loupis
asked on
Slow Network and loss of gateway connection
My network for some reason is grinding to halting speed and all computers seem to lose connectivity with the gateway - this effect is affecting vpn's coming in from the outside as well. My hubs are all showing constant network traffic.
I've been running ethereal but i'm not sure what to look for.
Any help here would be greatly appreciated.
thx in advance
I've been running ethereal but i'm not sure what to look for.
Any help here would be greatly appreciated.
thx in advance
Also while you are at it can you do an internal portscan of the subnet and post the ports open? We need to find out for one as well wether this traffic is coming from the inside or the outside. Next I would scan your outside network to see whats open. My first guess is filesharing. Look for ports like 6889 and up and LOTS of packets coming form them. One or two machines on a small network using BitTorrenet can bring things to a screeching halt. What do you have for a firewall?
Mike
Mike
Sure looks like you have a worm loose on your network...
Try shutting down PC's and servers one at a time until they are all offline and see if you can catch the culprit...
Then bring them all back up one at a time. Someone else might take over and bring the network back down..
We saw this all over the place with MSBlast, Welchia/Nachi worms earlier this year.
If you can, block ICMP at the router ingress port (stop all ICMP from going out the router/firewall)
Can you be more specific in the network equipment you have?
Try shutting down PC's and servers one at a time until they are all offline and see if you can catch the culprit...
Then bring them all back up one at a time. Someone else might take over and bring the network back down..
We saw this all over the place with MSBlast, Welchia/Nachi worms earlier this year.
If you can, block ICMP at the router ingress port (stop all ICMP from going out the router/firewall)
Can you be more specific in the network equipment you have?
ASKER
the domain is a 2k sbs and the router is a cisco1720 with an adsl card
icmp should be blocked out but not in
i'll attach an etherial clip - how many lines of text can I post here- or would you need to see?
I'm in the process of a powerdown on all computers now.
andy
icmp should be blocked out but not in
i'll attach an etherial clip - how many lines of text can I post here- or would you need to see?
I'm in the process of a powerdown on all computers now.
andy
If you have a 1720, try this to help:
access-list 110 deny icmp any any echo
access-list 110 permit ip any any
interface fast 0
ip access-group 110 in
ip accounting output-packets
ip route-cache flow
Then use:
"sho access-list 110" to see the hit-count increase on the deny entry - yes | no = clue
"sho ip accounting output-packets" highest number of packets to inside IP = clue
"sho ip cache flow" shows source/destination pairs and ports (in hex)
Sort your ethereal capture by port number. look for any specific port that has a lot of activity that is outside the "normal' ports on your network..
access-list 110 deny icmp any any echo
access-list 110 permit ip any any
interface fast 0
ip access-group 110 in
ip accounting output-packets
ip route-cache flow
Then use:
"sho access-list 110" to see the hit-count increase on the deny entry - yes | no = clue
"sho ip accounting output-packets" highest number of packets to inside IP = clue
"sho ip cache flow" shows source/destination pairs and ports (in hex)
Sort your ethereal capture by port number. look for any specific port that has a lot of activity that is outside the "normal' ports on your network..
I agree with lrmore,
You will find many ports open but the majority of which will have nothing traffic wise of the magnatude or the storm you are getting. The offending port(s) will be spewing out packets. If you have your machines on a managed switch like a cisco 2924 you could type from enable mode "sho int accounting" and if need be clear the interface counters and watch the ports. "clear counters" and then just keep re-running the "sho int accounting" command.
Mike
You will find many ports open but the majority of which will have nothing traffic wise of the magnatude or the storm you are getting. The offending port(s) will be spewing out packets. If you have your machines on a managed switch like a cisco 2924 you could type from enable mode "sho int accounting" and if need be clear the interface counters and watch the ports. "clear counters" and then just keep re-running the "sho int accounting" command.
Mike
ASKER
I think I found a solution here - Though maybe i'm running down the wrong highway.
I examined the majority of the packets and they were dns. So i dug in a little bit deeper and found out that the primary dns server at my isp had been changed without letting me know. I plugged in the new numbers into my dns forewarders and in my IP NAME-SERVER on my c1720 and it seems to be running smoothly right now. (i can at least get here to communicate with you gurus.)
Does this make sense/
andy
I examined the majority of the packets and they were dns. So i dug in a little bit deeper and found out that the primary dns server at my isp had been changed without letting me know. I plugged in the new numbers into my dns forewarders and in my IP NAME-SERVER on my c1720 and it seems to be running smoothly right now. (i can at least get here to communicate with you gurus.)
Does this make sense/
andy
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
hmm - dns wasn't the answer -
I didn't get much from the cisco - when the problems hapenning i can't access the router
catch 22
I didn't get much from the cisco - when the problems hapenning i can't access the router
catch 22
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
if u can post/host a text file of the ethereal traffic somewhere we can all have a look.