Had a problem site today where the router was constantly dialling different
sites. I must admit this was not a Cisco router, it was a Bintec, but I think
the problem would be the same with a Cisco, so thought I'd mention it
here.

I shoved a sniffer on the Ethernet interface of the router (Bintec debug is
poor), and found that three servers on the LAN were constantly sending HTTP
port 80 packets to (almost) random addresses. I say random, because they did
seem to be within the Class A range even though the Ethernet was using a
24-bit mask.

There was no reason for this traffic apparently, other than one of the
variants of the Code Red virus on the three servers. Once all the Microsoft
patches were installed and the servers re-booted, the problem disappeared.
I'll be honest that I haven't had a good look at which of the variants it was,
as the rest of the day has been pretty busy.

Also had another problem, and I don't know whether it is connected or not.
We've had a sudden flow of support customers with PIX 506s which keep
re-booting (very regularly - every few minutes).

We've replaced a few of them, upgrading the code from the deferred 5.3.1 to
5.3.2, and are waiting to hear whether that alone has cured the problem.

In the lab, I couldn't get the box to fall over even with the deferred code
on. Tried using the sniffed packets from the above server faults with a traffic
generator to generate 100% network traffic, but it still stayed up.

Something I did notice was that the customer's config used the outside
interface within the global range, and had no overload.
i.e. (IP addresses changed)

    ip address outside 192.49.146.243 255.255.255.248
    global (outside) 1 192.49.146.243-192.49.146.246

whereas I used something more like:

    ip address outside 192.49.146.243 255.255.255.248
    global (outside) 1 192.49.146.244-192.49.146.245
    global (outside) 1 192.49.146.246

I know I could now use the outside interface with the accepted commands, but
I am not convinced that the customer's config is a workable method.
Can anybody advise on whether or not the customer's config would actually do
PAT, or whether it would allow four NAT sessions then stop?

I won't rattle on any more as I suspect the number of people reading this
far is limited, but may have further input if the thread continues.

Regards,
Gaz

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15160&t=15160
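
The symptom described in the post (LAN hosts sending port 80 traffic to many near-random addresses outside the local subnet, mostly within the same Class A range) can be checked for in a capture summary. This is an added example, not part of the original post; the `src dst dport` record format, the 10.1.1.0/24 LAN, the threshold and every sample address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed capture summary, one "src dst dport" record per line.
SAMPLE = """\
10.1.1.5 10.12.40.7 80
10.1.1.5 10.200.3.91 80
10.1.1.5 10.45.9.120 80
10.1.1.5 10.88.17.2 80
10.1.1.5 10.3.250.33 80
10.1.1.5 172.20.5.5 80
10.1.1.9 192.0.2.10 80
10.1.1.9 192.0.2.10 80
10.1.1.9 10.1.1.5 80
10.1.1.9 192.0.2.20 443
truncated line
"""

def find_scanners(lines, lan="10.1.1.0/24", port=80, min_dests=5):
    """Return LAN hosts that contacted >= min_dests distinct off-LAN
    addresses on `port`, with how many share the host's first octet."""
    lan_net = ipaddress.ip_network(lan)
    dests = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            dport = int(parts[2])
        except ValueError:
            continue
        # Only traffic from a LAN host to an address outside the LAN counts.
        if dport != port or src not in lan_net or dst in lan_net:
            continue
        dests[src].add(dst)
    report = {}
    for src, seen in dests.items():
        if len(seen) < min_dests:
            continue
        same_a = sum(1 for d in seen if d.packed[0] == src.packed[0])
        report[str(src)] = {"dests": len(seen), "same_class_a": same_a}
    return report

if __name__ == "__main__":
    for host, stats in find_scanners(SAMPLE.splitlines()).items():
        print(host, stats)
```

Counting distinct destinations rather than packets keeps a busy but legitimate client (many requests to one server) from being flagged.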