asked on

Cisco 3925 hang

Dear wizards, my router was hang this afternoon. Internet for email system was interrupted for about 20 mins. we could not telnet or connect to it via console port, and had to reset the router to bring it back.

so how can we know what happened? where can we find the logs? was it a signal of DDoS attack? and if so, how can we mitigate it?

nader alkahtani

which changes done before hanging ?

DP230

ASKER

nothing from my side, there are 2 other sysadmins in my team but i dont think they touched it. anyway how can I check that?

ASKER CERTIFIED SOLUTION

Predrag Jovic

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

nader alkahtani

Good answer.
In addition to checking if there is #debug
Or access list ends of log

DP230

ASKER

@predrag: many thanks for your advise, I followed your instructions and see nothing special except these:

Sep 25 14:43:10.149: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 14:43:45.395: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 14:44:16.655: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 14:44:47.967: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 14:45:17.979: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 14:45:48.483: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 14:50:32.419: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
Sep 25 15:05:22.790: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 15:05:54.500: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 15:06:35.482: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 15:07:13.246: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16
Sep 25 15:33:58.808: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/2: the fragment table has reached its maximum threshold 16

Open in new window

That interface g0/2 is connected to the Core switch. Should I increase its threshold and other interface's? And which number should we use?

interface GigabitEthernet0/0
 description "ISP1"
 ip address y.y.y.y 255.255.255.252
 ip access-group SECURITY-IN in
 ip access-group SECURITY-OUT out
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
[b]interface GigabitEthernet0/2
 description Connect to SW1-3750
 ip address 172.16.2.26 255.255.255.248[/b]
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map test2
 duplex auto
 speed auto
!
interface GigabitEthernet0/3
 description "ISP2"
 ip address x.x.x.x 255.255.255.248
 ip access-group SECURITY-IN in
 ip access-group SECURITY-OUT out
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!

Open in new window

And I have to note that these days there are many users upload data files into our Server via this Router (normally 24/7 - we are migrating emails, so they were uploading their data files). Should this be a reason?

Or do you think it was an attack from LAN?

SOLUTION

Predrag Jovic

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

DP230

ASKER

Thank you very much!

nader alkahtani

You are very welcome