CiscoWorks LMS Generating Heavy ICMP Traffic

ahamadfaiz
Level 1

Hi All,

We have CiscoWorks LMS in our network. While going through the firewall logs, I see that this server is generating heavy ICMP traffic to multiple subnets in the network.

I did check the Ping Sweep settings but it is disabled. I cannot understand why it is still generating so much ICMP traffic.

Version: LMS3.2.1

Thanks in advance.

Faiz

5 Replies

ahamadfaiz
Level 1

Hi,

Additionally, I disabled the Device and Credentials > Admin > Device Polling > Device Poll Settings > Activate Device Polling to Check Reachability option as well. However, I could still see ICMP traffic in the firewall logs.

Request your assistance.

Regards,

Faiz

It may be UT that is configured to Ping Sweep. A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine which range of IP addresses map to live end hosts (computers). You can use a single ping to find out whether a specific end host exists on the network.

A Ping Sweep consists of ICMP (Internet Control Message Protocol) ECHO requests sent to multiple hosts. If a given address is live, it will return an ICMP ECHO reply. Ping sweeps are among the older and slower methods used to scan a network.

When Ping Sweep is enabled in Campus Manager, the UTPing program in NMSROOT/campus/bin will be invoked during acquisition to send out a sweep of pings for each subnet.

Before collecting information from a device, the subnets connected to the device are pinged. This serves as a connectivity check and also loads the ARP table of the layer 3 device with the latest information. After pinging, the acquisition process starts collecting end host information from the device.

You can modify Ping Sweep option from the Admin tab in Campus User Tracking window.

To modify Ping Sweep options:

Select Campus Manager > Administration > User Tracking.

The Campus Manager User Tracking window appears.

Select Administration > Acquisition > Ping Sweep.

The Ping Sweep dialog box appears. Choose any of the following:

Disable Ping Sweep

Perform Ping Sweep on all subnets

Exclude subnets from Ping Sweep

When you choose Exclude subnets from Ping Sweep, select the subnets that you want to exclude from Ping Sweep. You can select subnets from the list of available subnets and add to the list of subnets to be excluded.

Specify the Wait Interval, if Ping Sweep is enabled.

Wait Interval is the time duration between pinging subnets. The interval ensures that the network is not flooded with ping packets.

For example, assume that you have included 4 subnets for pinging, and set the wait interval to 10 seconds.

If Subnets 1 and 2 are connected to Device 1, and Subnets 3 and 4 are connected to Device 2, then 10 seconds lapse between pinging Subnets 1 and 2. After pinging both the subnets, acquisition starts on Device 1. The same happens with Device 2.

Click Apply.

User Tracking does not perform Ping Sweep on large subnets.

-Thanks

-Thanks Vinod **Rating encourages contributors, and it's really free.**

Hi Vinod,

Thank you for the response.

But, as I have mentioned in the first post, I have tried this option. The Ping Sweep is disabled under the path you mentioned.

Moreover, I tried the following as well:

- Stopped LMS services to ensure that there is no virus on the server and LMS itself is generating this traffic. There were no hits when the services were stopped. Hence LMS is the one generating the traffic.

- Tried stopping the LMS processes CSDiscovery and DCRDevicePoll. But this did not help either.

I see that the Configure Subnet Acquisition is enabled. Will that be causing this traffic?

I am really not getting a hold of this. Please assist.

Regards,

Faiz

The other two processes which could ping are:

1. Common Services Device polling.

We configure a Device Polling policy and schedule a Device Polling job to check whether the devices can be reached. We can use one or all of the following protocols only to poll devices:

- ICMP (Ping)

- SNMP v3

- SNMP v2c/V1

Please check if any polling job is configured at:

Common Services > Device and Credentials > Admin > Device Polling > Device Polling Settings

For more details, please check the following link:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.3/user/guide/dcr.html#wp1863226

2. DFM polling the device

DFM uses a high-performance, asynchronous ICMP poller. The poller uses two threads: one sends polls, and the other receives polls. These separate operations allow polling to continue at a stable rate. For details check ICMP Polling.

You can try to suspend the device monitoring for some time to see if DFM is polling the device. You can stop monitoring a device by selecting it and clicking the Suspend button in the DDV.

For details on how to do it check Suspending Device and Element Monitoring.

-Thanks

-Thanks Vinod **Rating encourages contributors, and it's really free.**
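An added example, not part of the original thread and not a Cisco tool: one way to tell from firewall logs whether the ICMP from the management server looks like a Ping Sweep (most of a subnet, each address once) or like Device Polling/DFM polling (a few devices, repeated at a steady interval). The log format, the addresses and the thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

SRC = "10.0.0.5"  # constructed address standing in for the LMS server
# Constructed sample lines, "epoch_seconds src dst proto" (not a real firewall format).
SAMPLE = (
    [f"{1000 + i} {SRC} 10.1.1.{i} icmp" for i in range(1, 255)]      # one probe per host
    + [f"{t} {SRC} 10.2.2.{h} icmp" for t in (0, 300, 600, 900) for h in (10, 20, 30)]
    + ["50 10.9.9.9 10.1.1.1 icmp", f"60 {SRC} 10.2.2.10 tcp"]          # unrelated noise
)

def classify_icmp(lines, src, prefix=24):
    """Label each destination subnet probed by `src` as sweep-like or poll-like.

    Returns {subnet: (label, distinct_destinations, median_repeat_interval_seconds)}.
    """
    hits = defaultdict(lambda: defaultdict(list))  # subnet -> dst -> [timestamps]
    for line in lines:
        ts, s, d, proto = line.split()
        if s != src or proto != "icmp":
            continue
        net = ipaddress.ip_network(f"{d}/{prefix}", strict=False)
        hits[net][d].append(int(ts))

    report = {}
    for net, dsts in hits.items():
        usable = max(net.num_addresses - 2, 1)
        coverage = len(dsts) / usable                       # share of the subnet touched
        repeats = sum(len(t) for t in dsts.values()) / len(dsts)
        gaps = [b - a for t in dsts.values()
                for a, b in zip(sorted(t), sorted(t)[1:])]
        interval = median(gaps) if gaps else None
        # Thresholds are assumptions for this example; tune them to your own logs.
        if coverage >= 0.5 and repeats < 2:
            label = "sweep-like"    # most of the subnet, each address about once
        elif repeats >= 3:
            label = "poll-like"     # few addresses, probed again at a steady interval
        else:
            label = "unclear"
        report[str(net)] = (label, len(dsts), interval)
    return report

if __name__ == "__main__":
    for subnet, result in classify_icmp(SAMPLE, SRC).items():
        print(subnet, result)
```

A poll-like interval can be compared against the schedule configured under Device Polling Settings or DFM to identify which job is responsible.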

Hi Vinod,

I am sorry for the delayed response.

I disabled the device polling and there were no hits on the firewall after that.

Thank you so much.

Regards,

Faiz
