[j-nsp] Identifying pfe icmp throttled traffic

Nilesh Khambal nkhambal at juniper.net
Sun Mar 8 17:49:18 EDT 2009


Richard,

You can try "debug icmp error" from pfe. However, depending on load  
this might fill up the syslog buffer really fast. Messages are also  
throttled at 10 pps. You can disable the message generation using  
"undebug icmp error". Before enabling debug run command "show icmp  
statistics" from each dpc/pfe to find out which fpc is generating  
those error stats and then run debug on that fpc.

I would not recommend it unless it is really important.

Thanks,
Nilesh




On Mar 8, 2009, at 2:27 PM, "Richard A Steenbergen" <ras at e-gerbil.net> wrote:

> Is there any way to log/view some of the ICMP packets being handled by
> the pfe processor? I've got a router which is being hit by what appears
> to be a large amount of TTL expiring packets (either someone's traceroute
> run amuck, a DoS, or a forwarding loop I suppose), but without being
> able to see the packets there isn't much way to tell.
>
> A "clear pfe statistics ip icmp" followed by a show immediately after
> shows the pfe is throttling icmp generation at a pretty good rate.
>
> ICMP Statistics:
>       11025 requests
>           0 network unreachables
>        1983 ttl expired
>           0 ttl captured
>           0 redirects
>           0 mtu exceeded
>           0 icmp/option handoffs
>
> ICMP Errors:
>           0 unknown unreachables
>           0 unsupported ICMP type
>           0 unprocessed redirects
>           0 invalid ICMP type
>           0 invalid protocol
>           0 bad input interface
>        8952 throttled icmps
>           0 runts
>
> ICMP Discards:
>           0 multicasts
>          42 bad source addresses
>           0 bad dest addresses
>           0 IP fragments
>           0 ICMP errors
>
> But since this is TTL exceed being handled entirely by the PFE none of
> these packets are making it to the lo0 filter to be logged. It's not
> breaking "much", just traceroute for that router hop, but it'd be really
> nice if there was a way to find the source of the problem packets and
> plug it. Any ideas?
>
> -- 
> Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
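
The pre-check described in the reply (compare "show icmp statistics" across PFEs before enabling debug on one FPC) can be scripted once each PFE's output is saved as text. This is an added example, not part of the original posts: the fpc labels and the fpc0/fpc2 counters are constructed, the fpc1 numbers are the ones quoted in the thread, and it assumes every PFE prints the same counter layout as that quoted output.

```python
import re

# Constructed captures keyed by hypothetical FPC labels. fpc1 reuses the
# counters quoted in the thread; fpc0 and fpc2 are made-up quiet PFEs.
SAMPLES = {
    "fpc0": "ICMP Statistics:\n   120 requests\n   118 ttl expired\n"
            "ICMP Errors:\n     0 throttled icmps\n",
    "fpc1": "> ICMP Statistics:\n>  11025 requests\n>   1983 ttl expired\n"
            "> ICMP Errors:\n>   8952 throttled icmps\n"
            "> ICMP Discards:\n>     42 bad source addresses\n",
    "fpc2": "ICMP Statistics:\n    64 requests\n    60 ttl expired\n"
            "ICMP Errors:\n     3 throttled icmps\n",
}

COUNTER = re.compile(r"^(\d+)\s+(.+)$")

def parse_counters(text):
    """Return {section: {counter name: value}} for one PFE capture."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()      # tolerate mail-quote prefixes
        if line.endswith(":"):                # e.g. "ICMP Errors:"
            current = sections.setdefault(line[:-1], {})
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            current[m.group(2)] = int(m.group(1))
    return sections

def rank_by_throttling(captures):
    """Sort PFEs by throttled count; ratio = throttled / requests."""
    rows = []
    for fpc, text in captures.items():
        c = parse_counters(text)
        stats, errs = c.get("ICMP Statistics", {}), c.get("ICMP Errors", {})
        requests = stats.get("requests", 0)
        throttled = errs.get("throttled icmps", 0)
        ratio = round(throttled / requests, 3) if requests else 0.0
        rows.append((fpc, requests, stats.get("ttl expired", 0), throttled, ratio))
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for fpc, req, ttl, thr, ratio in rank_by_throttling(SAMPLES):
        print(f"{fpc}: requests={req} ttl_expired={ttl} throttled={thr} ratio={ratio}")
```

The PFE at the top of the ranking is the one to enable the debug on, which keeps the 10 pps debug messages confined to a single FPC.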

