RX Load Issue

Answered Question
Jun 23rd, 2010

Hi Experts & Friends,


I need your help in letting me know how to troubleshoot the Bandwidth choke issue. Internet has become very very slow today. By entering the "show interface" command I am seeing the RX Load as 255/255. However TX load is 6/255, Reliability as 255/255. I know tx load & Reliability in this case is very normal.


Since RX Load is very abnormal here, I used "route cache flow" to find out the traffic passing thru my interfaces. I found my Internet proxy server (125.201.17.1) is making this traffic. But I am unable to find out whether all the traffic I am seeing originated from 125.201.17.1 is legitimate internet traffic or some DoS attack.


I am worried to block/disconnect the said proxy server from the LAN as it is the gateway for all my users' internet traffic.


How to troubleshoot this issue safely?


thanks in advance


sairam         

Overall Rating: 5 (2 ratings)
John Blakley Wed, 06/23/2010 - 07:25

Where is the proxy server in relation to your router that's experiencing this? Is it on the outside of the router, or is it behind it? If it's behind it, can you look at your proxy server to see what's generating all of the traffic? It would be someone downloading something (I would think from the direction you're stating). Maybe someone is downloading a large file or streaming music?


If the proxy server is outside of this router, then someone is sending something to some other device that's behind this router. Do you have an FTP or web server behind this router that accepts uploads?


HTH,

John

snarayanaraju Wed, 06/23/2010 - 13:40

Hi John,


Thanks for your suggestion and help.


Proxy server is behind the router and not outside. Other than that, I want to know what could be the reason behind the increase in RX load to 255/255. How to troubleshoot in the general sense and solve this issue? What is the general practice followed in the industry?


regards,


sairam

Correct Answer
John Blakley Wed, 06/23/2010 - 14:19

The first step is to find out what's causing the traffic. If it's incoming traffic, it can be someone transmitting a lot of traffic from user traffic or a virus. You need to enable netflow on the outside interface ingress (ip flow ingress). I don't know what type router you have, but try this:


ip flow-top-talkers
 sort-by bytes
 top 5


on your PUBLIC interface:


ip flow ingress



Then let it run for a few seconds, then look at the results:


sh ip flow top-talkers


It will show you the source and destination addresses. You shouldn't have any source and destination as the same. After you see what the incoming traffic source is, try to find out where it's going. If it's going to your proxy server, then try to correlate the proxy server to an address on the inside. I don't manage proxy servers so I can't help you there unfortunately, but I'm sure that there are log files stating destination addresses somewhere on the server. If you don't find anything, you may just try to block the source in an ACL. You shouldn't be seeing your proxy server as an incoming connection on the public side unless you enabled netflow in the wrong direction or the wrong interface. Then you'd see source being the proxy server to an outside destination.


** Edit ** I forgot to ask. Are you seeing the load on your LAN or WAN interface?


HTH,

John
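
The following is an added example, not code from the thread or from Cisco: it parses text in the column layout of `sh ip flow top-talkers`, totals bytes per source, and flags the two conditions the answer above mentions (identical source and destination, and the proxy appearing as an ingress source). The sample output, interface names and external addresses are constructed, and treating K/M/G as decimal multipliers is an assumption.

```python
import re
from collections import defaultdict

PROXY = "125.201.17.1"  # proxy address given in the question
# Constructed sample in the "show ip flow top-talkers" column layout
# (Pr/SrcP/DstP are hex); not captured from a real router.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Se0/0         203.0.113.50    Fa0/0         125.201.17.1    06 0050 C2A1   412M
Se0/0         198.51.100.7    Fa0/0         125.201.17.1    06 01BB D3F0    96M
Se0/0         192.0.2.99      Fa0/0         125.201.17.1    11 0035 E001    44M
Se0/0         203.0.113.50    Fa0/0         125.201.17.1    06 0050 C2A2    30M
Se0/0         198.51.100.23   Fa0/0         125.201.17.1    06 0050 B111   850K
5 of 5 top talkers shown. 812 flows processed.
"""
ROW = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)([KMG]?)$")
SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}  # assumption: decimal units

def parse(text):
    """Return one dict per flow row; header and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            _sif, src, _dif, dst, pr, sp, dp, n, unit = m.groups()
            flows.append({"src": src, "dst": dst, "proto": int(pr, 16),
                          "sport": int(sp, 16), "dport": int(dp, 16),
                          "bytes": int(n) * SCALE[unit]})
    return flows

def triage(flows, proxy=PROXY):
    """Rank sources by bytes and note the anomalies described in the answer."""
    per_src, notes = defaultdict(int), []
    for f in flows:
        per_src[f["src"]] += f["bytes"]
        if f["src"] == f["dst"]:
            notes.append(f"same source and destination: {f['src']}")
        if f["src"] == proxy:
            notes.append("proxy is an ingress source: check NetFlow direction/interface")
    total = sum(per_src.values()) or 1
    ranked = sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)
    return [(ip, b, round(100 * b / total, 1)) for ip, b in ranked], notes

if __name__ == "__main__":
    ranked, notes = triage(parse(SAMPLE))
    for ip, b, pct in ranked:
        print(f"{ip:<16}{b:>14,} bytes {pct:>5}%")
    print("\n".join(notes) or "no direction or same-address anomalies")
```

A single source holding most of the ingress bytes toward the proxy is the address to look up in the proxy's own logs before considering an ACL.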
