Constant TCP traffic on LAN

Similar Messages

• Switch sending tcp traffic to incorrect interface

  Need help diagnosing a layer 2 networking issue. We had a report from an end user of slow file server access from his computer but local applications were responding normally. No one else was having issues in his area. Port mirrored the employees access port (Gi1/0/33) and noticed traffic from another computer crossing onto his port. Our design is to have one computer per port. This traffic was not intended for his computer as it was another employee opening and closing files on the file server (file server located on another switch). Checked MAC address table and his MAC address was the only one associated on the port. Traced the 2nd employees MAC address to a neighboring port (Gi1/0/35). Only MAC address associated on Gi1/0/35 was the 2nd employees. Cleared the mac address entry for Gi1/0/33 only and the extra traffic was eliminated immediately. 
  Why would a switch send tcp traffic to a port that a client does not communicate on? I asked the second employee if they noticed any issue in accessing the file server and none were reported.  Switch is a 3750x with version 12.2. 

  I've been double checking everything this morning and I feel we were not attacked. All the MAC addresses in my capture are valid system addresses. ISE does not show any authorized machines attempting to connect to the switch. We have DHCP snooping enabled throughout the organization. That was a great article to learn from though.
  I've included a visio of the setup and a snippet of the wire capture and arp/mac tables as were captured during the incident. Traffic from the fileserver intended for employee 2 was flooding the port employee 1 was connected on. The destination MAC address of the packets were not meant for employee 1. 
  Default config for both ports:
   switchport access vlan 101
   switchport mode access
   ip access-group ACL_DEFAULT in
   authentication event fail action next-method
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication violation restrict
   mab
   snmp trap mac-notification change added
   snmp trap mac-notification change removed
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
   spanning-tree bpduguard enable
  Am I missing something? Was this an attack? Was it a fluke? 

• Using Xserve to route traffic between LANs

  A couple of years ago Camelot posted a response on how to set up an Xserve to route network traffic between the Xserve's internal NICs (http://discussions.apple.com/thread.jspa?threadID=1193839&tstart=127). In that situation, both LANs were 192.168.x.x. Can this same technique be used where one LAN is 192.168.x.x and the other LAN is 172.16.x.x or do the first two octets have to be the same for this to work? Addresses on the 172.16 are dished out from a Cisco PIX501 which I don't control. The Xserve has a fixed IP of 172.16.128.241 (DHCP with manual address) on en0. The 192.168 LAN is on en1 and the XServe does the DHCP for that side. NAT is on with IP forwarding. I can get to systems on the 172.16 LAN from the 192.168 LAN but not vice versa.
  Xserve is running Server 10.5.4

  Can this same technique be used where one LAN is 192.168.x.x and the other LAN is 172.16.x.x or do the first two octets have to be the same for this to work?
  You can route between any connected networks. There doesn't have to be any common elements in the IP address subnets.
  I can get to systems on the 172.16 LAN from the 192.168 LAN but not vice versa.
  You say you're running NAT on this system. NAT is not needed (or, in fact, desired) since it's designed for one way traffic (e.g. traffic from LAN 1 is translated to an address in LAN2 before forwarding). To have traffic flow the other way you need to setup port forwarding, which isn't practical for a large number of machines.
  My earlier suggestion doesn't suggest enabling NAT at all, just IP Forwarding. IP Forwarding should work both ways provided the relevant devices in each LAN know where to route the traffic (e.g. devices in the 192.168.x.x LAN need to have a route that sends traffic for 172.16.x.x to the 192.168.x.x address of the XServe).

• The access to our new chess hall may be blocked by your local firewall. You would need to reconfigure your firewall to open port 15010 for TCP traffic.

  How do I do the following so I can get into my chess program??
  The access to our new chess hall may be blocked by your
  local firewall. You would need to reconfigure your firewall to open port 15010
  for TCP traffic.

  This is not really Firefox related.
  What you need to do here is to read the firewall manual which usually explains how to create a rule for what you want to do.
  If you're using the Windows XP firewall, see this Microsoft article: http://windows.microsoft.com/en-US/windows-vista/Firewall-frequently-asked-questions

• WAAS - Dropping TCP Traffic

  I'm having issues with TCP traffic between my edge and my core. Using L2 redirection at my edge with a 4507 (l3) and L2 redirection at my core with a 6500Sup720. I have a dedicated VLAN for my WAE's at both sites.
  I issue the 'sh tfo connection summary' on my Core WAE and I see the following:
  Local-IP:Port Remote-IP:Port ConnType
  HostAIP:45056 HostBIP:80 PT AD Int Error
  Does anyone know what the 'PT AD Int Error' indicates?

  Michael,
  We'll need to collect some additional information to determine what is going on. Can we start with the following (assuming you can reproduce the condition):
  1. Change the disk logging level to 'debug':
  conf
  logg disk prior debug
  end
  2. Enable TFO AD debugging;
  debug tfo conn auto
  3. Disable the debug:
  un all
  4. Send me the syslog.txt file from the local1 directory.
  Would it also be possible to collect a packet capture from the WAE showing this state?
  Thanks,
  Zach

• IPhone app to intercept TCP traffic

  Hi,
  I would like to write an app for iPhone that will run in background and intercept all TCP traffic on iPhone generated by Safari browser.
  Is it possible to write such an app? Any relevant links or articles would be much appreciated.
  Anyone aware of similar app that runs on normal iPhone (not jailbreak)?
  Thanks.
  Ambi.

  >intercept all TCP traffic on iPhone generated by Safari browser.
  Your app does not have access outside of it's own sandbox....it's a privacy thing and a good one too.

• Maill.app constant outbound traffic problem

  Hi Guys
  strange issue where mail.app is just sending lots of outbound traffic and saturating my upload bandwidth...
  I can also see its the top ranker in littlesnitch for outbound traffic....
  My desktop appears unaffected...its only my MBP showing this problem. Could this be some sort of syncing issue? It has now been doing it for a while.
  TIA
  Neil

  hmm now its stopped and now i have constant inbound traffic? It obviously a sync of some kind but it took ages and i'm not really sure why it even needed such a large sync?
  Ill see how long it takes to download whatever its downloading and then post the graph for future ref....
  As a note I did do a quick packet capture and it seems to be only communicating with IP addresses registered to apple and it appears to be encrypted using SSL....so im not expecting anything too fishy....such as a virus or spyware

• Debugging TCP traffic

  I have an access list as shown:
  access-list 199 permit tcp host <ip address> any
  What debugging command can I use so that I can see the TCP traffic from this specific list?
  Thanks

  Corey
  There is an implicit part of the answer by Ankur and I think it helps to make it explicit. If you add the log keyword to the access list, then you also need to apply the access list to appropriate interface(s). And you would need to determine if there is any interaction between this access list and any other access lists that may be applied on any interface.
  I believe that you were probably looking for the debug ip packet 199 as Ankur has said. This modifies the debug output and only shows traffic that matches the access list. This can be very effective in reducing the impact of a debug that is potentially very disruptive.
  Also if you are telnetted to a router when you do this you will need to do terminal monitor so that you can see the debug output.
  HTH
  Rick

• Filtering traffic inside LAN

  Hi.
  I have the following setup.
  As gateway to the Internet i have a Cisco 2911 router with IP 192.168.20.10.
  The company have a lease line to the other companies in their company group, all owned by a single mother company. IP of the gateway for this leased line is 192.168.20.11.
  My machines and servers are on the single subnet 192.168.20.0/24.
  My problem is the following, i want a machine that has the capability to filter traffic going from 192.168.20.11 to my SAN wich is on 192.168.20.35. Do i use a machine with firewall as proxy and bridging the interfaces on that machine or how do i go about this? Im concerned about this as the other companies connected via this leased line may be infected with viruses and such.
  Would be great if someone could givet me a hint on a machine that would do the trick.
  Kind regards,
  Tommy

                           Network-A
                                        |
                                        |
  192.168.20.0/24-----Cisco2911---Internet---
                                        |
                                        |
                                 Network-B
  Are you saying that you want to make sure the 192.168.20.0/24 network is free of virus what you have to do?
  You can add an ASA firewall with CSC module and it will scan tcp ports 80, 443, 21 and 25 and make sure the content is clean.
  You can read more about it here:
  http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc4.html
  -Kureli

• Slow tcp traffic over ge0 interface

  I have a server that while using ge0 for UDP traffic, it uses full bandwidth, but for tcp is slow as hell.... ttcp is showing how slow it is, into the kbps rather than mbps. I want to know if there is a specific patch to fix this.

  I've been double checking everything this morning and I feel we were not attacked. All the MAC addresses in my capture are valid system addresses. ISE does not show any authorized machines attempting to connect to the switch. We have DHCP snooping enabled throughout the organization. That was a great article to learn from though.
  I've included a visio of the setup and a snippet of the wire capture and arp/mac tables as were captured during the incident. Traffic from the fileserver intended for employee 2 was flooding the port employee 1 was connected on. The destination MAC address of the packets were not meant for employee 1. 
  Default config for both ports:
   switchport access vlan 101
   switchport mode access
   ip access-group ACL_DEFAULT in
   authentication event fail action next-method
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication violation restrict
   mab
   snmp trap mac-notification change added
   snmp trap mac-notification change removed
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
   spanning-tree bpduguard enable
  Am I missing something? Was this an attack? Was it a fluke? 

• Firewall Allow all traffic on lan

  Is there a way to make a firewall rule to allow all traffic on en1? I have my ip ranges set to allow all traffic, but I still have to turn the firewall off for DHCP to give IP addresses to new devices on the network.

  dtich wrote:
  thx dean, yes, i had certainly looked at the log, which shows these entries:
  Nov 11 21:49:25 north-knoll-server ipfw[8789]: 65534 Deny UDP 169.254.14.242:138 169.254.255.255:138 in via en0
  but i have no idea where 169xxx is, nothing on my lan... if the port is 65534, that's an ftp passive port, tried opening that, doesn't solve the problem. if the port is 138, that's netbios, which would be odd, but i tried opening that too. nothing doing. can't figure it out. and the log really isn't helping too much.
  traceroute gives me:
  traceroute to 169.254.14.242 (169.254.14.242), 64 hops max, 40 byte packets
  1 169.254.14.242 (169.254.14.242) 0.593 ms 0.504 ms 0.195 ms
  so, i guess that's some internal address that my router uses or something..?? wacky. i'm out of my depth here.
  if i allow 169.254.x.x, i still get no joy.
  mean anything else to you?
  yeah, 169.254.x.x is part of the zeroconf net address range. (See http://en.wikipedia.org/wiki/Zeroconf for more details)
  Not sure why the device in particular is trying port 138 unless it's Windows box maybe? Is en0 on your local network or external?

• Displaying client tcp traffic

  I want to see what my associated users are connecting to [ip address] and what tcp port.
  I see a command that is close to what I'm looking for....show tcp brief. This is what I get:
  TCB Local Address Foreign Address (state)
  00B1063C 10.1.1.15.23 laptop.am.4823 ESTAB
  [This shows my laptop hitting the AP on port 23.]
  The problem is that this is from the AP perspective, I'm looking for connection details from a user perspective.
  Does anyone know if this is possible and if so what command would accomplish this?

  You will want to look into netflow
  there are several commercial apps that do this as well as open source apps such as ntop.
  You can also get such info along with even more detail using sniffer software.
  The cisco wireless system has the ability to feed a sniffer app from the wireless directly.
  if you are using 4.x wlc, you can feed it to airopeek, if you are using 5.x & above, you can point it at wireshark
  http://www.cisco.com/en/US/docs/wireless/controller/4.2/command/reference/cli42c1.html#wp2465366

• ASA5500: TCP state bypass for traffic, coming from IPsec tunnel

  Hello!
  We have problems on central firewall with restricting traffic coming from remote office from IPsec. (The network sheme is attached)
  All branch offices are connected to central asa though IPsec.
  The main aim is to rule access from branch offices only on the central firewall, NOT on each IPsec tunnel
  According to the sheme:
  172.16.1.0/24 is on of the branch office LANs
  10.1.1.0/24 and 10.2.2.0/24 are central office LAN
  The crypto ACL looks like  permit ip 172.16.1.0/24 10.0.0.0/8
  The aim is to
  restrict access from 172.16.1.0/24 to 10.1.1.0/24
  When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is ok -  they are dropped by acl2
  When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is stateful firewall - traffic bypasses all access lists on a back path
  I thought that TCP State Bypass feature can solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.
  The central asa 5500 is configured according to cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
  access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
  class-map tcp_bypass_map
  description "TCP traffic that bypasses stateful firewall"
  match access-list tcp_bypass_acl
  policy-map tcp_bypass_policy
  class tcp_bypass_map
  set connection advanced-options tcp-state-bypass
  service-policy tcp_bypass_policy interface outside
  service-policy tcp_bypass_policy interface inside
  Does anyone know, how to make TCP State Bypass works properly?

  I understand the pain of creating diffrent crypto for diffrent tunnels but i never come across better solution. However TCP state bypass is not going to help in regards to restrict access. TCP state bypass is a way to for FW to act like router which does not do statefull and I dont think that fits in your scenario.
  You can still control access on center site by using vpn-filters.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
  Thanks
  Ajay

• Cisco RV042 Firewall Blocking LAN Traffic

  Hello Everyone,
  I currently have an RV042G with a downstream SG-300 connected to one of the LAN interfaces.  Connected to the SG-300 are a couple servers running ESXi.  Intervlan routing is working fine on the current setup; however, I only able to connect to my ESXi hosts on a separate VLAN for approximately a minute before the connection is dropped.  I have concluded that the firewall seems to be culprit in blocking my traffic.  If I turn the firewall off, everything acts as expected.  There is a default "ANY/ANY" rule for LAN traffic enabled and I have added a couple extras allowing all traffic for IP ranges, but I still seem to be losing my connections.  To make matters more confusing, I can see ACCESS_RULE events in the firewall logs permitting the traffic (or so I'm interpretting).
  Regardless, here's how my rules currently stand below.  I put another ANY/ANY rule in because the default didn't seem to be working -- I immediately was able to ping other hosts on different VLANs after adding the rule.  I was under the assumption allowing all traffic from any source to any destination would make the LAN pretty accessible.  I would appreciate any guidance or resources on this topic to set up some quick firewall rules to get things up and running.  Thanks in advance.
  Priority
  Enable
  Action
  Service
  Source
  Interface
  Source
  Destination
  Time
  Day
  Delete
  123
  Allow
  All Traffic [1]
  LAN
  10.10.21.1 ~ 10.10.21.31
  10.10.10.10 ~ 10.10.10.10
  Always
  123
  Allow
  All Traffic [1]
  LAN
  10.10.10.10 ~ 10.10.10.10
  10.10.21.1 ~ 10.10.21.31
  Always
  123
  Allow
  All Traffic [1]
  LAN
  Any
  Any
  Always
  Allow
  All Traffic [1]
  LAN
  Any
  Any
  Always
  Deny
  All Traffic [1]
  WAN1
  Any
  Any
  Always
  Deny
  All Traffic [1]
  WAN2
  Any
  Any
  Always

  I guess I should clarify, the SG-300 is running in Layer 3 mode, and the VLANs are defined on it; however, the static routes are defined on the RV042.  Maybe there's a more efficient way of doing this? 
  Below is a scrubbed copy of my switch configuration. 
  config-file-header
  SWITCH01
  v1.3.5.58 / R750_NIK_1_35_647_358
  CLI v1.0
  set system mode router
  vlan database
  vlan 2
  exit
  no bonjour enable
  hostname SWITCH01
  no logging console
  ip ssh server
  ip ssh password-auth
  clock timezone CEST +1
  interface vlan 1
  ip address 10.10.10.2 255.255.255.0
  no ip address dhcp
  interface vlan 2
  name VIRTUAL-MANAGEMENT
  ip address 10.10.21.1 255.255.255.224
  interface gigabitethernet1
  description ESXI01:VMNIC0:MGMT
  switchport trunk allowed vlan add 2
  interface gigabitethernet20
  description UPLINK
  exit
  ip route 0.0.0.0 /0 10.10.10.1 metric 15
  The routes I have defined is:
  Destination IP
  Subnet Mask
  Default Gateway
  Hop Count
  Interface
  10.10.21.0
  255.255.255.224
  10.10.10.2
  1
  eth0
  10.10.10.0
  255.255.255.0
  0
  eth0
  255.255.252.0
  0
  eth1
  239.0.0.0
  255.0.0.0
  0
  eth0
  default
  0.0.0.0
  40
  eth1
  Just to reiterate the problem, I am able to connect to hosts on VLAN 2 from my computer on VLAN 1, but I am disconnected a minute or so later.  When the firewall is disabled, I have no issues with connecting to the host across VLANs and maintaining that connection.  Maybe I have a misconfiguration somewhere that is causing some issues?  I appreciate the help. 

• Slow TCP performance for traffic routed by ACE module

  Hi,
  the customer uses two ACE20 modules in active-standby mode. The ACE load-balances servers correctly. But there is a problem with communication between servers in the different ACE contexts. When the customer uses FTP from one server in one context to the other server in other context the throughput through ACE is about 23 Mbps. It is routed traffic in ACE:-(  See:
  server1: / #ftp server2
  Connected to server2.cent.priv.
  220 server2.cent.priv FTP server (Version 4.2 Wed Apr 2 15:38:27 CDT 2008) ready.
  Name (server2:root):
  331 Password required for root.
  Password:
  230 User root logged in.
  ftp> bin
  200 Type set to I.
  ftp> put "|dd if=/dev/zero bs=32k count=5000 " /dev/null
  200 PORT command successful.
  150 Opening data connection for /dev/null.
  5000+0 records in.
  5000+0 records out.
  226 Transfer complete.
  163840000 bytes sent in 6.612 seconds (2.42e+04 Kbytes/s)
  local: |dd if=/dev/zero bs=32k count=5000  remote: /dev/null
  ftp>
  The output from show resource usage doesn't show any drops:
  conc-connections              0          0     800000    1600000          0
    mgmt-connections             10         54      10000      20000          0
    proxy-connections             0          0     104858     209716          0
    xlates                        0          0     104858     209716          0
    bandwidth                     0      46228   50000000  225000000          0
      throughput                  0       1155   50000000  100000000          0
      mgmt-traffic rate           0      45073          0  125000000          0
    connections rate              0          9     100000     200000          0
    ssl-connections rate          0          0        500       1000          0
    mac-miss rate                 0          0        200        400          0
    inspect-conn rate             0          0        600       1200          0
    acl-memory                 7064       7064    7082352   14168883          0
    sticky                        6          6     419430          0          0
    regexp                       47         47     104858     209715          0
    syslog buffer            794624     794624     418816     431104          0
    syslog rate                   0         31      10000      20000          0
  There is parameter map configured with rebalance persistant for cookie insertion in the context.
  Do you know how can I increase performance for TCP traffic which is not load-balanced, but routed by ACE? Thank you very much.
  Roman

  Default inactivity timeouts used by ACE are
  icmp 2sec
  tcp 3600sec
  udp 120sec
  With your config you will change inactivity for every protocol to 7500sec.If you want to change TCP timeout to 7500sec and keep the
  other inactivity timeouts as they are now use following
  parameter-map type connection GLOBAL-TCP
  set timeout inactivity 600
  parameter-map type connection GLOBAL-UDP
  set timeout inactivity 120
  parameter-map type connection GLOBAL-ICMP
  set timeout inactivity 2
  class-map match-all ALL-TCP
  match port tcp any
  class-map match-all ALL-UDP
  match port tcp any
  class-map match-all ALL-ICMP
  match port tcp any
  policy-map multi-match TIMEOUTS
  class ALL-TCP
  connection advanced GLOBAL-TCP
  class ALL-UDP
  connection advanced GLOBAL-UDP
  class ALL-TCP
  connection advanced GLOBAL-ICMP
  and apply service-policy TIMEOUTS globally
  Syed Iftekhar Ahmed