Cisco 3800 series Router - general failure

drizzt9999

Hi there.

I have a 3800 series router at my company which has been recently set up and has had some strange behaviour.

More or less every day, at more or less a given hour, it stops functioning. By "stopping" I mean it becomes extremely slow and rapidly slides to a halt. Can't even telnet to it, as if the processor was suddenly overloaded.
The only way to recover is to reboot (reload) it.
The rest of the time it's working fine.

It is difficult to access the CLI when it breaks down. If I am pinging an outside address (or any address) from a machine connected to the router, breakdown is immediate and without warning, showing no gradual delay in pings until timeout.

Malicious user activity is not to be excluded, but what kind of attack could produce this result and what's the best way to block it?

What debug variables do you suggest I watch when using syslog to try to track down this problem and its origin?

Thanks for any help

 
A DoS attack could cause this...tcp intercept is good for preventing this. It happens at the same time? To rule out hardware, if you can afford to do this, perhaps you can unplug it from the network. Does it act okay immediately upon reboot? Has it ever acted up again after a reboot, and if so, how long after?
If you suspect an inside job, you could try a packet sniffer...at least get the IP address...I'm not too hip on the logging part myself. What time does this happen anyway? Is it inconsistent at all, like maybe it seems like it is close to the same time to where you may think this is important? How long does it take for it to go down to its knees? Was there a router there before this one? Can you place this router on a different segment?
 
Hi. Thanks for your reply.

The sequence of events was something along these lines:

1. Router was set up.
2. Worked OK for around 4 (business) days.
3. First problem noticed.
4. Since then, every day, more or less at the same time; on one of the days it happened twice.
5. After a week or so, a period of another 4 days with no problems (including the weekend, this time), then the same pattern. (The router has been up for no more than 15 days so far.)

As for timing, it is not 100% consistent, although it does usually happen around the same time (like a process being started up somewhere by someone).

There was no router in this position (on the network) before.

Once it starts happening it is almost immediate. If I happen to be connected to the router, the telnet interface starts slowing down very fast and then it becomes impossible to write anything (very slow), but it does not drop the connection. As for connection to the exterior, if I am pinging an external server from an internal network the pings are perfectly normal until breakdown, then a timeout occurs and it remains like that.

Reboot (around 200 seconds) returns the router to normal operational status.


 
Here is an area I am not very good at...I would start with debug commands, but nothing intensive if this did not occur in on 2 week instance...debug ip packet maybe? But if it starts crawling, then you won't be able to view it, and a reboot clears the output...tough one...maybe someone else may see this...

Burt
 
When it starts to slow down, I'd try to do a
sh proc cpu
and figure out what is eating up the CPU...
If you can wait long enough, maybe it will crash and reload itself.

Then you should have a crashfile in the flash, and when you do a sho ver it will tell you that it crashed due to memory error and address xxx.

Those can then be given to Cisco TAC to tell you what is happening.

It could be IOS, hardware, etc. They will probably give you an RMA if it looks to be hardware.
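
For the sh proc cpu suggestion above, an added example (not part of the thread and not from any poster): a Python sketch that reads that command's output and separates interrupt-level load, which points at traffic volume, from process-level load, which points at a named process. The sample output is constructed, and the function names and the 80% threshold are assumptions.

```python
import re

# Constructed sample of `show processes cpu` output (not from the poster's router).
SAMPLE = """\
CPU utilization for five seconds: 99%/12%; one minute: 91%; five minutes: 64%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           4       120         33  0.00%  0.00%  0.00%   0 Chunk Manager
  84     9876540   4455667       2216 81.35% 74.10% 50.22%   0 IP Input
 112       12000     88000        136  3.10%  2.40%  1.90%   0 ARP Input
 140        8000     42000        190  1.20%  0.80%  0.70%   2 Virtual Exec
"""

# Header: first figure is total CPU, second is the share spent at interrupt level.
HEADER = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%")
# Row: PID, runtime, invoked, uSecs, 5Sec, 1Min, 5Min, TTY, process name.
ROW = re.compile(r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+([\d.]+)%"
                 r"\s+([\d.]+)%\s+\d+\s+(.+?)\s*$")

def parse(text):
    """Return (total %, interrupt %, [(process, 5-second %)] sorted busiest first)."""
    total = interrupt = None
    procs = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            total, interrupt = int(m.group(1)), int(m.group(2))
            continue
        m = ROW.match(line)
        if m:
            procs.append((m.group(5), float(m.group(2))))
    procs.sort(key=lambda p: p[1], reverse=True)
    return total, interrupt, procs

def triage(text, busy=80):
    """Classify a snapshot; `busy` is an assumed saturation threshold in percent."""
    total, interrupt, procs = parse(text)
    if total is None:
        return "no CPU header found"
    if total < busy:
        return "CPU not saturated"
    if interrupt >= total / 2:
        return "interrupt-level load: look at traffic volume on the interfaces"
    name, pct = procs[0] if procs else ("unknown", 0.0)
    return f"process-level load: top process {name} at {pct}%"

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because the router stops responding within moments, the snapshot has to be captured to a terminal log or remote host as soon as the slowdown starts, since a reload clears it.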
 