Strange behavior of Catalyst4006

Hi,

We met a strange problem with the Catalyst 4006 when providing leased line service to one of our customers.

Catalyst4006 ------------ Customer's firewall ---------------Customer's Intranet
                  
The customer is allocated a Class C address block, 192.168.5/24, and they connect their network to our
network using a firewall. The interface on the Cata4006 is set up as "no switchport", and an inter-connecting
subnet is configured between the Cata4006 and the firewall interface (10.10.1.122/30).

A static route is used on the Catalyst 4006 to point to the customer's intranet addresses (ip route 192.168.5.0
255.255.255.0 10.10.1.124). The customer set up their email server at 192.168.5.7, DNS server at 192.168.5.1 and
web server at 192.168.5.9.

At the very beginning all systems worked fine. After some time they said they could not access their email/web/DNS
servers from hosts outside their company's network. But when we telnet to the Cata4006, we could 'ping'
192.168.5.7, while if we moved to a host in the NOC the ping failed every time (ping to the server is allowed on the firewall). At the same
time, their intranet hosts could access our network.

We restarted (shut; no shut) the FastEthernet interface on the Catalyst 4006, and then the servers' network access recovered.

This phenomenon comes up frequently, and our customer says this is a bug in the Catalyst 4006. But, to my understanding,
if this were a CatOS bug, it should not affect only three servers. And why can it be solved by restarting the Catalyst interface?

Would you please help? (I attach the system info below.)

Joe Shen

It is possible that this issue is being caused by the customer's firewall as
well. Every Ethernet cable has two ends. :) I would check and see if the
customer's firewall log says anything. I believe doing a shut/no shut on
the Cat 4006 causes the Ethernet link to 'flap' on the port, causing the
interface to totally reset on both ends. This could be clearing errored
conditions on both sides. Is there anything interesting in the 4006 log?
Have you done a 'show interface fa4/41' when the interface is broken to see
if it has any reasoning for the failure?

One other thing you could do is a 'no cdp enable' on the interface. You
really won't get any CDP information from a firewall anyway...at least you
*shouldn't* get any. :)

- Erik

Joe Shen wrote:

The customer is allocated a Class C address block, 192.168.5/24, and they connect their network to our
network using a firewall. The interface on the Cata4006 is set up as "no switchport", and an inter-connecting subnet is configured between the Cata4006 and the firewall interface (10.10.1.122/30).

For starters, 10.10.1.122/30 is not on a valid subnet boundary.

Another thing to make sure of is that speed and duplex are always forced toward customer-facing equipment (you never know what's on the other side).
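Added example (not posted by anyone in this thread): a small Python check of the addressing quoted above, using only the values given in the original post. It shows that 10.10.1.122/30 falls inside the block 10.10.1.120/30 (usable hosts .121 and .122, broadcast .123), so .122 is a valid host address there but not the subnet number, and that the static route's next hop 10.10.1.124 is outside that /30 altogether (it is the network number of the adjacent block), so as written the route cannot resolve over this link. The function names are my own; the script assumes IPv4 and prefixes of /30 or shorter.

```python
import ipaddress


def describe_subnet(addr_with_prefix: str) -> dict:
    """Describe the block that an interface address belongs to.

    ip_interface() keeps the host part of the address; its .network strips
    it, which is exactly the "is this address on a subnet boundary"
    question. Assumes IPv4 with a prefix of /30 or shorter (a /31 has no
    broadcast address and both of its addresses are usable).
    """
    iface = ipaddress.ip_interface(addr_with_prefix)
    net = iface.network
    hosts = list(net.hosts())  # usable addresses, network and broadcast excluded
    return {
        "address": str(iface.ip),
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "is_network_address": iface.ip == net.network_address,
        "is_broadcast_address": iface.ip == net.broadcast_address,
    }


def next_hop_on_link(addr_with_prefix: str, next_hop: str) -> bool:
    """True if a static route's next hop is a usable host address on the
    same subnet as the interface, i.e. directly reachable on that link."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    net = iface.network
    nh = ipaddress.ip_address(next_hop)
    return (
        nh in net
        and nh != iface.ip
        and nh != net.network_address
        and nh != net.broadcast_address
    )


def audit_link(addr_with_prefix: str, next_hop: str) -> list:
    """Return human-readable findings for one interface/static-route pair;
    an empty list means the addressing is consistent."""
    info = describe_subnet(addr_with_prefix)
    net = ipaddress.ip_interface(addr_with_prefix).network
    findings = []
    if info["is_network_address"]:
        findings.append(f"{info['address']} is the network number of {net}, not a host address")
    if info["is_broadcast_address"]:
        findings.append(f"{info['address']} is the broadcast address of {net}, not a host address")
    if not next_hop_on_link(addr_with_prefix, next_hop):
        findings.append(
            f"next hop {next_hop} is not a usable host on {net} "
            f"(usable: {info['first_host']}-{info['last_host']}); "
            "the static route cannot resolve over this link"
        )
    return findings


if __name__ == "__main__":
    # Values taken from the thread: the /30 toward the firewall and the
    # next hop in "ip route 192.168.5.0 255.255.255.0 10.10.1.124".
    # The second pair is a constructed, consistent counterpart for contrast.
    for cidr, nh in [("10.10.1.122/30", "10.10.1.124"), ("10.10.1.122/30", "10.10.1.121")]:
        print(cidr, "next hop", nh, "->", describe_subnet(cidr))
        for finding in audit_link(cidr, nh) or ["no addressing problems found"]:
            print("   ", finding)
```

Run it as a script to see the block boundaries and findings printed; in a larger tool you would call audit_link() for every point-to-point interface and static route pulled from the running config before chasing link flaps or suspected platform bugs.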