
Network traffic is saturated going outbound on my T1....

Unanswered Question
Dec 4th, 2003


I am trying to find the source or sources of why my network traffic is saturated going outbound.


I set up a syslog server and have my PIX sending it type 6 info alerts. I found some obvious problems and patched the PCs, but that did not solve my problem.


I have also been running a sniffer (sniffer4.5 & ethereal) but I do not see anything obvious there either.


What should I be looking for specifically? Does anyone have any filters set up for ethereal that they would like to share?


pkurdziel Sat, 12/06/2003 - 20:59

Thanks for the advice everyone. I'll let you know how it goes.


I have two PIX-to-syslog logs that I looked through, but this time I used firewallanalyzer to do a report based on the syslog data. Here is what I found:


12/4 12:33pm -2:18pm:


106011 No routing to arrival interface. event count 124426 38.45%

302013 Built TCP connection event count 84424 26.09%

106015 Deny TCP no connection established. event count 67932 20.99%

305011 TCP UDP ICMP Address Translation slot created. event count 33707 10.42%

302015 Built UDP connection event count 10883 3.36%

106023 Deny IP packet by access-list. event count 1884 0.58%

305005 Translate group not found. event count 192 0.06%

110001 No route. event count 54 0.02%

609001 event count 33 0.01%

305009 Address Translation slot created. event count 24 0.01%


Patched all the 106011 PCs with the latest security patches from Microsoft and the error events went away. I didn't know what to make of the 106015 events because they were from different PCs.

pkurdziel Sat, 12/06/2003 - 20:59


12/5 every 30 min starting at midnight to 6 am:


106015 Deny TCP no connection established. event count 87481 75.67%

302013 Built TCP connection event count 11310 9.78%

302015 Built UDP connection event count 5048 4.37%

305011 TCP UDP ICMP Address Translation slot created. event count 3854 3.33%

305012 Teardown TCP UDP ICMP Address Translation slot. event count 3830 3.31%

106023 Deny IP packet by access-list. event count 3587 3.10%

305005 Translate group not found. event count 380 0.33%

110001 No route. event count 60 0.05%

302010 TCP connections in use. event count 21 0.02%

609002 Network state container for the host IP address connected to interface name is removed. event count 13 0.01%



A ridiculous amount of 106015 messages, 75% of my traffic; these come from about 10 different outside IPs.
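As an added example (not part of the original posts, and not firewallanalyzer's code): a short Python script that rebuilds the per-message-ID tally shown above and then breaks the 106015 events down by source address, TCP flags and interface, which is the view needed to see which outside hosts dominate. The sample log lines are constructed, and the 106015 field layout (`Deny TCP (no connection) from IP/port to IP/port flags ... on interface ...`) is an assumption about how the PIX writes that message.

```python
import re
from collections import Counter

# Constructed sample lines in PIX syslog style (documentation-range addresses).
SAMPLE = """\
Dec 05 00:00:01 pix %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/80 to 203.0.113.10/3412 flags RST on interface outside
Dec 05 00:00:01 pix %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/80 to 203.0.113.10/3413 flags RST on interface outside
Dec 05 00:00:02 pix %PIX-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:10.0.0.5/1044 (203.0.113.10/1044)
Dec 05 00:00:02 pix %PIX-6-106015: Deny TCP (no connection) from 198.51.100.9/443 to 203.0.113.10/3500 flags FIN ACK  on interface outside
Dec 05 00:00:03 pix %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/80 to 203.0.113.10/3414 flags RST on interface outside
"""

# %PIX-<severity>-<message id>: <text>
MSG_RE = re.compile(r"%PIX-(\d)-(\d{6}):\s*(.*)")
# Assumed layout of the 106015 message body.
NOCONN_RE = re.compile(
    r"Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+) "
    r"flags (.+?)\s+on interface (\S+)")

def tally_ids(lines):
    """Count events per message ID, as in the report in the posts."""
    counts = Counter()
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def report(lines):
    """Return (message ID, count, percent of all parsed events), largest first."""
    counts = tally_ids(lines)
    total = sum(counts.values()) or 1  # avoid division by zero on empty input
    return [(mid, c, round(100.0 * c / total, 2)) for mid, c in counts.most_common()]

def top_noconn_sources(lines, n=10):
    """For 106015 only: count (source IP, TCP flags, interface) combinations."""
    src = Counter()
    for line in lines:
        m = MSG_RE.search(line)
        if not m or m.group(2) != "106015":
            continue
        d = NOCONN_RE.search(m.group(3))
        if d:
            src[(d.group(1), d.group(5), d.group(6))] += 1
    return src.most_common(n)

if __name__ == "__main__":
    log = SAMPLE.splitlines()
    for mid, c, pct in report(log):
        print(f"{mid}  event count {c}  {pct}%")
    for (ip, flags, ifc), c in top_noconn_sources(log):
        print(f"106015 from {ip} flags [{flags}] on {ifc}: {c}")
```

Run against a real log by replacing `SAMPLE.splitlines()` with the lines of the syslog file; lines that do not carry a `%PIX-` tag are skipped.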
