Paul,

In my humble opinion, having a new router doesn't resolve the problem. I didn't
create an RMA case: I will create it when and if the problem appears.

This week I opened two cases for the same problem: "high CPU utilization".
I had 4000 NAT translations in a few seconds. From "sh ip nat translation" I
was able to see every source/destination IP address.
The workaround suggested by Cisco was to configure some static routes for
these hosts to the Null0 interface.

This time the situation is different.
I have high CPU utilization but normal NAT translations, and the IP input
process is low.
Cisco doesn't think it is an attack or a Code Red.
I gave Cisco telnet access to my router:
- we upgraded IOS to 12.2(3)
- we reset all the universe
and at the end they suggested creating an RMA case.

Connected to this router I have a Lucent Cajun P333 switch, 24x4 UTP ports
10/100 (92 ports busy and only 4 available...).
I checked all the ports and (Murphy's Law) at the end (port 90) I found the
"killer".
I removed this host (Sun Enterprise 220R / Solaris 2.6) and the situation
has experienced a noticeable improvement (10% CPU utilization).
In networking matters I do not believe in coincidences.

By the way the case is still open.

Ciao,
Teresa

>Avete una buona fine settimana!
Your Italian is fine, better than my English.
Have a nice weekend, you too!


  ----- Original Message -----
  From: Paul Werner
  To: [EMAIL PROTECTED]
  Sent: Saturday, August 25, 2001 3:17 AM
  Subject: Re: Re: Subject: Re: sh arp [7:17012]


  Teresa,

  You can't argue with getting a new router :-)  I would call
  that a giant leap in the direction of problem resolution.

  If you are able to get a new router and the same conditions
  appear to exist, then additional troubleshooting may be
  required. If it is in fact some form of a hacking attack,
  having a sniffer available will aid in discovering the nature
  and severity of the hacking attack.  Besides, it never hurts to
  have a sniffer handy for general network troubleshooting and
  analysis. BTW, make sure you document the IOS you have in the
  router before it ships and don't forget to save your config to
  a TFTP server and erase it from the router prior to shipping.

  Best of luck with the new router and let us know if the problem
  got resolved.

  v/r,

  Paul Werner

  From my very poor Italian translation:)

  Avete una buona fine settimana!





  ---- On Fri, 24 Aug 2001, Teresa Presutto ([EMAIL PROTECTED]) wrote:

  > Paul,
  >
  > to be honest Cisco suggested to create a RMA case (a new router in 4
  > hours).
  >
  > I know that could be a form of hacking attack and I'm downloading the
  > sniffer you provided me.
  > Thank you and have a goodnight,
  >
  > Teresa
  >
  >   ----- Original Message -----
  >   From: Paul Werner
  >   To: [EMAIL PROTECTED]
  >   Sent: Friday, August 24, 2001 7:15 PM
  >   Subject: Re: Re: Subject: Re: sh arp [7:17012]
  >
  >
  >   Teresa,
  >
  >   I read the email exchanges.  Did Cisco resolve the matter for
  >   you?  Reading the exchanges below, that is not exactly clear.
  >   If you were getting 4000+ packets per second very late at
  >   night, I would tend to agree with another poster (was it
  >   Rheinhold?) that there is possibly some form of hacking attack
  >   going on.  This also assumes that you do not have any late
  >   night scheduled tasks that consume high bandwidth (such as an
  >   across the wire backup).  Have you put a sniffer on the wire to
  >   see what is going on?  There is a sniffer that you may want to
  >   look at that was written in Italy for a graduate project.  The
  >   menus are in English, but the help files are in Italian:
  >
  >   http://netgroup-serv.polito.it/analyzer/
  >
  >   http://netgroup-serv.polito.it/analyzer/install/default.htm
  >
  >   If you are running a non-Windows platform, here is a list of
  >   others out there:
  >
  >   http://www.cotse.com/tools/sniffers.htm
  >
  >   Just to be sure, did Cisco resolve the problem?
  >
  >   v/r,
  >
  >   Paul Werner




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17239&t=17012