Cisco Router Troubleshooting – Multiple Error Types on Cisco 861

I have a connection that users complain is really slow at times. My SNMP graphs from Observium don't show the bandwidth being fully used or high latency. They show a lot of errors on the WAN port of the router though. None of my other WAN connections show any errors on the WAN port via Observium. The LAN ports on the router don't show any errors either.

Picture of WAN port errors in the past month

Below are the interface statistics on the uplink port to the cable modem. The cable modem has been swapped out already without any improvement. I've attempted various configurations with the duplex settings and none seemed to improve the situation.

  5 minute output rate 198000 bits/sec, 56 packets/sec
 157099395 packets input, 3610517494 bytes
 Received 1 broadcasts, 76 runts, 0 giants, 655 throttles
 338 input errors, 0 CRC, 0 frame, 149 overrun, 189 ignored
 0 watchdog
 0 input packets with dribble condition detected
 274553466 packets output, 1939513782 bytes, 0 underruns
 0 output errors, 0 collisions, 4 interface resets
 0 unknown protocol drops
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out

show mem stat

                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   83590CC4   186053436    37257760   148795676   144860192   139092136
      I/O    E700000    26214400     8448092    17766308    17753216    17734940

sh ip nat trans


sh run

Current configuration : 8041 bytes
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
no logging on
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3973140985
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3973140985
 revocation-check none
 rsakeypair TP-self-signed-3973140985
!
!
crypto pki certificate chain TP-self-signed-3973140985
 certificate self-signed 01
 XXXXXXXXXXXXXXX
    quit
no ip source-route
!
!
ip dhcp excluded-address 10.0.2.1 10.0.2.100
!
ip dhcp pool ccp-pool
   network 10.0.2.0 255.255.255.0
   default-router 10.0.2.13 
   dns-server 10.0.5.44 8.8.8.8 
   lease 8
!
!
ip cef
ip inspect log drop-pkt
no ip bootp server
no ip domain lookup
ip domain name company.com
ip name-server 10.0.5.44
!
!
license udi pid CISCO861-K9 sn FTX151603YG
!
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXX
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all icmp
 match access-group name icmp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol rtsp
 match protocol sql-net
 match protocol tftp
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all out_in
 match access-group 115
class-map type inspect match-all icmp_test
 match protocol icmp
class-map type inspect match-all REMOTE_ACCESS
 match access-group name REMOTE_ACCESS
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp
class-map type inspect match-all ccp-protocol-http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect icmp
 class type inspect icmp
  inspect 
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect icmp_test
  inspect 
 class class-default
  drop
policy-map type inspect out_in
 class type inspect out_in
  inspect 
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect REMOTE_ACCESS
  inspect 
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect out_in
! 
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXX address VPN END POINT IP
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac 
!
crypto map mymap 10 ipsec-isakmp 
 set peer VPN END POINT IP
 set security-association lifetime seconds 36000
 set transform-set myset 
 match address 102
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address MY IP 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex full
 speed 100
 crypto map mymap
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.0.2.13 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list no-nat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 MY IP
!
ip access-list extended REMOTE_ACCESS
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit tcp any any eq telnet
 permit icmp any any
ip access-list extended icmp
 permit icmp any any
ip access-list extended no-nat
 deny   ip 10.0.2.0 0.0.0.255 10.0.100.0 0.0.0.255
 deny   ip 10.0.2.0 0.0.0.255 10.0.5.0 0.0.0.255
 deny   ip any host MY IP
 deny   ip host MY IP any
 deny   ip any host 10.0.2.13
 deny   ip host 10.0.2.13 any
 deny   ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip any any
!
ip access-list log-update threshold 1
no logging trap
logging 10.0.2.153
access-list 23 permit 10.0.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip MY IP 10.0.0.3 any
access-list 101 deny   ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 deny   ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny   ip 10.0.2.0 0.0.0.255 10.0.4.0 0.0.0.255
access-list 101 deny   ip 10.0.2.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 101 deny   ip 10.0.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 10.0.2.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 permit ip 10.0.2.0 0.0.0.255 any
access-list 102 permit ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 102 permit ip 10.0.2.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 115 permit ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 115 permit ip 10.0.0.0 0.0.255.255 10.0.2.0 0.0.0.255
access-list 199 permit ip host 10.0.2.7 host 10.0.5.120
access-list 199 permit ip host 10.0.5.120 host 10.0.2.7
no cdp run

snmp-server community public RO
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Best Answer

@PHLiGHT, hello there!

Your Cisco 861, imho, has been overloaded by ingress traffic. Let's look at your Cisco iface counters:

 5 minute output rate 198000 bits/sec, 56 packets/sec
 157099395 packets input, 3610517494 bytes
 Received 1 broadcasts, 76 runts, 0 giants, 655 throttles
 338 input errors, 0 CRC, 0 frame, 149 overrun, 189 ignored

You have 655 throttles, so there are two major reasons: CPU overload, buffer overload.

And you have 338 errors ("149 overruns" + "189 ignored"); I guess this is also caused by overload of your router. Details: overruns, ignored and a useful Cisco PDF about drops troubleshooting.

It would be very interesting for me to see the output of these commands:

 sh interfaces fa4  | i que  
 sh interfaces fa4 switching
 sh proc cpu sort

P.S. It is very strange to see 76 runts, as usually they are caused by collisions (which can only happen in simplex mode), but in the config we have "duplex full". Imho, clean the counters, do not change the duplex mode, wait some time; the runts shouldn't increase.

P.P.S. I guess this situation can't cause serious problems, because you have "only" 1 error per ~500000 packets; it is not too bad in most cases, really ;-)
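
The counter arithmetic from the answer above, as an added example that is not part of the original post: a Python parser for the "show interfaces" counter lines quoted in the question. It computes packets per input error and separates the counters the answer ties to router overload from those tied to the link. The function names and the OVERLOAD/LINK grouping are assumptions made for this example.

```python
import re

# Counter lines copied from the question's "show interfaces" output (WAN port).
SAMPLE = """\
 157099395 packets input, 3610517494 bytes
 Received 1 broadcasts, 76 runts, 0 giants, 655 throttles
 338 input errors, 0 CRC, 0 frame, 149 overrun, 189 ignored
 274553466 packets output, 1939513782 bytes, 0 underruns
 0 output errors, 0 collisions, 4 interface resets
"""

# Grouping used by this example (an assumption that follows the answer's
# reasoning): throttles/overrun/ignored point at the router itself (CPU or
# buffers), the remaining counters point at the physical link.
OVERLOAD = ("throttles", "overrun", "ignored")
LINK = ("CRC", "frame", "runts", "giants", "collisions")

# "<number> <name>" pairs, where the name runs up to the next comma or line end.
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)(?=,|$)", re.MULTILINE)


def parse_counters(text):
    """Return {counter name: value}; for a repeated name (bytes) the first wins."""
    counters = {}
    for value, name in COUNTER_RE.findall(text):
        counters.setdefault(name.strip(), int(value))
    return counters


def assess(counters):
    """Summarise input-side health from parsed counters."""
    packets = counters["packets input"]
    errors = counters["input errors"]
    overload = {name: counters.get(name, 0) for name in OVERLOAD}
    link = {name: counters.get(name, 0) for name in LINK}
    return {
        # How many packets arrive per counted input error (None if error-free).
        "packets_per_error": packets // errors if errors else None,
        # True when overrun + ignored account for every counted input error.
        "errors_all_overload": errors > 0
        and overload["overrun"] + overload["ignored"] == errors,
        "overload_events": sum(overload.values()),
        "link_events": sum(link.values()),
        # Link-side counters worth re-checking after clearing the counters.
        "link_nonzero": {k: v for k, v in link.items() if v},
    }


if __name__ == "__main__":
    report = assess(parse_counters(SAMPLE))
    for key, value in report.items():
        print(f"{key}: {value}")
```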