Slow tcp traffic over ge0 interface

I have a server that, while using ge0 for UDP traffic, uses the full bandwidth, but for TCP it is slow as hell.... ttcp shows how slow it is: in the kbps rather than Mbps. I want to know if there is a specific patch to fix this.

Similar Messages

  • Switch sending TCP traffic to incorrect interface

    Need help diagnosing a layer 2 networking issue. We had a report from an end user of slow file server access from his computer, but local applications were responding normally. No one else was having issues in his area. Port-mirrored the employee's access port (Gi1/0/33) and noticed traffic from another computer crossing onto his port. Our design is to have one computer per port. This traffic was not intended for his computer, as it was another employee opening and closing files on the file server (the file server is located on another switch). Checked the MAC address table and his MAC address was the only one associated with the port. Traced the 2nd employee's MAC address to a neighboring port (Gi1/0/35). The only MAC address associated with Gi1/0/35 was the 2nd employee's. Cleared the MAC address entry for Gi1/0/33 only and the extra traffic was eliminated immediately. 
    Why would a switch send TCP traffic to a port that a client does not communicate on? I asked the second employee if they noticed any issue in accessing the file server and none were reported. The switch is a 3750x with version 12.2. 

    I've been double checking everything this morning and I feel we were not attacked. All the MAC addresses in my capture are valid system addresses. ISE does not show any authorized machines attempting to connect to the switch. We have DHCP snooping enabled throughout the organization. That was a great article to learn from though.
    I've included a Visio of the setup and a snippet of the wire capture and ARP/MAC tables as captured during the incident. Traffic from the fileserver intended for employee 2 was flooding the port employee 1 was connected on. The destination MAC address of the packets was not meant for employee 1. 
    Default config for both ports:
     switchport access vlan 101
     switchport mode access
     ip access-group ACL_DEFAULT in
     authentication event fail action next-method
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    Am I missing something? Was this an attack? Was it a fluke? 

  • LOST TCP SESSION, LDP AND BGP, OVER ONE INTERFACE

    On a 7609 PE router, we lost only the TCP sessions attached to one interface (Te3/3). The router shows this log:
    Aug  4   13:17:31.424: %LDP-5-NBRCHG: LDP Neighbor 200.111.117.251:0 (1) is DOWN   (Session KeepAlive Timer expired)
    Aug  4   13:19:52.493: %BGP-5-ADJCHANGE: neighbor 200.11.96.126 Down BGP Notification   sent
    Aug  4   13:19:52.493: %BGP-3-NOTIFICATION: sent to neighbor 200.11.96.126 4/0 (hold   time expired) 0 bytes
    Aug  4   13:42:11.265: %BGP-5-ADJCHANGE: neighbor 200.11.96.126 Up
    Aug  4   13:42:23.549: %LDP-5-NBRCHG: LDP Neighbor 200.111.117.251:0 (1) is UP
    The device did not show an interface flap.
    The device did not show loss of OSPF adjacency over the same interface.
    The device did not show loss of TCP sessions over other interfaces.
    Please help me,
    I suspect a bug, but I failed to find it.
    Christian

    Hi Nagendra
    This is the output of sh tcp brief:
    PE2-PCS-RANCAGUA#sh tcp brief
    TCB       Local Address               Foreign Address             (state)
    4B558124  200.11.98.9.646             200.11.98.37.51654          ESTAB
    53336910  200.11.98.9.646             200.111.117.61.49833        ESTAB
    4B4CF2A0  200.11.98.9.646             200.111.117.20.64138        ESTAB
    536E56A4  200.11.98.9.61369           200.11.96.126.179           ESTAB
    53359454  200.11.98.9.22913           200.11.96.81.646            ESTAB
    4B6C25EC  200.11.98.9.646             200.111.117.251.53802       ESTAB
    537CFBE4  200.11.98.9.62975           200.11.96.125.179           ESTAB
    5330A774  200.11.98.9.646             200.111.117.86.62367        ESTAB
    4B4D97EC  200.11.98.9.18753           200.11.96.88.646            ESTAB
    4B018A28  200.11.98.9.61292           200.11.98.8.646             ESTAB
    4B0B176C  200.11.98.9.23              190.151.64.218.36508        ESTAB
    4B1976F0  200.11.98.9.17760           190.151.97.92.646           ESTAB
    4B261BD0  200.11.98.9.646             200.72.146.42.64641         ESTAB
    537CEFF8  200.11.98.9.646             200.111.117.74.54785        ESTAB
    531F4890  200.11.98.9.15536           190.151.97.77.646           ESTAB
    5359F5B4  200.11.98.9.24658           190.151.97.74.646           ESTAB
    PE2-PCS-RANCAGUA#
    Christian

  • Slow TCP performance for traffic routed by ACE module

    Hi,
    the customer uses two ACE20 modules in active-standby mode. The ACE load-balances servers correctly. But there is a problem with communication between servers in different ACE contexts. When the customer uses FTP from a server in one context to a server in another context, the throughput through the ACE is about 23 Mbps. It is routed traffic in the ACE :-(  See:
    server1: / #ftp server2
    Connected to server2.cent.priv.
    220 server2.cent.priv FTP server (Version 4.2 Wed Apr 2 15:38:27 CDT 2008) ready.
    Name (server2:root):
    331 Password required for root.
    Password:
    230 User root logged in.
    ftp> bin
    200 Type set to I.
    ftp> put "|dd if=/dev/zero bs=32k count=5000 " /dev/null
    200 PORT command successful.
    150 Opening data connection for /dev/null.
    5000+0 records in.
    5000+0 records out.
    226 Transfer complete.
    163840000 bytes sent in 6.612 seconds (2.42e+04 Kbytes/s)
    local: |dd if=/dev/zero bs=32k count=5000  remote: /dev/null
    ftp>
    The output from show resource usage doesn't show any drops:
    conc-connections              0          0     800000    1600000          0
      mgmt-connections             10         54      10000      20000          0
      proxy-connections             0          0     104858     209716          0
      xlates                        0          0     104858     209716          0
      bandwidth                     0      46228   50000000  225000000          0
        throughput                  0       1155   50000000  100000000          0
        mgmt-traffic rate           0      45073          0  125000000          0
      connections rate              0          9     100000     200000          0
      ssl-connections rate          0          0        500       1000          0
      mac-miss rate                 0          0        200        400          0
      inspect-conn rate             0          0        600       1200          0
      acl-memory                 7064       7064    7082352   14168883          0
      sticky                        6          6     419430          0          0
      regexp                       47         47     104858     209715          0
      syslog buffer            794624     794624     418816     431104          0
      syslog rate                   0         31      10000      20000          0
    There is a parameter map configured with rebalance persistent for cookie insertion in the context.
    Do you know how I can increase performance for TCP traffic which is not load-balanced, but routed by the ACE? Thank you very much.
    Roman

    Default inactivity timeouts used by ACE are
    icmp 2sec
    tcp 3600sec
    udp 120sec
    With your config you will change the inactivity timeout for every protocol to 7500 sec. If you want to change the TCP timeout to 7500 sec and keep the
    other inactivity timeouts as they are now, use the following:
    parameter-map type connection GLOBAL-TCP
      set timeout inactivity 7500
    parameter-map type connection GLOBAL-UDP
      set timeout inactivity 120
    parameter-map type connection GLOBAL-ICMP
      set timeout inactivity 2
    ! ICMP has no ports, so it is matched through an ACL rather than "match port"
    access-list ALL-ICMP line 10 extended permit icmp any any
    class-map match-all ALL-TCP
      match port tcp any
    class-map match-all ALL-UDP
      match port udp any
    class-map match-all ALL-ICMP
      match access-list ALL-ICMP
    policy-map multi-match TIMEOUTS
      class ALL-TCP
        connection advanced-options GLOBAL-TCP
      class ALL-UDP
        connection advanced-options GLOBAL-UDP
      class ALL-ICMP
        connection advanced-options GLOBAL-ICMP
    and apply service-policy TIMEOUTS globally
    Syed Iftekhar Ahmed

  • Calculate traffic amount on interface

    Team:
    I have not deployed any monitoring software yet; however, Cacti is in the works. But is it possible to change the ‘five minute input rate / five minute output rate’ time interval from 5 min to seconds and get an accurate account of the traffic going over a FastEthernet interface? Would I choke the hardware (3750) if I change this attribute? Would this be a good method to see the load/traffic values in real time?
    BACKGROUND:
    The server team has deployed a new SQL server, and the DB devs are complaining that it is slow. I suspect that more traffic is going over the interfaces than what the ‘server team’ and ‘db devs’ indicated, because they know I would raise a stink. I do not have access to the database server, nor the other end, yet I have access to the network gear between the points.
    Since I have never faced this type of issue or problem – I need some direction and/or suggestions on how to troubleshoot it.
    Thanks
    JJ

    Hi Jason,
    Issue the command load interval 30 on the interface and it will start displaying the input/output rate over 30 secs.
    This won't impact the efficiency of the switch.
    For further troubleshooting of the issue, check for any output drops / input errors / CRC in the show interface fax/y output.
    Thanks
    Ankur
    "Please rate the post if found useful"

  • Best way to pass IPv4 and IPv6 traffic over a GRE Tunnel

    Hello,
    We have two 3825 routers with Advanced Enterprise IOS 12.4.9(T). Each of them serves many IPv4 (private and public) and IPv6 networks on their respective site.
    We have created a wireless link between the two, using 4 wireless devices, with IP Addresses 10.10.2.2, 3, 4, 5 respectively (1 and 6 are the two end Ethernet interfaces on the routers).
    Then we created a GRE tunnel over this link using addresses 172.16.1.1 and 2 (for the two ends) to route traffic over this link.
    Now we want to route IPv6 traffic over the same link. However, we found that simply routing the IPv6 traffic over the above GRE / IP tunnel did not work.
    Questions:
    Is there a way we can use the same (GRE / IP) tunnel to transport both IPv4 and IPv6 traffic?
    If not, can we setup two GRE tunnels over the same wireless link, that is, one GRE / IP for IPv4 traffic and a second one GRE / IPv6 for IPv6 traffic?
    In brief, what is the suggested way to transport IPv4 and IPv6 traffic over the aforementioned (wireless) link?
    I have read http://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1061361 and other Internet material, however I am still confused.
    Please help.
    Thanks in advance,
    Nick

    We have set up two tunnels over the same link, one GRE / IP for the IPv4 traffic and one IPv6 / IP ("manual") for the IPv6 traffic. This setup seems to be working OK.
    If there are other suggestions, please advise.
    Thanks,
    Nick

  • Encapsulate ODBC traffic over HTTP???

    Does anyone know if it's possible to have an external client (on the internet) make an ODBC connection to a database that is behind a firewall which only allows HTTP traffic to pass through? I guess the question is: is it possible to encapsulate ODBC traffic over the HTTP protocol so that it can pass through the firewall?
    Thanks in advance,
    John Sebastian

    Probably not easily, no.
    If the firewall allows arbitrary traffic on port 80, you could configure the Oracle database to accept connections on that port and configure the tnsnames.ora on the client machine to use port 80. This wouldn't go through HTTP, so if the firewall is actually analyzing the traffic, you'd be out of luck, but it would work if the port is wide open. Of course, it is a terrible idea from a security perspective-- opening up databases to connections over the internet is a recipe for pain and suffering.
    It is certainly possible to write an ODBC to HTTP proxy that converts an ODBC call into some sort of web service call and then write an HTTP to ODBC proxy that lives inside the firewall that translates the HTTP calls back into ODBC calls, but that is likely to be very slow. And a lot of code-- I'm not aware of any commercial utilities that do that sort of thing.
    Generally, the proper way to do something like this is to use Oracle Connection Manager (or something similar that is baked in to certain firewall products) to proxy the Oracle connection through the firewall. But that requires changing the firewall setup and/or installing additional software.
    Justin

  • IPS traffic over performance limit

    Hi,
    I could not find any information about traffic which exceeds the declared IPS appliance performance (throughput) limit.
    Will those packets be dropped, or will they pass through without inspection?
    Thanks in advance!
    Radim

    Hi Radim,
    Oversubscription in IPS is at the interface level or the virtual sensor level.
    Hypothetically, say the IPS has 6 interfaces, each being a gig port.
    This does not mean the IPS throughput is 6 gigs, since the inspection engine may not be able to handle 6 gig at a time.
    For interface-level oversubscription, if you send more traffic to an interface than it can handle, then you overwhelm its interface buffers.
    The packets get dropped at the interface level.
    The 'FIFO errors' counter under 'show interface' will show this error.
    Packets dropped because more traffic is being sent to the virtual sensor than it can handle will be seen in the 'missed packet percentage' counter.
    I shall check if this traffic is dropped or passed through uninspected and let you know.
    The throughput of the IPS depends on the type of traffic flowing through it.
    Please check the document below which explains IPS performance with some data for 4270.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7283.html
    Hope this helps.
    Sid Chandrachud
    Cisco TAC - Security Team

  • RV042 - Priority Routing HTTP Traffic Over WAN2?

    Hi,
    I have an RV042 set to load balancing.  WAN1 is a T1 and WAN2 is an ADSL connection.  It seems that more often than not web traffic is going out over the slower WAN1, so I'd like to try to route http traffic over the ADSL before the T1 due to the higher download speed.
    Is there a way to do this?
    Thanks!

    blasty,
    Yes it is possible. It is called protocol binding, and the configuration steps for this can be found on page 23 of this guide:
    http://www.cisco.com/en/US/docs/routers/csbr/rv042/admin/guide/RV042_V10_UG_C-WEB.pdf
    If you have any problems please post them in as much detail as possible.
    Bill

  • Transporting QinQ traffic over L2 EoMPLS circuit

    Hello,
    Suppose that we have QinQ traffic that reaches a GigabitEthernet interface of a GSR. (The second VLAN tag has been previously imposed at a dot1q-tunnel interface of some edge switch. Traffic that reaches the GSR has 2 VLAN tags.) We want to deliver this traffic (over an MPLS backbone) to the GigabitEthernet interface of another GSR. What configuration options are there? Would a configuration like the following (symmetrically configured at both GigabitEthernet interfaces) work, and why?
    interface GigabitEthernet s1/s2/s3.x
    encapsulation dot1Q x
    xconnect <peer-router-id> <vc-id> encapsulation mpls
    (x above is supposed to play the role of the outermost/service VLAN tag)
    I am wondering whether the command encapsulation dot1q second-dot1q is actually needed or not.
    Any answers or documentation or related standards/drafts will be appreciated.
    Kind Regards,
    Maria

    Hi Maria, [Pls RATE if HELPS]
    I have implemented a Scenario as below:
    Base Station - A
    =================
    Metro Edge Switch Config:
    int Gi 0/46
    switchport access vlan 402 >> OuterVLAN in QnQ
    switchport mode dot1q-tunnel
    description X-Connect to BaseStation-LAN
    Base Station LAN Switch Config:
    int GI 0/45
    description X-connection to Metro Edge
    switchport trunk encapsulation dot1q
    switchport mode trunk
    Base Station - B
    =================
    Metro Edge Switch Config:
    int GI 0/46
    switchport access vlan 401 >> OuterVlan in QnQ
    switchport mode dot1q-tunnel
    description X-connect to Base Station LAN
    Base Station LAN Switch Config:
    int GI 0/45
    description X-Connect to Metro Edge
    switchport trunk encapsulation dot1q
    switchport mode trunk
    NOC:
    ====
    Metro Head end Switch Config:
    int GI 0/45
    description to X-Connect to Provider Edge
    switchport mode dot1q-tunnel
    switchport mode trunk
    Provider Edge Router Config:
    int Gi 0/1.402100
    encapsulation dot1q 402 second-dot1q 100
    !! 402 is the OuterVLAN and 100 is Customer VLAN
    ip address 10.100.0.101 255.255.255.252
    description Customer Base Station - A
    int Gi 0/1.401100
    encapsulation dot1q 401 second-dot1q 100
    !! 401 is the OuterVLAN and 100 is Customer VLAN
    ip address 10.100.0.101 255.255.255.252
    description Customer Base Station - B
    In the above config, QnQ is enabled on the Metro Edge and the Provider Edge; the encapsulation function is carried out by the metro edge switches and the PE routers. This way the VLANs are duplicated within the Metro network itself, which also keeps VLAN allocation local.
    Hope I am Informative.
    PLS RATE if HELPS
    Best Regards,
    Guru Prasad R

  • Vpc bind-vrf on Nexus 7000/N7k to ensure forwarding of multicast traffic over peer-link?

    In previous vPC setups with N5k (or also N6k), I had to use the 'vpc bind-vrf' command to ensure the forwarding of multicast over the vPC peer-link, especially for receivers in non-vPC VLANs and receivers connected to Layer 3 interfaces.
    I am wondering why this command isn't available on N7k? Isn't this necessary on this platform or is it just not yet implemented?
    Any hint is welcome!
    Stephan Strack

    Hey Stephan,
    The 'vpc bind-vrf' command allocates a special internal VLAN for routing traffic over the vPC peer-link to ensure L3 connections on the vPC peer or orphan ports successfully receive multicast traffic on N5k/N6k platforms.  This workaround is not needed on the N7K because that platform implements the vPC loop prevention rule differently in hardware.
    In short, 'vpc bind-vrf' is not required on N7K.
    -Andy

  • Debugging TCP traffic

    I have an access list as shown:
    access-list 199 permit tcp host <ip address> any
    What debugging command can I use so that I can see the TCP traffic from this specific list?
    Thanks

    Corey
    There is an implicit part of the answer by Ankur and I think it helps to make it explicit. If you add the log keyword to the access list, then you also need to apply the access list to appropriate interface(s). And you would need to determine if there is any interaction between this access list and any other access lists that may be applied on any interface.
    I believe that you were probably looking for the debug ip packet 199 as Ankur has said. This modifies the debug output and only shows traffic that matches the access list. This can be very effective in reducing the impact of a debug that is potentially very disruptive.
    Also if you are telnetted to a router when you do this you will need to do terminal monitor so that you can see the debug output.
    HTH
    Rick

  • How can i use an existing vpn connection without using the option "Send all traffic over vpn connection"?

    I have been trying to get my computer (OS X.7) to establish a Remote Desktop connection to my work computer via a VPN tunnel. In fact I have just discovered that it works fine if I select "send all traffic over vpn connection" from the options in the advanced setup of the VPN.
    If the option is selected, Microsoft's "Remote Desktop Connection for Mac" works just fine. However, without selecting the option it is not taking advantage of the tunnel but tries to connect as if the tunnel did not exist.
    Now the question is: how do I get the program to use the VPN tunnel without checking the above option?
    Thanks for any hints and pointers.

    Then can her computer be authorized to both accounts?
    Absolutely. You can authorize any given computer to up to five iTunes Store accounts.
    If purchases are made on her account, to a computer authorized to my account, can I put those songs on my iPod?
    If you connect your iPod to her computer, yes. Tracks download only to the computer from which they're purchased, regardless of which iTunes Store account is used for the purchase. Or you could copy the tracks from her computer to yours and then authorize your computer to her iTunes Store account. But that's sort of defeating the original purpose, it would seem to me.
    is it better to buy music through Amazon downloads and/or actually purchasing CDs to avoid the security features iTunes puts on its music?
    That's certainly an option. If it's an entire album I want, I buy CDs. That way I can import them at the quality I want and to whichever of my systems I want. Amazon or one of the other download stores that offer tracks as MP3 are also an option, though for me download stores are best when you just want a couple of tracks off a given CD.

  • Routing outgoing packets over multiple interfaces?

    I have two network interfaces (eth0 and eth1) with separate IP addresses on the same subnet.  All outgoing traffic uses eth0 regardless of the interface the incoming traffic came in on.
    I assume the outgoing packets still have the correct source IP address (not always eth0's), and I'd like the packets to go out on the interface with the corresponding IP address.
    I think I have half the solution to my problem:
    http://www.novell.com/support/viewConte … Id=7000318
    The other half is that my IPs are dynamic, so ddclient could change my IPs and then the routing would be invalid.
    Last edited by MindlessXD (2009-02-10 07:06:16)

    Setup custom route tables to be used depending on the iptables conntrack marks below
    ip route flush table 1
    ip rule del fwmark 101 table 1
    ip route add table 1 default via <ETH0 IP ADDRESS>
    ip rule add fwmark 101 table 1
    ip route flush table 2
    ip rule del fwmark 102 table 2
    ip route add table 2 default via <ETH1 IP ADDRESS>
    ip rule add fwmark 102 table 2
    I'm not 100% sure if you can add a route via the interface's IP address. This code has been modified from a box using 2 different ISPs, so they have different upstream routers. You might need to replace the 'via' parts with 'src'.
    # Ensure traffic in one interface goes back out the same interface
    iptables -t mangle -F PREROUTING
    iptables -t mangle -F OUTPUT
    iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    iptables -t mangle -A PREROUTING -i eth0 -m state --state NEW -j MARK --set-mark 101
    iptables -t mangle -A PREROUTING -i eth1 -m state --state NEW -j MARK --set-mark 102
    # Store the mark on the conntrack entry so later packets inherit it, and
    # restore it on locally generated replies so the fwmark rules pick the table
    iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
    iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
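As an added example, not code from the thread or from the reply above: a small POSIX sh script that addresses the "other half" of the question, rebuilding the two policy-routing tables from the interfaces' current addresses so the setup stays valid after ddclient changes them. It keeps the reply's conventions (eth0/eth1, fwmarks 101/102, tables 1 and 2); the shared gateway is read from the main routing table, which is an assumption based on both interfaces sitting on the same subnet. Nothing is executed unless you pass `apply` (as root); `plan` prints the commands instead.

```shell
#!/bin/sh
# Added example: regenerate per-interface policy routing for dynamic addresses.
# Assumptions (not from the thread): eth0/eth1, marks 101/102, tables 1/2, and
# one gateway shared by both interfaces, taken from the main table's default route.

# Print the ip(8) commands that send traffic marked MARK out of DEV through GW,
# with SRC as the preferred source address, using routing table TABLE.
# Args: TABLE MARK DEV GW SRC
route_plan() {
    table=$1 mark=$2 dev=$3 gw=$4 src=$5
    printf 'ip route flush table %s\n' "$table"
    printf 'ip rule del fwmark %s table %s 2>/dev/null || true\n' "$mark" "$table"
    printf 'ip route add table %s default via %s dev %s src %s\n' "$table" "$gw" "$dev" "$src"
    printf 'ip rule add fwmark %s table %s\n' "$mark" "$table"
}

# Print the mangle rules: mark new connections by ingress interface, store the
# mark on the conntrack entry, and restore it for locally generated replies so
# the fwmark rules above route them back out the interface they arrived on.
# Args: DEV MARK [DEV MARK ...]
mangle_plan() {
    printf 'iptables -t mangle -F PREROUTING\n'
    printf 'iptables -t mangle -F OUTPUT\n'
    printf 'iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark\n'
    printf 'iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT\n'
    while [ $# -ge 2 ]; do
        printf 'iptables -t mangle -A PREROUTING -i %s -m conntrack --ctstate NEW -j MARK --set-mark %s\n' "$1" "$2"
        shift 2
    done
    printf 'iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark\n'
    printf 'iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark\n'
}

# Current IPv4 address of DEV (empty if it has none yet).
iface_ip() {
    ip -4 -o addr show dev "$1" | awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# Next hop of the main table's default route (assumed shared by both interfaces).
main_gw() {
    ip -4 route show default | awk '{for (i = 1; i < NF; i++) if ($i == "via") {print $(i+1); exit}}'
}

# Assemble the complete plan from live addresses. Refuses to emit a half-built
# table when an address or the gateway is missing (e.g. DHCP still pending),
# so a failed refresh leaves the previous working state in place.
full_plan() {
    gw=$(main_gw); ip0=$(iface_ip eth0); ip1=$(iface_ip eth1)
    if [ -z "$gw" ] || [ -z "$ip0" ] || [ -z "$ip1" ]; then
        echo "policy-route: address or gateway missing, not touching tables" >&2
        return 1
    fi
    route_plan 1 101 eth0 "$gw" "$ip0"
    route_plan 2 102 eth1 "$gw" "$ip1"
    mangle_plan eth0 101 eth1 102
}

case "${1:-}" in
    plan)  full_plan ;;
    apply) full_plan | sh -e ;;
esac
```

Run `sh policy-route.sh plan` to review the commands and `sh policy-route.sh apply` as root from a ddclient post-update hook or a cron job, so the tables follow the addresses. Note the split that the reply was unsure about: `via` takes the next-hop gateway, while `src` sets the interface's own address as the preferred source; the `dev` keyword pins the route to the interface, which matters when both sit on the same subnet.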

  • The access to our new chess hall may be blocked by your local firewall. You would need to reconfigure your firewall to open port 15010 for TCP traffic.

    How do I do the following so I can get into my chess program??
    The access to our new chess hall may be blocked by your local firewall. You would need to reconfigure your firewall to open port 15010 for TCP traffic.

    This is not really Firefox related.
    What you need to do here is to read the firewall manual which usually explains how to create a rule for what you want to do.
    If you're using the Windows XP firewall, see this Microsoft article: http://windows.microsoft.com/en-US/windows-vista/Firewall-frequently-asked-questions
