01-14-2009 06:23 AM - edited 03-04-2019 12:50 AM
I have a 2800 and on the interface to the provider, there are increasing amounts of unknown protocol drops and I am hearing that the router is down and people are getting dropped.
01-14-2009 08:48 AM
Hello Aaron,
Unknown protocol drops can be originated by different causes:
for example, IS-IS hello packets sent by the service provider router,
or some L2 signalling protocol not supported by the router itself.
They shouldn't be the reason for the network problem you see, not directly at least.
You need to investigate, when the router is reachable, what error messages appear in the router log.
Also check cpu usage with
sh proc cpu history
and memory usage with
sh proc mem
Or if the site is still isolated see if you can lead someone to perform basic checks for you via a console connection.
Hope to help
Giuseppe
01-14-2009 08:50 AM
Nothing in the sh log. How can I tell what protocol it is by debugging?
01-14-2009 09:02 AM
Hello Aaron,
Being unknown, you cannot; you should use a sniffer capture instead.
The only fatal error a provider could make nowadays is to change your access from IPv4 to IPv6.
Or you are under a DoS attack with forged packets (but they must be routable, so at least the IP header exists; in this case debug ip packet, if the unknown rate is not high, can be used) that can hit the router CPU.
Hope to help
Giuseppe
03-11-2009 11:41 AM
I have noticed this issue as well with IOS 12.4(15)T7 and T8 on a Cisco 2811.
Here's the odd part though - those numbers ONLY seem to increase when I issue a show interface s0/0/0 command. I am SSH'd to the router. I will issue the command and see the unknown protocol drops count increase by one.
I have even issued the command once, then logged off after taking note of the number. I'll log on the next day, issue the command and notice that it only increased by one more number! It seems that they are not increasing for any other reason.
Hope this helps.
Shane
03-11-2009 12:26 PM
Hello Shane,
With so low an increment rate there are no issues for your router.
You have seen a close relationship with SSH activity: I guess that ser0/0/0 is the interface that receives the SSH packets of your session.
You should be fine; however, it is a good thing that you have reported your findings here, as this can help somebody else.
Hope to help
Giuseppe
03-11-2009 12:42 PM
Hiya Giuseppe -
Well, I took a look a little further into this matter and discovered that the FastEthernet interface connected to the local switch is showing a lot more of these unknown protocol drops. It sure seems like DTP is the cause.
I connect to the router over the WAN (a site-to-site VPN tunnel) to an IP assigned to the FastEthernet0/1 interface (connected to the switch), so in essence my SSH traffic is indeed traversing the S0/0/0 interface.
I agree that it's not causing any issues, it's just something I want to clean up.
Thanks for the reply!
Shane
03-26-2009 12:42 PM
I found this very helpful as I ran into this today. I have a 2821 running 124-15.T8 and have the same issue. I could not find any Cisco documentation on what protocol drops are. At least I know it is not anything to worry about. I ran the same test. I logged out of the router and logged back in 10 mins later and the numbers only incremented by 1. It seems the number increments only when I do the sh interface s/0/0/0:0. The errors show up on the LAN interface also.
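The posts above judge the counter by how fast it grows between two looks at the interface. As an added example (not part of any post in this thread), the following Python compares two saved `show interfaces` captures and reports the per-interface increase in unknown protocol drops. The sample text is constructed, and the function names and the 1-per-minute alert threshold are assumptions to adjust for your own baseline.

```python
import re

# Constructed samples: trimmed `show interfaces` output captured 600 s apart.
SNAP_T0 = """\
Serial0/0/0 is up, line protocol is up
     0 output errors, 0 collisions, 1 interface resets
     41 unknown protocol drops
FastEthernet0/1 is up, line protocol is up
     0 output errors, 0 collisions, 2 interface resets
     1200 unknown protocol drops
"""
SNAP_T1 = SNAP_T0.replace("41 unknown", "42 unknown").replace("1200 unknown", "1500 unknown")

# Interface header lines start in column 0; counter lines are indented.
IFACE_RE = re.compile(r"^(\S+) is (?:administratively )?(?:up|down)")
DROPS_RE = re.compile(r"^\s*(\d+) unknown protocol drops")


def parse_unknown_drops(text):
    """Map interface name -> 'unknown protocol drops' counter value."""
    counters, current = {}, None
    for line in text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            current = header.group(1)
            continue
        drops = DROPS_RE.match(line)
        if drops and current:
            counters[current] = int(drops.group(1))
    return counters


def drop_rates(before, after, seconds, threshold_per_min=1.0):
    """Return {iface: (delta, drops_per_minute, flagged)} between two captures."""
    old, new = parse_unknown_drops(before), parse_unknown_drops(after)
    report = {}
    for iface, count in new.items():
        if iface not in old:
            continue  # interface absent from the first capture, no baseline
        delta = count - old[iface]
        if delta < 0:  # counters were cleared or the router reloaded
            delta = count
        per_min = delta * 60.0 / seconds
        report[iface] = (delta, per_min, per_min > threshold_per_min)  # threshold is an assumption
    return report


if __name__ == "__main__":
    for iface, (delta, rate, flagged) in drop_rates(SNAP_T0, SNAP_T1, 600).items():
        print(f"{iface}: +{delta} ({rate:.2f}/min){' <-- investigate' if flagged else ''}")
```

A steady single-digit increase per day matches what the posters describe as harmless; a sustained high rate is the case where a sniffer capture on the link is worth the effort.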