Re: IDS4230 Network Access Problem

dennis.foon · ‎01-09-2004

Hi everybody,

I just encountered access problem on IDS4230 with latest version. Suddenly, all network access was failed either using ssh, https or ping. There was only console login from the terminal could be done. Here is the errors found on the NIC card:

netrangr01# sh int comm

command-control is up

Internet address is 172.31.196.9, subnet mask is 255.255.255.0, telnet is disabled.

Hardware is eth1, tx

Network Statistics

eth1 Link encap:Ethernet HWaddr 00:E0:29:9D:FD:CD

inet addr:172.31.196.9 Bcast:172.31.196.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:1959 errors:0 dropped:0 overruns:0 frame:85

TX packets:264 errors:13 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:449753 (439.2 Kb) TX bytes:18190 (17.7 Kb)

Interrupt:17 Base address:0x1400

After rebooted, everything is back to normal. Here the log retrieved from /etc/cids/idsRoot/log/main.log:

===========================

24Dec2003 05:26:54.429 2872.777 sensorApp[7162] sensorApp/W errWarning ARP: bad operation from packet: 28448

24Dec2003 05:26:54.429 0.000 sensorApp[7162] sensorApp/W errWarning ARP: bad operation from packet: 28448

Dec 28 04:02:00 dsbidssrv02 syslogd 1.4.1: restart.

Jan 4 04:02:00 dsbidssrv02 syslogd 1.4.1: restart.

----------- sensorApp.logAppFifo begin Mon 05-Jan-2004 05:28:09 CST ------------

05Jan2004 05:28:09.274 74.845 sensorApp[7162] sensorApp/W errWarning ARP: bad operation from packet: 28448

05Jan2004 05:28:09.306 0.032 sensorApp[7162] sensorApp/W errWarning ARP: bad operation from packet: 28448

05Jan2004 05:43:17.069 907.763 sensorApp[7162] sensorApp/W errWarning ARP: bad operation from packet: 28448

05Jan2004 05:43:17.069 0.000 sensorApp[7162] sensorApp/W errWarning ARP: bad operation from packet: 28448

===========================

Is that possible any hardware problem or bug on sensorApp? Appreciate if you'd have any feedback. Thanks!

Regards, Dennis.

marcabal · ‎01-09-2004

This sounds similar to an issue we found when testing the initial 4.0 release on the 4230.

DDTS Issue: CSCdz66704

After a reboot we were unable to connect to the command and control interface. Running "ifconfig -a" ("show interfaces" in the cli) showed that the Error counts on the NIC were increasing.

We were never able to consistently reproduce to determine what the problem was.

A simple reboot would fix the problem.

The sensorApp warnings are not related to the command and control port problem you are seeing.

The sensorApp warnings are for packets seen on the sniffing ports.

If you are able to consistently replicate this problem, then let me know and we can see about gathering more information.

But from my experience it could happen once and maybe never again on that sensor.

The problem is isolated to the command and control port ofthe 4220 and 4230 models.

As a side note: The 4230 models have a field notice out on CCO. It is unrelated to your problem, but I would suggest reading the field notice if you have not already:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_field_notice09186a00801850de.shtmlhttp://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_field_notice09186a00801850de.shtml

dennis.foon · ‎01-09-2004

Thanks for sharing your experience, Macrcabal !

The machine now looks fine. And I'll keep track of the error on the interface and report to you if it happens again :P

Best Regards,

Dennis.