Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1272
Views
0
Helpful
1
Replies

CSS 11503 cannot detect services

gerrylim
Level 1
Level 1

‎09-06-2010 01:17 AM

Hi,

Please help. I have an issue with the CSS 11503.

After performing maintenance job on the Cisco core switch, where CSS's interfaces are connected to, both CSS (master and standby) were not able to detect the the servers in the network. Even though at that point of time the core switch was already up, the servers were alive on the network and services were up.

To resolve the issue, I tried to restart CSS, it did not work. I had to shutdown, turn off both CSS and turn them on again after a short while.

Is this problem related to STP of the CSS or Core Switch? Mismatch of STP parameters with the Core switch? Clear Arp? Disable STP on CSS and turn on Port Fast? Enable preempt on Master?

Please advice on how to rectify the problem.

Sample Logs

Service Name                     State     Conn  Weight  Avg   State

                                                         Load  Transitions

shared_ServerD_389                Down          0      1   255            0

shared_ServerE_389_backup         Down          0      1   255            0

shared_ServerA_443_httpredirect  Down          0      1   255            0

shared_ServerB_443_httpredirect  Down          0      1   255            0

shared_ServerC_443_httpredirect  Down          0      1   255            0

Sample Syslogs

SEP  5 05:18:58 1/1 1910936 IPV4-4: Duplicate IP address detected: 10.x.x.x 00-xx-xx-xx-xx-xx

Warning x.x.x.x SEP  5 04:14:53 1/1 31918 IPV4-4: Ipv4MasterForwIphdrChk: Dest = 224.0.0.18,<010>                          Src = x.x.x.x, DosAttack ILLEGAL SOURCE
2010-09-05 04:15:05 Local6.Warning x.x.x.x SEP  5 04:15:02 1/1 31921 IPV4-4: Duplicate IP address detected: x.x.x.x 00-XX-XX-XX-XX-ac
2010-09-05 04:15:05 Local6.Warning x.x.x.x SEP  5 04:15:02 1/1 31926 IPV4-4: Duplicate IP address detected: x.x.x.x 00-XX-XX-XX-XX-ac
2010-09-05 04:15:05 Local6.Warning x.x.x.x SEP  5 04:15:02 1/1 31928 IPV4-4: Ipv4MasterForwIphdrChk: Dest = 224.0.0.18,<010>                          Src = x.x.x.x, DosAttack ILLEGAL SOURCE
2010-09-05 04:15:05 Local6.Critical x.x.x.x SEP  5 04:15:03 1/1 31930 NETMAN-2: Enterprise:Service Transition:shared_XXXXX-> down
2010-09-05 04:15:05 Local6.Critical x.x.x.x SEP  5 04:15:03 1/1 31932 NETMAN-2: Enterprise:Service Transition:shared_XXXXX-> down
2010-09-05 04:15:05 Local6.Warning  x.x.x.x SEP  5 04:14:57 1/1 13568140 IPV4-4: Ipv4MasterForwIphdrChk: Dest = 224.0.0.18,<010>                          Src = 10.244.7.108, DosAttack ILLEGAL SOURCE
2010-09-05 04:15:05 Local6.Warning  x.x.x.x SEP  5 04:14:57 1/1 13568143 VRRP-4: VrrpMain: bad IP header received,<010>Bman free'd
2010-09-05 04:16:43 Local6.Warning  x.x.x.x SEP  5 04:16:27 1/1 21608 IPV4-4: Ipv4MasterForwIphdrChk: Dest = 224.0.0.18,<010>                          Src = 10.244.7.107, DosAttack ILLEGAL SOURCE
2010-09-05 04:28:33 Local6.Warning  x.x.x.x SEP  5 04:23:04 1/1 13724001 VRRP-4: VrrpMain: bad IP header received,<010>Bman free'd
2010-09-05 04:33:03 Local6.Warning  x.x.x.xSEP  5 04:30:07 1/1 13757757 VRRP-4: VrrpMain: bad IP header received,<010>Bman free'd

Labels:
0 Helpful
1 Reply 1

sachinga.hcl
Level 4
Level 4

‎09-08-2010 12:06 PM

HI GerryLim,

Could you please publish the out put of the following command so as to check for the hit counts of DOS (denial-of-services) attack:

CSS11500(config)# show dos

You might get around this by modifying the SNMP settings:

snmp trap-type enterprise dos-illegal-attack trap-threshold X


...where X is the number of connections per second for which the CSS will generate a trap message like the one you describe.

The default setting is 1, meaning that any one packet matching the criteria would generate a trap.


I suggest you modify the value X to match up with your VRRP keepalive timers to avoid these messages.

According to the docs, the following DOS protection trap-types exist:


  a.. dos-illegal-attack: Generates traps for illegal addresses, either  source or destination. Illegal addresses are loopback source addresses,
broadcast source addresses, loopback destination addresses, multicast source  addresses, or source addresses that you own. The default trap threshold for this type of attack is one per second.


  b.. dos-land-attack: Generates traps for packets that have identical source and destination addresses. The default trap threshold for this type
of attack is one per second.


  c.. dos-ping-attack: Generates traps when the number of pings exceeds the threshold value. The default trap threshold for this type of attack is 30 per second. Note that this does not track pings of death DoS attacks.


  d.. dos-smurf-attack: Generates traps when the number of pings with a broadcast destination address exceeds the threshold value. The default trap
threshold for this type of attack is one per second.


  e.. dos-syn-attack: Generates traps when the number of TCP connections that are initiated by a source but not followed with an ACK frame to
complete the three-way TCP handshake exceeds the threshold value. The default trap threshold for this type of attack is ten per second.


Hope this helps!

Sachin Garg

Message was edited by: sachinga.hcl

0 Helpful
Customers Also Viewed These Support Documents