nanog mailing list archives

Re: FW: TNT issues "workaround"
From: jlewis () lewis org
Date: Sat, 23 Aug 2003 18:42:49 -0400 (EDT)


On Sat, 23 Aug 2003, Ross Chandler wrote:

I seem to be having the same or similar problems with my Cisco boxes
also; they either reboot or the PRIs hang, users get busies but no
one is logged in at all. When I do a show isdn status it shows B
channels in use but no one on. The only way to fix it is to reboot the box,
and it seems to be timed, every day at 1400 and 2200 hours, since
Monday. Anybody heard of Ciscos acting funny this week?

Perhaps your fast switching route cache is filling up memory. If you're
willing to risk it enable CEF on all interfaces.

Some of the older Cisco access-servers don't even support CEF.  The Cisco
failures seem to be memory starvation/fragmentation issues caused by
out-of-control route-cache growth, caused in turn by the Nachi worm's attempt
to ping so many different hosts so quickly while looking for systems to spread to.

You can work around the issue by:

a) using policy routing to pass all dialup traffic through a route-map 
that sends 92 byte echo/echo-reply packets to null0.

b) blocking all echo/echo-reply coming in from dial-up users (i.e. apply 
an input acl to your virtual-template and/or group-async interfaces).

c) disabling route caching on the egress interface of the access server.

I'm doing a mix of a (on the access-servers that this works on) and b
where a doesn't work... and tested c this morning and found it appears to
work.
  
----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
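The three workarounds above written out as IOS configuration, as an added example that is not part of the original post or Jon's actual config. Interface names (Group-Async1, Virtual-Template1, FastEthernet0/0), ACL numbers 190/191 and the route-map name are assumptions; 92 is the IP total length of the worm's echo packets as stated in the post.

```cisco
! ----- a) policy-route 92-byte echo/echo-reply from dialup users to Null0 -----
! ACL 190 selects only ICMP echo and echo-reply; all other traffic falls
! through to the permit-anything clause of the route-map and is routed normally.
access-list 190 permit icmp any any echo
access-list 190 permit icmp any any echo-reply
!
route-map NACHI-DROP permit 10
 match ip address 190
 match length 92 92
 set interface Null0
!
route-map NACHI-DROP permit 20
!
interface Group-Async1
 ip policy route-map NACHI-DROP
!
! ----- b) block all echo/echo-reply coming in from dial-up users -----
! Used where the policy-routing approach above is not supported.
! Note this also stops legitimate pings from dialup users, which a) avoids.
access-list 191 deny   icmp any any echo
access-list 191 deny   icmp any any echo-reply
access-list 191 permit ip any any
!
interface Virtual-Template1
 ip access-group 191 in
!
! ----- c) disable fast-switching route cache on the egress interface -----
! Stops the cache from growing at all; packets are process-switched instead,
! so watch CPU load on the box after enabling this.
interface FastEthernet0/0
 no ip route-cache
!
! Useful checks while the worm traffic is present (assumed interface name):
! show ip cache               - size of the fast-switching cache
! show memory summary         - free/largest block, to spot fragmentation
! show route-map NACHI-DROP   - policy-routing match counters
! show access-lists 191       - hit counts on the input ACL
```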

