[cisco-nas] As5300 crashes
Adam Greene
maillist at webjogger.net
Sat Nov 1 08:45:13 EST 2003
One issue I see with your configuration is that although you have defined an
ACL
access-list 110 permit tcp any any established
access-list 110 deny icmp any any echo log
access-list 110 deny icmp any any echo-reply log
access-list 110 permit ip any any
I don't see that you have actually applied it to any interface, so I think
it is not doing anything.
I suggest the following:
interface Group-Async1
ip access-group 110 in
ip access-group 110 out
After configuring this kind of ACL on my own AS5396, it stopped locking up.
You can gauge the effectiveness also by issuing a "show access-list"
command:
Extended IP access list 110
deny icmp any any echo (34882010 matches)
deny icmp any any echo-reply (17507 matches)
...
(various additional deny commands)
...
permit ip any any (396308442 matches)
The link Mark provided goes into further detail, too...
Hope that helps,
Adam
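The two checks Adam describes (is the ACL actually referenced by an interface, and what do its match counters say once it is) can be scripted against saved output. The following Python is an added example, not code from the thread or from Cisco; it parses a running config for `access-list` definitions and `ip access-group` references, reports ACLs that are defined but applied nowhere, and summarises the deny counters from `show access-list`. The config excerpt and the counter values are constructed samples modelled on the quoted post, and the parser assumes IOS-style layout (one-space subcommand indentation or `!` separators between blocks).

```python
import re
from dataclasses import dataclass

# Constructed excerpt, trimmed from the running config quoted in the thread
# (addresses left masked as the poster masked them).
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 65.xxx.xxx.xxx 255.255.255.0
 no ip unreachables
!
interface Group-Async1
 ip unnumbered Loopback0
 no ip unreachables
 encapsulation ppp
 group-range 1 192
!
access-list 101 permit ip any any
access-list 110 permit tcp any any established
access-list 110 deny icmp any any echo log
access-list 110 deny icmp any any echo-reply log
access-list 110 permit ip any any
"""

# Constructed "show access-list" output shaped like the one in the reply;
# the counters are sample values, not measurements.
SAMPLE_SHOW_ACCESS_LIST = """\
Extended IP access list 110
    permit tcp any any established (512233 matches)
    deny icmp any any echo log (34882010 matches)
    deny icmp any any echo-reply log (17507 matches)
    permit ip any any (396308442 matches)
"""

ACL_DEF_RE = re.compile(r"^access-list (\S+) (permit|deny) (.+)$")
ACCESS_GROUP_RE = re.compile(r"^ip access-group (\S+) (in|out)$")


def defined_acls(config: str) -> dict[str, list[str]]:
    """Map each ACL number/name to its entries, in config order."""
    acls: dict[str, list[str]] = {}
    for line in config.splitlines():
        m = ACL_DEF_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
    return acls


def applied_acls(config: str) -> dict[str, list[tuple[str, str]]]:
    """Map each ACL to the (interface, direction) pairs that reference it.
    An interface block runs from 'interface X' to the next '!' line, so this
    also copes with configs whose indentation was lost in e-mail."""
    applied: dict[str, list[tuple[str, str]]] = {}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        if line == "!":
            iface = None
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m and iface is not None:
            applied.setdefault(m.group(1), []).append((iface, m.group(2)))
    return applied


def unapplied_acls(config: str) -> list[str]:
    """ACLs that are defined but filter nothing because no interface uses them."""
    return sorted(set(defined_acls(config)) - set(applied_acls(config)))


def apply_acl(config: str, interface: str, acl: str, directions=("in", "out")) -> str:
    """Return the config with 'ip access-group' lines added under the interface
    (the change the reply recommends for Group-Async1)."""
    out = []
    for raw in config.splitlines():
        out.append(raw)
        if raw.strip() == f"interface {interface}":
            out.extend(f" ip access-group {acl} {d}" for d in directions)
    return "\n".join(out) + "\n"


@dataclass
class AclHit:
    acl: str
    action: str
    entry: str
    matches: int


SHOW_HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)$")
SHOW_ENTRY_RE = re.compile(r"^(permit|deny) (.*?)(?: \((\d+) matches\))?$")


def parse_show_access_list(output: str) -> list[AclHit]:
    """Parse 'show access-list' output into entries with their match counters
    (an entry that has never matched is shown without a counter)."""
    hits: list[AclHit] = []
    acl = None
    for raw in output.splitlines():
        line = raw.strip()
        m = SHOW_HEADER_RE.match(line)
        if m:
            acl = m.group(1)
            continue
        m = SHOW_ENTRY_RE.match(line)
        if m and acl is not None:
            action, rest, count = m.groups()
            hits.append(AclHit(acl, action, f"{action} {rest}", int(count or 0)))
    return hits


def deny_hits(output: str) -> list[tuple[str, int]]:
    """Deny entries ordered by match count, highest first: how much traffic
    the ACL is actually dropping, and which entry is doing the work."""
    hits = parse_show_access_list(output)
    return sorted(((h.entry, h.matches) for h in hits if h.action == "deny"),
                  key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    print("defined but unapplied:", unapplied_acls(SAMPLE_CONFIG))
    print("after fix:", unapplied_acls(apply_acl(SAMPLE_CONFIG, "Group-Async1", "110")))
    for entry, n in deny_hits(SAMPLE_SHOW_ACCESS_LIST):
        print(f"{n:>12}  {entry}")
```

Run against a real `show running-config` capture, `unapplied_acls` returns exactly the situation in the quoted post (both 101 and 110 defined, neither applied); re-running it on the output of `apply_acl` leaves only 101, which the poster's config never references either. A steadily climbing counter on the echo deny entry, compared between two captures, is a reasonable proxy for an infected dial-in user still on the box.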
----- Original Message -----
From: "John Lord" <lord at allturbo.com>
To: <cisco-nas at puck.nether.net>
Sent: Friday, October 31, 2003 10:51 AM
Subject: [cisco-nas] As5300 crashes
> Is anyone still having problems with worms crashing their NASes? I have
> an AS5300 that is still locking up every couple of weeks. I've added no ip
> route-cache and ip cef to it, but if I don't watch my network and kill
> off infected users it will lock up every day. Is there a fix or
> something I need to add to my config? Here is my config below.
>
> As5300-Oc#sh conf
> Using 4638 out of 124920 bytes
> !
> version 12.2
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> !
> hostname As5300-Oc
> !
> boot system flash:c5300-i-mz.122-15.T1.bin
> logging queue-limit 100
> logging buffered 10000 debugging
> no logging console
> enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> !
> username xxxxx password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> spe 1/0 1/7
> firmware location bootflash:mica-modem-pw.2.9.4.0.bin
> spe 2/0 2/7
> firmware location bootflash:mica-modem-pw.2.9.4.0.bin
> !
> !
> resource-pool disable
> !
> modem link-info poll time 10
> aaa new-model
> !
> !
> aaa authentication login default local group radius
> aaa authentication login consoleport none
> aaa authentication ppp default if-needed group radius
> aaa authorization network default group radius
> aaa accounting delay-start
> aaa accounting update periodic 5
> aaa accounting exec default start-stop group radius
> aaa accounting network default start-stop group radius
> aaa session-id common
> ip subnet-zero
>
> ip cef
> ip finger
> ip name-server 65.xxx.xxx.xxx
> !
> async-bootp dns-server 65.xxx.xxx.xxx 65.xxx.xxx.xxx
> !
> isdn switch-type primary-dms100
> isdn voice-call-failure 0
> modemcap entry
> mica-nokflex:MSC=&F&D2S54=16584S0=0S29=12S21=15S62=8S63=3S34=18000S40=10S10=50
> !
> !
> controller T1 0
> framing esf
> clock source line primary
> linecode b8zs
> pri-group timeslots 1-24 nfas_d primary nfas_int 0 nfas_group 0
> !
> controller T1 1
> framing esf
> clock source line secondary 1
> linecode b8zs
> pri-group timeslots 1-24 nfas_d backup nfas_int 1 nfas_group 0
> !
> controller T1 2
> framing esf
> linecode b8zs
> pri-group timeslots 1-24
> !
> controller T1 3
> framing esf
> linecode b8zs
> pri-group timeslots 1-24
> !
> controller T1 4
> shutdown
> framing sf
> linecode ami
> !
> controller T1 5
> shutdown
> framing sf
> linecode ami
> !
> controller T1 6
> shutdown
> framing sf
> linecode ami
> !
> controller T1 7
> shutdown
> framing sf
> linecode ami
> !
> !
> interface Loopback0
> ip address 65.xxx.xxx.xxx 255.255.255.128
> !
> interface Serial0:23
> ip unnumbered Loopback0
> encapsulation ppp
> no ip route-cache
> dialer-group 1
> isdn switch-type primary-dms100
> isdn incoming-voice modem
> peer default ip address pool setup_pool
> fair-queue 64 256 0
> ppp authentication pap
> ppp multilink
> !
> interface Serial2:23
> ip unnumbered Loopback0
> encapsulation ppp
> no ip route-cache
> dialer-group 1
> isdn switch-type primary-dms100
> isdn incoming-voice modem
> peer default ip address pool setup_pool
> fair-queue 64 256 0
> ppp authentication pap
> ppp multilink
> !
> interface Serial3:23
> ip unnumbered Loopback0
> encapsulation ppp
> no ip route-cache
> dialer-group 1
> isdn switch-type primary-dms100
> isdn incoming-voice modem
> peer default ip address pool setup_pool
> fair-queue 64 256 0
> ppp authentication pap
> ppp multilink
> !
> interface FastEthernet0
> ip address 65.xxx.xxx.xxx 255.255.255.0
> no ip unreachables
> duplex full
> speed 100
> no cdp enable
> !
> interface Group-Async1
> ip unnumbered Loopback0
> no ip unreachables
> encapsulation ppp
> ip tcp header-compression
> async mode interactive
> peer default ip address pool setup_pool
> no keepalive
> ppp authentication pap
> group-range 1 192
> !
> ip local pool setup_pool 65.xxx.xxx.xxx 65.xxx.xxx.xxx
> ip classless
> ip route 0.0.0.0 0.0.0.0 65.xxx.xxx.xxx
> no ip http server
> !
> !
> !
> !
> access-list 101 permit ip any any
> access-list 110 permit tcp any any established
> access-list 110 deny icmp any any echo log
> access-list 110 deny icmp any any echo-reply log
> access-list 110 permit ip any any
> dialer-list 1 protocol ip permit
> snmp-server engineID local 000000090200003080BD40CA
> snmp-server community xxxxxx RO
> snmp-server enable traps tty
> radius-server host 65.xxx.xxx.xxx auth-port 1812 acct-port 1813 non-standard
> radius-server key 7 xxxxxxxxxx
> radius-server authorization permit missing Service-Type
> !
> line con 0
> exec-timeout 0 0
> logging synchronous
> line 1 192
> no flush-at-activation
> modem Dialin
> modem autoconfigure type mica-nokflex
> autocommand ppp
> autoselect during-login
> autoselect ppp
> line aux 0
> line vty 0 4
> exec-timeout 0 0
> password 7 xxxxxxxxxxxxx
> !
> scheduler interval 1000
> end
>
> John Lord
> It Manager
> AllTurbo Internet Services Inc
> 410-213-9388 Office
> www.allturbo.com
>
>
> _______________________________________________
> cisco-nas mailing list
> cisco-nas at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nas
> ---
> [This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]