From: cc ie (davidscottmartin@gmail.com)
Date: Wed Feb 02 2005 - 05:47:41 GMT-3
Jay,
Use NetFlow to check your traffic; you may see a huge amount of scans
going to Null0. These trojans are flooding your NAT table and running
up your CPU.
Create an inbound ACL on your Ethernet interface to drop this crap
before it gets NATted and chews CPU cycles.
HTH
dave
On Tue, 1 Feb 2005 17:39:11 -0800, Etchings, Jay <EtchingsJ@ally.com> wrote:
> Group, if I am doing something stupid, feel free to flame away. I would
> just like to figure out what the deal is, even if a few lumps are in
> order.
>
> I have had an issue since last Friday where my 2651 DMVPN router is
> running at 100% of the CPU. It seems to have 150K NAT translations
> during the day which should calculate to 30Mbs of memory based on the
> 160 Bytes per trans.
>
> I am working to figure out what I can do to resolve this issue. Has
> anyone heard of such a thing?
>
> I made the following changes. This is a simple error -- the interface
> ran out of ports to translate (~65599..)
>
> access-list 11 permit 10.1.4.0 0.0.3.255
> access-list 11 permit 10.1.16.0 0.0.3.255
> access-list 11 permit 10.1.200.0 0.0.1.255
> access-list 11 permit 10.2.200.0 0.0.0.255
> ip nat pool OUTSIDE_PAT 200.200.200.200 200.200.200.203 netmask
> ip nat inside source list 11 pool OUTSIDE_PAT overload
> no ip nat inside source static 10.1.4.37 200.200.200.201 extendable
> ip nat inside source static 10.1.4.37 200.200.200.202 extendable
> no access-list 10
> no ip nat inside source list 10 interface FastEthernet0/1 overload
>
> (I subbed my public IPs with the 200.200.200.20X)
>
> This seemed to be the temporary fix to infected computers using too many
> NAT translations.
>
> ________________________________
>
> I issued a clear IP nat tr * to clear 70,000+ translations on my 2651
> DMVPN router again and it seems to have supplied a temporary fix.
>
> The issue of running the CPU at 100% still persists.
>
> Any ideas?
>
> Regards,
>
> Jay Etchings
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
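
Added example (not part of the original thread): one way to find which inside hosts are filling the NAT table, by summarizing captured `show ip nat translations` output per inside-local address. The sample rows, the hosts 10.1.4.50 and 10.1.16.20, the function names and the thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in the column layout of `show ip nat translations`.
# 10.1.4.50 and 10.1.16.20 are made-up inside hosts; outside addresses are
# documentation ranges. One host sweeps tcp/445 across many destinations.
SAMPLE = "Pro Inside global  Inside local  Outside local  Outside global\n"
SAMPLE += "".join(
    f"tcp 200.200.200.200:{1024 + i} 10.1.4.50:{3000 + i} "
    f"198.51.100.{i}:445 198.51.100.{i}:445\n" for i in range(1, 9))
SAMPLE += (
    "tcp 200.200.200.200:2001 10.1.16.20:4411 203.0.113.5:80 203.0.113.5:80\n"
    "tcp 200.200.200.200:2002 10.1.16.20:4412 203.0.113.5:443 203.0.113.5:443\n"
    "--- 200.200.200.202 10.1.4.37 --- ---\n")  # static entry, no port


def split_host_port(field):
    host, _, port = field.partition(":")
    return host, int(port) if port else None


def summarize(text):
    """Per inside-local host: entry count, distinct destinations, dest ports."""
    hosts = defaultdict(lambda: {"entries": 0, "dests": set(), "ports": Counter()})
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and static ('---') entries.
        if len(fields) != 5 or fields[0] not in ("tcp", "udp", "icmp"):
            continue
        inside, _ = split_host_port(fields[2])
        dest, dport = split_host_port(fields[4])
        h = hosts[inside]
        h["entries"] += 1
        h["dests"].add(dest)
        h["ports"][dport] += 1
    return hosts


def suspects(text, min_entries=5, min_dests=5):
    """Hosts holding many translations spread over many destinations.
    Thresholds are illustrative; tune them against a known-good baseline."""
    rows = []
    for ip, h in summarize(text).items():
        if h["entries"] >= min_entries and len(h["dests"]) >= min_dests:
            top_port = h["ports"].most_common(1)[0][0]
            rows.append((ip, h["entries"], len(h["dests"]), top_port))
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for row in suspects(SAMPLE):
        print("%-15s entries=%d dests=%d top_dport=%s" % row)
```

Hosts reported here are the candidates for the inbound ACL on the inside interface and for cleanup; the dominant destination port shows what to match on.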