Slow TCP traffic over ge0 interface
I have a server that, while using ge0 for UDP traffic, uses the full bandwidth, but for TCP it is slow as hell. ttcp shows how slow it is: into the kbps rather than Mbps. I want to know if there is a specific patch to fix this.
Similar Messages
-
Switch sending TCP traffic to incorrect interface
Need help diagnosing a layer 2 networking issue. We had a report from an end user of slow file server access from his computer but local applications were responding normally. No one else was having issues in his area. Port mirrored the employees access port (Gi1/0/33) and noticed traffic from another computer crossing onto his port. Our design is to have one computer per port. This traffic was not intended for his computer as it was another employee opening and closing files on the file server (file server located on another switch). Checked MAC address table and his MAC address was the only one associated on the port. Traced the 2nd employees MAC address to a neighboring port (Gi1/0/35). Only MAC address associated on Gi1/0/35 was the 2nd employees. Cleared the mac address entry for Gi1/0/33 only and the extra traffic was eliminated immediately.
Why would a switch send TCP traffic to a port that a client does not communicate on? I asked the second employee if they noticed any issue in accessing the file server and none were reported. Switch is a 3750X with version 12.2.
I've been double checking everything this morning and I feel we were not attacked. All the MAC addresses in my capture are valid system addresses. ISE does not show any unauthorized machines attempting to connect to the switch. We have DHCP snooping enabled throughout the organization. That was a great article to learn from though.
I've included a visio of the setup and a snippet of the wire capture and arp/mac tables as were captured during the incident. Traffic from the fileserver intended for employee 2 was flooding the port employee 1 was connected on. The destination MAC address of the packets were not meant for employee 1.
Default config for both ports:
switchport access vlan 101
switchport mode access
ip access-group ACL_DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
Am I missing something? Was this an attack? Was it a fluke? -
LOST TCP SESSION, LDP AND BGP, OVER ONE INTERFACE
On a 7609 PE router, only the TCP sessions attached to one interface (Te3/3) were lost. The router shows this log:
Aug 4 13:17:31.424: %LDP-5-NBRCHG: LDP Neighbor 200.111.117.251:0 (1) is DOWN (Session KeepAlive Timer expired)
Aug 4 13:19:52.493: %BGP-5-ADJCHANGE: neighbor 200.11.96.126 Down BGP Notification sent
Aug 4 13:19:52.493: %BGP-3-NOTIFICATION: sent to neighbor 200.11.96.126 4/0 (hold time expired) 0 bytes
Aug 4 13:42:11.265: %BGP-5-ADJCHANGE: neighbor 200.11.96.126 Up
Aug 4 13:42:23.549: %LDP-5-NBRCHG: LDP Neighbor 200.111.117.251:0 (1) is UP
The device did not show an interface flap.
The device did not lose OSPF adjacency over the same interface.
The device did not lose TCP sessions over other interfaces.
Please help me.
I suspect a bug, but I failed to find one.
Christian
Hi Nagendra,
This is the output of sh tcp brief:
PE2-PCS-RANCAGUA#sh tcp brief
TCB Local Address Foreign Address (state)
4B558124 200.11.98.9.646 200.11.98.37.51654 ESTAB
53336910 200.11.98.9.646 200.111.117.61.49833 ESTAB
4B4CF2A0 200.11.98.9.646 200.111.117.20.64138 ESTAB
536E56A4 200.11.98.9.61369 200.11.96.126.179 ESTAB
53359454 200.11.98.9.22913 200.11.96.81.646 ESTAB
4B6C25EC 200.11.98.9.646 200.111.117.251.53802 ESTAB
537CFBE4 200.11.98.9.62975 200.11.96.125.179 ESTAB
5330A774 200.11.98.9.646 200.111.117.86.62367 ESTAB
4B4D97EC 200.11.98.9.18753 200.11.96.88.646 ESTAB
4B018A28 200.11.98.9.61292 200.11.98.8.646 ESTAB
4B0B176C 200.11.98.9.23 190.151.64.218.36508 ESTAB
4B1976F0 200.11.98.9.17760 190.151.97.92.646 ESTAB
4B261BD0 200.11.98.9.646 200.72.146.42.64641 ESTAB
537CEFF8 200.11.98.9.646 200.111.117.74.54785 ESTAB
531F4890 200.11.98.9.15536 190.151.97.77.646 ESTAB
5359F5B4 200.11.98.9.24658 190.151.97.74.646 ESTAB
PE2-PCS-RANCAGUA#
Christian -
Slow TCP performance for traffic routed by ACE module
Hi,
the customer uses two ACE20 modules in active-standby mode. The ACE load-balances servers correctly. But there is a problem with communication between servers in different ACE contexts. When the customer uses FTP from a server in one context to a server in another context, the throughput through the ACE is about 23 Mbps. It is routed traffic in the ACE :-( See:
server1: / #ftp server2
Connected to server2.cent.priv.
220 server2.cent.priv FTP server (Version 4.2 Wed Apr 2 15:38:27 CDT 2008) ready.
Name (server2:root):
331 Password required for root.
Password:
230 User root logged in.
ftp> bin
200 Type set to I.
ftp> put "|dd if=/dev/zero bs=32k count=5000 " /dev/null
200 PORT command successful.
150 Opening data connection for /dev/null.
5000+0 records in.
5000+0 records out.
226 Transfer complete.
163840000 bytes sent in 6.612 seconds (2.42e+04 Kbytes/s)
local: |dd if=/dev/zero bs=32k count=5000 remote: /dev/null
ftp>
The output from show resource usage doesn't show any drops:
conc-connections 0 0 800000 1600000 0
mgmt-connections 10 54 10000 20000 0
proxy-connections 0 0 104858 209716 0
xlates 0 0 104858 209716 0
bandwidth 0 46228 50000000 225000000 0
throughput 0 1155 50000000 100000000 0
mgmt-traffic rate 0 45073 0 125000000 0
connections rate 0 9 100000 200000 0
ssl-connections rate 0 0 500 1000 0
mac-miss rate 0 0 200 400 0
inspect-conn rate 0 0 600 1200 0
acl-memory 7064 7064 7082352 14168883 0
sticky 6 6 419430 0 0
regexp 47 47 104858 209715 0
syslog buffer 794624 794624 418816 431104 0
syslog rate 0 31 10000 20000 0
There is a parameter map configured with rebalance persistent for cookie insertion in the context.
Do you know how I can increase performance for TCP traffic which is not load-balanced, but routed by the ACE? Thank you very much.
Roman
Default inactivity timeouts used by ACE are
icmp 2sec
tcp 3600sec
udp 120sec
With your config you will change inactivity for every protocol to 7500sec. If you want to change the TCP timeout to 7500sec and keep the other inactivity timeouts as they are now, use the following:
parameter-map type connection GLOBAL-TCP
set timeout inactivity 7500
parameter-map type connection GLOBAL-UDP
set timeout inactivity 120
parameter-map type connection GLOBAL-ICMP
set timeout inactivity 2
access-list ALL-ICMP-ACL line 10 extended permit icmp any any
class-map match-all ALL-TCP
match port tcp any
class-map match-all ALL-UDP
match port udp any
class-map match-all ALL-ICMP
match access-list name ALL-ICMP-ACL
policy-map multi-match TIMEOUTS
class ALL-TCP
connection advanced GLOBAL-TCP
class ALL-UDP
connection advanced GLOBAL-UDP
class ALL-ICMP
connection advanced GLOBAL-ICMP
and apply service-policy TIMEOUTS globally
Syed Iftekhar Ahmed -
Calculate traffic amount on interface
Team:
I have not deployed any monitoring software yet; however, Cacti is in the works. But is it possible to change ‘five minute input rate / five minute output rate’ time interval from 5 min to secs and get an accurate account of traffic going over a FastEthernet interface? Would I choke the hardware (3750) if I can change this attribute? Would this be a good method to see the load/traffic values in real time?
BACKGROUND:
The server team has deployed a new SQL server, and the DB devs are complaining that it is slow. I am suspecting that more traffic is going over the interfaces than what the 'server team' and 'db devs' indicated, because they know I would raise a stink. I do not have access to the database server, nor the other end, yet I have access to the network gear between the points.
Since I have never faced this type of issue, or problem – I need some direction and/or suggestions on how to troubleshoot this type of issue.
Thanks
JJ
Hi Jason,
Issue the command load interval 30 on the interface and it will start displaying the input/output rate for 30 secs.
This won't impact the efficiency of the switch.
For further troubleshooting of the issue check for any output drops/ input errors/crc in the show interface fax/y output.
Thanks
Ankur
"Please rate the post if found useful" -
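What the answer above leaves to the reader is turning the `show interface` output into numbers you can act on once `load-interval 30` (the interface-level IOS command the answer refers to) has shortened the averaging window. The parser below is an added example, not code from the original thread: it reads one interface block, works out utilisation against the interface's BW, and pulls the counters the answer says to check (output drops, input errors, CRC). `SAMPLE` is constructed to look like a 3750 FastEthernet port serving the SQL server after the load interval was set to 30 seconds; the MAC, counters and rates are made up. Because drops and errors are cumulative since the last clear, `counter_delta` compares two readings taken some time apart, which is the only way to tell whether a counter is still incrementing.

```python
"""Parse Cisco IOS 'show interface' output into utilisation and error indicators.

Added example for the 'load interval 30' thread above; not from the original
post. SAMPLE is a constructed block resembling a Catalyst 3750 FastEthernet
interface after 'load-interval 30' has been set; all numbers are made up.
"""
import re

SAMPLE = """\
FastEthernet1/0/12 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0200.0000.0c12 (bia 0200.0000.0c12)
  Description: SQL server, constructed sample
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 241/255, rxload 30/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 18422
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 11800000 bits/sec, 2100 packets/sec
  30 second output rate 94600000 bits/sec, 7900 packets/sec
     8123456 packets input, 1234567890 bytes, 0 no buffer
     Received 1200 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     7 input errors, 7 CRC, 0 frame, 0 overrun, 0 ignored
     31234567 packets output, 4123456789 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
"""

# Cumulative counters and the bandwidth field, as regexes with one capture group.
_COUNTERS = {
    "bw_kbit":    r"BW (\d+) Kbit",
    "in_q_drops": r"Input queue: \d+/\d+/(\d+)/\d+",
    "out_drops":  r"Total output drops: (\d+)",
    "in_errors":  r"(\d+) input errors",
    "crc":        r"\d+ input errors, (\d+) CRC",
    "out_errors": r"(\d+) output errors",
    "resets":     r"(\d+) interface resets",
}


def _grab(pattern, text, cast=int):
    """Return the first capture group of pattern, or fail loudly on unexpected output."""
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"field not found in show interface output: {pattern!r}")
    return cast(m.group(1))


def parse_show_interface(text):
    """Pull state, rates, bandwidth and error counters out of one interface's output."""
    head = re.match(r"(\S+) is (\S+), line protocol is (\S+)", text)
    if head is None:
        raise ValueError("not a 'show interface' block")
    rate = re.search(r"(\d+ (?:second|minute)) input rate (\d+) bits/sec", text)
    if rate is None:
        raise ValueError("no input rate line found")
    stats = {key: _grab(pat, text) for key, pat in _COUNTERS.items()}
    stats.update(name=head.group(1), link=head.group(2), proto=head.group(3),
                 load_interval=rate.group(1), in_bps=int(rate.group(2)),
                 out_bps=_grab(r"output rate (\d+) bits/sec", text))
    bw_bps = stats["bw_kbit"] * 1000
    stats["in_util_pct"] = 100.0 * stats["in_bps"] / bw_bps
    stats["out_util_pct"] = 100.0 * stats["out_bps"] / bw_bps
    return stats


def assess(stats, util_warn=80.0):
    """Findings from a single reading: saturation, queue drops, physical-layer errors."""
    findings = []
    for direction in ("in", "out"):
        util = stats[f"{direction}_util_pct"]
        if util >= util_warn:
            findings.append(f"{direction}put utilisation {util:.1f}% of {stats['bw_kbit']} kbit "
                            f"over the {stats['load_interval']} window")
    if stats["out_drops"] or stats["in_q_drops"]:
        findings.append(f"queue drops: {stats['out_drops']} output, {stats['in_q_drops']} input "
                        "(cumulative since last clear; take a second reading)")
    if stats["in_errors"] or stats["crc"]:
        findings.append(f"{stats['in_errors']} input errors / {stats['crc']} CRC: on a full-duplex "
                        "link this points at cabling, optics or a duplex mismatch, not load")
    return findings


def counter_delta(before, after, keys=("out_drops", "in_q_drops", "in_errors", "crc", "out_errors")):
    """Increase of the cumulative counters between two readings of the same interface."""
    return {k: after[k] - before[k] for k in keys}


if __name__ == "__main__":
    stats = parse_show_interface(SAMPLE)
    for line in assess(stats):
        print(line)
```

On the poster's 3750 the reading would come from `show interface FastEthernet1/0/12` pasted into a file; a utilisation figure in the 90s on the output side, together with output drops that keep climbing between two readings, is the evidence the poster wanted before going back to the server team. CRC errors are a separate conversation about the cable or NIC, and they show up the same way whether the link is busy or idle.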
Best way to pass IPv4 and IPv6 traffic over a GRE Tunnel
Hello,
We have two 3825 routers with Advanced Enterprise IOS 12.4.9(T). Each of them serves many IPv4 (private and public) and IPv6 networks on their respective site.
We have created a wireless link between the two, using 4 wireless devices, with IP Addresses 10.10.2.2, 3, 4, 5 respectively (1 and 6 are the two end Ethernet interfaces on the routers).
Then we created a GRE tunnel over this link using addresses 172.16.1.1 and 2 (for the two ends) to route traffic over this link.
Now we want to route IPv6 traffic over the same link. However, we found that simply routing the IPv6 traffic over the above GRE / IP tunnel did not work.
Questions:
Is there a way we can use the same (GRE / IP) tunnel to transport both IPv4 and IPv6 traffic?
If not, can we setup two GRE tunnels over the same wireless link, that is, one GRE / IP for IPv4 traffic and a second one GRE / IPv6 for IPv6 traffic?
In brief, what is the suggested way to transport IPv4 and IPv6 traffic over the aforementioned (wireless) link?
I have read http://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1061361 and other Internet material, however I am still confused.
Please help.
Thanks in advance,
Nick
We have set up two tunnels over the same link, one GRE / IP for the IPv4 traffic and one IPv6 / IP ("manual") for the IPv6 traffic. This setup seems to be working OK.
If there are other suggestions, please advise.
Thanks,
Nick -
Encapsulate ODBC traffic over HTTP???
Does anyone know if it's possible to have an external client (on the internet) make an ODBC connection to a database that is behind a firewall which only allows HTTP traffic to pass through? I guess the question is: is it possible to encapsulate ODBC traffic over the HTTP protocol so that it can pass through the firewall?
Thanks in advance,
John Sebastian
Probably not easily, no.
If the firewall allows arbitrary traffic on port 80, you could configure the Oracle database to accept connections on that port and configure the tnsnames.ora on the client machine to use port 80. This wouldn't go through HTTP, so if the firewall is actually analyzing the traffic, you'd be out of luck, but it would work if the port is wide open. Of course, it is a terrible idea from a security perspective-- opening up databases to connections over the internet is a recipe for pain and suffering.
It is certainly possible to write an ODBC to HTTP proxy that converts an ODBC call into some sort of web service call and then write an HTTP to ODBC proxy that lives inside the firewall that translates the HTTP calls back into ODBC calls, but that is likely to be very slow. And a lot of code-- I'm not aware of any commercial utilities that do that sort of thing.
Generally, the proper way to do something like this is to use Oracle Connection Manager (or something similar that is baked in to certain firewall products) to proxy the Oracle connection through the firewall. But that requires changing the firewall setup and/or installing additional software.
Justin -
IPS traffic over performance limit
Hi,
I could not find any information about traffic which exceeds the declared IPS appliance performance (throughput) limit.
Will those packets be dropped, or will they pass through without inspection?
Thanks in advance!
Radim
Hi Radim,
Oversubscription in IPS is at Interface level or Virtual Sensor level.
Hypothetically say IPS has 6 interfaces each being a gig port.
This does not mean IPS throughput is 6 gigs, since the inspection engine may not be able to handle 6 gig at a time.
For interface level oversubscription, if you send more traffic to an interface than it can handle, then you overwhelm its interface buffers.
The packets get dropped at the interface level.
The ' FIFO errors' counter under 'show interface' will show this error.
Packets dropped because more traffic is being sent to a virtual sensor than it can handle will be seen in the 'missed packet percentage' counter.
I shall check if this traffic is dropped or passed through uninspected and let you know.
The throughput of the IPS depends on the type of traffic flowing through it.
Please check the document below which explains IPS performance with some data for 4270.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7283.html
Hope this helps.
Sid Chandrachud
Cisco TAC - Security Team -
RV042 - Priority Routing HTTP Traffic Over WAN2?
Hi,
I have an RV042 set to load balancing. WAN1 is a T1 and WAN2 is an ADSL connection. It seems that more often than not web traffic is going out over the slower WAN1, so I'd like to try to route http traffic over the ADSL before the T1 due to the higher download speed.
Is there a way to do this?
Thanks!
blasty,
Yes it is possible. It is called protocol binding, and the configuration steps for this can be found on page 23 of this guide:
http://www.cisco.com/en/US/docs/routers/csbr/rv042/admin/guide/RV042_V10_UG_C-WEB.pdf
If you have any problems please post them in as much detail as possible.
Bill -
Transporting QinQ traffic over L2 EoMPLS circuit
Hello,
Suppose that we have QinQ traffic that reaches a GigabitEthernet interface of a GSR. (The second VLAN tag has been previously imposed at a dot1q-tunnel interface of some edge switch. Traffic that reaches the GSR has 2 VLAN tags.) We want to deliver this traffic (over an MPLS backbone) to the GigabitEthernet interface of another GSR. What configuration options are there ? Would a configuration like the following (symmetrically configured at both GigabitEthernet interfaces) work and why ?
interface GigabitEthernet s1/s2/s3.x
encapsulation dot1Q x
xconnect <peer-router-id> <vc-id> encapsulation mpls
(x above is supposed to play the role of the outermost/service VLAN tag)
I am wondering whether the command encapsulation dot1q second-dot1q is actually needed or not.
Any answers or documentation or related standards/drafts will be appreciated.
Kind Regards,
Maria
Hi Maria, [Pls RATE if HELPS]
I have implemented a Scenario as below:
Base Station - A
=================
Metro Edge Switch Config:
int Gi 0/46
switchport access vlan 402 >> OuterVLAN in QnQ
switchport mode dot1q-tunnel
description X-Connect to BaseStation-LAN
Base Station LAN Switch Config:
int GI 0/45
description X-connection to Metro Edge
switchport trunk encapsulation dot1q
switchport mode trunk
Base Station - B
=================
Metro Edge Switch Config:
int GI 0/46
switchport access vlan 401 >> OuterVlan in QnQ
switchport mode dot1q-tunnel
description X-connect to Base Station LAN
Base Station LAN Switch Config:
int GI 0/45
description X-Connect to Metro Edge
switchport trunk encapsulation dot1q
switchport mode trunk
NOC:
====
Metro Head end Switch Config:
int GI 0/45
description to X-Connect to Provider Edge
switchport mode dot1q-tunnel
switchport mode trunk
Provider Edge Router Config:
int Gi 0/1.402100
encapsulation dot1q 402 second-dot1q 100
!! 402 is the OuterVLAN and 100 is Customer VLAN
ip address 10.100.0.101 255.255.255.252
description Customer Base Station - A
int Gi 0/1.401100
encapsulation dot1q 401 second-dot1q 100
!! 401 is the OuterVLAN and 100 is Customer VLAN
ip address 10.100.0.101 255.255.255.252
description Customer Base Station - B
In the above config, QinQ is enabled on the Metro Edge, and the encapsulation function is carried out by the metro edge switches and the PE routers. This way the VLANs are duplicated within the metro network itself, which also keeps the VLAN allocation local.
Hope this is informative.
PLS RATE if HELPS
Best Regards,
Guru Prasad R -
Vpc bind-vrf on Nexus 7000/N7k to ensure forwarding of multicast traffic over peer-link?
In previous vPC setups with N5k (or also N6k), I had to use the 'vpc bind-vrf' command to ensure the forwarding of multicast over the vPC peer-link, especially for receivers in non-vPC VLANs and receivers connected to Layer 3 interfaces.
I am wondering why this command isn't available on N7k? Isn't this necessary on this platform or is it just not yet implemented?
Any hint is welcome!
Stephan Strack
Hey Stephan,
The 'vpc bind-vrf' command allocates a special internal VLAN for routing traffic over the vPC peer-link to ensure L3 connections on the vPC peer or orphan ports successfully receive multicast traffic on N5k/N6k platforms. This workaround is not needed on the N7K because that platform implements the vPC loop prevention rule differently in hardware.
In short, 'vpc bind-vrf' is not required on N7K.
-Andy -
I have an access list as shown:
access-list 199 permit tcp host <ip address> any
What debugging command can I use so that I can see the TCP traffic from this specific list?
Thanks
Corey
There is an implicit part of the answer by Ankur and I think it helps to make it explicit. If you add the log keyword to the access list, then you also need to apply the access list to appropriate interface(s). And you would need to determine if there is any interaction between this access list and any other access lists that may be applied on any interface.
I believe that you were probably looking for the debug ip packet 199 as Ankur has said. This modifies the debug output and only shows traffic that matches the access list. This can be very effective in reducing the impact of a debug that is potentially very disruptive.
Also if you are telnetted to a router when you do this you will need to do terminal monitor so that you can see the debug output.
HTH
Rick -
I have been trying to get my computer (OS X 10.7) to establish a Remote Desktop connection to my work computer via a VPN tunnel. In fact I have just discovered that it works fine if I select "send all traffic over VPN connection" from the options in the advanced setup of the VPN.
If the option is selected, Microsoft's "Remote Desktop Connection for Mac" works just fine. However, without selecting the option it does not take advantage of the tunnel but tries to connect as if the tunnel did not exist.
Now the question is: how do I get the program to use the VPN tunnel without checking the above option?
Thanks for any hints and pointers. -
Then can her computer be authorized to both accounts?
Absolutely. You can authorize any given computer to up to five iTunes Store accounts.
If purchases are made on her account, to a computer authorized to my account, can I put those songs on my iPod?
If you connect your iPod to her computer, yes. Tracks download only to the computer from which they're purchased, regardless of which iTunes Store account is used for the purchase. Or you could copy the tracks from her computer to yours and then authorize your computer to her iTunes Store account. But that's sort of defeating the original purpose, it would seem to me.
is it better to buy music through Amazon downloads and/or actually purchasing CDs to avoid the security features iTunes puts on its music?
That's certainly an option. If it's an entire album I want, I buy CDs. That way I can import them at the quality I want and to whichever of my systems I want. Amazon or one of the other download stores that offer tracks as MP3 are also an option, though for me download stores are best when you just want a couple of tracks off a given CD. -
Routing outgoing packets over multiple interfaces?
I have two network interfaces (eth0 and eth1) with separate IP addresses on the same subnet. All outgoing traffic uses eth0 regardless of the interface the incoming traffic came in on.
I assume the outgoing packets still have the correct source IP address (not always eth0's), and I'd like the packets to go out on the interface with the corresponding IP address.
I think I have half the solution to my problem:
http://www.novell.com/support/viewConte … Id=7000318
The other half is that my IPs are dynamic, so ddclient could change my IPs and then the routing would be invalid.
Last edited by MindlessXD (2009-02-10 07:06:16)
Set up custom route tables to be used depending on the iptables conntrack marks below:
ip route flush table 1
ip rule del fwmark 101 table 1
ip route add table 1 default via <GATEWAY IP> dev eth0 src <ETH0 IP ADDRESS>
ip rule add fwmark 101 table 1
ip route flush table 2
ip rule del fwmark 102 table 2
ip route add table 2 default via <GATEWAY IP> dev eth1 src <ETH1 IP ADDRESS>
ip rule add fwmark 102 table 2
I'm not 100% sure if you can add a route via the interface's IP address. This code has been modified from a box using 2 different ISPs, so they have different upstream routers. You might need to replace the 'via' parts with 'src'.
# Ensure traffic in one interface goes back out the same interface
iptables -t mangle -F PREROUTING
iptables -t mangle -F OUTPUT
# Incoming: restore any mark already saved on the connection, otherwise mark NEW connections by ingress interface
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -m state --state NEW -j MARK --set-mark 101
iptables -t mangle -A PREROUTING -i eth1 -m state --state NEW -j MARK --set-mark 102
# Save the packet mark onto the conntrack entry so the replies can inherit it
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
# Locally generated replies traverse OUTPUT, not PREROUTING: restore the connection mark there so 'ip rule ... fwmark' picks the matching table
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark -
How do I do the following so I can get into my chess program??
The access to our new chess hall may be blocked by your
local firewall. You would need to reconfigure your firewall to open port 15010
for TCP traffic.
This is not really Firefox related.
What you need to do here is to read the firewall manual which usually explains how to create a rule for what you want to do.
If you're using the Windows XP firewall, see this Microsoft article: http://windows.microsoft.com/en-US/windows-vista/Firewall-frequently-asked-questions