Re: [c-nsp] TAC hits a new record level of aggravation...
Resurrecting this thread,

Is any of you having issues uploading file attachments to TAC cases using the http java page? Somehow nobody in our org can upload anything - we have latest Firefox, latest Java from Sun, still after clicking the Submit button in the file upload window nothing happens.

Regards,
-pavel skovajsa

On Thu, Nov 7, 2013 at 12:13 PM, Antonio Soares amsoa...@netcabo.pt wrote:

> Another tool that is a nightmare. The new bug search tool: it hangs my IE 9, my FF 25, ...
>
> This is what FF tells me:
>
> A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
>
> Script: https://tools.cisco.com/bugsearch/resources-2.0.5/js/jquery-1.8.2.js:624
>
> Java, JavaScript, etc, why do we need that ?
>
> Regards,
> Antonio Soares, CCIE #18473 (RS/SP)
> amsoa...@netcabo.pt
> http://www.ccie18473.net
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin M. Streiner
> Sent: domingo, 3 de Novembro de 2013 14:35
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] TAC hits a new record level of aggravation...
>
> On Sun, 3 Nov 2013, Jeff Kell wrote:
>
>> Customer support died a decade ago.
>
> For the front-end stuff, sure. To be fair, and to give credit where credit is due, I have dealt with some TAC engineers who have been incredibly helpful, professional, and responsive. For the things I generally reach out to TAC for, it seems like the level of response I've gotten recently has improved a bit from, say, two years ago.
>
> jms

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] TAC hits a new record level of aggravation...
I was having weird issues but realized that it was because the file was too big. Not that there was an error message to that effect or anything.

On Feb 1, 2014 6:59 AM, Pavel Skovajsa pavel.skova...@gmail.com wrote:

> Resurrecting this thread,
>
> Is any of you having issues uploading file attachments to TAC cases using the http java page? Somehow nobody in our org can upload anything - we have latest Firefox, latest Java from Sun, still after clicking the Submit button in the file upload window nothing happens.
>
> Regards,
> -pavel skovajsa
>
> On Thu, Nov 7, 2013 at 12:13 PM, Antonio Soares amsoa...@netcabo.pt wrote:
>
>> Another tool that is a nightmare. The new bug search tool: it hangs my IE 9, my FF 25, ...
>>
>> This is what FF tells me:
>>
>> A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
>>
>> Script: https://tools.cisco.com/bugsearch/resources-2.0.5/js/jquery-1.8.2.js:624
>>
>> Java, JavaScript, etc, why do we need that ?
>>
>> Regards,
>> Antonio Soares, CCIE #18473 (RS/SP)
>> amsoa...@netcabo.pt
>> http://www.ccie18473.net
>>
>> -----Original Message-----
>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin M. Streiner
>> Sent: domingo, 3 de Novembro de 2013 14:35
>> To: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] TAC hits a new record level of aggravation...
>>
>> On Sun, 3 Nov 2013, Jeff Kell wrote:
>>
>>> Customer support died a decade ago.
>>
>> For the front-end stuff, sure. To be fair, and to give credit where credit is due, I have dealt with some TAC engineers who have been incredibly helpful, professional, and responsive. For the things I generally reach out to TAC for, it seems like the level of response I've gotten recently has improved a bit from, say, two years ago.
>>
>> jms
[c-nsp] ASA5520 latency OSPF drops
Hi,

We are having a problem with high latency and OSPF drops on an ASA5520. The portion of our network in question is connected as follows:

Internal Network---3750---2950G---ASA5520---2950G---2921---External World

The two 2950G's shown above are actually the same device; we are using VLANs to segment the traffic. We're running OSPF between the 3750 and the ASA5520, and between the ASA5520 and the 2921.

Every so often (it started three months ago, about once per month, now it's about once per week, but it's not regular), we're getting very high latency on pings from our Internal Network to the ASA5520, and the OSPF adjacency between the 3750 and the ASA5520 is dropping. The issue was lasting about 60 seconds each time up to this morning, when it lasted about 3 hours. Ugh!

Pings from the Internal Network to the 3750 and 2950G are fine. The OSPF adjacency between the ASA5520 and the 2921 is not affected. This would seem to suggest an issue between the 2950G and the ASA5520.

There are some input errors showing on the inside interface of the ASA5520, but very few compared with the traffic that passes through the interface (0.009%). There is no evidence of errors on the 2950G interface(s), even when show controllers Ethernet-controller is issued.

The 3750 is showing:

    Feb 1 06:12:03: %OSPF-5-ADJCHG: Process 2, Nbr x.x.x.x on FastEthernet1/0/1 from LOADING to FULL, Loading Done
    Feb 1 06:17:03: %OSPF-5-ADJCHG: Process 2, Nbr x.x.x.x on FastEthernet1/0/1 from LOADING to FULL, Loading Done
    Feb 1 06:18:54: %OSPF-5-ADJCHG: Process 2, Nbr x.x.x.x on FastEthernet1/0/1 from LOADING to FULL, Loading Done
    Feb 1 07:40:35: %OSPF-5-ADJCHG: Process 2, Nbr x.x.x.x on FastEthernet1/0/1 from LOADING to FULL, Loading Done
    Feb 1 07:46:55: %OSPF-5-ADJCHG: Process 2, Nbr x.x.x.x on FastEthernet1/0/1 from LOADING to FULL, Loading Done
    Feb 1 07:59:46: %OSPF-5-ADJCHG: Process 2, Nbr x.x.x.x on FastEthernet1/0/1 from LOADING to FULL, Loading Done

Strangely, it is not showing any FULL to DOWN events. The ASA is not logging OSPF drops, but show ospf neighbor does show that the neighbor has only been up since the last drop.

We do not see any evidence of CPU or traffic spikes (either in terms of bandwidth, connection counts, or number of unicast packets traversing the link). RAM on the ASA5520 went up very slightly during this morning's events, but hardly enough to care about.

MTU is set to 1500 on all implicated 3750, 2950G and ASA interfaces.

We are rather stumped. The ASA is running 8.2(4). We're thinking of upgrading to 8.2(5). We are also considering:

- bypass the 2950G
- replace the ASA5520 with a spare
- replace the 3750 with a spare

All these options imply 3am maintenance windows. Any ideas before we start to have a few sleepless nights? :)

Thanks,
Adam
Re: [c-nsp] TAC hits a new record level of aggravation...
Yes, I have run into this over and over during this last week. I ended up emailing the files due to the issues. I also had problems with the HTTP upload as well.

-jeff

On Feb 1, 2014, at 9:54 AM, Pavel Skovajsa pavel.skova...@gmail.com wrote:

> Resurrecting this thread,
>
> Is any of you having issues uploading file attachments to TAC cases using the http java page? Somehow nobody in our org can upload anything - we have latest Firefox, latest Java from Sun, still after clicking the Submit button in the file upload window nothing happens.
>
> Regards,
> -pavel skovajsa
>
> On Thu, Nov 7, 2013 at 12:13 PM, Antonio Soares amsoa...@netcabo.pt wrote:
>
>> Another tool that is a nightmare. The new bug search tool: it hangs my IE 9, my FF 25, ...
>>
>> This is what FF tells me:
>>
>> A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
>>
>> Script: https://tools.cisco.com/bugsearch/resources-2.0.5/js/jquery-1.8.2.js:624
>>
>> Java, JavaScript, etc, why do we need that ?
>>
>> Regards,
>> Antonio Soares, CCIE #18473 (RS/SP)
>> amsoa...@netcabo.pt
>> http://www.ccie18473.net
>>
>> -----Original Message-----
>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin M. Streiner
>> Sent: domingo, 3 de Novembro de 2013 14:35
>> To: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] TAC hits a new record level of aggravation...
>>
>> On Sun, 3 Nov 2013, Jeff Kell wrote:
>>
>>> Customer support died a decade ago.
>>
>> For the front-end stuff, sure. To be fair, and to give credit where credit is due, I have dealt with some TAC engineers who have been incredibly helpful, professional, and responsive. For the things I generally reach out to TAC for, it seems like the level of response I've gotten recently has improved a bit from, say, two years ago.
>>
>> jms
Re: [c-nsp] TAC hits a new record level of aggravation...
I tried two operating systems and four browsers yesterday. I couldn't upload files that were just a few hundred KB.

/chris

On Sat, Feb 1, 2014 at 9:54 AM, Pavel Skovajsa pavel.skova...@gmail.com wrote:

> Resurrecting this thread,
>
> Is any of you having issues uploading file attachments to TAC cases using the http java page? Somehow nobody in our org can upload anything - we have latest Firefox, latest Java from Sun, still after clicking the Submit button in the file upload window nothing happens.
>
> Regards,
> -pavel skovajsa
>
> On Thu, Nov 7, 2013 at 12:13 PM, Antonio Soares amsoa...@netcabo.pt wrote:
>
>> Another tool that is a nightmare. The new bug search tool: it hangs my IE 9, my FF 25, ...
>>
>> This is what FF tells me:
>>
>> A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
>>
>> Script: https://tools.cisco.com/bugsearch/resources-2.0.5/js/jquery-1.8.2.js:624
>>
>> Java, JavaScript, etc, why do we need that ?
>>
>> Regards,
>> Antonio Soares, CCIE #18473 (RS/SP)
>> amsoa...@netcabo.pt
>> http://www.ccie18473.net
>>
>> -----Original Message-----
>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin M. Streiner
>> Sent: domingo, 3 de Novembro de 2013 14:35
>> To: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] TAC hits a new record level of aggravation...
>>
>> On Sun, 3 Nov 2013, Jeff Kell wrote:
>>
>>> Customer support died a decade ago.
>>
>> For the front-end stuff, sure. To be fair, and to give credit where credit is due, I have dealt with some TAC engineers who have been incredibly helpful, professional, and responsive. For the things I generally reach out to TAC for, it seems like the level of response I've gotten recently has improved a bit from, say, two years ago.
>>
>> jms
Re: [c-nsp] ASA5520 latency OSPF drops
On 01/02/2014 16:27, Adam Greene wrote:

> Every so often (it started three months ago, about once per month, now it's about once per week, but it's not regular), we're getting very high latency on pings from our Internal Network to the ASA5520, and the OSPF adjacency between the 3750 and the ASA5520 is dropping. The issue was lasting about 60 seconds each time up to this morning, when it lasted about 3 hours. Ugh!

check show cpu detailed and show conn count on the ASA. If either of these are very high, you could be experiencing a denial of service attack.

Nick
Re: [c-nsp] TAC hits a new record level of aggravation...
Could we petition for an HTML 1.0, old-school, no-javascript, no Java apps, alternative TAC site? Then look at the usage statistics between the two? :)

And bring back ftp.cisco.com :)

Jeff

On 2/1/2014 12:41 PM, Chris Marget wrote:

> I tried two operating systems and four browsers yesterday. I couldn't upload files that were just a few hundred KB.
>
> /chris
>
> On Sat, Feb 1, 2014 at 9:54 AM, Pavel Skovajsa pavel.skova...@gmail.com wrote:
>
>> Resurrecting this thread,
>>
>> Is any of you having issues uploading file attachments to TAC cases using the http java page? Somehow nobody in our org can upload anything - we have latest Firefox, latest Java from Sun, still after clicking the Submit button in the file upload window nothing happens.
>>
>> Regards,
>> -pavel skovajsa
>>
>> On Thu, Nov 7, 2013 at 12:13 PM, Antonio Soares amsoa...@netcabo.pt wrote:
>>
>>> Another tool that is a nightmare. The new bug search tool: it hangs my IE 9, my FF 25, ...
>>>
>>> This is what FF tells me:
>>>
>>> A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
>>>
>>> Script: https://tools.cisco.com/bugsearch/resources-2.0.5/js/jquery-1.8.2.js:624
>>>
>>> Java, JavaScript, etc, why do we need that ?
>>>
>>> Regards,
>>> Antonio Soares, CCIE #18473 (RS/SP)
>>> amsoa...@netcabo.pt
>>> http://www.ccie18473.net
>>>
>>> -----Original Message-----
>>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin M. Streiner
>>> Sent: domingo, 3 de Novembro de 2013 14:35
>>> To: cisco-nsp@puck.nether.net
>>> Subject: Re: [c-nsp] TAC hits a new record level of aggravation...
>>>
>>> On Sun, 3 Nov 2013, Jeff Kell wrote:
>>>
>>>> Customer support died a decade ago.
>>>
>>> For the front-end stuff, sure. To be fair, and to give credit where credit is due, I have dealt with some TAC engineers who have been incredibly helpful, professional, and responsive. For the things I generally reach out to TAC for, it seems like the level of response I've gotten recently has improved a bit from, say, two years ago.
>>>
>>> jms
Re: [c-nsp] ASA5520 latency OSPF drops
On 02/01/2014 08:27 AM, Adam Greene wrote:

> Every so often (it started three months ago, about once per month, now it's about once per week, but it's not regular), we're getting very high latency on pings from our Internal Network to the ASA5520, and the OSPF adjacency between the 3750 and the ASA5520 is dropping. The issue was lasting about 60 seconds each time up to this morning, when it lasted about 3 hours. Ugh! Pings from the Internal Network to the 3750 and 2950G are fine.

What about pings from the external world to the ASA?

Also, I'd increase logging verbosity to a Syslog server with an interface connected to each side of the ASA.

And I'd also be prepared to do a packet capture on both sides of the ASA for the next time it happens.

You mention spares (I assume cold spares) but also OSPF, do you have your devices HA?
Re: [c-nsp] TAC hits a new record level of aggravation...
On 02/01/2014 09:46 AM, Jeff Kell wrote:

> Could we petition for an HTML 1.0, old-school, no-javascript, no Java apps, alternative TAC site?

Add an explicit no JavaScript to the mix and I sign. :)
Re: [c-nsp] ASA5520 latency OSPF drops
Nick, thanks.

Connection count has not exceeded 31504 in the last 18 months, and the ASA 5520 supports up to 280,000 I believe.

Unfortunately, have not yet found the right MIB to monitor CPU utilization, and the issue is sporadic, so it is hard to get cpu stats manually when it is happening.

The only clue I have so far is that during the issues, RAM utilization increases from about 290M to about 308M. These values are still quite low, though.

You're right, it may be a DoS, I just wonder what kind, with these characteristics. Unicast packets are quite low during the events ... I will start monitoring multicast, too.

-----Original Message-----
From: Nick Hilliard [mailto:n...@foobar.org]
Sent: Saturday, February 01, 2014 12:46 PM
To: Adam Greene; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA5520 latency OSPF drops

On 01/02/2014 16:27, Adam Greene wrote:

> Every so often (it started three months ago, about once per month, now it's about once per week, but it's not regular), we're getting very high latency on pings from our Internal Network to the ASA5520, and the OSPF adjacency between the 3750 and the ASA5520 is dropping. The issue was lasting about 60 seconds each time up to this morning, when it lasted about 3 hours. Ugh!

check show cpu detailed and show conn count on the ASA. If either of these are very high, you could be experiencing a denial of service attack.

Nick
Re: [c-nsp] ASA5520 latency OSPF drops
Octavio,

> What about pings from the external world to the ASA?

These appear normal, since the ASA5520---2921 OSPF session is not dropping.

> Also, I'd increase logging verbosity to a Syslog server with an interface connected to each side of the ASA.

Good idea.

> And I'd also be prepared to do a packet capture on both sides of the ASA for the next time it happens.

Tough since they occur so sporadically, and up to now have been relatively brief. I wonder if there is some way to trigger a capture upon a specific event occurring. Or maybe will we just have to keep tons of logs which roll over, and hope we catch something. We generally have about 40Mbps pumping through the unit. That's a lot of data, and a fast rollover.

> You mention spares (I assume cold spares) but also OSPF, do you have your devices HA?

Yes, cold spares. Devices are not HA. I have seen posts about OSPF failing in 8.2 when the active host of a failover pair fails, due to a bug, but that doesn't seem to be our case here as far as I can tell.

Any other ideas welcome. Sounds like people's thoughts are tending toward DoS ...

Thanks,
Adam

-----Original Message-----
From: Octavio Alvarez [mailto:alvar...@alvarezp.ods.org]
Sent: Saturday, February 01, 2014 1:24 PM
To: Adam Greene
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA5520 latency OSPF drops

On 02/01/2014 08:27 AM, Adam Greene wrote:

> Every so often (it started three months ago, about once per month, now it's about once per week, but it's not regular), we're getting very high latency on pings from our Internal Network to the ASA5520, and the OSPF adjacency between the 3750 and the ASA5520 is dropping. The issue was lasting about 60 seconds each time up to this morning, when it lasted about 3 hours. Ugh! Pings from the Internal Network to the 3750 and 2950G are fine.

What about pings from the external world to the ASA?

Also, I'd increase logging verbosity to a Syslog server with an interface connected to each side of the ASA.

And I'd also be prepared to do a packet capture on both sides of the ASA for the next time it happens.

You mention spares (I assume cold spares) but also OSPF, do you have your devices HA?
Re: [c-nsp] ASA5520 latency OSPF drops
On 01/02/2014 19:33, Adam Greene wrote:

> Unfortunately, have not yet found the right MIB to monitor CPU utilization, and the issue is sporadic, so it is hard to get cpu stats manually when it is happening.

no need. Just monitor the packet count in and out of the box from the switch that it connects to. If the drops correspond to an increase in packet load, then you've found the culprit.

Nick
Re: [c-nsp] ASA5520 latency OSPF drops
On 01/02/2014 19:39, Adam Greene wrote:

> We generally have about 40Mbps pumping through the unit.

it's the packet count that causes high cpu load, not the bps throughput.

Nick
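
Added example (not written by any poster in this thread): the check suggested in the two replies above, looking at packet rate rather than bit rate on the switch port facing the ASA and lining it up with the %OSPF-5-ADJCHG timestamps. The counter samples, 60-second polling interval, spike factor and all function names are assumptions constructed for illustration; counters are treated as 32-bit and allowed to wrap.

```python
"""Relate packets-per-second spikes on a switch port to OSPF adjacency events.
Counter values are constructed; only the log-line format comes from the thread."""
import re
from datetime import datetime, timedelta
from statistics import median

WRAP_32 = 2 ** 32  # 32-bit interface counters wrap here


def counter_delta(new, old, modulus=WRAP_32):
    """Difference between two polls of a counter, tolerating one wrap."""
    return (new - old) % modulus


def rates(samples):
    """samples: [(datetime, packets, octets), ...] polled from the switch port
    facing the firewall. Returns pps, bps and mean packet size per interval."""
    out = []
    for (t0, p0, o0), (t1, p1, o1) in zip(samples, samples[1:]):
        secs = (t1 - t0).total_seconds()
        if secs <= 0:
            continue  # duplicate or out-of-order poll
        pkts, octets = counter_delta(p1, p0), counter_delta(o1, o0)
        out.append({"start": t0, "end": t1, "pps": pkts / secs,
                    "bps": octets * 8 / secs,
                    "avg_size": octets / pkts if pkts else 0.0})
    return out


def pps_spikes(intervals, factor=3.0):
    """Intervals whose pps is more than `factor` times the median pps."""
    baseline = median(i["pps"] for i in intervals)
    return [i for i in intervals if i["pps"] > factor * baseline]


ADJCHG = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d): %OSPF-5-ADJCHG: .* to (\w+),")


def adjacency_events(log_lines, year):
    """Parse %OSPF-5-ADJCHG lines (no year in the stamp) into (time, new_state)."""
    events = []
    for line in log_lines:
        m = ADJCHG.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events


def correlate(events, spikes, slack=timedelta(minutes=5)):
    """Attach to each event the spikes that overlap it or ended <= slack before it."""
    return [(ts, state, [s for s in spikes if s["start"] <= ts <= s["end"] + slack])
            for ts, state in events]


def build_samples(start, step, deltas, pkts0, octets0):
    """Turn per-interval (packets, octets) increments into wrapped counter polls."""
    samples, pkts, octets = [(start, pkts0, octets0)], pkts0, octets0
    for n, (dp, do) in enumerate(deltas, 1):
        pkts, octets = (pkts + dp) % WRAP_32, (octets + do) % WRAP_32
        samples.append((start + n * step, pkts, octets))
    return samples


# Constructed input: 60 s polls; two intervals carry ~5x the packets for 10% more bits.
NORMAL, BURST = (375_000, 300_000_000), (1_800_000, 330_000_000)
SAMPLES = build_samples(datetime(2014, 2, 1, 6, 5), timedelta(seconds=60),
                        [NORMAL] * 4 + [BURST] * 2 + [NORMAL] * 2,
                        pkts0=4_294_000_000, octets0=1_000_000_000)
LOG_LINES = [  # format as posted in the thread, neighbor address elided as there
    "Feb 1 06:12:03: %OSPF-5-ADJCHG: Process 2, Nbr x.x.x.x on FastEthernet1/0/1 "
    "from LOADING to FULL, Loading Done",
    "Feb 1 07:40:35: %OSPF-5-ADJCHG: Process 2, Nbr x.x.x.x on FastEthernet1/0/1 "
    "from LOADING to FULL, Loading Done",
]


def analyse():
    """Run the whole pipeline on the constructed input."""
    intervals = rates(SAMPLES)
    spikes = pps_spikes(intervals)
    return intervals, spikes, correlate(adjacency_events(LOG_LINES, 2014), spikes)


if __name__ == "__main__":
    for ts, state, hits in analyse()[2]:
        print(ts, state, [f"{h['pps']:.0f} pps, {h['avg_size']:.0f} B avg" for h in hits])
```

In the constructed data the bit rate rises only from 40 to 44 Mbps while the packet rate rises from 6250 to 30000 pps, which is the case a bandwidth graph alone would not show.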
Re: [c-nsp] ASA5520 latency OSPF drops
The ASA can be brought to its knees by small packets with not a very large PPS... it's the ring buffer system it uses. Which brings to mind the current flavour du jour of ddos, that of NTP amplification.

I'd do a span of your 2950G links to eg a Linux box with tcpdump and get a pretty picture of what's passing through... or being blocked/dropped

Alan

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [c-nsp] ASA5520 latency OSPF drops
and because it's wrong to make statements without documentation:

http://geant3.archive.geant.net/service/edupert/Resources/Documents/Firewall_Performance_TIP2013.pdf

that's a 'highend' 5585x dying with just 1Mpps

Alan

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [c-nsp] ASA5520 latency OSPF drops
Hi,

since you don't lose the OSPF session between 5520 and 2921, I would say that this is not related to ASA CPU, DoS from Internet etc. This would also suggest that 2950G in general works ok.

The vlan that connects 3750 to 5520 exists only in 2950G and only these 2 devices are connected? Would it be possible that there is some kind of spanning tree instability issue in this VLAN that causes this?

Other than this, I would watch the ASA logs carefully, possibly upgrade to the latest 8.2 in case that there is a bug that could lead to some kind of blocking of the input queue.

Also I think there is a show memory xxx command that allows you to see how much memory is allocated / freed per process since boot. This might give you a hint on which process allocates these few megabytes when the issue occurs.

Regards,
John

On Sat, Feb 1, 2014 at 8:39 PM, Adam Greene maill...@webjogger.net wrote:

> Octavio,
>
>> What about pings from the external world to the ASA?
>
> These appear normal, since the ASA5520---2921 OSPF session is not dropping.
>
>> Also, I'd increase logging verbosity to a Syslog server with an interface connected to each side of the ASA.
>
> Good idea.
>
>> And I'd also be prepared to do a packet capture on both sides of the ASA for the next time it happens.
>
> Tough since they occur so sporadically, and up to now have been relatively brief. I wonder if there is some way to trigger a capture upon a specific event occurring. Or maybe will we just have to keep tons of logs which roll over, and hope we catch something. We generally have about 40Mbps pumping through the unit. That's a lot of data, and a fast rollover.
>
>> You mention spares (I assume cold spares) but also OSPF, do you have your devices HA?
>
> Yes, cold spares. Devices are not HA. I have seen posts about OSPF failing in 8.2 when the active host of a failover pair fails, due to a bug, but that doesn't seem to be our case here as far as I can tell.
>
> Any other ideas welcome. Sounds like people's thoughts are tending toward DoS ...
>
> Thanks,
> Adam
>
> -----Original Message-----
> From: Octavio Alvarez [mailto:alvar...@alvarezp.ods.org]
> Sent: Saturday, February 01, 2014 1:24 PM
> To: Adam Greene
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ASA5520 latency OSPF drops
>
> On 02/01/2014 08:27 AM, Adam Greene wrote:
>
>> Every so often (it started three months ago, about once per month, now it's about once per week, but it's not regular), we're getting very high latency on pings from our Internal Network to the ASA5520, and the OSPF adjacency between the 3750 and the ASA5520 is dropping. The issue was lasting about 60 seconds each time up to this morning, when it lasted about 3 hours. Ugh! Pings from the Internal Network to the 3750 and 2950G are fine.
>
> What about pings from the external world to the ASA?
>
> Also, I'd increase logging verbosity to a Syslog server with an interface connected to each side of the ASA.
>
> And I'd also be prepared to do a packet capture on both sides of the ASA for the next time it happens.
>
> You mention spares (I assume cold spares) but also OSPF, do you have your devices HA?
[c-nsp] Packet-level iSCSI debugging
Evening all!

We're having some ongoing weird iSCSI problems that we're trying to track down. Specifically, we're logging a huge amount of disconnects in our ESX hosts that connect to our EMC Clariion storage arrays. Our VMs are still running well despite this, but the sheer number of errors is getting somewhat alarming.

Our core is a pair of Nexus 5548s with a few 2200 Fabric Extenders thrown in the mix. We're using 10-gig TwinAx and -SR Fiber connections. iSCSI is on its own dedicated vlan and mapped using standard access ports to each ESX host.

I'm not seeing any significant errors on the interfaces themselves, and the utilization is well below 10gigs. The CPU on the EMC isn't high at all, but still, something's behaving strangely.

So my question is...are there any apps that will listen on my iSCSI vlan and detect any weird network anomalies? I'd like something iSCSI specific. Basically I'd like to make sure there aren't any strange traffic floods, responses from multiple IPs, stupid RSTs, and so forth. Worst case I'll throw up a Wireshark box, span the traffic and eyeball it, but automated tools are always much easier.

Any help or tips are much appreciated.

- Mike

--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
[c-nsp] Transparent WAN Encryption
Hello group,

Service Provider WAN links are not secure anymore and I have more and more enterprise customers asking for transparent WAN encryption solutions. I came across these two products:

EncryptTight:
http://www.blackbox.com/Store/Results.aspx/Networking/Security-Optimization/Encryption/n-4294953119

TrustNet:
http://www.certesnetworks.com/securitysolutions/wan-encryption.html

Does anyone have experience with these products? This seems the ideal solution. The networks remain exactly the same as they were, we simply add these devices to do their job.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net
[c-nsp] Cisco 6503 Sup2T Engine block outbound TCP or UDP Port traffic
Hi Everyone,

I have a SUP2t engine running IOS s2t54-ADVIPSERVICESK9-M version and I am wondering if there is a way to filter or block TCP or UDP port traffic. I know how to NULL route IPs but I don't know if there is a way to block or deny traffic based on destination ports also based on IP ranges.

Any ideas would be much appreciated.

Joe
Re: [c-nsp] Cisco 6503 Sup2T Engine block outbound TCP or UDP Port traffic
On Feb 2, 2014, at 11:28 AM, Joseph Hardeman jwharde...@gmail.com wrote:

> I know how to NULL route IPs but I don't know if there is a way to block or deny traffic based on destination ports also based on IP ranges.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design.

-- John Milton