[c-nsp] Cisco 7600 TTL and MTU Failures

[Aleksandar Ristoski]

e-mule and similar p2p programs which look for closest server by sending 
ICMP's with TTL = 1 and increasing...

BR, Aleksandar.




On Tuesday 11. April 2006 08:13, Palis Michalis wrote:
>Thanks for your uselull info.. But what is actually the cause of TTL and MTU
>failures? In my case it seems tha their is a large number of TTL MTU
>failures.
>
>Thanks again
>----- Original Message -----
>From: "Blake Willis" <cnsp at 2112.net>
>To: <security at cytanet.com.cy>; <cisco-nsp at puck.nether.net>
>Sent: Friday, April 07, 2006 12:29 PM
>Subject: Cisco 7600 TTL and MTU Failures
>
>> On Fri, 7 Apr 2006, Palis Michalis wrote:
>>> I think that MTU and TTL failures get hardware dropped from the router?
>>> Is it true?
>>
>> Yassas Michalis,
>>
>>  The PFC does do the acutal dropping, but the packets have to be punted up
>> to the MSFC process-switched level in order to have TTL or MTU exceeded
>> message generated.  This is why the rate-limiter is very useful for
>> preventing high cpu utilisation by the "IP Input" process.
>>
>>  You can use 'sh ip traffic' to see how many messages your MSFC is
>> actually generating, which is a good way to tune the rate-limiter.  In
>> order to find the actual traffic that's being process-switched, 'sh int
>> stats' will show you the interface counters for the various switching
>> paths.  'sh buffers input-interface Xn/n header' will then show the header
>> details of any packets held in the buffer while waiting for the cpu.
>>
>>  See also cisco.com/warp/public/473/6k_high_cpu.pdf and
>> cisco.com/warp/public/63/ts_inputdrops_12000_18004.html.
>>
>>  -Blake
>>
>> ---
>>  Blake Willis
>>  Network Engineer
>>  blake at 2112 dot net
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/