We block ICMP 'from' the router to the LAN that supports the network on which the IM Service is running. At this time I don't log those events to syslog. We see no ICMP traffic emanating from the LAN where the service resides to the router (I do block with two exceptions and log that). The Nagios device is not shielded from ICMP (though it could and will be as of now). We were seeing some high traffic from two customer networks at about the same time. We will investigate that.
Thanks for the suggestion Mel. - Mike -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mel Beckman Sent: Tuesday, November 04, 2003 10:04 AM To: InterMapper Discussion Subject: RE: Nagios false down reads Mike, I've been seeing problems like this in networks that turns out to be the Blaster and Nachi virii in their "broadcast" mode -- when they try to ping every IP address on the local subnet, which results in massive broadcast packets on large (e.g. 10.0.0.0/8) subnets. Many routers discard ICMP packets when faced with so much broadcast traffic. I don't believe Intermapper will sense the broadcast traffic, because it may not be a high bits per second data rate, just a high packets per second. Have you put a sniffer on your network to see if you've got a broadcast flood going on? -mel >I rarely am watching the screen at the exact moment when the probe is >reported as down, so I can't tell you the "Reason" from the Satus Window. >Here's what I have right now. > >The Debug log has nothing for the probe. > >The outage log looks like this: > >Mon, Nov 03, 2003 03:58 PM Cheyenne Temp 29 seconds Mon, >Nov 03, 2003 03:58 PM >Mon, Nov 03, 2003 04:01 PM Cheyenne Temp 28 seconds Mon, >Nov 03, 2003 04:01 PM >Mon, Nov 03, 2003 05:30 PM Cheyenne Temp 28 seconds Mon, >Nov 03, 2003 05:30 PM >Mon, Nov 03, 2003 07:20 PM Cheyenne Temp 58 seconds Mon, >Nov 03, 2003 07:19 PM >Mon, Nov 03, 2003 07:42 PM Cheyenne Temp 28 seconds Mon, >Nov 03, 2003 07:42 PM >Mon, Nov 03, 2003 07:59 PM Cheyenne Temp 28 seconds Mon, >Nov 03, 2003 07:59 PM >Mon, Nov 03, 2003 09:45 PM Cheyenne Temp 28 seconds Mon, >Nov 03, 2003 09:44 PM >Mon, Nov 03, 2003 11:13 PM Cheyenne Temp 28 seconds Mon, >Nov 03, 2003 11:13 PM >Tue, Nov 04, 2003 12:00 AM Cheyenne Temp 28 seconds Mon, >Nov 03, 2003 11:59 PM > > The event log looks like this: > >11/03 19:19:33 DOWN Cheyenne Temp:: (Was up for 1 hour, 49 minutes, >2 >seconds) >11/03 19:20:31 UP Cheyenne Temp:: (Was down for 58 seconds) >11/03 19:42:03 DOWN Cheyenne Temp:: (Was up for 21 minutes, 32 seconds) >11/03 19:42:31 UP Cheyenne Temp:: (Was down for 28 seconds) >11/03 19:59:03 DOWN Cheyenne Temp:: (Was up for 16 minutes, 32 seconds) >11/03 19:59:31 UP Cheyenne Temp:: (Was down for 28 seconds) >11/03 21:44:32 DOWN Cheyenne Temp:: (Was up for 1 hour, 45 minutes, >1 >second) >11/03 21:45:00 UP Cheyenne Temp:: (Was down for 28 seconds) >11/03 23:13:02 DOWN Cheyenne Temp:: (Was up for 1 hour, 28 minutes, >2 >seconds) >11/03 23:13:30 UP Cheyenne Temp:: (Was down for 28 seconds) >11/03 23:59:32 DOWN Cheyenne Temp:: (Was up for 46 minutes, 2 >seconds) > >-----Original Message----- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of Christopher L. >Sweeney >Sent: Tuesday, November 04, 2003 8:53 AM >To: InterMapper Discussion >Subject: Re: Nagios false down reads > >At 8:30 AM -0700 11/4/03, Mike Lieberman wrote: >>Are packets from Nagios devices easily lost, or occasionally not sent, > >for some reason? > > > >We are using a remote temp probe which supports Nagios via IM. The > >Nagios code seems to work, and the temps are properly read. There is > >good open bandwidth between the probe and the IM service, (by a DS3 >>which during these down events may have under 10% utilization). Never >>the less we see frequent "down" events. Setting the timeout to a >>longer >setting just makes the "Down" >>longer before the "UP". It doesn't appear to be a delayed packet as >>much as a missed, unsent or discarded packet. >> >>Does anyone have anything else similar happening with Nagios supported >>equipment under IM? >> > >What does the status window give as a reason for these down events? >It would be worth checking the debug log, too, to see if IM is having >difficulty setting up and executing the Nagios command from time to time. > >-- Christopher > >-- >================================================ >Christopher L. Sweeney >[EMAIL PROTECTED] >http://www.dartware.com/ > >____________________________________________________________________ >List archives: >http://www.mail-archive.com/intermapper-talk%40list.dartware.com/ >To unsubscribe: send email to: [EMAIL PROTECTED] > > >____________________________________________________________________ >List archives: >http://www.mail-archive.com/intermapper-talk%40list.dartware.com/ >To unsubscribe: send email to: [EMAIL PROTECTED] ____________________________________________________________________ List archives: http://www.mail-archive.com/intermapper-talk%40list.dartware.com/ To unsubscribe: send email to: [EMAIL PROTECTED] ____________________________________________________________________ List archives: http://www.mail-archive.com/intermapper-talk%40list.dartware.com/ To unsubscribe: send email to: [EMAIL PROTECTED]
