Re: [cisco-ttl] CPU on the PIX climbing to 95%

From: A.Murat BAYRAM (mbayram_at_yyu.edu.tr)
Date: Mon Sep 27 2004 - 09:01:15 GMT

    Hello again everyone,

    In addition to the ports Enis hoca listed, I blocked some more ports on the core switch,
    separately for each VLAN, in both the in and out directions. (I have come to understand
    that this should have been done much earlier; the output after 3 days is below.) But there
    are still hosts on the network making far too many connections through the PIX. I
    pinpointed them, and when I ran netstat on these PCs I did indeed see that they were
    trying to make hundreds of random connections, and the ports vary a lot. The number of
    these PCs looks like it will keep growing.

    On the PIX, when I look at the IPs that make many connections with the command
    show local-host <ip-address> detail, I see that they have reached more than 900 maximum
    active connections. (A sample output is below.)

    If I impose a connection-count limit on the PIX, would it harm innocent users? There are
    "Maximum connections" and "Maximum embryonic connections". An embryonic connection, I
    think, means a connection that has been started but is not yet established. Which of
    these two should I limit, both of them, and what value would be appropriate? Or would
    putting a limit in place cause problems?

    Another question: I want to send all the traffic passing through the PIX to snort (or to
    another IDS, if there is one you can recommend). What do I need to tell the PIX for this?

    Thanks
    --------------------------------

    Sample outputs:

    PixFirewall# sh local-host 10.160.0.239 detail
    Interface inside: 472 active, 952 maximum active, 0 denied
    local host: <10.160.0.239>,
        TCP connection count/limit = 9/unlimited
        TCP embryonic count = 9
        TCP intercept watermark = unlimited
        UDP connection count/limit = 2/unlimited
      AAA:
      Xlate(s):
        UDP PAT from inside:10.160.0.239/1058 to outside:193.255.143.55/42015 flags rD
        TCP PAT from inside:10.160.0.239/2453 to outside:193.255.143.55/53249 flags rD
        TCP PAT from inside:10.160.0.239/2515 to outside:193.255.143.55/53251 flags rD
        TCP PAT from inside:10.160.0.239/2726 to outside:193.255.143.55/53256 flags rD
        TCP PAT from inside:10.160.0.239/2748 to outside:193.255.143.55/53257 flags rD
        TCP PAT from inside:10.160.0.239/2979 to outside:193.255.143.55/53266 flags rD
        TCP PAT from inside:10.160.0.239/3004 to outside:193.255.143.55/53268 flags rD
        UDP PAT from inside:10.160.0.239/3171 to outside:193.255.143.55/43343 flags rD
        UDP PAT from inside:10.160.0.239/3172 to outside:193.255.143.55/43344 flags rD
        UDP PAT from inside:10.160.0.239/3173 to outside:193.255.143.55/43345 flags rD
        UDP PAT from inside:10.160.0.239/3174 to outside:193.255.143.55/43346 flags rD
        UDP PAT from inside:10.160.0.239/3175 to outside:193.255.143.55/43347 flags rD
        UDP PAT from inside:10.160.0.239/3176 to outside:193.255.143.55/43348 flags rD
        UDP PAT from inside:10.160.0.239/3177 to outside:193.255.143.55/43349 flags rD
        UDP PAT from inside:10.160.0.239/3179 to outside:193.255.143.55/43350 flags rD
        UDP PAT from inside:10.160.0.239/3180 to outside:193.255.143.55/43351 flags rD
        UDP PAT from inside:10.160.0.239/3181 to outside:193.255.143.55/43352 flags rD
        TCP PAT from inside:10.145.0.240/1360 to outside:193.255.143.59/1084 flags rD
      Conn(s):
        TCP outside:64.26.62.254/25 inside:10.160.0.239/2453 flags saA
        TCP outside:64.26.62.254/25 inside:10.160.0.239/2515 flags saA
        TCP outside:64.26.62.254/25 inside:10.160.0.239/2726 flags saA
        TCP outside:64.26.62.254/25 inside:10.160.0.239/2748 flags saA
        TCP outside:64.26.62.254/25 inside:10.160.0.239/2979 flags saA
        TCP outside:64.26.62.254/25 inside:10.160.0.239/3004 flags saA
        TCP outside:64.26.62.254/25 inside:10.160.0.239/3213 flags saA
        TCP outside:64.26.62.254/25 inside:10.160.0.239/3237 flags saA
        TCP outside:64.26.62.254/25 inside:10.160.0.239/3417 flags saA

    -------------------------
    VAN_MSFC1#sh access-lists 115
    Extended IP access list 115
        deny udp any any eq 135
        deny tcp any any eq 135 (4257 matches)
        deny tcp any any eq 445 (5254 matches)
        deny tcp any any eq 593 (1329 matches)
        deny tcp any any eq 4444 (1603 matches)
        deny tcp any any eq 1433 (7226 matches)
        deny tcp any any eq 1434 (6251 matches)
        deny tcp any any eq 1900 (4054 matches)
        deny udp any any eq 1433 (1901 matches)
        deny udp any any eq 1434 (1479 matches)
        deny udp any any eq 1900 (13904 matches)
        deny tcp any any eq 5554
        deny tcp any any eq 9996
        deny tcp any any eq 3127 (5638 matches)
        deny tcp any any eq 559 (1277 matches)
        deny tcp any any eq 1025 (3194 matches)
        deny udp any any eq 1026 (45647 matches)
        deny udp any any eq 1027 (24620 matches)
        deny tcp any any eq 2745 (10348 matches)
        deny tcp any any eq 2535 (2042 matches)
        deny tcp any any eq 5000 (268 matches)
        deny tcp any any eq 3410 (3399 matches)
        deny tcp any any eq 6129 (532 matches)
        deny tcp any any eq 65506 (16 matches)
        permit ip any any (7822160 matches)
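An added example, not part of the message above or of the cisco-ttl list: a small Python parser for the `show local-host <ip> detail` output quoted in the post, with checks that flag the two patterns visible in that output. Every TCP connection of the host is still embryonic (the embryonic count of 9 equals the connection count of 9, consistent with the `saA` flags on each conn line), and all of them go to port 25 on the same outside address. The sample input is the quoted output with the Xlate(s) list shortened to two lines; the thresholds in `assess()` are constructed illustrations, not PIX defaults. Running this over the `show local-host` output of hosts that are known to be clean gives the measured baseline needed to choose values for "Maximum connections" and "Maximum embryonic connections" that ordinary users will not hit.

```python
import re
from collections import Counter

# Constructed sample input: the "show local-host 10.160.0.239 detail" output
# quoted in the post, with the Xlate(s) list shortened to two lines.
SAMPLE_OUTPUT = """\
Interface inside: 472 active, 952 maximum active, 0 denied
local host: <10.160.0.239>,
    TCP connection count/limit = 9/unlimited
    TCP embryonic count = 9
    TCP intercept watermark = unlimited
    UDP connection count/limit = 2/unlimited
  AAA:
  Xlate(s):
    UDP PAT from inside:10.160.0.239/1058 to outside:193.255.143.55/42015 flags rD
    TCP PAT from inside:10.160.0.239/2453 to outside:193.255.143.55/53249 flags rD
  Conn(s):
    TCP outside:64.26.62.254/25 inside:10.160.0.239/2453 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/2515 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/2726 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/2748 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/2979 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/3004 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/3213 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/3237 flags saA
    TCP outside:64.26.62.254/25 inside:10.160.0.239/3417 flags saA
"""

IFACE_RE = re.compile(r"Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied")
HOST_RE = re.compile(r"local host: <([\d.]+)>")
TCP_RE = re.compile(r"TCP connection count/limit = (\d+)/(\S+)")
EMB_RE = re.compile(r"TCP embryonic count = (\d+)")
UDP_RE = re.compile(r"UDP connection count/limit = (\d+)/(\S+)")
# Conn(s) lines only; Xlate lines have the different "PAT from ... to ..." shape.
CONN_RE = re.compile(r"^(TCP|UDP) outside:([\d.]+)/(\d+) inside:([\d.]+)/(\d+) flags (\S+)$")


def parse_local_host(text):
    """Parse one 'show local-host <ip> detail' block into a dict."""
    report = {"interface": None, "iface_active": 0, "iface_max_active": 0,
              "host": None, "tcp_count": 0, "tcp_limit": None,
              "tcp_embryonic": 0, "udp_count": 0, "conns": []}
    in_conns = False
    for line in text.splitlines():
        stripped = line.strip()
        if m := IFACE_RE.search(line):
            report["interface"] = m.group(1)
            report["iface_active"] = int(m.group(2))
            report["iface_max_active"] = int(m.group(3))
        elif m := HOST_RE.search(line):
            report["host"] = m.group(1)
        elif m := TCP_RE.search(line):
            report["tcp_count"] = int(m.group(1))
            report["tcp_limit"] = m.group(2)
        elif m := EMB_RE.search(line):
            report["tcp_embryonic"] = int(m.group(1))
        elif m := UDP_RE.search(line):
            report["udp_count"] = int(m.group(1))
        elif stripped.endswith(":"):  # section headers: AAA:, Xlate(s):, Conn(s):
            in_conns = stripped == "Conn(s):"
        elif in_conns and (m := CONN_RE.match(stripped)):
            proto, rip, rport, lip, lport, flags = m.groups()
            report["conns"].append({"proto": proto, "remote_ip": rip,
                                    "remote_port": int(rport),
                                    "local_port": int(lport), "flags": flags})
    return report


def assess(report, max_conns=100, half_open_ratio=0.8, port_share=0.8, min_conns=5):
    """Return (rule, detail) findings for one host. Thresholds are constructed
    examples for illustration; tune them against known-good hosts first."""
    findings = []
    total = report["tcp_count"] + report["udp_count"]
    if total > max_conns:
        findings.append(("conn-limit", f"{total} connections, over the {max_conns} watch threshold"))
    tcp = report["tcp_count"]
    # Mostly half-open TCP: the host is opening sessions faster than peers answer.
    if tcp >= min_conns and report["tcp_embryonic"] / tcp >= half_open_ratio:
        findings.append(("half-open", f"{report['tcp_embryonic']}/{tcp} TCP connections still embryonic"))
    # Fan-out to one destination port (here port 25) across the host's TCP conns.
    tcp_conns = [c for c in report["conns"] if c["proto"] == "TCP"]
    if len(tcp_conns) >= min_conns:
        port, n = Counter(c["remote_port"] for c in tcp_conns).most_common(1)[0]
        if n / len(tcp_conns) >= port_share:
            peers = {c["remote_ip"] for c in tcp_conns if c["remote_port"] == port}
            findings.append(("port-fanout",
                             f"{n}/{len(tcp_conns)} TCP connections to port {port} on {len(peers)} peer(s)"))
    return findings


if __name__ == "__main__":
    rep = parse_local_host(SAMPLE_OUTPUT)
    for rule, detail in assess(rep):
        print(f"{rep['host']}: [{rule}] {detail}")
```

Feed it one host block at a time (the output of `show local-host <ip> detail` for each suspect address); the per-interface `active`/`maximum active` numbers from the first line are kept in the report so a sweep over many hosts can also be compared against the interface total.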


    This list has no affiliation with Cisco Systems.




    This archive was generated by hypermail 2.1.5 : Mon Sep 27 2004 - 13:04:33 GMT