02-12-2013 07:44 AM - edited 07-03-2021 11:30 PM
Hi Everyone
Excuse me if this is a duplicate post; I have searched the forums, but no joy. I also posted it in Wireless Security as this is where I felt it fits.
Anyway, on to my issue:
I manage a Cisco 4404 WLC with about 46 access points across our WAN. The system works very well, serving trusted users, guests, etc.
However, over the last month or two we have had an issue where we have had high load on our WAN.
We have traced this down to the Cisco 4404: about 3-4 times a day, the controller connects to every access point and transmits about 5-8mb of data on port 5427. This in itself would not be a problem, but it connects to all 46 at the same time.
Yes, 46 x 5mb = no WAN for about 2-5 minutes.
ARGH!
So can anyone suggest where I start to look? I am happy to post configs etc. Firmware is 7.0.230.
Cheers
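The symptom described above (the controller pushing several MB to every AP in the same minute) is easy to confirm from flow records rather than from a WAN graph alone. The script below is an added example, not code from the thread or from Cisco: it bins controller-to-AP flows on the CAPWAP UDP ports into one-minute windows and flags windows in which many APs each receive a large transfer at once, then works out how long that burst alone would occupy a WAN link. The controller address 10.0.0.5, the 10.1.x.10 AP addressing, the CSV field names and the thresholds are all assumptions, and the flow records are constructed to mimic the thread's description (46 APs, ~5 MB each) plus cases that must not be flagged.

```python
"""Flag windows in which a WLC pushes a simultaneous CAPWAP burst to many APs.

Added example, not from the thread. Flow records are constructed; the
controller address, AP addressing and CSV column names are assumptions.
"""
import csv
import io
from collections import defaultdict

WLC_IP = "10.0.0.5"          # assumed controller address, not from the thread
CAPWAP_PORTS = {5246, 5247}  # CAPWAP control / data (UDP)
AP_COUNT = 46


def constructed_flows():
    """Return NetFlow-style records as CSV text (columns are assumed).

    Constructed for this example: one synchronised 5.5 MB push to every AP at
    t=1000, routine keepalives at t=4000, a three-AP transfer at t=7000 that
    must NOT be flagged (too few APs at once), and one unrelated TCP flow.
    """
    rows = ["ts,src,dst,proto,dport,bytes"]
    aps = [f"10.1.{i}.10" for i in range(1, AP_COUNT + 1)]
    for ap in aps:
        rows.append(f"1000,{WLC_IP},{ap},17,5246,5500000")   # the burst
        rows.append(f"4000,{WLC_IP},{ap},17,5246,400")       # keepalive
    for ap in aps[:3]:
        rows.append(f"7000,{WLC_IP},{ap},17,5246,6000000")   # only 3 APs
    rows.append(f"1000,10.2.2.2,{aps[0]},6,443,9000000")     # not from WLC
    return "\n".join(rows) + "\n"


def find_sync_bursts(csv_text, wlc_ip=WLC_IP, window=60,
                     min_bytes=1_000_000, min_aps=10):
    """Bucket controller->AP CAPWAP flows into `window`-second bins.

    Returns (bin_start, ap_count, total_bytes) for every bin in which at
    least `min_aps` distinct APs each received >= `min_bytes` from the
    controller; flows from other sources, non-UDP flows and other ports
    are ignored.
    """
    per_bin = defaultdict(lambda: defaultdict(int))  # bin -> ap -> bytes
    for rec in csv.DictReader(io.StringIO(csv_text)):
        if rec["src"] != wlc_ip or rec["proto"] != "17":
            continue
        if int(rec["dport"]) not in CAPWAP_PORTS:
            continue
        start = (int(rec["ts"]) // window) * window
        per_bin[start][rec["dst"]] += int(rec["bytes"])

    hits = []
    for start in sorted(per_bin):
        heavy = {ap: n for ap, n in per_bin[start].items() if n >= min_bytes}
        if len(heavy) >= min_aps:
            hits.append((start, len(heavy), sum(heavy.values())))
    return hits


def seconds_to_drain(total_bytes, wan_bits_per_second):
    """Time the burst alone would occupy a WAN link of the given rate."""
    return total_bytes * 8 / wan_bits_per_second


if __name__ == "__main__":
    for start, n_aps, total in find_sync_bursts(constructed_flows()):
        print(f"t={start}: {n_aps} APs, {total / 1e6:.1f} MB, "
              f"~{seconds_to_drain(total, 10_000_000):.0f}s on a 10 Mbit/s link")
```

Run against a real NetFlow or PacketShaper export, the only things to change are the column names, the controller address and the thresholds; a result of "46 APs in one window" confirms the bursts are synchronised pushes from the controller rather than client traffic, which is the distinction the thread turns on.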
02-12-2013 08:05 AM
That's one of the CAPWAP ports.
Are your APs across the WAN in Local or FlexConnect/H-REAP mode?
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
02-12-2013 08:43 AM
Hi Steve
Yes, it is the CAPWAP port. The remote access points are in H-REAP mode and servicing trusted network access (802.1x), and guest access is tunnelled across the WAN with local breakout from the 4404 via a dedicated VLAN. The guest wireless is WPA2.
As the traffic originates from the 4404 and goes to all access points, we don't believe it is a network breach. I always hate the phrase "it affects everyone"; it usually does not, however in this instance the Packeteer shows it does connect to every access point.
DNS is also configured so that when new access points are connected they auto-join and get a base configuration.
This issue has been going on since at least Christmas, and we put a Packeteer box between our WAN and our local network. We can say it is the 4404.
02-12-2013 08:55 AM
Are you using H-REAP groups? And is the WLAN using PSK or 802.1x?
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
02-12-2013 01:18 PM
What version is your WLC running on?
02-13-2013 12:30 AM
Hi Steve / Leola
Apologies for the tardy response - timezones :-)
OK, am I using H-REAP groups - no.
The admin (trusted) machines have certificates issued by an AD certificate controller. The wireless SSID is pushed out via the AD group policy and the WLC set to 802.1x.
So, when a trusted machine starts up, it automatically connects and the user is on.
Breaks out to the default VLAN (HREAP local switching)
For guest users, I use WPA and WPA2 PSK. I do not use local H-REAP breakout, so all traffic is sent over the WAN and breaks out at HQ into its own dedicated VLAN.
Leola, I am using 7.0.230.
Cheers
Christian
02-13-2013 12:36 AM
So can the excess traffic be from a guest user hogging up the bandwidth? Your internal secure SSID is using 802.1x, so any reauth will come back to the WLC also. Has the amount of guest users increased?
Sent from Cisco Technical Support iPhone App
02-13-2013 01:39 AM
Hi Scott
Sorry if my explanation was not clear - basically every couple of hours the WLC connects to all the access points across the WAN and transmits about 5mb of data. It does this at the same time, to ALL access points, so no WAN for a couple of minutes.
We are a XenDesktop environment, so this has a BIG impact on our user community.
02-13-2013 02:24 AM
Packetshaper graphs showing the load the WLC puts on our network:
And the entire WAN throughput at the time:
02-13-2013 04:14 AM
Yeah I don't know as I have never had any clients report any sort of issue that you are seeing even on low bandwidth links.
Sent from Cisco Technical Support iPhone App
02-13-2013 04:22 AM
Here is an lwapp traffic study which you can review. 5246 & 5247 are the same when referencing 12222 & 12223.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080901caa.shtml
Sent from Cisco Technical Support iPhone App
02-14-2013 12:55 AM
Scott
Fantastic answer and this is exactly the 'issue' we are experiencing - just need to work out how to switch it off now.
I have marked it as answered as it helps your ratings.
02-14-2013 05:00 AM
Well, on newer codes (v7.x), I believe there is a setting in the AP itself to enable link latency. It's used for low link bandwidths and can possibly help. How much, I don't really know, since I can't really test that in a lab.
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70lwap.html#wp1344052
Sent from Cisco Technical Support iPhone App
02-15-2013 08:24 AM
Scott
That is a good option, and works for our environment. I will schedule some time in the near future - we work with the ITIL change control structure.
So just to say - thank you for your help!
Sent from Cisco Technical Support iPad App