed>
mode client
peer 64.1.208.90
virtual-interface 1
username admin password <removed>
xauth userid mode local
!
!
archive
log config
  logging enable
  logging size 600
  hidekeys
!
!
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM-Voice-permit
match protocol sip
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match protocol user-ezvpn-remote
class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT
match class-map SDM_EASY_VPN_REMOTE_TRAFFIC
match access-group 101
class-map type inspect match-any Easy_VPN_Remote_VT
match access-group 102
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any L4-inspect-class
match protocol icmp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all dhcp_out_self
match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
match access-group name dhcp-req-permit
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect dhcp_self_out
  pass
class type inspect sdm-cls-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-permit_VT
class type inspect Easy_VPN_Remote_VT
  pass
class class-default
  drop
policy-map type inspect sdm-inspect
class type inspect SDM-Voice-permit
  pass
class type inspect sdm-cls-insp-traffic
  inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-protocol-http
  inspect z1-z2-pmap
class class-default
  pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
  pass
class class-default
  drop
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_REMOTE_PT
  pass
class type inspect dhcp_out_self
  pass
class class-default
  drop
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
bridge irb
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address 75.149.48.76 255.255.255.240
ip nat outside
ip ips sdm_ips_rule out
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
!
interface Virtual-Template1 type tunnel
no ip address
ip virtual-reassembly
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
!
interface Dot11Radio0
no ip address
!
encryption vlan 75 mode ciphers aes-ccm
!
ssid <removed>
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.75
encapsulation dot1Q 75 native
ip virtual-reassembly
bridge-group 75
bridge-group 75 subscriber-loop-control
bridge-group 75 spanning-disabled
bridge-group 75 block-unknown-source
no bridge-group 75 source-learning
no bridge-group 75 unicast-flooding
!
interface Vlan1
no ip address
ip virtual-reassembly
bridge-group 1
!
interface Vlan75
no ip address
ip virtual-reassembly
bridge-group 75
bridge-group 75 spanning-disabled
!
interface BVI1
no ip address
ip nat inside
ip virtual-reassembly
!
interface BVI75
description $FW_INSIDE$
ip address 172.16.0.1 255.240.0.0
ip nat inside
ip ips sdm_ips_rule in
ip virtual-reassembly
zone-member security in-zone
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.149.48.78 2
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 75.149.48.64 0.0.0.15 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 64.1.208.90 any
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
!
!
!
!
snmp-server community <removed> RO
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 75 route ip
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
end

I also ran some diagnostics when the WAN port stopped working:

1. Show interface fa4

 FastEthernet4 is up, line protocol is up 
  Hardware is PQUICC_FEC, address is 0026.99c5.b434 (bia 0026.99c5.b434)
  Description: $FW_OUTSIDE$
  Internet address is 75.149.48.76/28
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 01:08:15, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/23/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 0 packets/sec
     336446 packets input, 455403158 bytes
     Received 23 broadcasts, 0 runts, 0 giants, 37 throttles
     41 input errors, 0 CRC, 0 frame, 0 overrun, 41 ignored
     0 watchdog
     0 input packets with dribble condition detected
     172529 packets output, 23580132 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

2. Show ip route

Gateway of last resort is 75.149.48.78 to network 0.0.0.0
C    192.168.75.0/24 is directly connected, BVI75
     64.0.0.0/32 is subnetted, 1 subnets
S       64.1.208.90 [1/0] via 75.149.48.78
S    192.168.10.0/24 is directly connected, BVI75
     75.0.0.0/28 is subnetted, 1 subnets
C       75.149.48.64 is directly connected, FastEthernet4
S*   0.0.0.0/0 [2/0] via 75.149.48.78

3. Show IP address

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  75.149.48.65           69   001e.2a39.7b08  ARPA   FastEthernet4
Internet  75.149.48.76            -   0026.99c5.b434  ARPA   FastEthernet4
Internet  75.149.48.78           93   0022.2d6c.ae36  ARPA   FastEthernet4
Internet  192.168.75.1            -   0027.0d58.f5f0  ARPA   BVI75
Internet  192.168.75.12          50   7c6d.62c7.8c0a  ARPA   BVI75
Internet  192.168.75.13           0   001b.6301.1227  ARPA   BVI75

4. Start cef

Prefix               Next Hop             Interface
0.0.0.0/0            75.149.48.78         FastEthernet4
0.0.0.0/8            drop
0.0.0.0/32           receive              
64.1.208.90/32       75.149.48.78         FastEthernet4
75.149.48.64/28      attached             FastEthernet4
75.149.48.64/32      receive              FastEthernet4
75.149.48.65/32      attached             FastEthernet4
75.149.48.76/32      receive              FastEthernet4
75.149.48.78/32      attached             FastEthernet4
75.149.48.79/32      receive              FastEthernet4
127.0.0.0/8          drop
192.168.10.0/24      attached             BVI75
192.168.75.0/24      attached             BVI75
192.168.75.0/32      receive              BVI75
192.168.75.1/32      receive              BVI75
192.168.75.12/32     attached             BVI75
192.168.75.13/32     attached             BVI75
192.168.75.255/32    receive              BVI75
224.0.0.0/4          drop
224.0.0.0/24         receive              
240.0.0.0/4          drop
255.255.255.255/32   receive

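Thanks in advance,

-Mike

Answer 1

I ran into a problem where auto-negotiation was incompatible with the ISP's equipment. I would call Comcast and make sure your port speed and settings match.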
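
An added example (not from the original post or answer): a small Python check that reads `show interface` output, here an excerpt of the output posted in the question, and reports the negotiated duplex and speed, the counters that usually accompany a duplex mismatch, and a stalled receive path. The function names and the 300-second idle threshold are assumptions.

```python
import re

# Excerpt of the "show interface fa4" output posted in the question above.
SAMPLE = """\
FastEthernet4 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
  Last input 01:08:15, output 00:00:00, output hang never
     Received 23 broadcasts, 0 runts, 0 giants, 37 throttles
     41 input errors, 0 CRC, 0 frame, 0 overrun, 41 ignored
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

def _secs(stamp):
    """Convert an hh:mm:ss idle timer to seconds; 'never' and other forms -> None."""
    m = re.fullmatch(r"(\d+):(\d\d):(\d\d)", stamp)
    return None if not m else int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])

def parse_show_interface(text):
    """Extract negotiated link settings, idle timers and error counters."""
    stats = {}
    m = re.search(r"(Full|Half)-duplex, (\d+)Mb/s", text)
    if m:
        stats["duplex"], stats["speed_mbps"] = m[1].lower(), int(m[2])
    m = re.search(r"Last input (\S+), output (\S+),", text)
    if m:
        stats["last_input_s"], stats["last_output_s"] = _secs(m[1]), _secs(m[2])
    for name in ("runts", "CRC", "collisions", "late collision", "ignored", "throttles"):
        m = re.search(rf"(\d+) {name}\b", text)
        if m:
            stats[name] = int(m[1])
    return stats

def assess(stats, stall_after_s=300):
    """Return findings; stall_after_s is an assumed threshold, tune it per site."""
    findings = []
    if stats.get("duplex") == "half":
        findings.append("link came up half-duplex: check the peer's speed/duplex setting")
    if stats.get("late collision", 0) or stats.get("CRC", 0) or stats.get("runts", 0):
        findings.append("late collisions/CRC/runts present: typical of a duplex mismatch")
    li, lo = stats.get("last_input_s"), stats.get("last_output_s")
    if li is not None and lo is not None and li >= stall_after_s and lo < stall_after_s:
        findings.append(f"receive path idle for {li}s while still transmitting")
    if stats.get("ignored", 0) or stats.get("throttles", 0):
        findings.append("ignored/throttled input: receiver was short of buffers or overloaded")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(parse_show_interface(SAMPLE))))
```

Comparing the same fields on the modem or ISP side of the link shows whether both ends negotiated the same speed and duplex.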
