Re: [cisco-ttl] CEF problem

From: Mesut CAP <mesutcap_at_....>
Date: Fri, 22 May 2009 08:04:26 +0300


Hello;
The problem was solved with an IOS upgrade. The IOS I am using is cat4500-entservices-mz.122-50.SG2.bin.
I had looked at the Bug tool, but either I did not notice it or it has not been written up. The old IOS was cat4500-entservices-mz.122-46.SG.bin.
Thanks, have a good day.

On 5/15/09, Serhat Uslay <serhat.uslay_at_zurich.com.au> wrote:
>
> Mesut,
> I could not see the continuation of the same session on the two different
> firewalls; new traffic from the same source with a different port is going
> to the second firewall, and the sequence numbers are different anyway (I
> have shown this below in different colors!).
> So the same flow keeps flowing through the same firewall. Maybe VakifBank
> creates more than one HTTP flow and expects them to come from the same
> firewall, since the FW will be doing NAT.
> Discuss this with Cisco; remove the port hash from ip cef load balancing,
> so if you load balance only on source and destination IP, without the port
> entering the load-balancing algorithm, maybe the problem will be fixed.
> Also,
>
> show ip cef 195.142.247.11 and show ip cef 195.142.247.10
>
> can you see "per-destination sharing" in the outputs?
>
> Please let me know if you get a result, have a good day.
>
> Serhat
>
>
>
> Mesut CAP <mesutcap_at_gmail.com>
> Sent by: cisco-ttl_at_yahoogroups.com
> 13/05/2009 11:15 PM
> Please respond to: cisco-ttl_at_yahoogroups.com
> To: cisco-ttl_at_yahoogroups.com
> Subject: Re: [cisco-ttl] CEF problem
>
> Hello Serhat; the diagnose outputs from the firewalls are below. The logs
> below are produced while I am making a transaction in VakifBank internet
> banking from my computer. Packets belonging to the same session go to both
> firewalls. In the CEF-related sections of Cisco's documents it says that
> sessions belonging to the same flow use the same routes, but in our case
> 2 routes are used simultaneously and the bank, rightly, closes the
> connection.
> In the logs, the line numbers that start with 26 on Firewall-1 move over to
> Firewall-2 with line number 87; I do not understand how such a thing can
> happen. Same source, same destination, same flow. Very interesting...
>
> Firewall-1 # diagnose sniffer packet mgmt1 'host 10.0.81.47'
> interfaces=[mgmt1]
> filters=[host 10.0.81.47]
>
>
> 35.425041 10.0.81.47.4985 -> 195.142.247.11.443: syn 2622145687   (the flow starts here !!)
> 35.425164 195.142.247.11.443 -> 10.0.81.47.4985: syn 278876019 ack
> 2622145688
>
> 35.454684 10.0.81.47.4985 -> 195.142.247.11.443: ack 278878928
> .........continues....
>
>
> 2622157290
> 61.957198 195.142.247.11.443 -> 10.0.81.47.4985: 279495160 ack 2622157290
> 61.957688 10.0.81.47.4985 -> 195.142.247.11.443: ack 279496620
> 61.957701 195.142.247.11.443 -> 10.0.81.47.4985: 279496620 ack 2622157290
> 61.957711 195.142.247.11.443 -> 10.0.81.47.4985: 279498080 ack 2622157290
> 61.957721 195.142.247.11.443 -> 10.0.81.47.4985: 279499540 ack 2622157290
> 61.958367 10.0.81.47.4985 -> 195.142.247.11.443: ack 279501000
> 61.958387 195.142.247.11.443 -> 10.0.81.47.4985: 279501000 ack 2622157290
> 61.958400 195.142.247.11.443 -> 10.0.81.47.4985: 279502460 ack 2622157290
> 61.958410 195.142.247.11.443 -> 10.0.81.47.4985: 279503920 ack 2622157290
> 61.958421 195.142.247.11.443 -> 10.0.81.47.4985: 279505380 ack 2622157290
> 61.959041 10.0.81.47.4985 -> 195.142.247.11.443: ack 279505380
> 61.959059 195.142.247.11.443 -> 10.0.81.47.4985: 279506840 ack 2622157290
> 61.959071 195.142.247.11.443 -> 10.0.81.47.4985: 279508300 ack 2622157290
> 61.959082 195.142.247.11.443 -> 10.0.81.47.4985: psh 279509760 ack 2622157290   (the last sequence numbers)
> 61.959375 10.0.81.47.4985 -> 195.142.247.11.443: ack 279508300
> 61.959712 10.0.81.47.4985 -> 195.142.247.11.443: ack 279509940
>
>
>
> ***************************************************************************************************************
> Firewall-2 # diagnose sniffer packet mgmt1 'host 10.0.81.47'
> interfaces=[mgmt1]
> filters=[host 10.0.81.47]
> 87.419471 10.0.81.47.4954 -> 195.142.247.10.80: psh 1221527956 ack 24991464   (this is a separate session: the DA is different, the source port is different)
> 87.433458 195.142.247.10.80 -> 10.0.81.47.4954: psh 24991464 ack
> 1221528666
> 87.573184 10.0.81.47.4954 -> 195.142.247.10.80: ack 24991972
> 130.255747 10.0.81.47.4986 -> 195.142.247.11.443: syn 3330305057   (this is the same SA but the source port is different! so it is a new session ...)
> 130.255875 195.142.247.11.443 -> 10.0.81.47.4986: syn 500446719 ack
> 3330305058
> 130.256083 10.0.81.47.4986 -> 195.142.247.11.443: ack 500446720
> 130.256326 10.0.81.47.4986 -> 195.142.247.11.443: psh 3330305058 ack
> 500446720
> 130.256404 10.0.81.47.4987 -> 195.142.247.11.443: syn 78147496
> 130.256500 195.142.247.11.443 -> 10.0.81.47.4987: syn 2846954191 ack 78147497   (this is also a new session, the source port is different)
> 130.256648 195.142.247.11.443 -> 10.0.81.47.4986: ack 3330305267   (continuation of the previous session)
> 130.257148 10.0.81.47.4987 -> 195.142.247.11.443: ack 2846954192
> 130.257361 10.0.81.47.4987 -> 195.142.247.11.443: psh 78147497 ack
> 2846954192
> 130.257623 195.142.247.11.443 -> 10.0.81.47.4987: ack 78147706
> 130.280976 195.142.247.11.443 -> 10.0.81.47.4987: psh 2846954192 ack
> 78147706
> 130.281904 10.0.81.47.4987 -> 195.142.247.11.443: psh 78147706 ack
> 2846954314
> 130.293715 195.142.247.11.443 -> 10.0.81.47.4986: 500446720 ack 3330305267
> 130.293726 195.142.247.11.443 -> 10.0.81.47.4986: 500448180 ack 3330305267
> 130.294254 10.0.81.47.4986 -> 195.142.247.11.443: ack 500449640
> 130.294358 195.142.247.11.443 -> 10.0.81.47.4986: psh 500449640 ack
> 3330305267
> 130.294610 195.142.247.11.443 -> 10.0.81.47.4987: 2846954314 ack 78148415
> 130.294619 195.142.247.11.443 -> 10.0.81.47.4987: psh 2846955774 ack
> 78148415
> 130.295167 10.0.81.47.4987 -> 195.142.247.11.443: ack 2846956151
> 130.297417 10.0.81.47.4986 -> 195.142.247.11.443: psh 3330305267 ack
> 500449771
> 130.297479 195.142.247.11.443 -> 10.0.81.47.4986: ack 3330305449
> 130.312411 195.142.247.11.443 -> 10.0.81.47.4986: psh 500449771 ack
> 3330305449
> 130.313160 10.0.81.47.4986 -> 195.142.247.11.443: psh 3330305449 ack
> 500449814
> 130.332046 195.142.247.11.443 -> 10.0.81.47.4986: psh 500449814 ack
> 3330306115
> 130.523751 10.0.81.47.4986 -> 195.142.247.11.443: ack 500450515
> 135.633441 10.0.81.47.4987 -> 195.142.247.11.443: psh 78148415 ack
> 2846956151
> 135.670260 195.142.247.11.443 -> 10.0.81.47.4987: ack 78149336
> 135.671410 195.142.247.11.443 -> 10.0.81.47.4987: psh 2846956151 ack
> 78149336
> 135.671795 195.142.247.11.443 -> 10.0.81.47.4987: 2846957599 ack 78149336
> 135.671883 195.142.247.11.443 -> 10.0.81.47.4987: 2846959059 ack 78149336
> 135.672263 10.0.81.47.4987 -> 195.142.247.11.443: ack 2846960519
> 135.672413 195.142.247.11.443 -> 10.0.81.47.4987: psh 2846960519 ack
> 78149336
> 135.854855 10.0.81.47.4987 -> 195.142.247.11.443: ack 2846961042
> 137.416836 10.0.81.47.4986 -> 195.142.247.11.443: psh 3330306115 ack
> 500450515
> 137.450109 195.142.247.11.443 -> 10.0.81.47.4986: ack 3330306902
> 137.485653 195.142.247.11.443 -> 10.0.81.47.4986: psh 500450515 ack
> 3330306902
> 137.485871 195.142.247.11.443 -> 10.0.81.47.4986: 500451963 ack 3330306902
> 137.486520 10.0.81.47.4986 -> 195.142.247.11.443: ack 500453423
> 137.486624 195.142.247.11.443 -> 10.0.81.47.4986: psh 500453423 ack
> 3330306902
> 137.665413 10.0.81.47.4986 -> 195.142.247.11.443: ack 500454060
>
Received on Sun May 24 2009 - 16:47:23 CEST
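
The comparison discussed in the quoted reply (does one TCP session show up on both firewalls, or only the same host pair?) can be done mechanically. This is an added example, not part of the original thread; the function names are hypothetical and the sample lines are abridged from the capture quoted above, with the inline annotations removed.

```python
import re
from collections import defaultdict

# Sample captures, abridged from the sniffer lines quoted in the thread.
CAPTURES = {
    "Firewall-1": """\
35.425041 10.0.81.47.4985 -> 195.142.247.11.443: syn 2622145687
35.425164 195.142.247.11.443 -> 10.0.81.47.4985: syn 278876019 ack 2622145688
61.959712 10.0.81.47.4985 -> 195.142.247.11.443: ack 279509940
""",
    "Firewall-2": """\
87.419471 10.0.81.47.4954 -> 195.142.247.10.80: psh 1221527956 ack 24991464
130.255747 10.0.81.47.4986 -> 195.142.247.11.443: syn 3330305057
130.256404 10.0.81.47.4987 -> 195.142.247.11.443: syn 78147496
130.256500 195.142.247.11.443 -> 10.0.81.47.4987: syn 2846954191 ack 78147497
""",
}

# "<time> <src ip>.<src port> -> <dst ip>.<dst port>: ..."
LINE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def paths_by_key(captures, use_ports):
    """Map each direction-independent key to the set of firewalls that saw it."""
    seen = defaultdict(set)
    for fw, text in captures.items():
        for line in text.splitlines():
            m = LINE.match(line)
            if not m:
                continue  # banners, wrapped lines, free-text annotations
            a = (m.group(1), int(m.group(2)) if use_ports else 0)
            b = (m.group(3), int(m.group(4)) if use_ports else 0)
            # Sort the endpoints so both directions map to the same key.
            seen[tuple(sorted((a, b)))].add(fw)
    return seen

def split_keys(captures, use_ports):
    """Return the keys observed on more than one firewall."""
    return {k: fws for k, fws in paths_by_key(captures, use_ports).items()
            if len(fws) > 1}

if __name__ == "__main__":
    # With ports: a hit means one TCP session is being split across paths.
    print("TCP sessions on both firewalls:", split_keys(CAPTURES, use_ports=True))
    # Without ports: a hit means the host pair is split, which is what
    # hashing on source and destination IP only would avoid.
    print("Host pairs on both firewalls:", split_keys(CAPTURES, use_ports=False))
```
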
