Solved

Dropped traffic detected by firewall

Posted on 2011-03-25
Last Modified: 2012-05-11

I have a CA monitoring server (on Win2003) that polls an HP-UX server on a
certain TCP port to see if the HP-UX server is still listening on that port.

There's a firewall between the 2 servers & the firewall has been
reporting that the specific TCP port's traffic was dropped, with the
source being the Win2003 server & the destination being the HP-UX box.

Though the HP-UX box had been experiencing 100% CPU utilization
quite often, I was told a 100% CPU HP-UX would not drop traffic.

The Win2003 CA box also monitors other servers on other ports
but the firewall did not report such a phenomenon.


I don't think there's any duplex/speed/auto-negotiation issue as
the outputs below show:

A check on the switch port that the Win2003 box connects to did
not reveal any abnormality (input/output errors, collisions, etc) as
"show interface" outputs issued 3 minutes apart below show:

#sh int gig 0/2
GigabitEthernet0/2 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0017.0e16.fb9a (bia 0017.0e16.fb9a)
  Description: Uplink-Downlink Win2003 box
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 16/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:04, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:01:38
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 63893000 bits/sec, 13693 packets/sec
  5 minute output rate 210000 bits/sec, 69 packets/sec
     1455739 packets input, 850292957 bytes, 0 no buffer
     Received 3569 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 3170 multicast, 0 pause input
     0 input packets with dribble condition detected
     6819 packets output, 2415514 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

#sh int gig0/2
GigabitEthernet0/2 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0017.0e16.fb9a (bia 0017.0e16.fb9a)
  Description: Uplink-Downlink Win2003 box
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 17/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:26, output 00:00:01, output hang never
  Last clearing of "show interface" counters 00:05:31
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 68137000 bits/sec, 14602 packets/sec
  5 minute output rate 215000 bits/sec, 69 packets/sec
     5040726 packets input, 2943850964 bytes, 0 no buffer
     Received 11982 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 10627 multicast, 0 pause input
     0 input packets with dribble condition detected
     24806 packets output, 9048669 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

===================================

A check on the switch port that the HP-UX box connects to did
not reveal any abnormality (input/output errors, collisions, etc) either,
as "show interface" outputs issued 3 minutes apart below show:


#sh int gig 0/17
GigabitEthernet0/17 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0017.0e5a.2491 (bia 0017.0e5a.2491)
  Description: HP-UX box
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters 00:02:51
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 598000 bits/sec, 268 packets/sec
  5 minute output rate 321000 bits/sec, 270 packets/sec
     36085 packets input, 8695934 bytes, 0 no buffer
     Received 18 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 17 multicast, 0 pause input
     0 input packets with dribble condition detected
     36726 packets output, 5742743 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out


#sh int gig 0/17
GigabitEthernet0/17 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0017.0e5a.2491 (bia 0017.0e5a.2491)
  Description: HP-UX box
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:06:07
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 511000 bits/sec, 248 packets/sec
  5 minute output rate 308000 bits/sec, 253 packets/sec
     81256 packets input, 18815380 bytes, 0 no buffer
     Received 39 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 36 multicast, 0 pause input
     0 input packets with dribble condition detected
     82681 packets output, 12864144 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out


What should I do next to diagnose this?
0
Question by:sunhux
3 Comments
 
LVL 6

Accepted Solution

by:
kuoh earned 500 total points
ID: 35229175
The firewall is detecting dropped traffic, because it is the one doing the dropping, not the servers.  You should research what the original rules were that were allowing the traffic through and if they have been changed or if IP addresses have changed.

KuoH
0
 

Author Comment

by:sunhux
ID: 35232429

You're right, the firewall blocked the traffic as there are no rules in it that
permit the traffic to pass through.

I think too far
0
 

Author Closing Comment

by:sunhux
ID: 35232450
ok
0
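
An added example (not part of the thread) of the check the accepted answer points to: a first-match walk of a firewall rule base, showing why one monitored flow falls to the implicit deny while the monitor's other probes pass. The rule set, the addresses (documentation ranges) and port 5001 are constructed assumptions; the thread does not give the real ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # TCP destination port, None = any

# Constructed rule base: the monitor may reach two other servers, and one
# rule still points at an address the HP-UX box no longer uses.
MON, HPUX = "192.0.2.10", "198.51.100.41"
RULES = [
    Rule("mon-to-ssh-host", "permit", "192.0.2.10/32", "198.51.100.20/32", 22),
    Rule("mon-to-db-host", "permit", "192.0.2.10/32", "198.51.100.30/32", 1521),
    Rule("mon-to-hpux-old-ip", "permit", "192.0.2.10/32", "198.51.100.40/32", 5001),
]

def _hits(rule, src, dst, port):
    """Per-field match result for one rule: (src, dst, port)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in ipaddress.ip_network(rule.src),
            d in ipaddress.ip_network(rule.dst),
            rule.port in (None, port))

def evaluate(rules, src, dst, port):
    """First matching rule wins; a flow that matches nothing is dropped."""
    for rule in rules:
        if all(_hits(rule, src, dst, port)):
            return rule.action, rule.name
    return "deny", "implicit-deny"

def near_misses(rules, src, dst, port):
    """Rules matching two of three fields: likely stale or mistyped entries."""
    out = []
    for rule in rules:
        hits = _hits(rule, src, dst, port)
        if sum(hits) == 2:
            out.append((rule.name, ("src", "dst", "port")[hits.index(False)]))
    return out

if __name__ == "__main__":
    print(evaluate(RULES, MON, HPUX, 5001))           # the dropped probe
    print(evaluate(RULES, MON, "198.51.100.20", 22))  # a probe that passes
    print(near_misses(RULES, MON, HPUX, 5001))        # which rule to review
```

A near miss on `dst` or `src` corresponds to the "IP addresses have changed" case in the accepted answer; an empty near-miss list means no rule was ever written for the flow.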

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A Wildcard Certificate means all of your sub-domains will resolve to the same location, regardless of the non-SSL Document-Root specification. A user will need to purchase a wildcard SSL from a vendor or a reseller that supplies them. Similar to ha…
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question