Serious Problem With AS5200

Discussion in 'Cisco' started by AC, Dec 9, 2003.

  1. AC

    AC Guest

    In the last four or five days, we've had the MICA modems on our AS5200 go
    down twice. While the unit itself still responds to the network, all
    dialups failed. This is what I get from our syslog. Sorry about the
    formatting. Can anyone tell me what might be going on?

    2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,"21657: Dec 9 09:01:18:
    %SYS-2-MALLOCFAIL: Memory allocation of 4000 bytes failed from 0x221D0AF8,
    pool Processor, alignment 0"
    2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,"21658: -Process= ""Exec"",
    ipl= 0, pid= 37"
    2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,21659: -Traceback= 221BBE1A
    221BCAD6 221D0B00 221CBDB6 222F9F7A 22164026 22164212 2216412A 2215260E
    22152972 22152EF0 2217E2BE
    2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,21660: Dec 9 09:01:18:
    %SYS-2-CFORKMEM: Process creation of Exec failed (no memory).
    2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,"21661: -Process= ""Exec"",
    ipl= 0, pid= 37"
    2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,21662: -Traceback= 221D0B4E
    221CBDB6 222F9F7A 22164026 22164212 2216412A 2215260E 22152972 22152EF0
    2217E2BE
    2003-12-09 09:01:19,Syslog.Info,64.141.6.40,"21663: Dec 9 09:01:19:
    %ISDN-6-DISCONNECT: Interface Serial1:5 disconnected from unknown , call
    lasted 46 seconds"
    2003-12-09 09:01:19,Syslog.Info,64.141.6.40,"21664: Dec 9 09:01:19:
    %ISDN-6-DISCONNECT: Interface Serial1:9 disconnected from unknown , call
    lasted 20 seconds"
    2003-12-09 09:01:29,Syslog.Info,64.141.6.40,"21665: Dec 9 09:01:28:
    %ISDN-6-DISCONNECT: Interface Serial1:10 disconnected from unknown , call
    lasted 28 seconds"
    2003-12-09 09:01:30,Syslog.Notice,64.141.6.40,"21666: Dec 9 09:01:30:
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Async39, changed state to
    down"
    2003-12-09 09:01:30,Syslog.Info,64.141.6.40,"21667: Dec 9 09:01:30:
    %ISDN-6-DISCONNECT: Interface Serial1:4 disconnected from unknown , call
    lasted 156 seconds"
    2003-12-09 09:01:30,Syslog.Debug,64.141.6.40,"21668: 5d07h: LIF_Fatal called
    from CCPRI 0x22096B54, func = CCPMSG_GetOutInfo, string = Unable to get a
    package info buffer: 0"
    2003-12-09 09:01:30,Syslog.Debug,64.141.6.40,21669: 5d07h: ExecExit called
    from 0x2206566C
    2003-12-09 09:01:30,Syslog.Debug,64.141.6.40,21670: 5d07h: ISDN Software
    Error: call to isdn_exit(0)
    2003-12-09 09:01:31,Syslog.Error,64.141.6.40,21671: Dec 9 09:01:30:
    %SYS-3-HARIKARI: Process ISDN top-level routine exited
    2003-12-09 09:01:36,Syslog.Notice,64.141.6.40,"21672: Dec 9 09:01:33:
    %LINK-5-CHANGED: Interface Async39, changed state to reset"
    2003-12-09 09:01:39,Syslog.Error,64.141.6.40,"21673: Dec 9 09:01:38:
    %LINK-3-UPDOWN: Interface Async39, changed state to down"
    2003-12-09 09:01:41,Syslog.Notice,64.141.6.40,"21674: Dec 9 09:01:40:
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Async29, changed state to
    down"
    2003-12-09 09:01:44,Syslog.Notice,64.141.6.40,"21675: Dec 9 09:01:43:
    %LINK-5-CHANGED: Interface Async29, changed state to reset"
    2003-12-09 09:01:48,Syslog.Critical,64.141.6.40,"21676: Dec 9 09:01:48:
    %SYS-2-MALLOCFAIL: Memory allocation of 1068 bytes failed from 0x221BD1CC,
    pool Processor, alignment 0"
    2003-12-09 09:01:48,Syslog.Critical,64.141.6.40,"21677: -Process= ""Net
    Periodic"", ipl= 0, pid= 51"
    2003-12-09 09:01:48,Syslog.Critical,64.141.6.40,21678: -Traceback= 221BBE1A
    221BCF68 221BD1D4 221B9846 221B9CC8 221C9AEE 221CBBD0 221AD158 221A7030
    221A7090
    2003-12-09 09:01:48,Syslog.Critical,64.141.6.40,21679: Dec 9 09:01:48:
    %SYS-2-CFORKMEM: Process creation of Modem Autoconfigure failed (no memory).
    2003-12-09 09:01:48,Syslog.Critical,64.141.6.40,"21680: -Process= ""TTY
    Background"", ipl= 0, pid= 49"
    2003-12-09 09:01:48,Syslog.Critical,64.141.6.40,21681: -Traceback= 221D0B4E
    221CBDB6 224F838E 22155A42 22156258 2214898A
    2003-12-09 09:01:49,Syslog.Error,64.141.6.40,"21682: Dec 9 09:01:48:
    %LINK-3-UPDOWN: Interface Async29, changed state to down"
    2003-12-09 09:02:20,Syslog.Critical,64.141.6.40,"21683: Dec 9 09:02:19:
    %SYS-2-MALLOCFAIL: Memory allocation of 1068 bytes failed from 0x221BD1CC,
    pool Processor, alignment 0"
    2003-12-09 09:02:20,Syslog.Critical,64.141.6.40,"21684: -Process= ""Net
    Periodic"", ipl= 0, pid= 51"
    2003-12-09 09:02:20,Syslog.Critical,64.141.6.40,21685: -Traceback= 221BBE1A
    221BCF68 221BD1D4 221B9846 221B9CC8 221C9AEE 221CBBD0 221AD158 221A7030
    221A7090
    2003-12-09 09:02:20,Syslog.Critical,64.141.6.40,21686: Dec 9 09:02:19:
    %SYS-2-CFORKMEM: Process creation of Modem Autoconfigure failed (no memory).
    2003-12-09 09:02:20,Syslog.Critical,64.141.6.40,"21687: -Process= ""TTY
    Background"", ipl= 0, pid= 49"
    2003-12-09 09:02:20,Syslog.Critical,64.141.6.40,21688: -Traceback= 221D0B4E
    221CBDB6 224F838E 22155A42 22156258 2214898A
    2003-12-09 09:02:50,Syslog.Critical,64.141.6.40,"21689: Dec 9 09:02:49:
    %SYS-2-MALLOCFAIL: Memory allocation of 1068 bytes failed from 0x221BD1CC,
    pool Processor, alignment 0"
    2003-12-09 09:02:50,Syslog.Critical,64.141.6.40,"21690: -Process= ""Net
    Periodic"", ipl= 0, pid= 51"
    2003-12-09 09:02:50,Syslog.Critical,64.141.6.40,21691: -Traceback= 221BBE1A
    221BCF68 221BD1D4 221B9846 221B9CC8 221C9AEE 221CBBD0 221AD158 221A7030
    221A7090
    2003-12-09 09:02:52,Syslog.Critical,64.141.6.40,21692: Dec 9 09:02:51:
    %SYS-2-CFORKMEM: Process creation of Modem Autoconfigure failed (no memory).
    2003-12-09 09:02:52,Syslog.Critical,64.141.6.40,"21693: -Process= ""TTY
    Background"", ipl= 0, pid= 49"
    2003-12-09 09:02:52,Syslog.Critical,64.141.6.40,21694: -Traceback= 221D0B4E
    221CBDB6 224F838E 22155A42 22156258 2214898A
    2003-12-09 09:03:18,Syslog.Notice,64.141.6.40,"21695: Dec 9 09:03:17:
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Async14, changed state to
    down"
    2003-12-09 09:03:18,Syslog.Notice,64.141.6.40,"21696: Dec 9 09:03:17:
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Async21, changed state to
    down"
    2003-12-09 09:03:18,Syslog.Notice,64.141.6.40,"21697: Dec 9 09:03:17:
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Async25, changed state to
    down"
    2003-12-09 09:03:18,Syslog.Notice,64.141.6.40,"21698: Dec 9 09:03:17:
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Async30, changed state to
    down"
    2003-12-09 09:03:18,Syslog.Notice,64.141.6.40,"21699: Dec 9 09:03:17:
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Async44, changed state to
    down"
    2003-12-09 09:03:19,Syslog.Notice,64.141.6.40,"21700: Dec 9 09:03:18:
    %LINK-5-CHANGED: Interface Async14, changed state to reset"
    2003-12-09 09:03:19,Syslog.Notice,64.141.6.40,"21701: Dec 9 09:03:18:
    %LINK-5-CHANGED: Interface Async21, changed state to reset"
    2003-12-09 09:03:19,Syslog.Notice,64.141.6.40,"21702: Dec 9 09:03:18:
    %LINK-5-CHANGED: Interface Async25, changed state to reset"
    2003-12-09 09:03:19,Syslog.Notice,64.141.6.40,"21703: Dec 9 09:03:18:
    %LINK-5-CHANGED: Interface Async30, changed state to reset"
    2003-12-09 09:03:19,Syslog.Notice,64.141.6.40,"21704: Dec 9 09:03:18:
    %LINK-5-CHANGED: Interface Async44, changed state to reset"
    2003-12-09 09:03:21,Syslog.Critical,64.141.6.40,"21705: Dec 9 09:03:19:
    %SYS-2-MALLOCFAIL: Memory allocation of 1068 bytes failed from 0x221BD1CC,
    pool Processor, alignment 0"
    2003-12-09 09:03:21,Syslog.Critical,64.141.6.40,"21706: -Process= ""Net
    Periodic"", ipl= 0, pid= 51"
    2003-12-09 09:03:21,Syslog.Critical,64.141.6.40,21707: -Traceback= 221BBE1A
    221BCF68 221BD1D4 221B9846 221B9CC8 221C9AEE 221CBBD0 221AD158 221A7030
    221A7090
    2003-12-09 09:03:21,Syslog.Notice,64.141.6.40,"21708: Dec 9 09:03:20:
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Async37, changed state to
    down"
    2003-12-09 09:03:41,Syslog.Critical,64.141.6.40,21709: Dec 9 09:03:21:
    %SYS-2-CFORKMEM: Process creation of Async tty Reset failed (no memory).
    2003-12-09 09:03:41,Syslog.Critical,64.141.6.40,"21710: -Process= ""Serial
    Background"", ipl= 0, pid= 6"
    2003-12-09 09:03:41,Syslog.Critical,64.141.6.40,21711: -Traceback= 221D0B4E
    221CBDB6 222F81DC 222F83B0 220F76BA
    2003-12-09 09:03:41,Syslog.Notice,64.141.6.40,"21712: Dec 9 09:03:22:
    %LINK-5-CHANGED: Interface Async37, changed state to reset"
    2003-12-09 09:03:41,Syslog.Error,64.141.6.40,"21713: Dec 9 09:03:40:
    %SYS-3-CPUHOG: Task ran for 14768 msec (992/59), process = PPP IP Add Route,
    PC = 221C7B7E."
    2003-12-09 09:03:41,Syslog.Error,64.141.6.40,21714: -Traceback= 221C7B2A
    221C7B86 222DB9D6
    2003-12-09 09:03:41,Syslog.Error,64.141.6.40,"21715: Dec 9 09:03:40:
    %LINK-3-UPDOWN: Interface Async14, changed state to down"
    2003-12-09 09:03:41,Syslog.Error,64.141.6.40,"21716: Dec 9 09:03:40:
    %LINK-3-UPDOWN: Interface Async21, changed state to down"
    2003-12-09 09:03:41,Syslog.Error,64.141.6.40,"21717: Dec 9 09:03:40:
    %LINK-3-UPDOWN: Interface Async25, changed state to down"
    2003-12-09 09:03:41,Syslog.Error,64.141.6.40,"21718: Dec 9 09:03:41:
    %LINK-3-UPDOWN: Interface Async30, changed state to down"
    2003-12-09 09:03:41,Syslog.Error,64.141.6.40,"21719: Dec 9 09:03:41:
    %LINK-3-UPDOWN: Interface Async44, changed state to down"
    2003-12-09 09:03:43,Syslog.Error,64.141.6.40,"21720: Dec 9 09:03:42:
    %LINK-3-UPDOWN: Interface Async37, changed state to down"
    2003-12-09 10:05:32,Syslog.Notice,64.141.6.40,21721: Dec 9 10:05:31:
    %SYS-5-RELOAD: Reload requested


    --
    Aaron Clausen

    tao_of_cow/\alberni.net (replace /\ with @)
     
    AC, Dec 9, 2003
    #1

  2. Sounds like you are just running out of memory, possibly due to a virus/worm
    like Nachi or Blaster
    http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml
    http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml

    The key tip is:

    > %SYS-2-MALLOCFAIL: Memory allocation of 4000 bytes failed from 0x221D0AF8,
    > pool Processor, alignment 0"
    > 2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,"21658: -Process= ""Exec"",
    > ipl= 0, pid= 37"

    and

    > %SYS-2-CFORKMEM: Process creation of Exec failed (no memory).
    > 2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,"21661: -Process= ""Exec"",
    > ipl= 0, pid= 37"
    > 2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,21662: -Traceback= 221D0B4E
    > 221CBDB6 222F9F7A 22164026 22164212 2216412A 2215260E 22152972 22152EF0
    > 2217E2BE


    No memory means no new connections.
     
    Phillip Remaker, Dec 10, 2003
    #2

  3. AC

    AC Guest

    On Tue, 9 Dec 2003 16:00:02 -0800,
    Phillip Remaker <> wrote:
    > Sounds like you are just running out of memory, possibly due to a virus/worm
    > like Nachi or Blaster
    > http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml
    > http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml
    >
    > The key tip is:
    >
    >> %SYS-2-MALLOCFAIL: Memory allocation of 4000 bytes failed from 0x221D0AF8,
    >> pool Processor, alignment 0"
    >> 2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,"21658: -Process= ""Exec"",
    >> ipl= 0, pid= 37"
    >
    > and
    >> %SYS-2-CFORKMEM: Process creation of Exec failed (no memory).
    >> 2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,"21661: -Process= ""Exec"",
    >> ipl= 0, pid= 37"
    >> 2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,21662: -Traceback= 221D0B4E
    >> 221CBDB6 222F9F7A 22164026 22164212 2216412A 2215260E 22152972 22152EF0
    >> 2217E2BE
    >
    > No memory means no new connections.


    What is happening, it appears to knock (gracefully) existing dialup
    connections.

    We're running a Cisco router (1605R). Is there any way I can block ICMP for
    just the PRI unit? There's no reason whatsoever for the outside world to be
    able to ping the unit. If I'm coming in from some other network, I can
    telnet into one of our other boxes and do work.

    --
    Aaron Clausen

    tao_of_cow/\alberni.net (replace /\ with @)
     
    AC, Dec 10, 2003
    #3
  4. In article <>,
    AC <> wrote:
    :We're running a Cisco router (1605R). Is there any way I can block ICMP for
    :just the PRI unit? There's no reason whatsoever for the outside world to be
    :able to ping the unit.


    You can block icmp for anything you can describe with an access-list.

    I won't volunteer the commands as I'm not sure whether you are referring
    to PRI as an interface or as some specific device.
    --
    Come to think of it, there are already a million monkeys on a million
    typewriters, and Usenet is NOTHING like Shakespeare. -- Blair Houghton.
     
    Walter Roberson, Dec 10, 2003
    #4
  5. AC

    AC Guest

    On 10 Dec 2003 01:14:27 GMT,
    Walter Roberson <-cnrc.gc.ca> wrote:
    > In article <>,
    > AC <> wrote:
    >:We're running a Cisco router (1605R). Is there any way I can block ICMP for
    >:just the PRI unit? There's no reason whatsoever for the outside world to be
    >:able to ping the unit.
    >
    >
    > You can block icmp for anything you can describe with an access-list.
    >
    > I won't volunteer the commands as I'm not sure whether you are referring
    > to PRI as an interface or as some specific device.


    I'm referring to the Ethernet interface on the PRI. However, I don't want
    to block it internally, I want to block it on our gateway router (a Cisco
    1605R).

    --
    Aaron Clausen

    tao_of_cow/\alberni.net (replace /\ with @)
     
    AC, Dec 10, 2003
    #5
  6. AC

    AC Guest

    On Tue, 9 Dec 2003 16:00:02 -0800,
    Phillip Remaker <> wrote:
    > Sounds like you are just running out of memory, possibly due to a virus/worm
    > like Nachi or Blaster
    > http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml
    > http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml
    >
    > The key tip is:
    >
    >> %SYS-2-MALLOCFAIL: Memory allocation of 4000 bytes failed from 0x221D0AF8,
    >> pool Processor, alignment 0"
    >> 2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,"21658: -Process= ""Exec"",
    >> ipl= 0, pid= 37"
    >
    > and
    >> %SYS-2-CFORKMEM: Process creation of Exec failed (no memory).
    >> 2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,"21661: -Process= ""Exec"",
    >> ipl= 0, pid= 37"
    >> 2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,21662: -Traceback= 221D0B4E
    >> 221CBDB6 222F9F7A 22164026 22164212 2216412A 2215260E 22152972 22152EF0
    >> 2217E2BE
    >
    > No memory means no new connections.


    I've blocked the ports mentioned in the articles. Is it possible that such
    an attack could be coming from a dialup user?

    --
    Aaron Clausen

    tao_of_cow/\alberni.net (replace /\ with @)
     
    AC, Dec 10, 2003
    #6
  7. In article <>,
    AC <> wrote:
    :On 10 Dec 2003 01:14:27 GMT,
    :Walter Roberson <-cnrc.gc.ca> wrote:
    :> You can block icmp for anything you can describe with an access-list.

    :> I won't volunteer the commands as I'm not sure whether you are referring
    :> to PRI as an interface or as some specific device.

    :I'm referring to the Ethernet interface on the PRI. However, I don't want
    :to block it internally, I want to block it on our gateway router (a Cisco
    :1605R).

    I do not understand at the moment. You speak of "the Ethernet
    interface on the PRI" as if the PRI is a device. Considering the
    context, it sounds like by "the PRI" you mean the AS5200. I, though,
    know "PRI" as meaning ISDN Primary Rate Interface, which is an
    -interface-, not a device, and so for me it does not seem to make
    sense to speak of "the Ethernet interface" of a Primary Rate Interface.

    If you are trying to block icmp addressed to the interface IP's
    you have defined on your AS5200, then just go ahead and do so
    using an access list. For example if the public WAN interface
    on the 1605R is named E1, then on the 1605R,

    enable
    config term
    access-list 111 permit icmp any host 17.59.21.88 unreachable
    access-list 111 permit icmp any host 17.59.21.88 echo-reply
    access-list 111 deny icmp any host 17.59.21.88
    access-list 111 permit ip any any
    interface E1
    ip access-group 111 in
    exit
    --
    Warhol's Law: every Usenet user is entitled to his or her very own
    fifteen minutes of flame -- The Squoire
     
    Walter Roberson, Dec 10, 2003
    #7
  8. AC

    AC Guest

    On 10 Dec 2003 17:42:26 GMT,
    Walter Roberson <-cnrc.gc.ca> wrote:
    > In article <>,
    > AC <> wrote:
    >:On 10 Dec 2003 01:14:27 GMT,
    >:Walter Roberson <-cnrc.gc.ca> wrote:
    >:> You can block icmp for anything you can describe with an access-list.
    >
    >:> I won't volunteer the commands as I'm not sure whether you are referring
    >:> to PRI as an interface or as some specific device.
    >
    >:I'm referring to the Ethernet interface on the PRI. However, I don't want
    >:to block it internally, I want to block it on our gateway router (a Cisco
    >:1605R).
    >
    > I do not understand at the moment. You speak of "the Ethernet
    > interface on the PRI" as if the PRI is a device. Considering the
    > context, it sounds like by "the PRI" you mean the AS5200. I, though,
    > know "PRI" as meaning ISDN Primary Rate Interface, which is an
    > -interface-, not a device, and so for me it does not seem to make
    > sense to speak of "the Ethernet interface" of a Primary Rate Interface.
    >
    > If you are trying to block icmp addressed to the interface IP's
    > you have defined on your AS5200, then just go ahead and do so
    > using an access list. For example if the public WAN interface
    > on the 1605R is named E1, then on the 1605R,
    >
    > enable
    > config term
    > access-list 111 permit icmp any host 17.59.21.88 unreachable
    > access-list 111 permit icmp any host 17.59.21.88 echo-reply
    > access-list 111 deny icmp any host 17.59.21.88
    > access-list 111 permit ip any any
    > interface E1
    > ip access-group 111 in
    > exit


    Thank you, and I apologize for mixing terminology. I meant the Ethernet
    interface on the AS5200.

    --
    Aaron Clausen

    tao_of_cow/\alberni.net (replace /\ with @)
     
    AC, Dec 10, 2003
    #8
  9. AC

    AC Guest

    On 10 Dec 2003 17:17:01 GMT,
    AC <> wrote:
    > On Tue, 9 Dec 2003 16:00:02 -0800,
    > Phillip Remaker <> wrote:
    >> Sounds like you are just running out of memory, possibly due to a virus/worm
    >> like Nachi or Blaster
    >> http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml
    >> http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml
    >>
    >> The key tip is:
    >>
    >>> %SYS-2-MALLOCFAIL: Memory allocation of 4000 bytes failed from 0x221D0AF8,
    >>> pool Processor, alignment 0"
    >>> 2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,"21658: -Process= ""Exec"",
    >>> ipl= 0, pid= 37"
    >>
    >> and
    >>> %SYS-2-CFORKMEM: Process creation of Exec failed (no memory).
    >>> 2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,"21661: -Process= ""Exec"",
    >>> ipl= 0, pid= 37"
    >>> 2003-12-09 09:01:19,Syslog.Critical,64.141.6.40,21662: -Traceback= 221D0B4E
    >>> 221CBDB6 222F9F7A 22164026 22164212 2216412A 2215260E 22152972 22152EF0
    >>> 2217E2BE
    >>
    >> No memory means no new connections.

    >
    > I've blocked the ports mentioned in the articles. Is it possible that such
    > an attack could be coming from a dialup user?


    Sigh. It just happened again. Is it possible that this problem could be
    coming from a dialup user infected with Blaster? Would a 33.6k or 56k
    connection be capable of delivering this sort of an attack?

    I have disabled MS filesharing ports, and no one from the outside world can
    even touch the AS5200 with an ICMP packet. The other possibility is
    something from within the network.

    In other words: help!

    --
    Aaron Clausen

    tao_of_cow/\alberni.net (replace /\ with @)
     
    AC, Dec 11, 2003
    #9
  10. In article <>,
    AC <> wrote:
    :Sigh. It just happened again. Is it possible that this problem could be
    :coming from a dialup user infected with Blaster? Would a 33.6k or 56k
    :connection be capable of delivering this sort of an attack?

    Yes, the issue has to do with route cache entries being formed and
    not being purged. If there is no cache purge mechanism, then -eventually-
    even a 1200 bps dialup user could cause the table to be filled.
    --
    Disobey all self-referential sentences!
     
    Walter Roberson, Dec 11, 2003
    #10
  11. AC

    AC Guest

    On 11 Dec 2003 15:59:14 GMT,
    Walter Roberson <-cnrc.gc.ca> wrote:
    > In article <>,
    > AC <> wrote:
    >:Sigh. It just happened again. Is it possible that this problem could be
    >:coming from a dialup user infected with Blaster? Would a 33.6k or 56k
    >:connection be capable of delivering this sort of an attack?
    >
    > Yes, the issue has to do with route cache entries being formed and
    > not being purged. If there is no cache purge mechanism, then -eventually-
    > even a 1200 bps dialup user could cause the table to be filled.


    And how would I determine if that is the issue?

    --
    Aaron Clausen

    tao_of_cow/\alberni.net (replace /\ with @)
     
    AC, Dec 11, 2003
    #11
  12. In article <>,
    AC <> wrote:
    :> Yes, the issue has to do with route cache entries being formed and
    :> not being purged. If there is no cache purge mechanism, then -eventually-
    :> even a 1200 bps dialup user could cause the table to be filled.

    :And how would I determine if that is the issue?

    http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml
    and look at the 'Detection' section.
    --
    "The human genome is powerless in the face of chocolate."
    -- Dr. Adam Drewnowski
     
    Walter Roberson, Dec 11, 2003
    #12
  13. AC

    AC Guest

    On 11 Dec 2003 16:26:50 GMT,
    Walter Roberson <-cnrc.gc.ca> wrote:
    > In article <>,
    > AC <> wrote:
    >:> Yes, the issue has to do with route cache entries being formed and
    >:> not being purged. If there is no cache purge mechanism, then -eventually-
    >:> even a 1200 bps dialup user could cause the table to be filled.
    >
    >:And how would I determine if that is the issue?
    >
    > http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml
    > and look at the 'Detection' section.


    The command itself "show ip cache flow" shows nothing. I'm running an older
    version of the IOS (11.3(10)T).

    Is it possible I'm dealing with a hardware issue here? It's happened three
    times now.

    Oh, and thank you for the help thus far. Very much appreciated.

    --
    Aaron Clausen

    tao_of_cow/\alberni.net (replace /\ with @)
     
    AC, Dec 11, 2003
    #13
  14. AC

    AC Guest

    > On 11 Dec 2003 16:26:50 GMT,
    > Walter Roberson <-cnrc.gc.ca> wrote:
    >> In article <>,
    >> AC <> wrote:
    >>:> Yes, the issue has to do with route cache entries being formed and
    >>:> not being purged. If there is no cache purge mechanism, then -eventually-
    >>:> even a 1200 bps dialup user could cause the table to be filled.
    >>
    >>:And how would I determine if that is the issue?
    >>
    >> http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml
    >> and look at the 'Detection' section.


    I just discovered that one of the machines on the same network as the AS5200
    has been infected with W32Badtrans.a. Looking at the description of it, it
    says that it is capable of some DOS attacks. Has anybody heard of any
    problems with Badtrans and Cisco hardware?

    --
    Aaron Clausen

    tao_of_cow/\alberni.net (replace /\ with @)
     
    AC, Dec 12, 2003
    #14
  15. AC

    AC Guest

    Problem With AS5200 Possibly Solved, But Questions (was Re: Serious Problem With AS5200)

    Our AS5200 has been up and running without reboot for over three days now.
    Thanks to everyone that helped me. It was a nightmare.

    I've been logging what is hitting the access-lists, and it seems probable to
    me that some of our customers may have been contributing to our problem.
    Here's some chunks from the syslog (FYI: our net is 64.141.6.0/23).

    Log segment #1
    ==============
    2003-12-15 09:40:42,Syslog.Info,64.141.6.40,"38332: Dec 15 09:40:42: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.98 -> 64.142.60.100 (8/0), 1 packet"
    2003-12-15 09:40:44,Syslog.Info,64.141.6.40,"38333: Dec 15 09:40:43: %SEC-6-IPACCESSLOGP: list 115 denied tcp 64.141.6.98(2591) -> 64.142.60.129(135), 1 packet"
    2003-12-15 09:40:44,Syslog.Info,64.141.6.40,"38334: Dec 15 09:40:43: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.98 -> 64.142.60.192 (8/0), 1 packet"
    2003-12-15 09:40:44,Syslog.Info,64.141.6.40,"38335: Dec 15 09:40:44: %SEC-6-IPACCESSLOGP: list 115 denied tcp 64.141.6.98(2593) -> 64.142.60.228(135), 1 packet"
    2003-12-15 09:40:45,Syslog.Info,64.141.6.40,"38336: Dec 15 09:40:44: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.98 -> 64.142.61.37 (8/0), 1 packet"
    2003-12-15 09:40:45,Syslog.Info,64.141.6.40,"38337: Dec 15 09:40:45: %SEC-6-IPACCESSLOGP: list 115 denied tcp 64.141.6.98(2595) -> 64.142.61.73(135), 1 packet"
    2003-12-15 09:40:45,Syslog.Info,64.141.6.40,"38338: Dec 15 09:40:45: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.98 -> 64.142.61.139 (8/0), 1 packet"
    2003-12-15 09:40:47,Syslog.Info,64.141.6.40,"38339: Dec 15 09:40:46: %SEC-6-IPACCESSLOGP: list 115 denied tcp 64.141.6.98(2597) -> 64.142.61.184(135), 1 packet"
    2003-12-15 09:40:47,Syslog.Info,64.141.6.40,"38340: Dec 15 09:40:46: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.98 -> 64.142.61.252 (8/0), 1 packet"

    Log Segment #2
    ==============
    2003-12-12 18:21:16,Syslog.Info,64.141.6.40,"3350: .Dec 12 18:21:14: %SEC-6-IPACCESSLOGP: list 115 denied udp 66.50.189.122(0) -> 64.141.6.81(0), 1 packet"
    2003-12-12 18:21:18,Syslog.Info,64.141.6.40,"3351: .Dec 12 18:21:17: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.81 -> 204.152.133.61 (8/0), 1 packet"
    2003-12-12 18:21:20,Syslog.Info,64.141.6.40,"3352: .Dec 12 18:21:19: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.81 -> 130.244.31.203 (8/0), 1 packet"
    2003-12-12 18:21:22,Syslog.Info,64.141.6.40,"3353: .Dec 12 18:21:21: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.81 -> 202.139.233.37 (8/0), 1 packet"
    2003-12-12 18:21:25,Syslog.Info,64.141.6.40,"3354: .Dec 12 18:21:24: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.81 -> 202.232.11.33 (8/0), 1 packet"

    --
    Aaron Clausen

    tao_of_cow/\alberni.net (replace /\ with @)
     
    AC, Dec 15, 2003
    #15
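
One way to triage ACL deny logs like the two segments in the post above, as an added example that is not part of the original thread: it counts, per internal source, how many distinct destinations were probed with ICMP echo requests (8/0) or TCP/135 attempts. The sample lines are message portions copied from the post; the function names and the `min_dests` threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Matches both message forms in the post: IPACCESSLOGP (TCP/UDP, with ports)
# and IPACCESSLOGDP (ICMP, with type/code in parentheses).
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGD?P: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<pkts>\d+) packets?"
)

# Message portions copied from log segments #1 and #2 in the post.
SAMPLE_LINES = """\
Dec 15 09:40:42: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.98 -> 64.142.60.100 (8/0), 1 packet
Dec 15 09:40:43: %SEC-6-IPACCESSLOGP: list 115 denied tcp 64.141.6.98(2591) -> 64.142.60.129(135), 1 packet
Dec 15 09:40:43: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.98 -> 64.142.60.192 (8/0), 1 packet
Dec 15 09:40:44: %SEC-6-IPACCESSLOGP: list 115 denied tcp 64.141.6.98(2593) -> 64.142.60.228(135), 1 packet
Dec 15 09:40:44: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.98 -> 64.142.61.37 (8/0), 1 packet
Dec 15 09:40:45: %SEC-6-IPACCESSLOGP: list 115 denied tcp 64.141.6.98(2595) -> 64.142.61.73(135), 1 packet
.Dec 12 18:21:14: %SEC-6-IPACCESSLOGP: list 115 denied udp 66.50.189.122(0) -> 64.141.6.81(0), 1 packet
.Dec 12 18:21:17: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.81 -> 204.152.133.61 (8/0), 1 packet
.Dec 12 18:21:19: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 64.141.6.81 -> 130.244.31.203 (8/0), 1 packet
""".splitlines()


def probe_kind(m):
    """Classify a denied packet as one of the two probe types seen in the post."""
    if m["proto"] == "icmp" and m["itype"] == "8":
        return "icmp-echo"
    if m["proto"] == "tcp" and m["dport"] == "135":
        return "tcp-135"
    return None


def find_scanners(lines, local_net="64.141.6.0/23", min_dests=4):
    """Return {source: counts} for internal hosts probing >= min_dests targets.

    local_net defaults to the network stated in the post; min_dests is an
    assumed threshold chosen for this small sample.
    """
    net = ipaddress.ip_network(local_net)
    dests = defaultdict(lambda: defaultdict(set))  # src -> kind -> {dst}
    for line in lines:
        m = ACL_RE.search(line)
        if not m:
            continue
        kind = probe_kind(m)
        if kind is None:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address in the log line
        if src not in net:
            continue  # only customer/internal sources are of interest here
        dests[str(src)][kind].add(m["dst"])

    report = {}
    for src, kinds in dests.items():
        total = set().union(*kinds.values())
        if len(total) >= min_dests:
            report[src] = {k: len(v) for k, v in sorted(kinds.items())}
            report[src]["distinct_dests"] = len(total)
    return report


if __name__ == "__main__":
    for src, counts in find_scanners(SAMPLE_LINES).items():
        print(src, counts)
```
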