[cisco-voip] a strange flood of packets from ccm

Leonardo D'Urso durso at alter.it
Tue May 4 18:02:20 EDT 2004



I have received 88236 keepalive packets in 190 min, separated by gaps of a
few milliseconds. That means I have received an average of 232 packets
every 30 seconds, or 464 per minute. This is on the publisher, which is the
secondary server. The primary is the subscriber.
I have 600 phones, but only around 500 are up and running. So this seems
compliant with your indication.

So this means that it is not a keepalive flood. I'm trying to understand what
kind of service starts packets like this:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/10-19:18:14.402112 0:B:5F:EB:FB:FF -> 0:50:73:3F:7E:A1 type:0x800 len:0xD6
10.89.5.1:24646 -> 10.89.23.240:17004 UDP TTL:127 TOS:0xB8 ID:56600 IpLen:20 DgmLen:200
Len: 172
80 08 AF 9D 0B 09 A7 80 00 00 06 92 55 55 55 55  ............UUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55              UUUUUUUUUUUU

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Consider that the source address is the publisher (secondary server in the
CCM cluster); the destination is a Cisco IOS voice gateway, model 3745,
connected via WAN (MPLS network).

N.B. I used awk, vi and bc to do the calculation. My Casio calculator
doesn't support embedded Linux! ;-)


--
Leonardo D'Urso              alter.net Srl
e-mail: durso at alter.it       Via Attilio Ambrosini, 177
VOICE: +39-06-5405740        I-00147 Roma
FAX:   +39-06-5405883        Italy

On Tue, 4 May 2004, Wes Sisk wrote:

> Default is:
> phone KA to active CM: every 30 seconds
> phone KA to backup CM: every 60 seconds.
>
> This is the active server for how many phones?
> This is the backup server for how many phones?
>
> A good awk script, SQL SELECT, Excel Spreadsheet, or even just a Casio
> calculator will help you find your answer.
>
> /Wes
>
> > -----Original Message-----
> > From: cisco-voip-bounces at puck.nether.net
> > [mailto:cisco-voip-bounces at puck.nether.net]On Behalf Of Leonardo D'Urso
> > Sent: Tuesday, May 04, 2004 4:08 PM
> > To: cisco-voip at puck.nether.net
> > Subject: RE: [cisco-voip] a strange flood of packets from ccm
> >
> >
> >
> > hi there,
> >
> > log start at: 05/04/2004 15:12:26.079
> > log ends at:  05/04/2004 15:12:50.111
> > number of keepalives: 915
> >
> > so I think that this is the flood. I know that CCM and phones use
> > keepalives but it seems I have paranoid firmware on the phones ;-)
> >
> >
> >
> > --
> > Leonardo D'Urso              alter.net Srl
> > e-mail: durso at alter.it       Via Attilio Ambrosini, 177
> > VOICE: +39-06-5405740        I-00147 Roma
> > FAX:   +39-06-5405883        Italy
> >
> > On Tue, 4 May 2004, Wes Sisk wrote:
> >
> > > Leo,
> > >
> > > This is normal.  This just means that the CM process on this node
> > > received a SCCP KeepAlive from the device with TCPHandle=000003290.
> > > This device is actively registered to another CM node in the cluster
> > > so this CM node will basically ignore the message.
> > >
> > > /Wes
> > >
> > > > -----Original Message-----
> > > > From: cisco-voip-bounces at puck.nether.net
> > > > [mailto:cisco-voip-bounces at puck.nether.net]On Behalf Of Leonardo D'Urso
> > > > Sent: Tuesday, May 04, 2004 12:56 PM
> > > > To: cisco-voip at puck.nether.net
> > > > Subject: RE: [cisco-voip] a strange flood of packets from ccm
> > > >
> > > >
> > > >
> > > > Thanks, Wes, for the reply. In the trace I have seen a lot of these
> > > > packets:
> > > >
> > > >  <trace><Date>05/04/2004 15:10:56.514</Date>
> > > > <Cluster>CCMPUB1-Cluster</Cluster><CMHost>10.89.5.1</CMHost>
> > > > <TraceType>Trace</TraceType><CTag>1,100,93,1.81286</CTag>
> > > > <SrcDev></SrcDev><SrcIp>10.89.52.17</SrcIp><CTMapKey/><CTMapVal/>
> > > > <info>Cisco CallManagerStationInit - KeepAliveMessage received on backup CM link. Setting KeepAlive Timer. DeviceName=, TCPHandle=000003290, IPAddr=10.89.52.17, Port=6994, Device Controller=[0,0,0]</info></trace>
> > > >
> > > > I think this could be related to the flood.
> > > >
> > > > --
> > > > Leonardo D'Urso              alter.net Srl
> > > > e-mail: durso at alter.it       Via Attilio Ambrosini, 177
> > > > VOICE: +39-06-5405740        I-00147 Roma
> > > > FAX:   +39-06-5405883        Italy
> > > >
> > > > _______________________________________________
> > > > cisco-voip mailing list
> > > > cisco-voip at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/cisco-voip
> > >
>
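
The baseline check discussed in this thread, as an added example that is not part of the original messages: it parses trace lines in the layout quoted above, lists sources whose backup-link keepalives arrive much faster than the 60-second default, and computes the keepalive rate a node should see for a given phone count. The function names, the 0.5 tolerance and the sample lines (including the address 10.89.52.99) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
# Default SCCP keepalive intervals quoted in the thread (seconds).
KA_ACTIVE_S, KA_BACKUP_S = 30, 60

TRACE_RE = re.compile(
    r"<Date>(?P<ts>[^<]+?)\s*</Date>.*?<SrcIp>(?P<ip>[^<]*)</SrcIp>"
    r".*?<info>(?P<info>.*?)</info>", re.S)

def expected_per_minute(active_phones, backup_phones):
    """Keepalives per minute a CM node should see at the default timers."""
    return active_phones * 60 / KA_ACTIVE_S + backup_phones * 60 / KA_BACKUP_S

def parse_keepalives(lines):
    """Yield (timestamp, source IP) for each backup-link keepalive trace line."""
    for line in lines:
        m = TRACE_RE.search(line)
        if m and "KeepAliveMessage received on backup CM link" in m["info"]:
            yield datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"), m["ip"]

def chatty_sources(lines, interval_s=KA_BACKUP_S, tolerance=0.5):
    """Return {ip: mean gap in seconds} for sources faster than the default."""
    seen = defaultdict(list)
    for ts, ip in parse_keepalives(lines):
        seen[ip].append(ts)
    out = {}
    for ip, stamps in seen.items():
        if len(stamps) < 2:
            continue  # a single sample gives no interval
        stamps.sort()
        mean_gap = (stamps[-1] - stamps[0]).total_seconds() / (len(stamps) - 1)
        if mean_gap < interval_s * tolerance:  # assumed threshold: half the default
            out[ip] = round(mean_gap, 3)
    return out

def _line(ts, ip):  # builds a constructed sample line in the thread's trace layout
    return (f"<trace><Date>{ts}</Date><CMHost>10.89.5.1</CMHost><SrcIp>{ip}</SrcIp>"
            "<info>Cisco CallManagerStationInit - KeepAliveMessage received on "
            f"backup CM link. Setting KeepAlive Timer. IPAddr={ip}</info></trace>")

SAMPLE = [  # constructed: .17 keeps the 60 s default, .99 repeats every 2 s
    _line("05/04/2004 15:10:00.000", "10.89.52.17"),
    _line("05/04/2004 15:10:00.500", "10.89.52.99"),
    _line("05/04/2004 15:10:02.500", "10.89.52.99"),
    _line("05/04/2004 15:10:04.500", "10.89.52.99"),
    _line("05/04/2004 15:11:00.000", "10.89.52.17"),
]
if __name__ == "__main__":
    print(chatty_sources(SAMPLE), 88236 / 190, expected_per_minute(0, 500))
```

With the figures from the top message, 88236 packets in 190 minutes is 464.4 per minute, against 500 per minute expected if about 500 phones all use this node as their backup.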
