From: Richard Dumoulin (richard.dumoulin@vanco.es)
Date: Wed May 05 2004 - 05:18:08 GMT-3
It is possible that the Netscreen is defending against a high rate of
particular frames. Have you checked the logs on the Netscreen? During a
period of "instability" try typing "get log event" to see if the FW is
rejecting packets.
I am not sure, but maybe the Netscreen is rejecting a high number of
fragmented packets or something else.
Did you tune the different screening options on the Netscreen? The command
is (use the Trust zone instead if your Catalyst is on the other side):
Netscreen-> get zone Untrust screen
ICMP Flood Protection(100) on
UDP Flood Protection(200) on
Winnuke Attack Protection on
Port Scan Protection(5000) on
IP Sweep Protection(5000) on
Tear-drop Attack Protection on
SYN Flood Protection(200) on
Alarm Threshold: 200
Queue Size : 10240
Timeout Value : 10
Source Threshold: 4000
Destination Threshold: 40000
Drop unknown mac (xparent mode only): off
Ping-of-Death Protection on
Source Route IP Option Filter on
Land Attack Protection on
SYN Fragment Detection on
TCP Packet Without Flag on
Unknown Protocol Protection on
Bad IP Option Detection on
IP Record Route Option on
IP Timestamp Option on
IP Security Option on
IP Loose Src Route Option on
IP Strict Src Route Option on
IP Stream Option on
ICMP Fragment on
Large ICMP Packet on
SYN and FIN Bits Set on
Malicious URL Protection
--- more ---
Code-Red-Worm Protection on
And you may need to fine-tune one of those.
--Richard
-----Original Message-----
From: Raminder Sarna [mailto:raminder_sarna@yahoo.com]
Sent: Wednesday, 05 May 2004 8:32
To: ccielab@groupstudy.com
Subject: Show interface counters errors !!! Please advise !!
Hi all,
Could anyone please throw some light on the following
points?
Background: We have a Cisco 3550-48 switch connected
to a Netscreen Firewall on a port using 802.1Q trunk encapsulation. We
encounter periods of instability in production where the Netscreen stops
responding; when this happens, the command show interface counters errors on
the 3550 displays packet counter increments in the Xmit-Err field.
a) What does Xmit-Err mean?
b) We do have ongoing undersized packets on the same
port all the time (as reported by the 3550); this does
not change during the instability periods when the
show interface counters errors output seems to go up.
c) The show interface counters trunk output reports no errors
in encapsulation, so I'm convinced this is not an error
caused by an undersized packet being encapsulated with
802.1Q parameters and being thrown at the Netscreen.
d) The Netscreen reports packet drops during the
instability periods.
e) The number of packets reported as Xmit errors is
only 10% of the undersized packets during the
instability period... Why would this stop the
Netscreen from responding at all?
Anyone, please advise.
regards
Raminder
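The two checks suggested in this thread, reading the Netscreen "get zone <zone> screen" output and watching the 3550's Xmit-Err and UnderSize counters across an instability period, are easy to do by hand once but tedious to repeat. The following is an added example, not code from either poster: it parses the screen-option listing quoted above (the pager prompt included) into enabled/disabled states and thresholds, and diffs two snapshots of the 3550's "show interface counters errors" table to get the Xmit-Err to UnderSize ratio the original question mentions. The counter snapshots are constructed sample data, and their column layout (Port, Align-Err, FCS-Err, Xmit-Err, Rcv-Err, UnderSize, OutDiscards) is assumed to approximate the switch's output; the counter values are invented so that the ratio comes out at the 10% figure from the thread.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the "get zone Untrust screen" listing quoted in the thread,
# including the "--- more ---" pager prompt as it appeared on the list.
SCREEN_OUTPUT = """\
ICMP Flood Protection(100) on
UDP Flood Protection(200) on
Winnuke Attack Protection on
Port Scan Protection(5000) on
IP Sweep Protection(5000) on
Tear-drop Attack Protection on
SYN Flood Protection(200) on
Alarm Threshold: 200
Queue Size : 10240
Timeout Value : 10
Source Threshold: 4000
Destination Threshold: 40000
Drop unknown mac (xparent mode only): off
Ping-of-Death Protection on
Source Route IP Option Filter on
Land Attack Protection on
SYN Fragment Detection on
TCP Packet Without Flag on
Unknown Protocol Protection on
Bad IP Option Detection on
Malicious URL Protection
--- more ---
Code-Red-Worm Protection on
"""

# "<name>(<threshold>) on|off" or "<name> on|off"
SCREEN_RE = re.compile(r"^(?P<name>.+?)(?:\((?P<thr>\d+)\))?\s+(?P<state>on|off)$")
# "<name> : <number>" sub-parameters of SYN flood protection
PARAM_RE = re.compile(r"^(?P<name>[A-Za-z ]+?)\s*:\s*(?P<value>\d+)$")


def parse_screen_options(text: str) -> Tuple[Dict[str, Tuple[Optional[bool], Optional[int]]], Dict[str, int]]:
    """Return ({option: (enabled, threshold)}, {parameter: value}).
    enabled is None when the listing shows no state for that line."""
    options: Dict[str, Tuple[Optional[bool], Optional[int]]] = {}
    params: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--- more"):
            continue  # blank line or the CLI pager prompt
        m = SCREEN_RE.match(line)
        if m:
            thr = int(m.group("thr")) if m.group("thr") else None
            name = m.group("name").strip().rstrip(":").strip()
            options[name] = (m.group("state") == "on", thr)
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group("name").strip()] = int(m.group("value"))
            continue
        options[line] = (None, None)  # e.g. "Malicious URL Protection": no state shown
    return options, params


def enabled_thresholds(options) -> Dict[str, int]:
    """Screen options that are on and carry a numeric threshold: the candidates for tuning."""
    return {n: t for n, (on, t) in options.items() if on and t is not None}


# Constructed sample: two snapshots of "show interface counters errors" on the 3550,
# in an assumed column layout. Values are invented for illustration.
COUNTERS_BEFORE = """\
Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err UnderSize OutDiscards
Fa0/1               0          0       1200          0    418000           0
"""
COUNTERS_AFTER = """\
Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err UnderSize OutDiscards
Fa0/1               0          0       1700          0    423000           0
"""


def parse_counter_errors(text: str) -> Dict[str, Dict[str, int]]:
    """Return {port: {column: count}} from a whitespace-aligned counter table."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    table: Dict[str, Dict[str, int]] = {}
    for row in lines[1:]:
        fields = row.split()
        if len(fields) != len(header):
            continue  # skip rows that do not belong to this table
        table[fields[0]] = {col: int(val) for col, val in zip(header[1:], fields[1:])}
    return table


def counter_deltas(before, after, port: str) -> Dict[str, int]:
    """Per-column increments on one port between two snapshots."""
    return {col: after[port][col] - before[port][col] for col in after[port]}


def xmit_err_ratio(deltas: Dict[str, int]) -> Optional[float]:
    """Xmit-Err increments as a fraction of UnderSize increments over the interval
    (the '10%' comparison from the thread); None if UnderSize did not move."""
    if deltas["UnderSize"] == 0:
        return None
    return deltas["Xmit-Err"] / deltas["UnderSize"]


if __name__ == "__main__":
    opts, params = parse_screen_options(SCREEN_OUTPUT)
    print("tunable thresholds:", enabled_thresholds(opts))
    print("SYN flood parameters:", params)
    d = counter_deltas(parse_counter_errors(COUNTERS_BEFORE), parse_counter_errors(COUNTERS_AFTER), "Fa0/1")
    print("Fa0/1 deltas:", d, "Xmit-Err/UnderSize:", xmit_err_ratio(d))
```

Take the two counter snapshots at the start and end of an instability period so the deltas, rather than the lifetime totals, are what you compare against the Netscreen's "get log event" drops for the same window.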
This archive was generated by hypermail 2.1.4 : Wed Jun 02 2004 - 11:12:04 GMT-3