RE: Invisible dilemma - ARP flush



Hi All

Thanks for the replies, and I am on my way to following most of your suggestions. Checked that all the switches are at the same IOS level, and STP was disabled on all switches. All machines are patched, up to the best of my knowledge, and running the latest antivirus signatures.

Just wanted to update that there was a brief disruption, and the usual ping traffic in Building B that usually takes <1ms swelled up to 20-40ms for about 10-15 minutes... and then returned to normal after doing an ARP reset. It took four days since the last reset. It didn't give me much time to investigate this time, though, as it had to be done urgently.

Having now configured ntop on SuSE and MRTG watching all switch port traffic (next is cacti), I am waiting for the Lion to come again.

Two more issues came to mind.

If it's not STP (now that it's disabled), could it be a speed mismatch, as my workstations have Gigabit NICs (set to auto/full duplex), switches are only 100 Mbps on ports (set to auto/full duplex) with single uplink gigabit ports (will check speed), and then finally a Fast Ethernet on the router (100 Mbps/full duplex/auto)?

What should I set them all/some to? Setting all gigabits on workstations to 100 Mbps would be labour intensive.

Just thinking...now that the eluding Lion is still not dead.
:(


At 01:57 PM 3/16/2007 +1100, Dr Yuri "Joe" Petkoswki wrote:
Though a more robust but easy to configure program is MRTG. I suggest you try it;
it should pinpoint the cause of the problem.
Good luck.
Joe Haskian

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Bryce Verdier
Sent: Thursday, March 15, 2007 6:06 PM
To: WALI
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Invisible dilemma - ARP flush


I don't know how much this will help... but besides the investment
of time it can't hurt. Try putting an ntop (http://www.ntop.org) box
between office B and the default gateway. If you can capture everything
over that span of a day or a few... you at least have the information to
start searching for the problem.

Again... I'm not sure if this will help... but I, as an inexperienced
person, would try it. Information gathering is never a bad thing.

Best of luck, and I'd like to hear the results.

bryce


WALI wrote:
>
> We have 100 MBps EoATM link between two office buildings. Say A and B.
> Server and majority of users are in Building A while a few (about 150)
> are in Building B. Router on the Building B end is configured for QoS
> as there is also Voice traffic floating across.
>
> The connection between the two buildings has been recently upgraded to
> 100 MBps from initial 10Mbps.
>
> Once every 2-3 days, users from Building B start to complain about
> slow network connections to Servers lying in Building A. The usual
> ping from B to A that takes <1ms, increases to 30-40ms. Ethereal shows
> no Broadcast traffic. Building A users complain of no such problems
> either. 100 Mbps connectivity between the two buildings remains under
> utilised. To me, it seems to be a problem local to Building B. We have
> four L3 48 port switches cascaded with gigabit uplink to each other. 2
> VLANS and spanning tree enabled on all.
>
> Crazy Solution: I take out any patch cable and re-insert it, the
> problem gets resolved. I reset any switch, the problem gets resolved.
> I disconnect any uplink cable between the four switches or do an ARP
> reset thru command line, the problem gets resolved for couple of hours
> or even days.
>
> But where could the problem lie?
>
> I have run Nessus, did find quite a few unpatched Windows machines in
> Building B that had lost their connection with WSUS, so did the
> patching. Made sure that all the machines are running latest
> anti-virus definitions. Sent a mail across to all users to get their
> laptops checked for latest updates (few have returned, though).
>
> What else can I do next time the problem recurs? It's a mystery till
> now. The switch support provider has upgraded the IOS and says there
> is nothing wrong with the switch. The VoIP provider maintains their
> instruments are fine. Is there any free bandwidth monitoring software?
> What else can help me here apart from routine wireshark/ethereal?
>
> Where else could the problem lie?
>
>


