Network Problem High CPU and traffic

Unanswered Question
Mar 13th, 2007

My network topology is:

I have a firewall: 1 card connects to the wireless network, which includes 2 Cisco AIR 1100.

1 card to my LAN and 1 card to the internet. In my LAN I have a Cisco 2811 router that serves only my IP telephony. Once every X days my router CPU goes to 85% and I see 70Mbps traffic on the router and on my firewall (I'm monitoring my switch).

Network monitor shows dozens of HTTP / HTTPS RST packets per second from a workstation in the wireless network trying to access an IP on the internet.

(Each time it is a different employee's workstation.) I really don't understand why the traffic comes to my router at all. I also monitored the access point and the wireless LAN switch; no workstation has 70Mbps traffic.

Even if the workstation disconnects from the wireless network the traffic is still 70Mbps and the router is still at 85% CPU. Only if I disconnect the router or the firewall from the network and reconnect does everything go back to normal.

In the network monitor I can see a lot of

> .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame

> .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address

> Source: 00:0e:0c:71:3a:41 (00:0e:0c:71:3a:41)

> Address: 00:0e:0c:71:3a:41 (00:0e:0c:71:3a:41)

> .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame

> .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address

Can someone help me please?

rajivrajan1 Tue, 03/13/2007 - 02:28

Hi idanlerer,

It seems like a DoS attack. As you are saying that the traffic is from your LAN, it need not be an attack from the user. It could be a PC worm, virus or any internet spam.

Use NetFlow, ACLs to track down the source of the packets and find the root cause.

This link could help you.

idanlerer Tue, 03/13/2007 - 02:31

Thanks for the reply.

This problem occurs only from workstations that connect to the wireless LAN.

The same workstation never causes this problem in the LAN.

I scanned for viruses and worms (I am up to date) and nothing was found.

Danilo Dy Tue, 03/13/2007 - 05:36

Turn on IP Accounting in the router. When the problem happens again, you can find which host the high traffic is coming from. Also, capture "show tech-support" or "show proc cpu" during the time when the CPU util is high and post the result here.


idanlerer Tue, 03/13/2007 - 06:07

First, thank you for helping me.

I attached the command output.

I turned on IP Accounting, but how can I use it?

Danilo Dy Tue, 03/13/2007 - 07:20

Use "show ip accounting" to check which host has high data transfer

My findings from your "show tech-support"

1. High Traffic

There's high traffic on the following interfaces that may have overloaded the router CPU:




2. IOS 12.3(14)T5

There are multiple problems with your current IOS.

Search for 12.3(14)T5 in Google

I recommend you upgrade your IOS to the latest stable version first. Come back if you are still having problems.
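
The "show ip accounting" check suggested in the reply above, as an added example that is not part of the original thread: a parser that ranks source hosts by bytes and reports average packet size, which separates bulk transfers from floods of small packets such as RSTs. The sample output is constructed with documentation addresses, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `show ip accounting` output (documentation addresses).
SAMPLE = """\
   Source           Destination              Packets               Bytes
 192.0.2.23       198.51.100.7                 41210            61815000
 192.0.2.23       198.51.100.9                  1200               96000
 192.0.2.41       203.0.113.5                 250000            10000000
 192.0.2.57       198.51.100.7                    12                 768

Accounting data age is 12
"""

# A data row is exactly: source, destination, packet count, byte count.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse_ip_accounting(text):
    """Return (src, dst, packets, bytes) tuples; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # not an address pair, ignore the line
        rows.append((str(src), str(dst), int(m.group(3)), int(m.group(4))))
    return rows

def top_talkers(rows, limit=5):
    """Aggregate per source host and sort by total bytes, highest first."""
    totals = defaultdict(lambda: [0, 0, set()])
    for src, dst, pkts, nbytes in rows:
        totals[src][0] += pkts
        totals[src][1] += nbytes
        totals[src][2].add(dst)
    grand = sum(t[1] for t in totals.values()) or 1
    report = [{"source": s, "packets": p, "bytes": b, "destinations": len(d),
               "share": round(b / grand, 3), "avg_packet": round(b / p) if p else 0}
              for s, (p, b, d) in totals.items()]
    return sorted(report, key=lambda r: r["bytes"], reverse=True)[:limit]

if __name__ == "__main__":
    for entry in top_talkers(parse_ip_accounting(SAMPLE)):
        print(entry)
```
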

idanlerer Wed, 03/14/2007 - 02:46

Unfortunately I don't have support for this router now, so I'm not able to download and upgrade the IOS.

Any ideas?

Danilo Dy Wed, 03/14/2007 - 03:02

That's sad. With the problems of your current IOS provided in the links, it's difficult to point to the root cause of the high CPU util - one of the problems does have similar symptoms to what you are currently experiencing. We might be troubleshooting a problem that we can't fix but will be able to fix by just upgrading the IOS.

In this case, use "ip accounting"; it may help you point to the source of the high traffic on your LAN interface that may have caused the high CPU util.

idanlerer Sun, 03/18/2007 - 00:30

Hi, I just found the problem.

When a user connects to my wireless LAN, does not disconnect, and reconnects to my LAN, I have this problem.

Actually the user is connected to my wireless LAN (NIC in the firewall) and also connected to my LAN (other NIC in the firewall); it seems there is a loop in the LAN.

How can I solve that?

Danilo Dy Sun, 03/18/2007 - 00:43

This is supposed to be common to networks having both wireless and LAN connected; it happens anywhere.

However, you can try separating the networks for wireless and LAN, i.e. for wireless and for LAN. This is good practice.

idanlerer Wed, 03/14/2007 - 03:00

Also, I just found the problem but I didn't find the solution.

It seems I have a packet loop in my network:

The problem occurs when a user connects to my wireless LAN (NIC in the firewall) and then reconnects to my LAN without disconnecting the WiFi.

In the sniffer I can see packets coming from my WiFi IP address but the MAC address is my internal router's (just to be more clear, I have a firewall with one NIC for WiFi, one NIC for internet and one NIC for LAN; the router is located on my LAN for my IP telephony system, and the DG for all of the LAN is the router).
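
One way to check a LAN-side capture for the symptom described in the post above (a wireless source IP carried by the router's MAC), as an added example that is not part of the original thread. The subnet, the MAC addresses, the CSV column layout and the function name are all assumptions made for illustration; the capture rows are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions (not from the thread): wireless subnet, router MAC, CSV layout.
WIRELESS_NET = ipaddress.ip_network("192.0.2.0/25")
ROUTER_MAC = "02:00:00:00:00:01"

# Constructed LAN-side capture export: src_mac,src_ip,dst_ip,tcp_flags
CAPTURE = """\
02:00:00:00:00:01,192.0.2.23,198.51.100.7,RST
02:00:00:00:00:01,192.0.2.23,198.51.100.7,RST
02:00:00:00:aa:10,192.0.2.23,198.51.100.7,SYN
02:00:00:00:bb:20,192.0.2.200,198.51.100.9,ACK
02:00:00:00:00:01,192.0.2.23,198.51.100.8,RST
"""

def find_misplaced_sources(capture_csv, wireless_net=WIRELESS_NET,
                           router_mac=ROUTER_MAC):
    """Return wireless-subnet source IPs seen on the LAN segment.

    For each such IP: frames carried by the router's MAC, RST frames,
    and any other source MACs. A non-router MAC sending from a wireless
    address is a candidate wired NIC of a workstation that is attached
    to both networks at once.
    """
    hits = defaultdict(lambda: {"via_router": 0, "rst": 0, "other_macs": set()})
    for row in csv.reader(io.StringIO(capture_csv)):
        if len(row) != 4:
            continue  # skip blank or malformed rows
        mac, src, _dst, flags = (field.strip() for field in row)
        try:
            if ipaddress.ip_address(src) not in wireless_net:
                continue  # ordinary LAN source, nothing to report
        except ValueError:
            continue
        entry = hits[src]
        if mac.lower() == router_mac:
            entry["via_router"] += 1
        else:
            entry["other_macs"].add(mac.lower())
        if "RST" in flags.upper():
            entry["rst"] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, info in find_misplaced_sources(CAPTURE).items():
        print(ip, info)
```
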

idanlerer Tue, 03/13/2007 - 07:11

Maybe I have a loop in my LAN but I can't understand that; I checked and I have no physical loop but...

Maybe a user connects to my wireless LAN and starts working.

After that he goes back to my local LAN, and the wireless and the LAN are connected, and maybe there is a loop, but I can't understand and find it.

