06-23-2010 07:09 AM - edited 03-04-2019 08:52 AM
Hi Experts & Friends,
I need your help in letting me know how to troubleshoot the bandwidth choke issue. Internet has become very very slow today. By entering the "show interface" command I am seeing the RX load as 255/255. However, TX load is 6/255 and reliability is 255/255. I know TX load and reliability in this case are very normal.
Since RX load is very abnormal here, I used "route cache flow" to find out the traffic passing through my interfaces. I found my Internet proxy server (125.201.17.1) is making this traffic. But I am unable to find out whether all the traffic I am seeing originated from 125.201.17.1 is legitimate Internet traffic or some DoS attack.
I am worried to block/disconnect the said proxy server from the LAN, as it is the gateway for all my users' Internet traffic.
How to troubleshoot this issue safely?
thanks in advance
sairam
06-23-2010 07:25 AM
Where is the proxy server in relation to your router that's experiencing this? Is it on the outside of the router, or is it behind it? If it's behind it, can you look at your proxy server to see what's generating all of the traffic? It would be someone downloading something (I would think from the direction you're stating). Maybe someone is downloading a large file or streaming music?
If the proxy server is outside of this router, then someone is sending something to some other device that's behind this router. Do you have an FTP or web server behind this router that accepts uploads?
HTH,
John
06-23-2010 01:40 PM
Hi John,
Thanks for your suggestion and help.
Proxy server is behind the router and not outside. Other than that, I want to know what could be the reason behind the increase in RX load to 255/255. How to troubleshoot in the general sense and solve this issue? What is the general practice followed in the industry?
regards,
sairam
06-23-2010 02:19 PM
The first step is to find out what's causing the traffic. If it's incoming traffic, it can be someone transmitting a lot of traffic from user traffic or a virus. You need to enable netflow on the outside interface ingress (ip flow ingress). I don't know what type router you have, but try this:
ip flow-top-talkers
sort-by bytes
top 5
on your PUBLIC interface:
ip flow ingress
Then let it run for a few seconds, then look at the results:
sh ip flow top-talkers
It will show you the source and destination addresses. You shouldn't have any source and destination as the same. After you see what the incoming traffic source is, try to find out where it's going. If it's going to your proxy server, then try to correlate the proxy server to an address on the inside. I don't manage proxy servers so I can't help you there unfortunately, but I'm sure that there are log files stating destination addresses somewhere on the server. If you don't find anything, you may just try to block the source in an ACL. You shouldn't be seeing your proxy server as an incoming connection on the public side unless you enabled netflow in the wrong direction or the wrong interface. Then you'd see source being the proxy server to an outside destination.
** Edit ** I forgot to ask. Are you seeing the load on your LAN or WAN interface?
HTH,
John
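Added example (not part of the thread and not Cisco's code): a small Python parser that totals `sh ip flow top-talkers` rows per source and per destination, so you can see whether one outside source dominates the RX load and which inside address it is going to. The sample output is constructed; its column layout (hex protocol and ports, K/M/G byte suffixes treated as decimal) is an assumption modeled on classic IOS output, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on classic IOS "show ip flow top-talkers" output
# (protocol and ports in hex, byte counts with K/M/G suffixes). Addresses are
# made up except the proxy address quoted in the thread.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Se0/0         203.0.113.50    Fa0/0         125.201.17.1    06 0050 C3A1   412M
Se0/0         198.51.100.7    Fa0/0         125.201.17.1    06 01BB D2F0    38M
Se0/0         192.0.2.99      Fa0/0         125.201.17.1    11 0035 E001   900K
Se0/0         198.51.100.7    Fa0/0         125.201.17.1    06 0050 C3A9    12M
Se0/0         192.0.2.14      Fa0/0         125.201.17.1    06 0050 B111  4096
5 of 5 top talkers shown. 812 flows processed.
"""

UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}  # assumption: decimal suffixes
ROW = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                 r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)([KMG]?)\s*$")

def parse_top_talkers(text):
    """Return one dict per flow row; header and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _, src, _, dst, proto, sport, dport, n, unit = m.groups()
            flows.append({"src": src, "dst": dst, "proto": int(proto, 16),
                          "sport": int(sport, 16), "dport": int(dport, 16),
                          "bytes": int(n) * UNITS[unit]})
    return flows

def summarize(flows, key):
    """Total bytes per address (key is 'src' or 'dst'), largest first, with share."""
    totals = defaultdict(int)
    for f in flows:
        totals[f[key]] += f["bytes"]
    grand = sum(totals.values()) or 1
    return [(addr, b, b / grand) for addr, b in sorted(totals.items(), key=lambda kv: -kv[1])]

def same_src_dst(flows):
    """Rows where source equals destination, which the answer says should not occur."""
    return [f for f in flows if f["src"] == f["dst"]]

if __name__ == "__main__":
    flows = parse_top_talkers(SAMPLE)
    for addr, b, share in summarize(flows, "src"):
        print(f"{addr:<16} {b:>12} bytes  {share:6.1%}")
    print("src == dst rows:", same_src_dst(flows))
```

A single source holding most of the bytes on a web port points toward one large download through the proxy, which the proxy's own access log can confirm before any ACL is applied.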