Security Incidents mailing list archives

RE: cisco 7200 performance issue


From: Luciano Z <user_luciano () yahoo com br>
Date: Fri, 23 May 2003 16:42:14 -0300 (ART)


I forgot the version information :-)
It's a 12.2(12b) box.

Another interesting piece of information is that the router
does not use SSH; it is connected to a console server.
This configuration is not a regular policy; I still
have boxes that use telnet :-(

Follow-up on this incident:
We reported the problem to Cisco and the recommendation
that we got was 'apply an access-list'. Well, this is a
problem to implement. The message we received on the
router syslog affected the CPU too (it's like doing a
"debug all" on the console). With the access-list this
could be solved. The only question I have is why do
RSHELL messages need to be logged while connections to
other TCP ports don't? It would be interesting to
have a feature to disable logging on service ports
that are not in use (suggestion to the Cisco guys
here? :-)


Some of the replies I got recommended this too, but let's
analyze the problem of implementing access-lists on
this box. This is an access layer box, so we have about
80 active customers connected to this router. If we
apply an access-list to protect the router by dropping
all packets destined to the router's interface (and
its loopbacks) we will end up with an access-list
with at least 80 lines (imagine the problem of managing
this while activating/deactivating customers). So this
is not a solution, at least at this network layer.

One thing we did here after the incident is a review
of the "schedule allocate" configuration. We first
used the values from that classic paper about router
security written by Cisco, but now we have changed it a bit and
will test this to evaluate the new value.

Well, thanks for all the replies I got.
If we have some new information I'll post it here.

[]
luciano






 --- Paul Benedek <paul.benedek () excis co uk> wrote:
Hi Luciano,

What is the IOS version that you are running?  This could be a bug.  It
would be worth looking at the field notices on CCO to determine if this is
IOS related.

Regards

Paul Benedek

-----Original Message-----
From: Luciano Z [mailto:user_luciano () yahoo com br] 
Sent: 21 May 2003 20:45
To: incidents () securityfocus com
Subject: cisco 7200 performance issue

Hi!

I was responding to an incident last night and saw a
strange performance problem with a Cisco 7200.

When I issued a "sh interface" on the two fast
ethernets of my box it showed that I got only 6Mbps
traffic and a normal packet per second rate, but when I
"sh logg" the box I got a lot of
"%RCMD-4-RSHPORTATTEMPT: Attempted to connect to
RSHELL from x.y.z.w" messages with spoofed sources.

Investigating a little more I discovered that this
traffic was pushing the CPU to 98% to 100% of
utilization. Back to the output of "sh logg" I saw
that the box was logging 2 to 3 RSHELL messages per
second. In my opinion this couldn't affect the CPU so
much. The router has 256M of RAM and it's a 7200!

I couldn't gather more info about this incident
because it stopped before I could get the data. The
strange thing is that the high CPU utilization
stopped too.

I don't know if this is a problem of this Cisco model
or if I'm missing something. Any ideas?

[]
lwulff
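
Added example, not part of the thread and not code from any poster: a Python script that measures how often the "%RCMD-4-RSHPORTATTEMPT" message described in the original report appears per second in saved "sh logg" output, and how many distinct sources it names. The timestamp layout, the sample lines and the function name `summarize` are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of saved "sh logg" output. The timestamp layout is an
# assumption (it depends on the router's "service timestamps" setting) and
# the addresses are documentation ranges, not data from the incident.
SAMPLE_LOG = """\
May 21 23:41:07: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.0.2.17
May 21 23:41:07: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 198.51.100.4
May 21 23:41:07: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 203.0.113.90
May 21 23:41:08: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.0.2.201
May 21 23:41:08: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 198.51.100.77
May 21 23:41:09: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
May 21 23:41:10: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 203.0.113.5
"""

# Optional leading "*" (clock not set) and optional milliseconds are tolerated.
LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from (?P<src>\S+)"
)


def summarize(log_text, threshold_per_sec=2):
    """Count RSHELL attempt messages per second and per source address."""
    per_second = Counter()
    sources = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog message or blank line
        per_second[" ".join(m["ts"].split())] += 1
        sources[m["src"]] += 1
    return {
        "total": sum(per_second.values()),
        "peak_per_sec": max(per_second.values(), default=0),
        # Seconds at or above the threshold (the post reports 2 to 3 per second).
        "busy_seconds": sorted(s for s, n in per_second.items() if n >= threshold_per_sec),
        "distinct_sources": len(sources),
        "top_sources": sources.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A distinct-source count close to the message total is consistent with the spoofed sources the original report mentions.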

