FW: [Fwd: Fwd: [c-nsp] 6509-IOS Firewalls causing RST storm that max CPU]

Brian Stiff (bstiff) bstiff at cisco.com
Tue Feb 22 16:09:38 EST 2005


Hi Grant and Reuben-

This was just brought to my attention.  The IOS Firewall development
team will look into this behavior and see if we can determine what is
causing your reset storm activity.  I'll catch up with you off-list to
pursue this further.

If anyone else recognizes this as similar behavior to something
happening on your network (particularly if you have opened a TAC case),
please email me off the list.

Regards,
Brian

Brian Stiff
Technical Marketing Engineer 
IOS Router Security Marketing
Cisco Systems, Inc.
720.562.6462 

> 
> Begin forwarded message:
> 
> > From: Reuben Farrelly <reuben-cisco-nsp at reub.net>
> > Date: February 12, 2005 4:42:20 PM PST
> > To: gm at wavegard.com, cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] 6509-IOS Firewalls causing RST storm that max CPU
> >
> > Hi Grant,
> >
> > At 01:26 p.m. 13/02/2005, Grant Moerschel wrote:
> >> Hello all,
> >> I have an environment with two 6509 switches linked together via a 
> >> trunk passing one vlan.  Both chassis run 12.2.18sxd3 IOS firewall 
> >> code.  We use ip inspect inbound on both sides of the vlan providing 
> >> the link.  We are seeing strange behavior (often with ftp) that when 
> >> the client ends a connection correctly using fins (fin, then fin, then 
> >> ack, then ack), the server will shortly thereafter send a rst to the 
> >> client which will kick off a rst storm ping pong match back and forth 
> >> between the client and server to the point that it makes one sup2 go 
> >> to 99% cpu and the sup720 on the other side go to 80%.
> >
> > I'm seeing something very similar, except with an 837 ADSL router 
> > using ip inspect (no audit) and a linux box.  Most recent image 
> > 12.3.11T3 but many images before it also have this behaviour.  It 
> > seems that sometimes with an FTP transfer (last one that did this was 
> > to ftp-sj.cisco.com actually..) the transfer will end and the router 
> > and linux box will have a ping-pong fight bouncing traffic between 
> > them.  The 837 maxes out at about 500 packets/sec on eth0 and sits on 
> > 99% CPU.  Throughput then really starts to suck ;-(
> >
> > Workaround has been to reboot either the router or the host, a bit 
> > ugly imho...
> >
> >
> > reuben
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> ---------------------------------------------------------
> Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
> 
>                 Suspicion breeds confidence.
> 
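As an added illustration (not from this thread or from Cisco): a small Python checker that flags the symptom Grant and Reuben describe, a host pair whose graceful FIN close is followed by RST segments bouncing in both directions. The packet summary lines are constructed rather than a real capture, and the window and threshold values are assumed tuning knobs.

```python
"""Flag an RST "ping-pong" between two hosts after a graceful TCP close.

Input: constructed one-line packet summaries "<seconds> <src> > <dst> <flags>"
(flags like FIN,ACK / ACK / RST). The flow key is the unordered host pair.
"""
from collections import defaultdict

def find_rst_storms(lines, window=1.0, threshold=20):
    """Return {host_pair: rst_count} for pairs whose 4-way FIN close was
    followed, within `window` seconds, by at least `threshold` RSTs sent
    from BOTH hosts (a one-sided RST is a normal abort, not a storm).
    window/threshold are assumed tuning values, not taken from the thread."""
    fin_senders = defaultdict(set)   # pair -> hosts that have sent a FIN
    closed_at = {}                   # pair -> time the close completed
    rsts = defaultdict(list)         # pair -> [(time, sender)] after close
    for line in lines:
        t, src, _, dst, flags = line.split()
        t, pair = float(t), tuple(sorted((src, dst)))
        if "FIN" in flags:
            fin_senders[pair].add(src)
        elif flags == "ACK" and len(fin_senders[pair]) == 2 and pair not in closed_at:
            closed_at[pair] = t      # both FINs acknowledged: graceful close done
        elif "RST" in flags and pair in closed_at:
            rsts[pair].append((t, src))
    storms = {}
    for pair, events in rsts.items():
        recent = [(t, s) for t, s in events if t - closed_at[pair] <= window]
        if len(recent) >= threshold and {s for _, s in recent} == set(pair):
            storms[pair] = len(recent)
    return storms

# Constructed sample: client .5 and server .9 close cleanly, then 30 RSTs
# alternate between them in ~0.1 s; host .7 sends a lone RST (normal abort).
SAMPLE = [
    "0.000 10.0.0.5 > 10.0.0.9 FIN,ACK",
    "0.010 10.0.0.9 > 10.0.0.5 FIN,ACK",
    "0.020 10.0.0.5 > 10.0.0.9 ACK",
    "0.030 10.0.0.9 > 10.0.0.5 ACK",
    "0.100 10.0.0.7 > 10.0.0.9 RST",
]
for i in range(30):
    a, b = ("10.0.0.9", "10.0.0.5") if i % 2 == 0 else ("10.0.0.5", "10.0.0.9")
    SAMPLE.append(f"{0.05 + i * 0.003:.3f} {a} > {b} RST")

if __name__ == "__main__":
    for pair, n in find_rst_storms(SAMPLE).items():
        print(f"RST storm between {pair[0]} and {pair[1]}: {n} resets after close")
```

On a real box the same logic can be run over a tcpdump or NetFlow export of the inspected vlan; a sustained alert for a pair, rather than one RST, is what distinguishes the ping-pong from an ordinary aborted transfer.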