Network Problem High CPU and traffic

idanlerer
Level 1

Hello,

My network topology is:

I have a firewall; 1 card connects to the wireless network, which includes 2 Cisco AIR 1100.

1 card goes to my LAN and 1 card to the internet. In my LAN I have a Cisco 2811 router that serves only my IP telephony. Once every X days my router CPU goes to 85% and I see 70Mbps traffic on the router and on my firewall (I'm monitoring my switch).

Network monitor shows dozens of HTTP / HTTPS RST packets per second from a workstation in the wireless network trying to access an IP on the internet.

(Each time it is a different one of our employees' workstations.) I really don't understand why the traffic comes to my router at all. I also monitored the access point and the wireless LAN switch; no workstation has 70Mbps traffic.

Even if the workstation disconnects from the wireless network, the traffic is still 70Mbps and the router is still at 85% CPU. Only if I disconnect the router or the firewall from the network and reconnect does everything go back to normal.

In the network monitor I can see a lot of

> .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame

> .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address

> Source: 00:0e:0c:71:3a:41 (00:0e:0c:71:3a:41)

> Address: 00:0e:0c:71:3a:41 (00:0e:0c:71:3a:41)

> .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame

> .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address

Can someone help me please?

rajivrajan1
Level 3

Hi idanlerer,

It seems like a DoS attack. As you are saying that the traffic is from your LAN, it need not be an attack from the user. It could be a PC worm, virus or any internet spam.

Use NetFlow, ACLs to track down the source of the packets and find the root cause.

This link could help you.

http://www.ciscopress.com/articles/article.asp?p=345618&rl=1

Thanks for the reply.

This problem occurs only from workstations that connect to the wireless LAN.

The same workstations never caused this problem in the LAN.

I scanned for viruses and worms (I am up to date) and nothing was found.

Hi,

Turn on IP Accounting in the router. When the problem happens again, you can find from which host the high traffic is coming from. Also, capture "show tech-support" or "show proc cpu" during the time when the cpu util is high and post the result here.

Dandy

First, thank you for helping me.

I attached the command output.

I turned on IP Accounting, but how can I use it?

Use "show ip accounting" to check which host has high data transfer: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt1/1rdip.htm#wp1020197

My findings from your "show tech-support"

1. High Traffic

There's high traffic on the following interfaces that may have overloaded the router CPU:

FastEthernet0/0

FastEthernet0/0.1

FastEthernet0/0.4

2. IOS 12.3(14)T5

There are multiple problems with your current IOS:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_field_notice09186a0080797d2d.shtml

http://www.securityfocus.com/bid/22211

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0648

http://www.cisco.com/en/US/products/products_security_advisory09186a008073c972.shtml

Search for 12.3(14)T5 in Google

I recommend you upgrade your IOS to the latest stable version first. Come back if you are still having problems.

Unfortunately I don't have support for this router now, so I'm not able to download and upgrade the IOS.

Any ideas?

That's sad. With the problems of your current IOS provided in the links, it's difficult to point to the root cause of the high CPU util - one of the problems does have similar symptoms to what you are currently experiencing. We might be troubleshooting a problem that we can't fix but would be able to fix by just upgrading the IOS.

In this case, use the "ip accounting"; it may help you to point to the source of high traffic in your LAN interface that may have caused the high CPU util.
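An added example, not part of any post in this thread: one way to turn the text printed by "show ip accounting" into a ranked list of top talkers, so the host behind a traffic spike stands out. The sample output is constructed (addresses and counters are made up), and `top_talkers` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout printed by "show ip accounting";
# the addresses and counters are made up for illustration.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 192.168.1.23     203.0.113.10                 41250            61875000
 192.168.1.23     203.0.113.11                 12000            18000000
 192.168.0.15     192.168.0.1                    310               24800
 192.168.1.40     198.51.100.7                    95                7600
Accounting data age is 12
"""

# One data row: source IP, destination IP, packet count, byte count.
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$"
)


def top_talkers(text, limit=3):
    """Sum packets and bytes per source address, ranked by bytes (highest first).

    Returns tuples of (source, packets, bytes, percent_of_all_bytes).
    """
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, "Accounting data age" line, blank lines
        src, _dst, pkts, byts = m.groups()
        totals[src][0] += int(pkts)
        totals[src][1] += int(byts)
    grand = sum(b for _, b in totals.values()) or 1  # avoid dividing by zero
    ranked = sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(src, p, b, round(100.0 * b / grand, 1)) for src, (p, b) in ranked[:limit]]


if __name__ == "__main__":
    for src, pkts, byts, share in top_talkers(SAMPLE):
        print(f"{src:15s} packets={pkts:<8d} bytes={byts:<10d} share={share}%")
```

Capturing the output twice, a few minutes apart during the high-CPU period, and comparing the rankings shows whether a single source keeps growing.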

Hi, I just found the problem.

When a user connects to my wireless LAN, does not disconnect, and reconnects to my LAN, I have this problem.

Actually, the user connected to my wireless LAN (NIC in the firewall) is also connected to my LAN (other NIC in the firewall); it seems there is a loop in the LAN.

How can I solve that?

This is supposed to be common in networks that have both wireless and LAN connected; it happens anywhere.

However, you can try separating the network for wireless and lan. i.e. 192.168.1.0 for wireless and 192.168.0.0 for lan. This is good practice.

Also, I just found the problem but I didn't find the solution.

It seems I have a packet loop in my network:

The problem occurs when a user connects to my wireless LAN (NIC in the firewall) and then reconnects to my LAN without disconnecting the Wi-Fi.

In the sniffer I can see packets coming from my Wi-Fi IP address, but the MAC address is my internal router's (just to be more clear: I have a firewall with one NIC for Wi-Fi, one NIC for internet and one NIC for LAN; the router is located on my LAN for my IP telephony system, and the DG for everything in the LAN is the router).

Maybe I have a loop in my LAN, but I can't understand that; I checked and I have no physical loop, but...

Maybe a user connects to my wireless LAN and starts working.

After that he goes back to my local LAN, and the wireless and the LAN are connected, and maybe there is a loop, but I can't understand or find it.