Unknown protocol drops on 1841

Sep 18th, 2007

I have a 1841 running IOS 12.4(17). Int fa0/0 output packets is showing unknown protocol drops. What does this mean and is there a way I can see what protocol/ports the drops are occurring on?

spremkumar Tue, 09/18/2007 - 23:10

hi


can you post the logs which you are seeing out there and also if possible do post out the config of the router...


regds


BAMURRAY1 Wed, 09/19/2007 - 06:53

This is simply from the sho int fa0/0.


FastEthernet0/0 is up, line protocol is up

0 output errors, 0 collisions, 3 interface resets

1694079 unknown protocol drops

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out


Richard Burts Wed, 09/19/2007 - 07:01
Blair


My guess is that you have configured an IP address on the interface so the interface is processing (and recognizing) IP. I would also guess that something is sending packets of some other protocol (perhaps IPX, perhaps NetBEUI, perhaps SNA) to the interface. Probably the best way to identify this is to run some packet capture/protocol analyzer (Sniffer, Wireshark/Ethereal, etc) on the interface.


HTH


Rick

insccisco Sun, 12/30/2007 - 20:31

Hi Rick, I am having the exact issues. I have 2 interfaces, one behind a cable ISP, and the other one behind a T1 ISP.


When we use the cable ISP, there are no problems, but when we use the T1 ISP, the interface connected to this T1 shows lots of unknown protocol drops.


If there is an inside host sending packets of some other protocols (perhaps IPX, perhaps NetBEUI, perhaps SNA), I will assume that I should also see the errors on the interface facing the Cable ISP. But because I don't see any errors on the interface facing the Cable ISP, assuming this is wrong.


So what do you think is happening? I already called the T1 ISP and they performed some tests and said that the line is clean.


Any advice?



guruprasadr Sun, 12/30/2007 - 22:24

HI,


In addition to Rick's post,


Normally check with the Routing configured for all IP and IPX protocols.


Check whether other Routing protocols like IPX, NetBEUI are routed via T1 ISP?


Do RATE all HELPFUL POSTS


Best Regards,


Guru Prasad R

Richard Burts Tue, 01/01/2008 - 10:57

Angel


Perhaps I am not understanding something correctly. You have 1 outbound interface to the cable ISP, 1 outbound interface to the T1 ISP, and at least 1 interface to the internal network. Please clarify which interface is showing the unknown protocol drops.


It would make it easier to understand your situation if you would post the output of show protocol on your router and to post the configuration of all the interfaces.


I am not surprised that the T1 ISP reports that the line tests are clean. Their test is to detect errors in transmission on the line. What you are experiencing is not a transmission error but a packet is received for a protocol that the interface is not expecting.


HTH


Rick

insccisco Wed, 01/02/2008 - 13:39

Hi Rick,


yes, the interface facing the T1 ISP is the one showing all those unknown protocol drops.


You are right, it seems like it isn't a transmission error, it is just a constant traffic being generated towards the router outbound interface (to the T1).


I have never seen this on T1s. Perhaps it could just be a host somewhere in the internet constantly generating packets towards our T1 ISP. We get the hits every 60 seconds, so the unknown protocol drops increment every minute.


Is there any way on the router to sniff the source of this packet?



Richard Burts Wed, 01/02/2008 - 13:54

Angel


Do I understand that you get these every 60 seconds on the T1 interface? How many do you get every 60 seconds?


If it is occurring on a regular periodic basis of every 60 seconds it sounds like the T1 ISP is running something that is attempting to send updates (or probes or something) every 60 seconds.


If it were an Ethernet interface there is easily available packet sniffing software that might show what it is. But on serial interfaces it is more difficult. I have used Sniffers that had serial interfaces that could sniff serial traffic. But I doubt that you have access to one of these. I am not sure but you might try running debug serial packet and see if it produces any useful output.


HTH


Rick

insccisco Wed, 01/02/2008 - 14:00

I see. Well I see the number of unknown protocol drops increment by 1 every 60 seconds. I see this by just doing the "sh int fas0/1"


This is simply an Ethernet interface connecting to a WAN switch via a straight-thru cable. The managed T1 ISP router connects to this WAN switch as well, so I guess it will be easy to put a sniffer on one of the ports on the WAN switch and see where these packets with unknown protocols are coming from.


This will require me to physically go on-site though. Is there a debug command to do in the ethernet interface of my 1841 router?



Richard Burts Wed, 01/02/2008 - 14:07

Angel


If it comes into the router on Ethernet (or FastEthernet) then it should be much easier to sniff. You might experiment with some of the debug ethernet type of commands, but I am not real optimistic that they will identify this traffic.


HTH


Rick
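
The capture-side triage suggested in this thread, as an added example that is not part of any poster's reply: given raw Ethernet frames from a sniffer on the WAN switch, it tallies frames by source MAC and layer-2 protocol for everything outside an expected set. The expected set (IPv4 and ARP), the function names and the sample frames are assumptions constructed for illustration.

```python
import struct
from collections import Counter

# Assumption: the router only handles IPv4 and ARP; adjust to match "show protocols".
EXPECTED = {0x0800, 0x0806}
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8137: "IPX",
              0x88CC: "LLDP", 0x9000: "Loopback (ECTP)"}
LLC_SAPS = {0x42: "STP", 0x04: "SNA", 0xE0: "IPX (802.2)",
            0xF0: "NetBIOS/NetBEUI", 0xFF: "IPX (raw 802.3)"}

def classify(frame: bytes):
    """Return (src_mac, protocol_label, is_expected) for one Ethernet frame."""
    if len(frame) < 14:
        return ("?", "truncated", False)
    src = frame[6:12].hex(":")
    (type_len,) = struct.unpack("!H", frame[12:14])
    if type_len >= 0x0600:  # Ethernet II: the field is an EtherType
        label = ETHERTYPES.get(type_len, f"ethertype 0x{type_len:04x}")
        return (src, label, type_len in EXPECTED)
    if len(frame) < 17:     # IEEE 802.3: the field is a length, LLC header follows
        return (src, "truncated LLC", False)
    dsap = frame[14]
    if dsap == 0xAA and len(frame) >= 22:  # SNAP: OUI plus protocol id
        oui, pid = frame[17:20], struct.unpack("!H", frame[20:22])[0]
        if oui == b"\x00\x00\x00":         # zero OUI means pid is an EtherType
            return (src, ETHERTYPES.get(pid, f"SNAP 0x{pid:04x}"), pid in EXPECTED)
        return (src, f"SNAP oui {oui.hex()} pid 0x{pid:04x}", False)
    return (src, LLC_SAPS.get(dsap, f"LLC dsap 0x{dsap:02x}"), False)

def unexpected_talkers(frames):
    """Count frames outside EXPECTED, keyed by (source MAC, protocol label)."""
    tally = Counter()
    for f in frames:
        src, label, ok = classify(f)
        if not ok:
            tally[(src, label)] += 1
    return tally

def make_frame(dst, src, type_len, payload=b""):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", type_len) + payload

SAMPLE = [  # constructed frames, not taken from the thread
    make_frame("ffffffffffff", "020000000001", 0x0806, bytes(28)),  # ARP
    make_frame("020000000010", "020000000001", 0x0800, bytes(20)),  # IPv4
    make_frame("0180c2000000", "020000000002", 0x0026, b"\x42\x42\x03" + bytes(35)),  # STP
    make_frame("ffffffffffff", "020000000003", 0x8137, bytes(30)),  # IPX
    make_frame("ffffffffffff", "020000000003", 0x8137, bytes(30)),  # IPX
    make_frame("01000ccccccc", "020000000004", 0x0030,
               b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + bytes(40)),    # SNAP, OUI 00000c (CDP)
]
```

Feeding it the frames from a real capture and comparing the per-source counts against the rate at which the interface counter increments narrows down which device is sending the unexpected protocol.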
