|
Home > Archive > alt.certification.cisco > September 2003 > 2620 Hangs every hour
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
2620 Hangs every hour
|
|
| WhyAks 2003-09-23, 12:24 am |
| We use a 2620 router to access the Internet and a Terminal Server
application via a VPN connection. The router stops routing Internet
traffic about every hour and the only solution is cold reboot of the
router (with both cpu and memory maxed out). What's weird, the VPN
connection is on most of the time.
We did all the basic troubleshooting we could (virus cleaning,
patching clients, cables, switches, etc.) but the only thing we could
tell is that the router is being flooded from the "inside".
Any ideas?
| |
|
| did'nt like the suggestions we gave you from your other post?
You should apply ACL's on the router ANYWAY just to get an idea of where
it's coming from, if you say it's coming from the inside, so put an acl on
the inside interface, THEN run a debug ip icmp (only because this is the
most common issue right now, and I realize this may drop the box again, but
it'll tell you where the virii traffic is coming from. I've included an acl
below you should be able to apply to the box (unless you did already, but
you didn't say anything)
conf t
access-list 114 deny icmp any any
access-list 114 deny tcp any any range 134 139 (get all thos dam ports
blocked in case)
access-list 114 permit ip any any
interface FastEthernet0/0
ip access-group 114 in
ip access-group 114 out
end
notice i've applied the ACL to incoming AND outgoing traffic, just to
monitor. After you put this in, check with show ip access-list, if you see a
shitload of hits beside ICMP or 135, you'll know where your problem lies..
Hope this helps
shoot me an email if this dosen't work
SD
..
"WhyAks" <mapjat@hotmail.com> wrote in message
news:cjfvmvkc803ahob11mei1ba8c
au6atb3nf@4ax.com...
> We use a 2620 router to access the Internet and a Terminal Server
> application via a VPN connection. The router stops routing Internet
> traffic about every hour and the only solution is cold reboot of the
> router (with both cpu and memory maxed out). What's weird, the VPN
> connection is on most of the time.
>
> We did all the basic troubleshooting we could (virus cleaning,
> patching clients, cables, switches, etc.) but the only thing we could
> tell is that the router is being flooded from the "inside".
>
> Any ideas?
| |
| Hansang Bae 2003-09-23, 6:26 pm |
| In article <56Rbb.3022$qu4.316653@news20.bellglobal.com>, diesel7108
@NOSPAM.sympatico.ca says...
> did'nt like the suggestions we gave you from your other post?
[snip]
> conf t
> access-list 114 deny icmp any any
[snip]
Note that this breaks Path MTU Discovery mechanism.
--
hsb
"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
******************************
******************************
********
Due to the volume of email that I receive, I may not not be able to
reply to emails sent to my account. Please post a followup instead.
******************************
******************************
********
| |
|
| I realize it may have adverse consequences, but this is to troublsh00t,
they are minimal if compared to the fact that the box is dropping every hour
=(
"Hansang Bae" <uonr@alp.ee.pbz> wrote in message
news:MPG.19da8662e8b725ba989ae6@news-server.nyc.rr.com...
> In article <56Rbb.3022$qu4.316653@news20.bellglobal.com>, diesel7108
> @NOSPAM.sympatico.ca says...
> > did'nt like the suggestions we gave you from your other post?
> [snip]
> > conf t
> > access-list 114 deny icmp any any
> [snip]
>
> Note that this breaks Path MTU Discovery mechanism.
>
>
> --
>
> hsb
>
> "Somehow I imagined this experience would be more rewarding" Calvin
> *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
> ******************************
******************************
********
> Due to the volume of email that I receive, I may not not be able to
> reply to emails sent to my account. Please post a followup instead.
> ******************************
******************************
********
| |
| Hans Pauly 2003-09-24, 4:25 am |
| smells like the Welchea virus.....
Yea, I know this onw has been around for months, but It's still
alive. Just ran into it again the other day.
5 infected boxes can cripple a 1700, takes a bit more for a 2600.
Somewhere along the line, somebody suggested WINDUMP to track. I've
found that this exasperates the situation, cuz now in addition to all
the ICMP packets you now add ARP's.
WhyAks wrote:
> We use a 2620 router to access the Internet and a Terminal Server
> application via a VPN connection. The router stops routing Internet
> traffic about every hour and the only solution is cold reboot of the
> router (with both cpu and memory maxed out). What's weird, the VPN
> connection is on most of the time.
>
> We did all the basic troubleshooting we could (virus cleaning,
> patching clients, cables, switches, etc.) but the only thing we could
> tell is that the router is being flooded from the "inside".
>
> Any ideas?
| |
| Mark Smythe 2003-09-24, 6:25 pm |
| do you mean the interface that workstations attach to is flooded ? How
did you figure that out ? You may want to try ip accounting on the
interfaces to see if maybe there is one source generating the most
traffic. I would also check the accounting on the VPN if it is not
supposed to be active. I dont know if that is what you meant by the
flooding. I would also check the switch rx/tx lights and see if there is
something obvious such as one light being on constantly. If you have a
managed switch then you should be able to look at port statistics. then
again maybe you have the latest virus that your software didnt pick up (
it has happened before )
WhyAks wrote:
> We use a 2620 router to access the Internet and a Terminal Server
> application via a VPN connection. The router stops routing Internet
> traffic about every hour and the only solution is cold reboot of the
> router (with both cpu and memory maxed out). What's weird, the VPN
> connection is on most of the time.
>
> We did all the basic troubleshooting we could (virus cleaning,
> patching clients, cables, switches, etc.) but the only thing we could
> tell is that the router is being flooded from the "inside".
>
> Any ideas?
|
|
|
|
|