Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: Cisco 801 ISDN Problem

Cisco 801 ISDN Problem 9 years 7 months ago #19887

  • TheBishop
  • TheBishop's Avatar
  • Offline
  • Moderator
  • Posts: 1719
  • Thank you received: 8
  • Karma: 5
We have 3 sites:

Site 1 (remote location)
Kit - Cisco 801 router
Connection - ISDN2

Site 2 (central)
Kit - Cisco 2611XM
Connection - ISDN30

Site 3 (central standby)
Kit - Cisco 2611XM
Connection - ISDN30

Overview of how it works:

Site 1 dials up Site 2 via ISDN. Once the connection is established, traffic goes through the router and onto a firewall, then to a web server so the remote users can display a web page. This connection works fine.

I can get Site 1 to dial up to either Site 2 or Site 3 by changing the dialler entry in Site 1's router and rebooting it, and the web page is displayed okay.

What we need it to do:

Site 1 presently has a dialer configured with a single dialer string. We need to add a 2nd dialer string for the Site 3 site. The idea is that if the connection to Site 2 fails to connect for whatever reason then it dials Site 3 instead and connects.

This works (see below), and I can see the incoming activity on the firewall, however the web page will not load up! But if I reboot the router at Site 1, the web page then loads.

Testing:

Test 1.
I can reproduce the problem quite easily. Both web servers at Site 2 and Site 3 are accessible. If I set up the router to dial Site 2 and load up the web page via a connected device, it works fine. However, if I then disconnect the ISDN and change the dialler config to dial Site 3 (with only a single dialer string), the router dials and connects, but the web page wont load....if I reboot the router, hey presto....it works.

Test 2.
I set up 2 dialer strings at Site 1, one for Site 2 and one for Site 3, then add dialer order round-robin. The router will dial the 1st dialer string....e.g. Site 2, the web page loads up via a connected device. I then disconnect the ISDN link. And reload the webpage, the router dials Site 3 this time (because of round robin) and connects - but again the web page will not load up.

Site information.

The routers and servers at Site 2 and Site 3 are identical; same IP configs, same firewall rules etc.

Any ideas why it is behaving as it is?

I can provide much more info, configs, IOS versions etc if required; the above is a simple overview of the problem.
The administrator has disabled public write access.

Re: Cisco 801 ISDN Problem 9 years 7 months ago #19888

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
Hi Bishop,

Not had much dealings with this myself as we use DSL but its good to try and help :)

Just wondering what further testings have you done ? I'm thinking showing the routing tables to ensure that the routing is properly setup ? I am thinking this incase the routing information is still pointing to connection 2 and it hasn't cleared when connection 3 has established ? You say it works from a reboot which is why i am wondering. While reading the post i was swaying along a routing issue problem until you put "iThe routers and servers at Site 2 and Site 3 are identical; same IP configs, same firewall rules etc", i am wondering if this is getting the router confussed.

Also,do you see any traffic reaching the remote site ?

Is the Connection definatley establishing the second time ?

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.

Re: Cisco 801 ISDN Problem 9 years 7 months ago #19890

  • TheBishop
  • TheBishop's Avatar
  • Offline
  • Moderator
  • Posts: 1719
  • Thank you received: 8
  • Karma: 5
Yes the connection definitely establishes the second time; you can telnet to the remote router over it. Everything 'looks' right but the web page won't come up until you reboot the Site 1 router. Then it works.
The routing tables are definitely okay. Tried resetting the BRI interface on Site 1's router and tried flushing the ARP cache as well
There has to be something the router is retaining from the first connection that stops it working on the second, and which clears at a reboot. But what?!?
The administrator has disabled public write access.

Re: Cisco 801 ISDN Problem 9 years 7 months ago #19891

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
Yes, i was thinking about it again and it didn't sound right with the routing since its using the same interface.

Can you reach the other side of the connection from a client ? You said you can telnet, i am guessing thats from the router ? Can you do it from a client ?

Hmmm, i will have another ponder.

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.

Re: Cisco 801 ISDN Problem 9 years 7 months ago #19892

  • TheBishop
  • TheBishop's Avatar
  • Offline
  • Moderator
  • Posts: 1719
  • Thank you received: 8
  • Karma: 5
Yes the telnet is router to router. We wouldn't be able to do anything from the remote client except go for the web page as the firewall rules won't permit anything else. And we can't mess with the rules, not even experimentally, as the firewall is a live box that carries other services.
The vendor we got the router from is offering limited support; they'll look at the configs and show version output but if there's nothing obvious then we're on our own
The administrator has disabled public write access.

Re: Cisco 801 ISDN Problem 9 years 7 months ago #19894

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
Thought that the firewall would be in front of the web server thats why i suggested that. I was just curious if the clients were being routed down the ISDN and the issue was traffic coming back (which again wouldn't make sense if it was the case).

I am a little stumped. Can we take a look at the config (or PM me?)

Gonna go and do some CISSP studying (day off work and studying, sad aint it, lol) now but will try and check back in an hour or so.

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.
Time to create page: 0.084 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup