From: Chuck Church (cchurch@MAGNACOM.com)
Date: Sat Sep 21 2002 - 14:46:57 GMT-3
Imo,
Jay's right. We had an infected machine behind our 2611 router
running FWFS, and that behaved the same way, 90-100% CPU. Luckily the FWFS
logged the errors (host x.x.x.x getting aggressive, etc), so it was easy to
find the culprit. I think a server needs to be running IIS to be infected
(could be wrong on this one though), so an easy thing to do is one-by-one,
disable the switch port of each of your IIS servers, while watching the CPU
utilization. We tracked another problem server down this way pretty
quickly. Good luck. By the way, did this problem just start?
Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Jay Hennigan
Sent: Saturday, September 21, 2002 12:44 PM
To: Imo Etuk
Cc: ccielab@groupstudy.com
Subject: RE: NAt oh NAT
On Sat, 21 Sep 2002, Imo Etuk wrote:
> Jay,
>
> Thanks for responding to this but i already tweaked the timers
>
> > ip nat translation timeout 180
> > ip nat translation tcp-timeout 300
> > ip nat translation udp-timeout 30
> > ip nat translation finrst-timeout 15
> > ip nat translation dns-timeout 15
It could still be the bug I referenced if you've got a machine behind
it that's infected with code red or otherwise generating thousands of
translations.
* When you clear ip nat translations * does the CPU drop and then ramp
back up?
* Does "show ip nat translations" show an inordinately large number of
translations coming from a single host or small group to destination
port 80 (or some other unusually large number of translations)? Look
at it both before and immediately after you clear them, see if it ramps
up quickly.
* What IOS version, full value?
> Warning : The information contained in this message may be privileged and
> confidential and protected from disclosure. If the reader of this message is
> not the intended recipient, you are hereby notified that any dissemination,
> distribution or copying of this communication is strictly prohibited. If you
> have received this communication in error, please notify the sender
> immediately by replying to this message and then delete it from your
> computer.
NOTICE: This communication may contain confidential and/or privileged
information. If you are not the intended recipient, or believe that you
have received this communication in error, you are obligated to kill
yourself and anyone else who may have read it. So there. My disclaimer
is scarier than yours. Nyaah. You started this silly nonsense. Knock
it off and I will too, ok? It's worthless from a legal standpoint, makes
you look really clueless, and is a waste of CPU cycles. Nobody reads it
anyway. You're not actually reading this, are you? I didn't think so.
--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
NetLojix Communications, Inc. - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323
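The per-host check Jay describes (many translations from one inside host to destination port 80), as an added example that is not part of the original thread. The sample table is constructed in the column layout of "show ip nat translations"; the function names and the `min_entries` threshold are assumptions of this example.

```python
from collections import Counter, defaultdict

HEADER = "Pro Inside global      Inside local       Outside local      Outside global"

def constructed_sample():
    """Constructed table: one static entry, two ordinary hosts, one noisy host."""
    rows = [HEADER,
            "--- 192.0.2.10         10.1.1.10          ---                ---",
            "tcp 192.0.2.1:2001     10.1.1.30:2001     198.51.100.9:443   198.51.100.9:443",
            "udp 192.0.2.1:2002     10.1.1.31:2002     198.51.100.53:53   198.51.100.53:53"]
    for i in range(1, 41):  # 40 port-80 translations from 10.1.1.20
        rows.append(f"tcp 192.0.2.1:{3000 + i} 10.1.1.20:{3000 + i} "
                    f"203.0.113.{i}:80 203.0.113.{i}:80")
    return "\n".join(rows)

def split_endpoint(field):
    """'10.1.1.20:1501' -> ('10.1.1.20', 1501); port is None when absent."""
    ip, _, port = field.partition(":")
    return ip, int(port) if port.isdigit() else None

def parse_translations(text):
    """Yield (proto, inside_local_ip, outside_ip, dest_port) for dynamic entries."""
    for line in text.splitlines():
        cols = line.split()
        # Skip the header, blank lines and static entries ('---' columns).
        if len(cols) != 5 or cols[0] in ("Pro", "---") or cols[4] == "---":
            continue
        src_ip, _ = split_endpoint(cols[2])
        dst_ip, dst_port = split_endpoint(cols[4])
        yield cols[0], src_ip, dst_ip, dst_port

def suspects(text, min_entries=25):
    """Inside hosts holding at least min_entries translations, busiest first."""
    per_host = defaultdict(list)
    for _proto, src, dst, dport in parse_translations(text):
        per_host[src].append((dst, dport))
    report = []
    for src, flows in per_host.items():
        if len(flows) < min_entries:
            continue
        port, hits = Counter(p for _, p in flows).most_common(1)[0]
        report.append({"host": src, "entries": len(flows), "top_port": port,
                       "top_port_entries": hits,
                       "distinct_dests": len({d for d, _ in flows})})
    return sorted(report, key=lambda r: r["entries"], reverse=True)

if __name__ == "__main__":
    for row in suspects(constructed_sample()):
        print(row)
```

Running it on a capture taken before and another taken right after clearing the table shows whether the same host refills it.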