Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
352
Views
0
Helpful
2
Replies

Network traffic is saturated going outbound on my T1....

Peter010101
Level 1
Level 1

‎12-04-2003 08:05 PM - edited ‎03-02-2019 12:09 PM

I am trying to find the source or sources of why my network traffic is saturated going outbound.

I set up a syslog server and have my pix sending it type 6 info alerts. I found some obvious problems and patched the pc's but that did not solve my problem.

I have also been running a sniffer (sniffer4.5 & ethereal) but I do not see anything obivous there either.

What should I be looking for specifically? Any one have any filters set up for ethereal that they would like to share?

Labels:
0 Helpful
2 Replies 2

Peter010101
Level 1
Level 1

‎12-06-2003 08:59 PM

Thanks for the advice everyone. I'll let you know how it goes.

I have two PIX to syslog logs that I looked thorough, But this time I used firewallanalyzer to do a report based on syslog data. Here is what I found:

12/4 12:33pm -2:18pm:

106011 No routing to arrival interface. event count 124426 38.45%

302013 Built TCP connection event count 84424 26.09%

106015 Deny TCP no connection established. event count 67932 20.99%

305011 TCP UDP ICMP Address Translation slot created. event count 33707 10.42%

302015 Built UDP connection event count 10883 3.36%

106023 Deny IP packet by access-list. event count 1884 0.58%

305005 Translate group not found. event count 192 0.06%

110001 No route.event count 54 0.02%

609001 event count 33 0.01%

305009 Address Translation slot created. event count 24 0.01%

Patched all the 106011 PC with latest security patched from Microsoft and the error event went away. I didn't know what to make of the 106015 events because they were from different PC's.

0 Helpful

Peter010101
Level 1
Level 1
In response to Peter010101

‎12-06-2003 08:59 PM

12/5 every 30 min starting at mindnight to 6 am:

106015 Deny TCP no connection established. event count 87481 75.67%

302013 Built TCP connection event count 11310 9.78%

302015 Built UDP connection event count 5048 4.37%

305011 TCP UDP ICMP Address Translation slot created. event count 3854 3.33%

305012 Teardown TCP UDP ICMP Address Translation slot. event count 3830 3.31%

106023 Deny IP packet by access-list. event count 3587 3.10%

305005 Translate group not found. event count 380 0.33%

110001 No route. event count 60 0.05%

302010 TCP connections in use. event count 21 0.02%

609002 Network state container for the host IP address connected to interface name is removed. event count 13 0.01%

A rdiculous amount of 106015 messages, 75% of my traffic, these come from about 10 different outside IP's.

0 Helpful
Customers Also Viewed These Support Documents