Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1860
Views
5
Helpful
3
Replies

CUCM - RTMT System Log Message SYN Flooding, Port 2000

Go to solution
melinda.clancy
Level 1
Level 1

‎09-15-2016 09:49 AM - edited ‎03-13-2019 09:36 PM

I have CUCM 10.5.  I monitor the RTMT for errors. In RTMT System log, I see "possible SYN flooding on port 2000.  Sending cookies."  This is only happening on two of my Subscribers.  It is not happening on the other two Subscribers or the Publisher.

I have attempted to find the answer to why this is happening, but I cannot find anything for SYN flooding on port 2000. Sending cookies.

If anyone has an answer to this, please let me know.

Thanks,

Melinda

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Manish Gogna
Cisco Employee
Cisco Employee

‎09-20-2016 07:51 PM

Hi Melinda,

This could be either a network connectivity or a performance issue on these subs. You may get the outputs of the following to see if there is any core dump or error that shows up on these subs

show status

utils core active list

utils diagnose test

Check for any SDL OOS or CPU/Mem pegging alerts as well.

Manish

View solution in original post

3 Replies 3

Go to solution
Manish Gogna
Cisco Employee
Cisco Employee

‎09-20-2016 07:51 PM

Hi Melinda,

This could be either a network connectivity or a performance issue on these subs. You may get the outputs of the following to see if there is any core dump or error that shows up on these subs

show status

utils core active list

utils diagnose test

Check for any SDL OOS or CPU/Mem pegging alerts as well.

Manish

Go to solution
melinda.clancy
Level 1
Level 1
In response to Manish Gogna

‎09-22-2016 02:47 PM

This appears to be the correct answer as we had a fiber issue (fiber ring).  I talked to the network guy and he is not sure why this might be happening.  But as soon as the fiber was fixed, the SYN flooding stopped.  I also had an issue with the PUB and Subs hitting the NTP server.

 

I truly appreciate the responses, as it gave me trouble shooting information.

 

Thanks to both for your knowledge.

 

Melinda

0 Helpful

Go to solution
Aseem Anand
Cisco Employee
Cisco Employee

‎09-20-2016 09:30 PM

Check if there are any cluster authentication errors using the output of the command "Show network cluster".

Also check event viewer application and system logs to see if there are any transient connection attempts from IP phones on port 2000. You may setup captures on CUCM using the link below on port 2000 to see from which devices are you getting these requests:

https://supportforums.cisco.com/document/44376/packet-capture-cucm-appliance-model

Please make sure:

1 . You are not using VMWare snapshots as they tend to affect CPU performance.

2.  If you have a VG224 or VG320 etc, make sure you shutdown any unused ports as they tend to send out repeated registration requests.

Aseem

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents