Network Problem High CPU and traffic

Unanswered Question
Mar 13th, 2007

Hello,

My network topology is:

I have firewall, 1 card connect to wireless network include 2 Cisco AIR 1100.

1 card to my LAN and 1 card to the internet. In my LAN I have Cisco router 2811 that serve only my IP telephony. Once of every X days my router CPU goes to 85% and I see 70Mbps traffic on the router and on my firewall (I?m monitoring my switch).

Network monitor show dozens of HTTP / HTTPS RST packet per second from workstation in the wireless network try to access to IP in the internet.

(Each time is a deferent our employees workstation) I really don?t understand why the traffic comes to my router at all. Also monitor the access point and the wireless LAN switch no workstation have 70Mbps traffic.

Even if the workstation disconnects from the wireless network the traffic still 70Mbps and the router still 85% CPU. Only if I disconnect the router or the firewall from the network and reconnect every thing back to normal.

In the network monitor I can see a lot of

> .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame

> .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address

> Source: 00:0e:0c:71:3a:41 (00:0e:0c:71:3a:41)

> Address: 00:0e:0c:71:3a:41 (00:0e:0c:71:3a:41)

> .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame

> .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address


Can some one help me please



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
idanlerer Tue, 03/13/2007 - 02:31

Thanks for replay.

This problem occure only from workstation that connect to the wireless LAN.

same workstation never cost this problem in the LAN.

I scan for virus and worm |(I have up to date) and noghink found

Danilo Dy Tue, 03/13/2007 - 05:36

Hi,


Turn on IP Accounting in the router. When the problem happens again, you can find from which host the high traffic is coming from. Also, capture "show tech-support" or "show proc cpu" during the time when the cpu util is high and post the result here.


Dandy

idanlerer Tue, 03/13/2007 - 06:07

First thanks you for helping me


I attached the command output

I turned on IP Accounting but how can I use it ?




Danilo Dy Tue, 03/13/2007 - 07:20

Use "show ip accounting" to check which host has high data transfer http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt1/1rdip.htm#wp1020197


My findings from your "show tech-support"

1. High Traffic

There's a high traffic in the following interfaces that may have overload the router cpu;

FastEthernet0/0

FastEthernet0/0.1

FastEthernet0/0.4


2. IOS 12.3(14)T5

There's multiple problem with your current IOS

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_field_notice09186a0080797d2d.shtml

http://www.securityfocus.com/bid/22211

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0648

http://www.cisco.com/en/US/products/products_security_advisory09186a008073c972.shtml


Search for 12.3(14)T5 in Google


I recommend you upgrade your IOS to the latest stable version first. Come back if you still having problem





idanlerer Wed, 03/14/2007 - 02:46

unfortunately I don't have now support for this router so I'm not able to download and upgrade the IOS.

Any idea ?

Danilo Dy Wed, 03/14/2007 - 03:02

That's sad. With the problems of your current IOS provided in the links, it's difficult to point to the root cause of the high CPU util - one of the problem does have similar symptoms with what you currently experiencing. We might be troubleshooting for a problem that we can't fix but will be able to fix by just upgrading the IOS.


In this case, use the "ip accounting" it may help you to point to the source of high traffic in your lan interface that may have cause the high cpu util.

idanlerer Sun, 03/18/2007 - 00:30

Hi Just found the problem.

While user connect to my wireless LAN, not disconnect and reconect to my LAN I have this problem.

Actualy user connect to my Wireless LAN (NIC in the firewaal) also connect to my LAN (other NIC in the firewall) it's seems there is a loop in the LAN.

how can I solve that >

Danilo Dy Sun, 03/18/2007 - 00:43

This supposed to be common to networks having connected both wireless and lan, happens anywhere.


However, you can try separating the network for wireless and lan. i.e. 192.168.1.0 for wireless and 192.168.0.0 for lan. This is good practice.

idanlerer Wed, 03/14/2007 - 03:00

Also I just found the problem but I didn't found the solution.


It's seems I have a loop packet in my network:

The problem occur while user connect to my wireless lan (NIC in the firewall) then reconnect to my LAN without disconnect the wifi.

In the sniffer I can see packet come from my wifi IP address but the mac address is my internal router (just to be more clear, I have firewaal with one NIC for wifi, on NIC for internet and one NIC for LAN, the router locate on my LAN for my IP telephony system, all the DG in the LAN is the router)

idanlerer Tue, 03/13/2007 - 07:11

Maybe I have loop in my LAN but I can't understand that, I checked and I have no physical loop but...


maybe user connect to my wireless LAN and start working.

after that he back to my local LAN and the wirless and the LAN are connecting and maybe there is a loop but I can't understand and find it

Actions

This Discussion