RE: The cat came and stayed..

["Erin Carroll" <amoeba () amoebazone com>]

I kept hoping that this subject would work its way around to a
pen-test-related issue but this seems to have devolved into a routing debug
issue. Further posts on this subject, unless pen-test related, will be
rejected.

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"  

> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Buz Dale
> Sent: Wednesday, March 28, 2007 3:53 PM
> To: WALI
> Cc: pen-test () securityfocus com
> Subject: Re: The cat came and stayed..
>
> I'm going to ask some questions to clarify my spotty 
> networking knowledge. Essentially,  you have routers 
> connecting buildings "A" and "B" and when you turn off the 
> routing and make them layer two devices (Bridging mode) 
> things work as expected.  To me this implicates a layer three problem.
> Perhaps an IP conflict with the router, a machine 
> masquerading as the gateway (perhaps responding to arps for 
> the gateway ip) or a bad route. I would start looking at 
> layer three misconfigurations.  Maybe a dhcp server is giving 
> a bad gateway or somesuch.  What happens when you traceroute 
> between the networks?  Do you have extra hops? Are there 
> specific places with time lags?
>
> Thanks,
> Buz
>
> On 3/28/07, WALI <hkhasgiwale () gmail com> wrote:
> > By the time you have finished reading this, I am sure you 
> would have 
> > come across the most fascinating networking issue haunted by our 
> > friendly ghost Casper.
> >
> > With reference to my earlier thread, (Re: When cat comes 
> chasing...), 
> > this time the cat came and stayed. Having exploited most of my 
> > resources , I finally decided to involve our ISP hoping that this 
> > would be the end of it...but it wasn't supposed to be that way.
> >
> > So, to cut a long story short, ISP had provided us with 
> EoATM 100 mbps 
> > link between two locations, say A and B.
> >
> > But, since the line was given, we felt that we were not only having 
> > intermittent problems that required switch reset but also 
> felt that we 
> > were not getting the right speed and the data transfer 
> rates(FTP copy 
> > and other
> > stuff) was really not befitting a 100Mbps link.
> >
> > In order to make sure, this time the ISP guy brought some 
> equipment to 
> > our premises and confirmed that speed at Layer 2 is indeed 100.
> >
> > There are two cisco routers across Sites A and B and two media 
> > changers at each end converting Fiber to UTP. Media 
> converters are also set at 100Mbps.
> > Now a strange thing is that when we configure the two 
> routers (Site A 
> > and
> > B) in 'bridging' mode and start data transfer across, the speed 
> > becomes incrementally fast ( which should be taken as normal at all 
> > times). There is also another 100Mbps link provided by the 
> same ISP to 
> > us between Buildings A and  C, which works just fine, as it 
> should be.
> > The moment we enable our routers at Site A and B in Routing 
> mode, We 
> > get to suffer delays and all data transfers slow down, without 
> > bringing any core/edge switches into the picture.
> >
> > Various things have been done to reach some conclusion:
> >
> > 1. Ip Router configurations has been reset and put to bare minimum 
> > needed with ipcef enabled, all QoS commands disabled.
> > 2. Configurations has been checked with all combinations of Speed 
> > Auto/100 FullDuplex/Auto with best results coming out of FD/100 but 
> > still far below satisfactory.
> > 3. Equipment which serves between Site A and C has been temporarily 
> > put between Site A and B, with same non-satisfactory results.
> > 4. Earthing issues/Electrical disruption in the Room where 
> routers are 
> > located has been looked into. Routers on both sides have 
> been changed 
> > to rule out hardware issues. We also did a test on the line by 
> > bringing our routers into another room ruling out some 
> electrical disturbance of any sort.
> > Seems like, at Layer 2, despite being showing us full 
> 100mbps, Layer 3 
> > and above transfers are unable to provide the required service. 
> > Opening applications across the two buildings is very slow 
> as most of 
> > our servers reside at Site A with user base at Site B.
> >
> > Currently this ISP engineer has provided us with a patched 
> pure fibre 
> > link between Sites A and B without any intervening ISP equipment in 
> > between and we have connected our two core switches in both 
> buildings 
> > directly to the UTP interface of Media converter but that's not the 
> > permanent solution. ISP Engineer is also trying hard to find this 
> > ghost problem. He says that he has found no problems on his 
> side and 
> > the only thing that comes in the middle is a MPLS enabled 
> router. But even he is a bit baffled.
> > What else can we look at?
> >
> > Thanks for taking time to read this whole ghost story. If you have 
> > read this all, I am sure you won't stop thinking ;)
> >
> > At 12:57 AM 3/24/2007 +0100, Antonin Kral wrote:
> > > Hi Wali,
> > >
> > > * WALI <hkhasgiwale () gmail com> [2007-03-24 00:50] wrote:
> > > > Crazy Solution: I take out any patch cable and 
> re-inserts it, the 
> > > > problem gets resolved. I reset any switch, the problem gets 
> > > > resolved. I disconnect any uplink cable between the 
> four switches 
> > > > or do a ARP reset thru command line, the problem gets 
> resolved for couple of hours or even days.
> > > This sounds like problems with spanning tree in the 
> network. Do you 
> > > run STP? Take a look at the topology changes reported by 
> stp. Or one 
> > > more thing - this could happen because of over-fulling CAM 
> > > (switching) tables of particular switch. Check if you are 
> not running 
> > > out of memory somewhere.
> > >
> > >     Cheers,
> > >
> > >         Antonin
> >
> > ---------------------------------------------------------------------
> > > ---
> > > This List Sponsored by: Cenzic
> > >
> > > Need to secure your web apps?
> > > Cenzic Hailstorm finds vulnerabilities fast.
> > > Click the link to buy it, try it or download Hailstorm for FREE.
> >
> > http://www.cenzic.com/products_services/download_hailstorm.php?camp=7
> > > 01600000008bOW
> >
> > ---------------------------------------------------------------------
> > > ---
> ----------------------------------------------------------------------
> > --
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=70
> > 1600000008bOW
> ----------------------------------------------------------------------
> > --
>
>
> -- 
> Buz Dale                                buz.dale () usg edu
> IT Security Specialist              1-888-875-3697 (In GA)
> 1-706-583-2005
> Office of Information and Instructional Technology University 
> System of Georgia GMT -5:00
>
> --------------------------------------------------------------
> ----------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php
> ?camp=701600000008bOW
> --------------------------------------------------------------
> ----------


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------