authurmell

join:2012-07-18
united kingd

[HELP] Slow & No internet: Router misconfigured or malware attac

Hi, I have just taken over an existing corporate network consisting of a Windows 2003 server DC, 2 x cisco catalyst switches 2960, 2 x catalyst switches 3560 and a router 1803. (fyi there is also another unconnected Router and 1 unconnected Exchange server)

The customer complains that the internet is very slooow for all clients in the network at all times and sometimes there is NO internet access at all, at which point they switch the router On and Off to restore the internet. Most clients complain of websites loading with missing buttons, that is, NOT fully loading.

I hooked up the console on the Router and saw that it is constantly spewing non-stop log alerts about traffic being denied and dropped on normal ports, especially 80, with the following reasons over and over again from most clients:


I suspect malware attacks since Anti-virus has not been implemented properly and some clients don't even have any while the server has NONE, but is it possible that the Access List 104 which appears everywhere is misconfigured? Or do I just need to update the IOS software? Someone help!

Below is a portion of the Tech Support Log which contains everything (I hope) you need to help me solve this issue, Pleeeease!


THANK YOU for reaching this point!!! Can you help?


weoo

@bms.com

Re: [HELP] Slow & No internet: Router misconfigured or malware a

Looks like you have an attack coming from your internal network. Check the computers with the IPs listed in the log.

aryoba
Premium,MVM
join:2002-08-22
kudos:6
reply to authurmell
It looks like the router has ZBF in place which I'm never a big fan of due to questionable inspection process compared to similar process in an actual firewall hardware (i.e. Cisco ASA 5505, Juniper SRX 100).

A quick dirty solution would probably be implementing CBAC instead of ZBF. A long-term suggested solution will be to put a dedicated firewall between the router and the Catalyst 3560 switch to offload the firewall work and to have more reliable inspection process.


authurmell

join:2012-07-18
united kingd

reply to weoo
thanks, I'm sure there's lots of malware threats...I will start with installing MSE on all clients and scanning with Malwarebytes and SpywareTerminator...

What AV should I recommend on the Server???


authurmell

join:2012-07-18
united kingd
reply to aryoba
I'm on v12.4 so yes ZBF is in play, thank you. But can you link me to a cisco/non-cisco resource about 'changing from ZBF to CBAC' or give me a quick idea of what is involved? I have never seen the CLI command or SDM option to choose between classic and Zone-based firewall when configuring it...

Are the CRC errors on ATM interface likely due to the dropped packets?


authurmell

join:2012-07-18
united kingd
reply to authurmell
No one has mentioned the strict http inspection that may cause legit web pages not to load intermittently, for example I am getting Yahoo Mail issues:


Could it be that a reset action for strict-http is "too strict" and therefore affecting too many normal websites??? I can't get to the router to check the application settings at the moment, so is there a way to tell whether it is set to allow, alarm or reset just by looking at my extensive logs?

HELLFIRE
Premium
join:2009-11-25
kudos:21
reply to authurmell
Looks like it's a CBAC config with APPFW running.

The first things I'd check are as follows here

I also agree that your appfw may be a little TOO restrictive as follows :


Anything registering as Instant Message or P2P use of HTTP and the router will reset the connection.
Either set it all to allow / alarm as follows :


or shut it off entirely.

One other thing I'd check is if this is a DSL connection, you may want to check the MTU is set right.
I've seen the MTU be as low as 1380 to as high as 1494bytes. The least intrusive way to test this
is to pick a URL (preferably hosting a webpage) and ping with progressively larger packet sizes with
the DF bit set and see if packets get all the way through or not.

My 00000010bits.

Regards

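The DF-bit MTU test described above, written out as an added example that is not from the thread: a binary search over ICMP payload sizes, with the probe passed in so the search can be exercised against a fake. The real probe shells out to a Linux `ping` and assumes it accepts `-M do` (set DF) and `-s` (payload bytes); BSD and macOS ping use different flags.

```python
"""Path-MTU probe: DF-marked pings with progressively larger payloads.
Added example, not from the thread. Assumes a Linux `ping` that takes
`-M do` (set DF) and `-s` (payload bytes); BSD/macOS ping flags differ.
"""
import subprocess, sys

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo header


def ping_df(host, payload, timeout_s=2):
    """True if one DF-marked echo carrying `payload` bytes gets a reply."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), host]
    try:
        return subprocess.run(cmd, capture_output=True).returncode == 0
    except FileNotFoundError:  # no ping binary on this host
        return False


def largest_passing_payload(probe, lo=0, hi=1472):
    """Binary-search the largest payload in [lo, hi] that `probe` accepts.
    `probe` must be monotone (if N passes, everything below N passes).
    Returns -1 when even `lo` fails, so 'no path' is distinct from 'tiny MTU'.
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def payload_to_mtu(payload):
    """ICMP payload size -> the IPv4 MTU it implies (1472 -> 1500)."""
    return payload + ICMP_HEADER + IP_HEADER


def probe_path_mtu(host):
    """Run the search against a real host and report the MTU, or -1."""
    best = largest_passing_payload(lambda n: ping_df(host, n))
    return -1 if best < 0 else payload_to_mtu(best)


if __name__ == "__main__":
    print(probe_path_mtu(sys.argv[1] if len(sys.argv) > 1 else "www.example.com"))
```

A 1492-byte result is typical of a PPPoE DSL path; anything lower is worth comparing against the MTU configured on the router's dialer interface.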

authurmell

join:2012-07-18
united kingd

reply to HELLFIRE
thanks for the link and clearing up the type of firewall issue, it was always CBAC and then when the software was updated to v12 it was never changed to ZBF, so it's most definitely still CBAC.

With regards to the application http, am I right to think that the IM and P2P resets could be responsible for the partially downloaded yahoomail pages? I had initially assumed it was yahoo's fault:---> »help.yahoo.com/communiti ··· 492463a3

Now, if I shut off 'application http' or change it to allow/alarm, does it affect the other individual rules set under 'application im yahoo', 'application im aol' and 'application im msn'?

The line is supposed to be a 2MB SDSL, so do the MTU values you propose still apply?

HELLFIRE
Premium
join:2009-11-25
kudos:21
reply to authurmell
Reset would terminate the connection ENTIRELY rather than partially downloading an entire page, at least if you
were looking from a TCP perspective, so I suspect that's not the case.

If you shut off or change 'application http' it only affects the settings for 'application http.'

DSL is DSL so IIRC MTU still does apply. There was a really nice explanation of how MTU and DSL / ATM works in this
forum, I just don't recall the thread name or when it was posted.

Regards

aryoba
Premium,MVM
join:2002-08-22
kudos:6
said by HELLFIRE:

DSL is DSL so IIRC MTU still does apply. There was a really nice explanation of how MTU and DSL / ATM works in this forum, I just don't recall the thread name or when it was posted.

It should be available under this forum's FAQ


authurmell

join:2012-07-18
united kingd
okay thx, I'll get searching...


authurmell

join:2012-07-18
united kingd
reply to HELLFIRE
I noticed high cpu utilization which may explain the sloooow performance, so I hope someone can spot the culprit in these results because I can't; I have observed that Appfw IM DNS Res, IP Input and Collect Stat Counter processes have the highest cpu utilization BUT how do I still get 77% utilization? Am I missing something???

(show memory statistics, show process memory, show process cpu and show process cpu history:)


HELLFIRE
Premium
join:2009-11-25
kudos:21
reply to authurmell
2Mb line and your CPU's running THAT high?!

If you can, do a sh proc cpu sort | ex 0.00%__0.00%__0.00% and post that up.

I'd also get some graphs going of the DSL and LAN interfaces and see what the traffic loads are.

Regards


authurmell

join:2012-07-18
united kingd
okay will do... BTW does an application exist that presents cisco logs in diagram format, easily?? Anything to make it easier to digest...I know about grep but just can't find anything at all like 'log parser lizard.'

HELLFIRE
Premium
join:2009-11-25
kudos:21
When you say "presents cisco logs in diagram format" what exactly are you looking for? A graphical presentation of
the number of times an alert has occurred?

Regards


authurmell

join:2012-07-18
united kingd
yes please, pie charts, bar graphs, line, etc. for non-technical client representations...at the moment I make my own estimated diags.

I'm on summer hols right now and the client is just getting by with switching the router off/on whenever the above problems occur, but I will keep track of all suggestions to implement.

HELLFIRE
Premium
join:2009-11-25
kudos:21
reply to authurmell
Not aware of any off the top of my head. Others may chime in.

While there are log analyzers, there may not be one that will do what you're looking for.

Trying to get straight in my mind, you want to set up some sort of syslog where you're denying inbound packets,
and you want to get a graphical view of how many times X client is blocked? Is that what you're thinking?

Also while syslog is pretty handy, it's not the end all to all. SNMP performance graphs, and if possible NetFlow
traffic analysis is a really good idea, and those are easy enough to implement.

Just my 00000010bits

Regards
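The "how many times is client X blocked" tally discussed in the last two posts, as an added example that is not from the thread: it parses ACL-deny and CBAC-drop syslog lines, counts them per internal host and per destination port, and renders a text bar chart. The sample lines are constructed to resemble IOS `%SEC-6-IPACCESSLOGP` and `%FW-6-DROP_PKT` messages (ACL 104 is the list named in the thread); the exact wording of real messages varies by IOS release.

```python
"""Tally Cisco IOS deny/drop syslog lines per internal host and destination port.
Added example, not from the thread. SAMPLE_LOG is CONSTRUCTED to resemble the
IOS %SEC-6-IPACCESSLOGP (ACL deny) and %FW-6-DROP_PKT (CBAC drop) messages;
the exact text of real messages varies by IOS release.
"""
import re
from collections import Counter

# Matches "src(port) -> dst(port)" (ACL log) and "src:port => dst:port" (FW log).
FLOW_RE = re.compile(
    r"(?P<proto>tcp|udp|icmp)\s+(?:pkt\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})[:(](?P<sport>\d+)\)?\s*(?:->|=>)\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})[:(](?P<dport>\d+)"
)
DENY_WORDS = ("denied", "Dropping")

SAMPLE_LOG = """\
Aug 14 10:02:11.123: %SEC-6-IPACCESSLOGP: list 104 denied tcp 192.168.1.23(1350) -> 208.71.44.30(80), 1 packet
Aug 14 10:02:12.001: %FW-6-DROP_PKT: Dropping tcp pkt 192.168.1.23:1351 => 208.71.44.30:80 with ip ident 0
Aug 14 10:02:13.410: %SEC-6-IPACCESSLOGP: list 104 denied udp 192.168.1.57(4123) -> 10.9.8.7(53), 1 packet
Aug 14 10:02:14.002: %FW-6-DROP_PKT: Dropping tcp pkt 192.168.1.23:1352 => 64.4.11.42:80 with ip ident 0
Aug 14 10:02:15.000: %SEC-6-IPACCESSLOGP: list 104 permitted tcp 192.168.1.99(2000) -> 8.8.8.8(443), 1 packet
"""


def parse_deny(line):
    """Return (src, dst, dport) for a deny/drop line, None for anything else."""
    if not any(w in line for w in DENY_WORDS):
        return None
    m = FLOW_RE.search(line)
    return (m["src"], m["dst"], int(m["dport"])) if m else None


def tally(log_text):
    """Count denies per source host and per destination port."""
    by_src, by_port = Counter(), Counter()
    for line in log_text.splitlines():
        hit = parse_deny(line)
        if hit:
            by_src[hit[0]] += 1
            by_port[hit[2]] += 1
    return by_src, by_port


def bar_chart(counter, width=40):
    """Text bar chart of a Counter, for showing a non-technical client."""
    top = counter.most_common()
    peak = top[0][1] if top else 1
    return "\n".join(f"{k!s:>16} {'#' * (n * width // peak):<{width}} {n}" for k, n in top)
```

Running `print(bar_chart(tally(SAMPLE_LOG)[0]))` gives one `#` bar per internal host; feed it the router's real syslog capture instead of `SAMPLE_LOG` to find the hosts worth scanning first.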