RE: cisco 7200 performance issue
From: Luciano Z (user_luciano_at_yahoo.com.br)
Date: 05/23/03
Date: Fri, 23 May 2003 16:42:14 -0300 (ART) To: Paul Benedek <paul.benedek@excis.co.uk>
I forgot the version information :-)
It's a 12.2(12b) box.
Another interesting piece of information is that the router
does not use SSH, it is connected to a console server.
This configuration is not a regular policy, I still
have boxes that use telnet :-(
Follow-up on this incident:
We reported the problem to cisco and the recommendation
that we got is 'apply an access-list'. Well, this is a
problem to implement. The message we received on the
router syslog affected the CPU too (it's like doing a
"debug all" on the console). With the access-list this
could be solved. The only question I have is why do
RSHELL messages need to be logged while connections to
other TCP ports don't? It would be interesting to
have a feature to disable logging on service ports
that are not in use (suggestion to the cisco guys
here? :-)
Some of the replies I got recommended this too, but let's
analyze the problem of implementing access-lists on
this box. This is an access layer box, so we have about
80 active customers connected to this router. If we
apply an access-list to protect the router by dropping
all packets destined to the router's interfaces (and
its loopbacks) we will end up with an access-list
with at least 80 lines (imagine the problem to manage
this while activating/deactivating customers). So this
is not a solution, at least at this network layer.
One thing we did here after the incident is a review
of the "scheduler allocate" configuration. We first
used the values from that classic paper about router
security written by cisco, but now we have changed it a bit and
will test this to evaluate the new value.
Well, thanks for all the replies I got.
If we have some new information I'll post it here.
[]
luciano
--- Paul Benedek <paul.benedek@excis.co.uk> wrote:
> Hi Luciano,
>
> What is the IOS version that you are running? This
> could be a bug. It would be worth looking at the field
> notices on CCO to determine if this is IOS related.
>
> Regards
>
> Paul Benedek
>
> -----Original Message-----
> From: Luciano Z [mailto:user_luciano@yahoo.com.br]
> Sent: 21 May 2003 20:45
> To: incidents@securityfocus.com
> Subject: cisco 7200 performance issue
>
> Hi!
>
> I was responding to an incident last night and saw a
> strange performance problem with a cisco 7200.
>
> When I issued a "sh interface" on the two fast
> ethernets of my box it showed that I got only 6Mbps
> of traffic and a normal packet per second rate, but when I
> did a "sh logg" on the box I got a lot of
> "%RCMD-4-RSHPORTATTEMPT: Attempted to connect to
> RSHELL from x.y.z.w" messages with spoofed sources.
>
> Investigating a little more I discovered that this
> traffic was pushing the CPU to 98% to 100%
> utilization. Back to the output of "sh logg" I saw
> that the box was logging 2 to 3 RSHELL messages per
> second. In my opinion this couldn't affect the CPU so
> much. The router has 256M of RAM and it's a 7200!
>
> I couldn't gather more info about this incident
> because it stopped before I could get the data. The
> strange thing is that the high CPU utilization
> stopped too.
>
> I don't know if this is a problem of this cisco model
> or if I'm missing something. Any ideas?
>
> []
> lwulff
>
>
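A small detector for the syslog pattern this thread is about, added here as an example and not code from either poster: it parses `%RCMD-4-RSHPORTATTEMPT` lines, groups them per second, and flags seconds where the rate is high and the sources are many and different, which is the spoofed-source flood signature described in the original report. The timestamp format and all addresses in the sample log are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt (timestamp layout assumed; RFC 5737
# documentation addresses stand in for the spoofed sources).
SAMPLE_LOG = """\
May 21 20:45:01: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.0.2.10
May 21 20:45:01: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 198.51.100.7
May 21 20:45:01: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 203.0.113.55
May 21 20:45:02: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.0.2.99
May 21 20:45:02: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 198.51.100.201
May 21 20:45:02: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
May 21 20:45:07: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.0.2.10
"""

# Matches the message text quoted in the thread; the leading timestamp
# shape ("May 21 20:45:01" with optional fractional seconds) is assumed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from (?P<src>[\d.]+)"
)


def parse_rsh_attempts(text):
    """Return (timestamp, source) pairs for RSHPORTATTEMPT lines; other lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group("ts"), m.group("src")))
    return pairs


def find_floods(text, min_per_second=2, min_distinct=2):
    """Flag each wall-clock second in which at least min_per_second attempts
    arrived from at least min_distinct different sources.  A single noisy host
    trips only the rate check; a spoofed flood trips both."""
    per_second = defaultdict(list)
    for ts, src in parse_rsh_attempts(text):
        per_second[ts].append(src)
    alerts = []
    for ts in sorted(per_second):
        srcs = per_second[ts]
        if len(srcs) >= min_per_second and len(set(srcs)) >= min_distinct:
            alerts.append({"second": ts, "count": len(srcs), "distinct": len(set(srcs))})
    return alerts
```

On the sample above the 20:45:01 and 20:45:02 seconds are flagged and the lone 20:45:07 attempt is not; the thresholds are the 2-3 messages per second the original post observed, and should be tuned per box.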