Solved

Dropped traffic detected by firewall

Posted on 2011-03-25
Last Modified: 2012-05-11

I have a CA monitoring server (on Win2003) that polls an HP-UX server on a
certain TCP port to see if the HP-UX server is still listening on that port.

There's a firewall between the 2 servers & the firewall has been
reporting that the specific TCP port's traffic was dropped with the
source being the Win2003 server & the destination being the HP-UX box.

Though the HP-UX box had been experiencing 100% CPU utilization
quite often, I was told a 100% CPU HP-UX would not drop traffic.

The Win2003 CA box also monitors other servers on other ports
but the firewall did not report such a phenomenon.


I don't think there's any duplex/speed/auto-negotiation issue as
the outputs below show:

A check on the switch port that the Win2003 box connects to did
not reveal any abnormality (input/output errors, collisions, etc) as
"show interface" outputs issued 3 minutes apart below show:

#sh int gig 0/2
GigabitEthernet0/2 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0017.0e16.fb9a (bia 0017.0e16.fb9a)
  Description: Uplink-Downlink Win2003 box
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 16/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:04, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:01:38
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 63893000 bits/sec, 13693 packets/sec
  5 minute output rate 210000 bits/sec, 69 packets/sec
     1455739 packets input, 850292957 bytes, 0 no buffer
     Received 3569 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 3170 multicast, 0 pause input
     0 input packets with dribble condition detected
     6819 packets output, 2415514 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

#sh int gig0/2
GigabitEthernet0/2 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0017.0e16.fb9a (bia 0017.0e16.fb9a)
  Description: Uplink-Downlink Win2003 box
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 17/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:26, output 00:00:01, output hang never
  Last clearing of "show interface" counters 00:05:31
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 68137000 bits/sec, 14602 packets/sec
  5 minute output rate 215000 bits/sec, 69 packets/sec
     5040726 packets input, 2943850964 bytes, 0 no buffer
     Received 11982 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 10627 multicast, 0 pause input
     0 input packets with dribble condition detected
     24806 packets output, 9048669 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

===================================

A check on the switch port that the HP-UX box connects to did
not reveal any abnormality (input/output errors, collisions, etc) either,
as "show interface" outputs issued 3 minutes apart below show:


#sh int gig 0/17
GigabitEthernet0/17 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0017.0e5a.2491 (bia 0017.0e5a.2491)
  Description: HP-UX box
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters 00:02:51
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 598000 bits/sec, 268 packets/sec
  5 minute output rate 321000 bits/sec, 270 packets/sec
     36085 packets input, 8695934 bytes, 0 no buffer
     Received 18 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 17 multicast, 0 pause input
     0 input packets with dribble condition detected
     36726 packets output, 5742743 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out


#sh int gig 0/17
GigabitEthernet0/17 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0017.0e5a.2491 (bia 0017.0e5a.2491)
  Description: HP-UX box
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:06:07
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 511000 bits/sec, 248 packets/sec
  5 minute output rate 308000 bits/sec, 253 packets/sec
     81256 packets input, 18815380 bytes, 0 no buffer
     Received 39 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 36 multicast, 0 pause input
     0 input packets with dribble condition detected
     82681 packets output, 12864144 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out


What should I do next to diagnose this?
Question by:sunhux
3 Comments
 
Accepted Solution

by:
kuoh earned 500 total points
ID: 35229175
The firewall is detecting dropped traffic, because it is the one doing the dropping, not the servers.  You should research what the original rules were that were allowing the traffic through and if they have been changed or if IP addresses have changed.

KuoH
0
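
The rule review suggested in the accepted answer, sketched as an added example that is not part of the original thread: it evaluates the monitoring polls against an ordered rule base with first-match semantics and an implicit deny, then lists permit rules that miss a dropped poll by a single field. The addresses, port numbers, rule names and the stale-address rule are all constructed assumptions; first-match ordering is assumed because the thread does not name the firewall.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "permit" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: range  # destination TCP ports

def mismatches(rule, src, dst, port):
    """Fields of the flow that keep this rule from matching (empty = match)."""
    bad = []
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        bad.append("src")
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        bad.append("dst")
    if port not in rule.ports:
        bad.append("port")
    return bad

def evaluate(rules, src, dst, port):
    """First-match evaluation; a flow matching no rule hits the implicit deny."""
    for rule in rules:
        if not mismatches(rule, src, dst, port):
            return rule.action, rule.name
    return "deny", "implicit-deny"

def explain_drops(rules, polls):
    """Map each denied poll to the permit rules that miss it by exactly one field."""
    report = {}
    for flow in polls:
        if evaluate(rules, *flow)[0] != "deny":
            continue
        near = []
        for rule in rules:
            bad = mismatches(rule, *flow)
            if rule.action == "permit" and len(bad) == 1:
                near.append((rule.name, bad[0]))
        report[flow] = near
    return report

# Constructed data: 10.1.1.10 stands in for the monitoring server, 10.2.2.20 for
# the HP-UX box; "mon-to-hpux-old" still points at a former address (assumption).
RULES = [
    Rule("mon-to-db", "permit", "10.1.1.10/32", "10.2.2.30/32", range(1521, 1522)),
    Rule("mon-to-hpux-old", "permit", "10.1.1.10/32", "10.2.2.21/32", range(5555, 5556)),
]
POLLS = [("10.1.1.10", "10.2.2.30", 1521), ("10.1.1.10", "10.2.2.20", 5555)]
```

An empty near-miss list for a dropped poll means no permit rule was ever close to covering it, which is the case the author reports in the follow-up comment.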
 

Author Comment

by:sunhux
ID: 35232429

You're right, the firewall blocked the traffic as there are no rules in it that
permit the traffic to pass through.

I think too far
0
 

Author Closing Comment

by:sunhux
ID: 35232450
ok
0
