unknown protocol drops

Jan 14th, 2009

I have a 2800 and on the interface to the provider, there are increasing amounts of unknown protocol drops and I am hearing that the router is down and people are getting dropped.

Giuseppe Larosa Wed, 01/14/2009 - 08:48

Hello Aaron,

Unknown protocol drops can be originated by different causes:

for example, IS-IS hello packets sent by the service provider router,

or some L2 signalling protocol not supported by the router itself.

They shouldn't be the reason for the network problem you see, not directly at least.

You need to investigate, when the router is reachable, what error messages appear in the router log.

Also check cpu usage with

sh proc cpu history

and memory usage with

sh proc mem

Or if the site is still isolated see if you can lead someone to perform basic checks for you via a console connection.

Hope to help


Aaron Greene Wed, 01/14/2009 - 08:50

Nothing in the sh log. How can I tell what protocol it is by debugging?

Giuseppe Larosa Wed, 01/14/2009 - 09:02

Hello Aaron,

Being unknown, you cannot; you should use a sniffer capture instead.

The only fatal error a provider could do nowadays is to change your access from IPv4 to IPv6.

Or you are under a DoS attack with forged packets (but they must be routable, so at least the IP header exists; in this case debug ip packet can be used if the unknown rate is not high) that can hit the router CPU.

Hope to help


s.clinard Wed, 03/11/2009 - 11:41

I have noticed this issue as well with IOS 12.4(15)T7 and T8 on a Cisco 2811.

Here's the odd part though - those numbers ONLY seem to increase when I issue a show interface s0/0/0 command. I am SSH'd to the router. I will issue the command and see the unknown protocol drops count increase by one.

I have even issued the command once, then logged off after taking note of the number. I'll log on the next day, issue the command and notice that it only increased by one more number! It seems that they are not increasing for any other reason.

Hope this helps.


Giuseppe Larosa Wed, 03/11/2009 - 12:26

Hello Shane,

With such a low increment rate there are no issues for your router.

You have seen a close relationship with SSH activity: I guess that ser0/0/0 is the interface that receives the SSH packets of your session.

You should be fine; however, it is a good thing that you have reported your findings here, as this can help somebody else.

Hope to help


s.clinard Wed, 03/11/2009 - 12:42

Hiya Giuseppe -

Well, I took a look a little further into this matter and discovered that the FastEthernet interface connected to the local switch is showing a lot more of these unknown protocol drops. It sure seems like DTP is the cause.

I connect to the router over the WAN (a site-to-site VPN tunnel) to an IP assigned to the FastEthernet0/1 interface (connected to the switch), so in essence my SSH traffic is indeed traversing the S0/0/0 interface.

I agree that it's not causing any issues, it's just something I want to clean up.

Thanks for the reply!


mtorzewski Thu, 03/26/2009 - 12:42

I found this very helpful as I ran into this today. I have a 2821 running 124-15.T8 and have the same issue. I could not find any Cisco documentation on what protocol drops are. At least I know it is not anything to worry about. I ran the same test. I logged out of the router and logged back in 10 mins later and the numbers only incremented by 1. It seems the number increments only when I do the sh interface s/0/0/0:0. The errors show up on the LAN interface also.
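
The thread's advice is to identify the unknown protocol from a sniffer capture, with IS-IS hellos and DTP named as suspects. As an added example (not posted by anyone in this thread), this Python script classifies raw captured Ethernet frames by EtherType or LLC/SNAP header and tallies them; the function names are hypothetical and the sample frames are constructed.

```python
import struct
from collections import Counter

# Assumption: each frame is raw Ethernet bytes from a sniffer capture, without FCS.
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}
CISCO_SNAP = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP"}  # Cisco OUI 00:00:0c

def classify(frame: bytes) -> str:
    """Name the protocol one captured Ethernet frame carries."""
    if len(frame) >= 18 and frame[12:14] == b"\x81\x00":
        frame = frame[:12] + frame[16:]  # drop the 802.1Q VLAN tag
    if len(frame) < 22:  # MAC header plus room for an LLC/SNAP header
        return "truncated"
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len >= 0x0600:  # Ethernet II: the field is an EtherType
        return ETHERTYPES.get(type_or_len, f"ethertype 0x{type_or_len:04x}")
    llc, rest = frame[14:17], frame[17:22]  # 802.3: length field, then LLC
    if llc == b"\xfe\xfe\x03":  # OSI network layer; NLPID 0x83 is IS-IS
        return "IS-IS" if rest[0] == 0x83 else "OSI (other)"
    if llc == b"\x42\x42\x03":
        return "STP"
    if llc == b"\xaa\xaa\x03":  # SNAP: 3-byte OUI, then 2-byte protocol ID
        (pid,) = struct.unpack("!H", rest[3:5])
        if rest[:3] == b"\x00\x00\x0c":
            return CISCO_SNAP.get(pid, f"Cisco SNAP 0x{pid:04x}")
        return f"SNAP oui {rest[:3].hex()} pid 0x{pid:04x}"
    return f"LLC dsap 0x{llc[0]:02x}"

def tally(frames) -> dict:
    """Count frames per protocol so the non-IP senders stand out."""
    return dict(Counter(classify(f) for f in frames))

def _frame(dst_hex: str, type_or_len: int, payload: bytes) -> bytes:
    src = bytes.fromhex("020000000001")  # constructed source MAC
    body = payload.ljust(46, b"\x00")  # pad to the Ethernet minimum
    return bytes.fromhex(dst_hex) + src + struct.pack("!H", type_or_len) + body

# Constructed sample frames (hypothetical capture on the LAN interface).
SAMPLE_FRAMES = [
    _frame("01000ccccccc", 0x0020, bytes.fromhex("aaaa0300000c2004")),  # DTP
    _frame("01000ccccccc", 0x0020, bytes.fromhex("aaaa0300000c2004")),  # DTP
    _frame("0180c2000014", 0x0030, bytes.fromhex("fefe0383")),  # IS-IS hello
    _frame("020000000002", 0x0800, b"\x45"),  # IPv4
    _frame("020000000002", 0x86DD, b"\x60"),  # IPv6
]

if __name__ == "__main__":
    for name, count in sorted(tally(SAMPLE_FRAMES).items()):
        print(f"{count:4d}  {name}")
```

Frames that come back as DTP, IS-IS, STP or another non-IP type are the candidates to compare against the rate at which the interface's unknown protocol drops counter climbs.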

