Velocity Reviews - Computer Hardware Reviews

Kazaa NBAR bug - latest PDLM??

P
10-23-2003
Hi all.

Watch out for this. I would suspect that it would be common across 12.3
IOS's..

I had this on a 3725.. running 12.3(3). It had me stumped for ages because
the symptoms look like a DOS attack.. I have comments/questions annotated
inline..

http://www.cisco.com/cgi-bin/Support...target=&train=

NBAR is incorrectly matching packets as Kazaa2 in 12.2(13)T1. The problem
was seen on a 7200-series router and 1700-series router and appears to be a
platform-independent problem. Kazaa2 can use any available port, including
DNS (53) and HTTP (80), and NBAR looks into the packet to see if it's a
Kazaa2 packet. However, NBAR is matching legitimate DNS, HTTP, HTTPS and SMTP
packets as Kazaa2 traffic. This problem is only seen when the number of
active links reaches a fairly high value (such as 3900), as seen in "show ip
nbar resources".

*note, I had this with active links much less - like 180*


This problem results in non-Kazaa2 traffic being matched and having actions
taken on the traffic that are detrimental to network performance, such as
the rate-limiting of DNS, web traffic, and e-mail (and only Kazaa2 traffic
was configured to be rate-limited / policed). It can also cause other
features to fail, such as vpn tunnels not coming up, because the packets
needed to establish the connections are incorrectly marked as Kazaa2 traffic
and possibly dropped or rate-limited.

The solution is to load the latest Kazaa2 PDLM, currently available on CCO
and use the "ip nbar pdlm" command to load the PDLM from flash.

There are a couple of workarounds if the new PDLM cannot be downloaded yet.
One workaround is to do "no ip nbar resources"; however, the problem will
return after a while. Another workaround is to remove "match protocol kazaa2".

*Now when you go to CCO the latest Kazaa2 PDLM is dated April 2003 and my
IOS was compiled in September 03. So is this definitely the latest one??*

thanks

P


mimiseh
10-23-2003
Can you point me to a Cisco link that explains how to implement NBAR to
block Kazaa traffic?
"P" <(E-Mail Removed)> wrote in message
news:ZRPlb.256$(E-Mail Removed)...
> Hi all.
>
> Watch out for this. I would suspect that it would be common across 12.3
> IOS's..
>
> I had this on a 3725.. running 12.3(3). It had me stumped for ages because
> the symptoms look like a DOS attack.. I have comments/questions annotated
> inline..
>
> http://www.cisco.com/cgi-bin/Support...target=&train=
>
> NBAR is incorrectly matching packets as Kazaa2 in 12.2(13)T1. The problem
> was seen on a 7200-series router and 1700-series router and appears to be a
> platform-independent problem. Kazaa2 can use any available port, including
> DNS (53) and HTTP (80), and NBAR looks into the packet to see if it's a
> Kazaa2 packet. However, NBAR is matching legitimate DNS, HTTP, HTTPS and SMTP
> packets as Kazaa2 traffic. This problem is only seen when the number of
> active links reaches a fairly high value (such as 3900), as seen in "show ip
> nbar resources".
>
> *note, I had this with active links much less - like 180*
>
> This problem results in non-Kazaa2 traffic being matched and having actions
> taken on the traffic that are detrimental to network performance, such as
> the rate-limiting of DNS, web traffic, and e-mail (and only Kazaa2 traffic
> was configured to be rate-limited / policed). It can also cause other
> features to fail, such as vpn tunnels not coming up, because the packets
> needed to establish the connections are incorrectly marked as Kazaa2 traffic
> and possibly dropped or rate-limited.
>
> The solution is to load the latest Kazaa2 PDLM, currently available on CCO
> and use the "ip nbar pdlm" command to load the PDLM from flash.
>
> There are a couple of workarounds if the new PDLM cannot be downloaded yet.
> One workaround is to do "no ip nbar resources"; however, the problem will
> return after a while. Another workaround is to remove "match protocol kazaa2".
>
> *Now when you go to CCO the latest Kazaa2 PDLM is dated April 2003 and my
> IOS was compiled in September 03. So is this definitely the latest one??*
>
> thanks
>
> P
>

Hugo Drax
10-23-2003

"P" <(E-Mail Removed)> wrote in message
news:ZRPlb.256$(E-Mail Removed)...
> Hi all.
>
> Watch out for this. I would suspect that it would be common across 12.3
> IOS's..
>
> I had this on a 3725.. running 12.3(3). It had me stumped for ages because
> the symptoms look like a DOS attack.. I have comments/questions annotated
> inline..
>
> http://www.cisco.com/cgi-bin/Support...target=&train=
>


Does 12.3.3a resolve this? Or will I have to wait till 12.3.4?


 
P
10-23-2003
not according to the bug entry..

but I'm about to whack it on and see..

"Hugo Drax" <(E-Mail Removed)> wrote in message
news:bn92c1$u56f9$(E-Mail Removed)-berlin.de...
>
> "P" <(E-Mail Removed)> wrote in message
> news:ZRPlb.256$(E-Mail Removed)...
> > Hi all.
> >
> > Watch out for this. I would suspect that it would be common across 12.3
> > IOS's..
> >
> > I had this on a 3725.. running 12.3(3). It had me stumped for ages
> > because the symptoms look like a DOS attack.. I have comments/questions
> > annotated inline..
> >
> > http://www.cisco.com/cgi-bin/Support...target=&train=
> >
>
> does 12.3.3a resolve this? or will I have to wait til 12.3.4
>



 
P
10-23-2003
Just search Cisco for NBAR.. it's in the IOS security config guide most
likely.

"mimiseh" <(E-Mail Removed)> wrote in message
news:3URlb.1246$(E-Mail Removed)...
> Can you point me to a Cisco link that explains how to implement NBAR to
> block Kazaa traffic?
> "P" <(E-Mail Removed)> wrote in message
> news:ZRPlb.256$(E-Mail Removed)...
> > Hi all.
> >
> > Watch out for this. I would suspect that it would be common across 12.3
> > IOS's..
> >
> > I had this on a 3725.. running 12.3(3). It had me stumped for ages
> > because the symptoms look like a DOS attack.. I have comments/questions
> > annotated inline..
> >
> > http://www.cisco.com/cgi-bin/Support...target=&train=
> >
> > NBAR is incorrectly matching packets as Kazaa2 in 12.2(13)T1. The
> > problem was seen on a 7200-series router and 1700-series router and
> > appears to be a platform-independent problem. Kazaa2 can use any
> > available port, including DNS (53) and HTTP (80), and NBAR looks into
> > the packet to see if it's a Kazaa2 packet. However, NBAR is matching
> > legitimate DNS, HTTP, HTTPS and SMTP packets as Kazaa2 traffic. This
> > problem is only seen when the number of active links reaches a fairly
> > high value (such as 3900), as seen in "show ip nbar resources".
> >
> > *note, I had this with active links much less - like 180*
> >
> > This problem results in non-Kazaa2 traffic being matched and having
> > actions taken on the traffic that are detrimental to network
> > performance, such as the rate-limiting of DNS, web traffic, and e-mail
> > (and only Kazaa2 traffic was configured to be rate-limited / policed).
> > It can also cause other features to fail, such as vpn tunnels not coming
> > up, because the packets needed to establish the connections are
> > incorrectly marked as Kazaa2 traffic and possibly dropped or
> > rate-limited.
> >
> > The solution is to load the latest Kazaa2 PDLM, currently available on
> > CCO and use the "ip nbar pdlm" command to load the PDLM from flash.
> >
> > There are a couple of workarounds if the new PDLM cannot be downloaded
> > yet. One workaround is to do "no ip nbar resources"; however, the
> > problem will return after a while. Another workaround is to remove
> > "match protocol kazaa2".
> >
> > *Now when you go to CCO the latest Kazaa2 PDLM is dated April 2003 and
> > my IOS was compiled in September 03. So is this definitely the latest
> > one??*
> >
> > thanks
> >
> > P
> >
> >
>
>
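As an added example that is not part of this thread and not Cisco's own documentation, here is the configuration skeleton that ties together mimiseh's question (how to act on Kazaa traffic with NBAR) and P's original post (the misclassification bug, the PDLM fix, and the emergency workarounds). The interface name, the policing rate and burst, the TFTP server address (a constructed TEST-NET address) and the PDLM file name are assumptions; the commands themselves are standard IOS MQC and NBAR syntax of the 12.2T/12.3 era.

```cisco
! Added example (not from the thread or from Cisco). Interface name, rate,
! burst, TFTP server and PDLM file name are assumptions.
!
! 1. Refresh the Kazaa2 classifier first: this is the fix named in the thread.
!    The PDLM is copied to flash and loaded at runtime, no reload needed.
copy tftp://192.0.2.10/kazaa2.pdlm flash:kazaa2.pdlm
configure terminal
 ip nbar pdlm flash://kazaa2.pdlm
!
! 2. Classify with NBAR and act on the class. Policing instead of a hard
!    drop limits the blast radius if the classifier misfires again: DNS,
!    HTTP or SMTP swept into the class is slowed, not blackholed.
 class-map match-any KAZAA2
  match protocol kazaa2
 !
 policy-map P2P-LIMIT
  class KAZAA2
   police 128000 8000 conform-action transmit exceed-action drop
!
! 3. Apply inbound on the user-facing interface. protocol-discovery gives
!    the per-protocol counters used in the checks below.
 interface FastEthernet0/0
  ip nbar protocol-discovery
  service-policy input P2P-LIMIT
 end
!
! 4. Verify. Confirm the new PDLM is the one in use, then watch the
!    counters: a Kazaa2 packet count that rises and falls with ordinary
!    DNS/HTTP/SMTP volume, or "active links" climbing, is the signature of
!    the false-positive bug described in the thread.
show ip nbar pdlm
show ip nbar version
show ip nbar resources
show ip nbar protocol-discovery interface FastEthernet0/0 stats packet-count top-n 10
show policy-map interface FastEthernet0/0 input
!
! Emergency workarounds quoted from the thread, if the PDLM cannot be
! loaded yet (the first is temporary; the bug returns as links accumulate):
!   no ip nbar resources
!   policy-map P2P-LIMIT
!    no class KAZAA2
```

The symptoms P saw (DNS, web and mail slow, VPN tunnels failing to come up) are exactly what the `show policy-map interface` counters expose: if the KAZAA2 class shows conformed and exceeded packets on a segment with no file-sharing clients, the class is matching legitimate traffic and the classifier, not the network, is the problem.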



 
Hugo Drax
10-24-2003

"P" <(E-Mail Removed)> wrote in message
news:ctYlb.336$(E-Mail Removed)...
> not according to the bug entry..
>
> but I'm about to whack it on and see..
>


That sucks, I was planning to move to 12.3 code on a 7200 for that reason
but I will not risk it if they do not resolve that issue in a 12.3.x release


 
Richard Deal
10-24-2003
Hugo,

It's not a big deal...just download the PDLM file to flash and have the IOS
load it. This is pretty cool since it provides modularity without having to
reboot the IOS--sort of like a callable module. NBAR is actually one of my
favorite features in the IOS--you can do some really neat filtering stuff
with it.

Hope this helps!

Cheers!
--

Richard A. Deal

Visit my home page at http://home.cfl.rr.com/dealgroup/

Author of CCNA Cisco Certified Network Associate Study Guide (Exam 640-801),
Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access Exam Prep,
CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration Exam Cram

Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco
exams on the market.



"Hugo Drax" <(E-Mail Removed)> wrote in message
news:bna54l$u3jqg$(E-Mail Removed)-berlin.de...
>
> "P" <(E-Mail Removed)> wrote in message
> news:ctYlb.336$(E-Mail Removed)...
> > not according to the bug entry..
> >
> > but I'm about to whack it on and see..
> >
>
> That sucks, I was planning to move to 12.3 code on a 7200 for that reason
> but I will not risk it if they do not resolve that issue in a 12.3.x
> release
>
>
>



 
P
10-25-2003
Hey Richard

I was bothered by the fact that the PDLM was dated 6 months prior to the IOS
image I have..

Why wasn't the 6 month old PDLM image included with NBAR in 12.3(3)?

"Richard Deal" <(E-Mail Removed)> wrote in message
news:cRcmb.31399$(E-Mail Removed)...
> Hugo,
>
> It's not a big deal...just download the PDLM file to flash and have the
> IOS load it. This is pretty cool since it provides modularity without
> having to reboot the IOS--sort of like a callable module. NBAR is actually
> one of my favorite features in the IOS--you can do some really neat
> filtering stuff with it.
>
> Hope this helps!
>
> Cheers!
> --
>
> Richard A. Deal
>
> Visit my home page at http://home.cfl.rr.com/dealgroup/
>
> Author of CCNA Cisco Certified Network Associate Study Guide (Exam
> 640-801), Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access
> Exam Prep, CCNP Switching Exam Cram, and CCNP Cisco LAN Switch
> Configuration Exam Cram
>
> Cisco Test Prep author for QuizWare, providing the most comprehensive
> Cisco exams on the market.
>
>
>
> "Hugo Drax" <(E-Mail Removed)> wrote in message
> news:bna54l$u3jqg$(E-Mail Removed)-berlin.de...
> >
> > "P" <(E-Mail Removed)> wrote in message
> > news:ctYlb.336$(E-Mail Removed)...
> > > not according to the bug entry..
> > >
> > > but I'm about to whack it on and see..
> > >
> >
> > That sucks, I was planning to move to 12.3 code on a 7200 for that
> > reason but I will not risk it if they do not resolve that issue in a
> > 12.3.x release
> >
> >
> >
>
>



 