Troubleshooting router serial port

mbalasubramanian · ‎11-20-2003

We have this 2600 router and 512 K ISP bandwidth...running a c2600-i-mz.121-19.bin train.

For the past month we have been having high input rate on our serial port dispropotionate to the Tx rate Serial is sometimes Rx 250/255 and Tx 30/255

Considering the recent splurge of worms all our LAN systems are patched and infact behind a firewall which denies outgoing ICMP packets (taking care of nachi welchia ) so even if there is an infected PC...it never saturates or hits the router.

What could be the reasons for high input rate on serial port when the output rate is meagre...the LAN nodes=150 number and do usual internet transactions

what could be happening ??time for forensics???

regards and thanks

vaughan.lee · ‎11-20-2003

First of all, check that you've got your bandwidth statement set correctly to verify that your loads are as see.

I would then look at putting an analyser on the LAN to monitor what is coming into and out of this router, and find out which hosts are communicating most. It may be that you have someone on the LAN downloading a lot of information, possibly using a peer-to-peer system to download non-business related files. Alternatively, there may be widespread use of web-based items such as news ticker-tapes. The list could go on!

There is also the danger that, although you are blocking worm traffic outbound, you are receiving such traffic inbound (though I wouldn't expect it to constantly use up your bandwidth). If you aren't blocking this traffic, you'll pick it up on your analyser; if you are blocking it you should see your access-list counts increasing.

Bear in mind that under 'normal' Internet usage you will have significantly more inbound data than outbound anyway, especially when web browsing. A short outbound packet sent to a web site will result in several Kbytes of web-page, including graphics etc being sent back (inbound).

mbalasubramanian · ‎11-20-2003

There is an appliance based firewall with an airtight security policy between the router and the LAN ...no peer to peer allowed egress or ingress...only traffic allowed inwards thru the firewall is SMTP and POP3 since we are hosting the same and outgoing same +http...not much mail traffic...beats me...is there any forensics that can be done on the cisco serial port???thru commands...and yes the bandwidth is set right ...can i use any commands to isolate the culprit traffic on the serial port

regards and thanks

vaughan.lee · ‎11-20-2003

The only comand that would help you find out what traffic is passing, and so the source, is 'debug ip packet' BUT there is no way I would use it on a live network generating the traffic you are getting as you'll probably crash the router.

I'm assuming that the router connects to the firewall via an ethernet interface, so I would still be tempted to plug an analyser in between the two and see what is coming inbound there. You may also find that the firewall keeps logs of the amount of traffic passing or which is blocked, though tis would be dependent on the firewall being used.