Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
984
Views
5
Helpful
3
Replies

RX Load Issue

Go to solution
snarayanaraju
Level 4
Level 4

‎06-23-2010 07:09 AM - edited ‎03-04-2019 08:52 AM

Hi Experts & Friends,

I need your help in letting me know how to troubleshoot the Bandwidth choke issue. Internet has become very very slow today. By entering the "show interface" command I am seeing the RX Load as 255/255. However TX load is 6/255, Reliability as 255/255. I know tx load & Reliability in this case is very normal.

Since RX Load is very abnormal here i used "route cache flow" to find out the traffic passing thru my interfaces. I found my Internet proxy server (125.201.17.1) is making this traffic.But i am unable to find out wherther all the traffic i am seeing orginated from 125.201.17.1 are legitimate internet traffic or some DoS attack

I am worried to block /Disconnect the said Proxy server from the LAN as it is the gateway for all my users internet traffic

How to troubleshoot this issue safely

thanks in advance

sairam         

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to snarayanaraju

‎06-23-2010 02:19 PM

The first step is to find out what's causing the traffic. If it's incoming traffic, it can be someone transmitting a lot of traffic from user traffic or a virus. You need to enable netflow on the outside interface ingress (ip flow ingress). I don't know what type router you have, but try this:

ip flow-top-talkers

sort-by bytes

top 5

on your PUBLIC interface:

ip flow ingress

Then let it run for a few seconds, then look at the results:

sh ip flow top-talkers

It will show you the source and destination addresses. You shouldn't have any source and destination as the same. After you see what the incoming traffic source is, try to find out where it's going. If it's going to your proxy server, then try to correlate the proxy server to an address on the inside. I don't manage proxy servers so I can't help you there unfortunately, but I'm sure that there are log files stating destination addresses somewhere on the server. If you don't find anything, you may just try to block the source in an ACL. You shouldn't be seeing your proxy server as an incoming connection on the public side unless you enabled netflow in the wrong direction or the wrong interface. Then you'd see source being the proxy server to an outside destination.

** Edit ** I forgot to ask. Are you seeing the load on your LAN or WAN interface?

HTH,

John

HTH, John *** Please rate all useful posts ***

View solution in original post

0 Helpful
3 Replies 3

Go to solution
John Blakley
VIP Alumni
VIP Alumni

‎06-23-2010 07:25 AM

Where is the proxy server in relation to your router that's experiencing this? Is it on the outside of the router, or is it behind it? If it's behind it, can you look at your proxy server to see what's generating all of the traffic? It would be someone downloading something (I would think from the direction you're stating). Maybe someone is downloading a large file or streaming music?

If the proxy server is outside of this router, then someone is sending something to some other device that's behind this router. Do you have an FTP or web server behind this router that accepts uploads?

HTH,

John

HTH, John *** Please rate all useful posts ***

Go to solution
snarayanaraju
Level 4
Level 4
In response to John Blakley

‎06-23-2010 01:40 PM

Hi John,

Thanks for your suggestion and help.

Porxy server is behind the Router and not outside. Otherthan that, I want to know what could be the reason behind the increase in RX load to 255/255. How to trouble shoot in the general sense and solve this issue. What is the general practice followed in the industry

regards,

sairam

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to snarayanaraju

‎06-23-2010 02:19 PM

The first step is to find out what's causing the traffic. If it's incoming traffic, it can be someone transmitting a lot of traffic from user traffic or a virus. You need to enable netflow on the outside interface ingress (ip flow ingress). I don't know what type router you have, but try this:

ip flow-top-talkers

sort-by bytes

top 5

on your PUBLIC interface:

ip flow ingress

Then let it run for a few seconds, then look at the results:

sh ip flow top-talkers

It will show you the source and destination addresses. You shouldn't have any source and destination as the same. After you see what the incoming traffic source is, try to find out where it's going. If it's going to your proxy server, then try to correlate the proxy server to an address on the inside. I don't manage proxy servers so I can't help you there unfortunately, but I'm sure that there are log files stating destination addresses somewhere on the server. If you don't find anything, you may just try to block the source in an ACL. You shouldn't be seeing your proxy server as an incoming connection on the public side unless you enabled netflow in the wrong direction or the wrong interface. Then you'd see source being the proxy server to an outside destination.

** Edit ** I forgot to ask. Are you seeing the load on your LAN or WAN interface?

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card