Router utilization

nasheer.ahmad · ‎09-04-2008

Hi,

I am facing a different problem on the router.Suddenly our link was getting very slow.When we ping to my datacenter from where my ppp link was connected,we are getting time on around 4000msec and in the router rx will show as 243/255 and tx will show as 20/255.

This problem will occur on morning 11:00 and in the afternoon around 15:00hrs and will stay up to 1 hour and become normal.

Pls suggest me what shall i do to resolve this issue.

regds

Nasheer

spremkumar · ‎09-04-2008

Hi Nasheer

You can enable netflow in your router and can find out which scheduled transaction chokes up the link.

you can make use of ip route-cache flow command under the ethernet interface and use show ip cache flow to see the transactions.

based on the same you can identify which ip or ips and which application transaction chokes the whole link.

Also make sure that you change the bandwidth of the interface using bandwidth command to the appropiate one instead of the default value.

regds

Joseph W. Doherty · ‎09-04-2008

From your stats, it appears your seeing inbound congestion, that's likely in a FIFO queue. Edwin's post provides information to identify the "culprit(s)", but unless you can have the sources change their behavior, you might need to consider increasing your bandwidth or look at QoS options to better manage your bandwidth. With QoS, is often possible for ping times to barely increase, except for the bandwidth hogs, even when the link is 100% full.

paul.matthews · ‎09-05-2008

That't 95% utilisation. The first thing is to identify the traffic - you have a host of options available to you. Does the LAN side of the router show a corresponding increase?

Netflow is the obvious router based method to identify sources, but NBAR may help identify what the traffic is, or if you don't like the idea of trying those. what about putting an analyser on the LAN to capture the traffic and have a look at it.

That should answer the "is this valid traffic or a DOS attack?" question. You then have to decide what to do, and to a degree that depends upon what the traffic is.

It is difficult to control what you receive, but you do have some options to influence it depending on the traffic.

If you know what the traffic is when you see is (something doing regular downloads?) you can look at what to do. Is it something tht you can get someone to schedule to run overnight instead? If the traffic is TCP, you could potentially rate limit it to slow it, using WRED type options.

As you are using a serial line, you may have the option to run compressions to get a little more, but compression is not always very effective.

It may just be that the business needs a bigger pipe in the end.

Paul.

karmesh_12 · ‎09-07-2008

Nasheer,

baed on my experience, you need to know what other devices are sitting in between the router, Is there any packethsaper, riverbed ,NIPS installed in between? If there are other devices, you may check the utilization in them should there is any traffics causing the congestion. Another thing is you need to know the load the routers supports. Is there any email traffics or application traffics that are eating the traffics. Another possible thing is threat attacks scanning virus vulnerability ports such as port 445, 2967. I believe there should be high communication that particular time and as suggested by prem, you may use netflow to track it down.

msrohman · ‎09-10-2008

Our network had a problem like this before. It turned out all of the PCs at one of the sites was trying to download virus signatures at the same time from a server at our central site.

We had to run a packet capture to discover this.

HTH

Mike

syedsadiq · ‎09-10-2008

This could be because of your usual traffic pattern in-line with your business requirement. Please check the link utilization in this duration. Also check for any errors on the interface.