DP230
Cisco 3925 hang
Dear wizards, my router hung this afternoon. Internet for the email system was interrupted for about 20 mins. We could not telnet or connect to it via the console port, and had to reset the router to bring it back.
So how can we know what happened? Where can we find the logs? Was it a signal of a DDoS attack? And if so, how can we mitigate it?
Which changes were made before the hang?
ASKER
Nothing from my side. There are 2 other sysadmins in my team, but I don't think they touched it. Anyway, how can I check that?
ASKER CERTIFIED SOLUTION
Good answer.
In addition to checking if there is #debug
Or access list ends of log
ASKER
@predrag: many thanks for your advice. I followed your instructions and see nothing special except these:
Sep 25 14:43:10.149: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 14:43:45.395: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 14:44:16.655: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 14:44:47.967: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 14:45:17.979: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 14:45:48.483: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 14:50:32.419: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
Sep 25 15:05:22.790: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 15:05:54.500: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 15:06:35.482: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 15:07:13.246: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 15:33:58.808: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
That interface g0/2 is connected to the Core switch. Should I increase its threshold and the other interfaces'? And which number should we use?
interface GigabitEthernet0/0
description "ISP1"
ip address y.y.y.y 255.255.255.252
ip access-group SECURITY-IN in
ip access-group SECURITY-OUT out
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description Connect to SW1-3750
ip address 172.16.2.26 255.255.255.248
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip policy route-map test2
duplex auto
speed auto
!
interface GigabitEthernet0/3
description "ISP2"
ip address x.x.x.x 255.255.255.248
ip access-group SECURITY-IN in
ip access-group SECURITY-OUT out
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
And I have to note that these days there are many users uploading data files to our server via this router (normally 24/7 - we are migrating emails, so they were uploading their data files). Could this be a reason?
Or do you think it was an attack from the LAN?
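A triage sketch for the log excerpt in the post above, added here as an example and not part of the original thread: it extracts the %IP_VFR-4-FRAG_TABLE_OVERFLOW lines, groups them per interface into bursts, and reports when each burst started and ended so the bursts can be lined up against the outage window. The function names, the placeholder year and the two-minute burst gap are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input rebuilt from the log lines in the post (same timestamps and text).
MSG = ("%IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table "
       "has reached its maximum threshold 16")
STAMPS = ("14:43:10.149 14:43:45.395 14:44:16.655 14:44:47.967 14:45:17.979 "
          "14:45:48.483 15:05:22.790 15:05:54.500 15:06:35.482 15:07:13.246 "
          "15:33:58.808")
SAMPLE_LOG = "\n".join(f"Sep 25 {t}: {MSG}" for t in STAMPS.split()) + (
    "\nSep 25 14:50:32.419: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message "
    "type has arrived. Terminating the connection")

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%IP_VFR-4-FRAG_TABLE_OVERFLOW: (?P<intf>\S+): .*threshold (?P<limit>\d+)")

def parse_overflows(text, year=2000):
    """Return {interface: [(timestamp, threshold), ...]}; other messages are skipped.
    The log has no year, so `year` is a placeholder used only to compute deltas."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events[m["intf"]].append((ts, int(m["limit"])))
    return events

def bursts(stamps, gap=timedelta(minutes=2)):
    """Group timestamps into bursts; a silence longer than `gap` starts a new one."""
    groups = []
    for ts in sorted(stamps):
        if groups and ts - groups[-1][-1] <= gap:
            groups[-1].append(ts)
        else:
            groups.append([ts])
    return [(g[0], g[-1], len(g)) for g in groups]

def summarize(text):
    """Per interface: event count, thresholds seen, and (start, end, count) bursts."""
    return {intf: {"events": len(ev), "thresholds": {lim for _, lim in ev},
                   "bursts": bursts(ts for ts, _ in ev)}
            for intf, ev in parse_overflows(text).items()}

if __name__ == "__main__":
    for intf, info in summarize(SAMPLE_LOG).items():
        for start, end, n in info["bursts"]:
            print(f"{intf} {start:%H:%M:%S} -> {end:%H:%M:%S}: {n} overflow messages")
```

On the posted lines this reports three bursts on GigabitEthernet0/2 (6, 4 and 1 messages), all against the threshold of 16 that the log itself states.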
SOLUTION
ASKER
Thank you very much!
You are very welcome