[c-nsp] 6509-IOS Firewalls causing RST storm that max CPU
Reuben Farrelly
reuben-cisco-nsp at reub.net
Sat Feb 12 19:42:20 EST 2005
Hi Grant,
At 01:26 p.m. 13/02/2005, Grant Moerschel wrote:
>Hello all,
>I have an environment with two 6509 switches linked together via a trunk
>passing one vlan. Both chassis run 12.2.18sxd3 IOS firewall code. We
>use ip inspect inbound on both sides of the vlan providing the link. We
>are seeing strange behavior (often with FTP) that when the client ends a
>connection correctly using FINs (FIN, then FIN, then ACK, then ACK), the
>server will shortly thereafter send a RST to the client which will kick
>off a RST storm ping-pong match back and forth between the client and
>server to the point that it makes one sup2 go to 99% CPU and the sup720
>on the other side go to 80%.
I'm seeing something very similar, except with an 837 ADSL router using ip
inspect (no audit) and a Linux box. Most recent image 12.3.11T3 but many
images before it also have this behaviour. It seems that sometimes with an
FTP transfer (last one that did this was to ftp-sj.cisco.com actually..)
the transfer will end and the router and Linux box will have a ping-pong
fight bouncing traffic between them. The 837 maxes out at about 500
packets/sec on eth0 and sits on 99% CPU. Throughput then really starts to
suck ;-(
Workaround has been to reboot either the router or the host, a bit ugly imho...
reuben
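An added example, not from this thread or from Cisco, showing how to spot the pattern Grant and Reuben describe in a packet summary: it reads constructed tcpdump-style flag lines, waits until both endpoints have sent FIN, and then reports connections where RSTs keep bouncing in both directions. The addresses, ports, line format and threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumed tcpdump-style summary: "src.port > dst.port: Flags [F.]"
LINE_RE = re.compile(r"^(\S+) > (\S+): Flags \[([^\]]*)\]")

def parse_line(line):
    """Return (src, dst, flags) from one summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def find_rst_storms(lines, threshold=10):
    """Return {conn: {sender: rst_count}} for connections that completed a
    graceful close (FIN seen from both sides) and then carried at least
    `threshold` RSTs in each direction, i.e. a RST ping-pong."""
    fins = defaultdict(set)                        # conn -> endpoints that sent FIN
    rsts = defaultdict(lambda: defaultdict(int))   # conn -> sender -> RSTs after close
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        src, dst, flags = parsed
        conn = tuple(sorted((src, dst)))           # direction-independent key
        if "F" in flags:
            fins[conn].add(src)
        if "R" in flags and len(fins[conn]) == 2:  # only count RSTs after both FINs
            rsts[conn][src] += 1
    return {conn: dict(counts) for conn, counts in rsts.items()
            if len(counts) == 2 and min(counts.values()) >= threshold}

# Constructed sample: FIN, FIN, ACK, ACK as in the report, then 25 RSTs each way.
CLIENT, SERVER = "10.0.0.5.40123", "10.0.0.9.21"
SAMPLE = [
    f"{CLIENT} > {SERVER}: Flags [F.]",
    f"{SERVER} > {CLIENT}: Flags [F.]",
    f"{CLIENT} > {SERVER}: Flags [.]",
    f"{SERVER} > {CLIENT}: Flags [.]",
]
for _ in range(25):
    SAMPLE.append(f"{SERVER} > {CLIENT}: Flags [R]")
    SAMPLE.append(f"{CLIENT} > {SERVER}: Flags [R]")
# A second connection with a single stray RST after close: not a storm.
SAMPLE += [f"10.0.0.7.5000 > {SERVER}: Flags [F.]",
           f"{SERVER} > 10.0.0.7.5000: Flags [F.]",
           f"{SERVER} > 10.0.0.7.5000: Flags [R]"]

if __name__ == "__main__":
    for conn, counts in find_rst_storms(SAMPLE).items():
        print("RST storm after close:", conn, counts)
```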