Re: [nsp] CAR bug

From: c.spurgeon@mail.utexas.edu
Date: Sat Jan 29 2000 - 11:40:13 EST
>Perhaps it's the extra processing incurred by looking deeper into the
>packet (for the icmp type), or it's simply an IOS bug. Has anyone seen
>anything like this?

Yes, we were bitten by this, or something very like it.

Attempts to rate limit ICMP at our site using CAR in a 7513 with
vip2/50s and 11.1(n)CC code came to an end the day that router
apparently started blocking all ICMP to certain subnets on the campus.

The CAR ACL we used was the same that Ken started with: it didn't have
any net addrs in it, it simply identified ping traffic as the stuff we
wanted to rate limit.

We first noticed the problem due to the fact that one of the subnets
CAR chose to dynamically block supported the primary name server for
the campus. This creativity on CAR's part led to some "interesting"
name server failures.

The name server could get to most sites on the Internet, but some
sites (notably www.microsoft.com) weren't responding. Our guess was
that perhaps PMTU was involved, and blocking all ICMP was killing it
off.

During the whole snafu, the counters in "show int rate-limit" were not
incrementing. However, as soon as it was noticed that all ping to/from
the Internet failed on the name server subnet but not on other subnets
on campus, CAR rate limit commands were removed from the border router
and the problem was resolved.

-Charles

Charles E. Spurgeon
ACITS/Networking Services
c.spurgeon@mail.utexas.edu
512.475.9265
