
Network congestion at about 22 minute intervals.  Cause?

Bobby Ashton asked:
We have a network segment that every 22 minutes approximately gets very congested for about 10 seconds or so, causing various apps to get disconnected. We have a multiple-VLAN environment and only one VLAN is affected. We believe it is being flooded with UDP packets. The switches are Cisco with all ports running 100 or gigabit speeds. We have about 4 servers, about 40 PCs, 7 or 8 printers, and three copiers on that segment. We usually see the issue on our network by an app that displays on a large monitor that is running on one of the PCs. The app connects to the internet and displays real-time information. What happens is there is a notification that the app has lost its connection to the internet server. Other apps are affected at the same time. We have verified that other LAN segments are not affected and the Internet connection for the affected VLAN is on another segment. We need to know how to trace the source of the information. We have removed the servers and a number of the workstations for a period of time with no change in the issue.


John, Business Consultant (Owner)
I just had a router go nuts at a client last week, flooding our system with packets (broadcast storm), and we had to shut down and start up this router to stop the packets. So far that has worked, but we need to upgrade the firmware on this device.

To your point now: look for incoming packet floods (ask your ISP), make sure all router devices have the newest firmware, and restart these devices. That is where I would start.
Muhammad Sajjad, Systems & Networks Administrator
You can use any network monitoring tool (freeware) and keep it on for capturing packets, especially when you are usually facing this issue. At the same time, your packet capture will tell you about the huge traffic generated by the specific source.

I had an 80% similar case and was lucky to find the solution through this practice.
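The capture-and-compare approach in this answer, as an added example that is not code from the thread: it takes a tshark field export from a capture on a SPAN/mirror port of the affected VLAN, finds the seconds whose packet rate is far above the median, checks that the bursts repeat on the ~22-minute cycle the question describes, and ranks source MAC/IP pairs within those windows only. The export command shown in the docstring is standard tshark syntax but an assumption about how you captured; the data the script runs on is constructed, not a real capture.

```python
"""Locate a periodic UDP burst and its source in a tshark field export.

Added example for the capture-and-compare step above; it is not code from the
thread. It assumes the capture was taken on a SPAN/mirror port of the affected
VLAN and exported with (assumed, but standard tshark syntax):

    tshark -r vlan.pcap -Y udp -T fields -E separator=, \
        -e frame.time_epoch -e eth.src -e ip.src -e ip.dst -e udp.dstport -e frame.len

The data used here is constructed, not a real capture: ~2 pkt/s of background
traffic plus two 10-second floods 1320 s (22 min) apart from one MAC address.
"""
from collections import Counter
from statistics import median

T0 = 1_600_000_000                  # arbitrary epoch base for the constructed capture
FLOODER_MAC = "00:11:22:33:44:55"   # hypothetical offending host
FLOODER_IP = "192.168.10.57"


def constructed_export(duration=3000, burst_starts=(1000, 2320), burst_len=10, burst_pps=150):
    """Generate tshark-style CSV rows (constructed sample data)."""
    background = [("a4:5e:60:00:00:01", "192.168.10.21"),
                  ("a4:5e:60:00:00:02", "192.168.10.22")]
    rows = []
    for sec in range(duration):
        for i, (mac, ip) in enumerate(background):          # DNS-sized background packets
            rows.append(f"{T0 + sec + i / 10:.6f},{mac},{ip},192.168.10.5,53,90")
        if any(s <= sec < s + burst_len for s in burst_starts):   # broadcast flood
            for k in range(burst_pps):
                rows.append(f"{T0 + sec + k / burst_pps:.6f},{FLOODER_MAC},{FLOODER_IP},"
                            f"192.168.10.255,5000,1400")
    return rows


def parse_export(lines):
    """Parse CSV rows into (epoch, src_mac, src_ip, dst_ip, dst_port, length)."""
    parsed = []
    for line in lines:
        f = line.rstrip("\n").split(",")
        if len(f) != 6 or not f[0]:
            continue  # frames without the requested fields come out empty; skip them
        parsed.append((float(f[0]), f[1], f[2], f[3], f[4], int(f[5] or 0)))
    return parsed


def packets_per_second(rows):
    """Bucket packets into whole-second bins keyed by epoch second."""
    pps = Counter()
    for epoch, *_ in rows:
        pps[int(epoch)] += 1
    return pps


def find_bursts(pps, factor=10, min_len=2):
    """Return [(start_sec, end_sec_exclusive, peak_pps)] for runs of seconds whose
    packet count exceeds factor x the median second. The median is robust to the
    bursts themselves as long as they are a small fraction of the capture."""
    if not pps:
        return []
    threshold = max(factor * median(pps.values()), 1)
    bursts = []
    for sec in sorted(s for s, n in pps.items() if n > threshold):
        if bursts and sec == bursts[-1][1]:          # extends the current run
            bursts[-1][1] = sec + 1
            bursts[-1][2] = max(bursts[-1][2], pps[sec])
        else:
            bursts.append([sec, sec + 1, pps[sec]])
    return [tuple(b) for b in bursts if b[1] - b[0] >= min_len]


def burst_period(bursts):
    """Seconds between consecutive burst starts (a 22-minute cycle is ~1320 s)."""
    starts = [b[0] for b in bursts]
    return [later - earlier for earlier, later in zip(starts, starts[1:])]


def top_talkers(rows, bursts, n=3):
    """Rank (src_mac, src_ip) by packets sent inside the burst windows only."""
    counts = Counter()
    for epoch, mac, ip, *_ in rows:
        sec = int(epoch)
        if any(start <= sec < end for start, end, _ in bursts):
            counts[(mac, ip)] += 1
    return counts.most_common(n)


def analyze(lines):
    """Full pipeline: parse, bucket, detect bursts, report period and top talkers."""
    rows = parse_export(lines)
    bursts = find_bursts(packets_per_second(rows))
    return {"bursts": bursts,
            "period_s": burst_period(bursts),
            "top_talkers": top_talkers(rows, bursts)}


if __name__ == "__main__":
    report = analyze(constructed_export())
    for start, end, peak in report["bursts"]:
        print(f"burst {start}-{end} peak {peak} pkt/s")
    print("period between bursts (s):", report["period_s"])
    print("top talkers during bursts:", report["top_talkers"])
```

Counting only inside the burst windows matters: over a whole 22-minute capture the background hosts can easily out-talk a source that is quiet for 1310 of every 1320 seconds. Once the script names a MAC address, `show mac address-table address <mac>` on the Cisco switch tells you which port it sits behind, which is what you need to unplug or inspect.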
Try PRTG to monitor all of the switch interfaces. A simple look at the graph will tell you which port the flood is coming from.

Then you can diagnose further. Often, simply knowing which machine it is, is useful and you just have a look at that machine.

You could also set up a monitor port and use Wireshark to identify the type of traffic, if a casual look at the machine in question doesn't produce results.
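The per-interface graphing this answer relies on boils down to differencing SNMP interface counters between polls. The added example below is not PRTG's code or code from the thread; it assumes you have walked IF-MIB::ifHCInOctets (or ifInOctets) on the switch, for instance with `snmpwalk -v2c -c public 192.168.10.1 IF-MIB::ifHCInOctets` (community string and address are assumptions), and turned the result into `{ifIndex: octets}` dictionaries. The polls in the script are constructed. It also encodes two caveats a practitioner would want here: 32-bit ifInOctets wraps in about 34 seconds at gigabit line rate, so use the 64-bit counters and handle a wrap anyway; and a 10-second burst averaged over a 5-minute poll is diluted thirty-fold, so poll at least as often as the burst lasts.

```python
"""Rank switch ports by inbound bit rate from two SNMP interface-counter polls.

Added example for the per-interface graphing step above; it is not PRTG's code
or from the thread. It assumes you polled every port of the affected VLAN twice,
a known interval apart, e.g. with (assumed community string and address):

    snmpwalk -v2c -c public 192.168.10.1 IF-MIB::ifHCInOctets

and parsed the result into {ifIndex: octets}. The polls below are constructed.
"""


def counter_delta(prev, cur, bits=64):
    """Octets counted between two polls, correcting a single counter wrap."""
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur      # counter passed through zero once


def port_rates(poll_a, poll_b, interval_s, bits=64):
    """{ifIndex: bits per second} over the interval between poll_a and poll_b."""
    rates = {}
    for idx, prev in poll_a.items():
        if idx in poll_b:                # ports absent from either poll are skipped
            rates[idx] = counter_delta(prev, poll_b[idx], bits) * 8 / interval_s
    return rates


def suspects(rates, threshold_bps):
    """Ports above threshold, busiest first: [(bps, ifIndex), ...]."""
    return sorted(((bps, idx) for idx, bps in rates.items() if bps > threshold_bps),
                  reverse=True)


def seconds_until_wrap(link_bps, bits=32):
    """How long a counter can run at line rate before it wraps. If the poll
    interval exceeds this, a delta is ambiguous (more than one wrap possible)."""
    return (1 << bits) / (link_bps / 8)


def burst_visibility(burst_s, poll_interval_s):
    """Fraction of a burst's peak rate that survives averaging over one poll."""
    return min(1.0, burst_s / poll_interval_s)


# Constructed polls 10 s apart with 64-bit counters (not real switch data):
# ifIndex 10107 moves 125 MB, i.e. a full 100 Mb/s for the whole interval,
# while the other two ports carry ordinary background traffic.
POLL_A = {10101: 1_000_000, 10102: 250_000, 10107: 9_000_000_000}
POLL_B = {10101: 1_060_000, 10102: 262_500, 10107: 9_125_000_000}
POLL_INTERVAL_S = 10


def demo(threshold_bps=50_000_000):
    """Rates from the constructed polls, filtered to the ports worth a look."""
    return suspects(port_rates(POLL_A, POLL_B, POLL_INTERVAL_S), threshold_bps)


if __name__ == "__main__":
    for bps, idx in demo():
        print(f"ifIndex {idx}: {bps / 1e6:.1f} Mb/s inbound")
    print(f"32-bit counter wraps after {seconds_until_wrap(1_000_000_000):.1f} s at 1 Gb/s")
    print(f"a 10 s burst shows at {burst_visibility(10, 300):.1%} of its rate in a 300 s poll")
```

If you would rather read the rate on the switch itself, Cisco IOS reports a 5-minute input/output rate per interface by default; `load-interval 30` under the interface shortens that average to 30 seconds, which is still three times the burst length here but enough to make the spike stand out in `show interfaces`.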
Distinguished Expert 2018
I'm guessing you don't have some sort of monitoring software or tool. Get one, just as cited in previous suggestions. Wireshark would be one tool that would help immensely. Do you have managed switches? That would be another way to help you trace where the problem is (checking the ports that are members of that VLAN).

Based on what you've mentioned, with some guesswork: did you try removing the printers? Have you also checked for any rogue devices on that network?
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

-- John (https:#a42356483)
-- Muhammad Sajjad (https:#a42356386)
-- masnrock (https:#a42356491)
-- John Hurst (https:#a42356380)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer