

Finding the station/IP using/abusing most of the bandwidth – PIX/ASA

Here is a short how-to I wrote some (well, long) time ago for the newcomers to our department. It was written for the PIX, but applies to the ASA as well in most cases; see the ASA notes for the differences.
Usually it starts with a client complaining about slow Internet, or that users already on the network are fine but new ones cannot connect; sometimes the PIX crashes periodically (every few hours, depending on the case); seldom, the client directly asks which station in the LAN is bombarding the PIX with connections.
Here are the steps to find out what is going on:
 
1) It is always worth knowing the current state of the PIX first: lots of connections consume lots of memory,
and memory exhaustion is what eventually causes the crashes and the slow processing.
 
 Mambo# show memory
Free memory:        42557840 bytes
Used memory:        24551024 bytes
-------------     ----------------
Total memory:       67108864 bytes
 
2) As you may know, the PIX is a NAT device: every connection (outbound or inbound)
passes through NAT translation, which creates an xlate entry (in IOS this is called the
NAT table). With PAT every connection gets its own xlate, as in the per-host output further down; with one-to-one dynamic NAT a single xlate covers all connections of a host, so in that case the conn count below is the better indicator. (ASA note: on the ASA, and on PIX 7.x and later, NAT can be made optional with `no nat-control`, and the appliance can also run in transparent mode, so the xlate count may be far lower than the number of connections.)
 
Mambo# show xlate count
1613 in use, 5246 most used
; On an abused PIX you would see tens of thousands of xlate entries, e.g. 55550
 
; Beyond the xlate entry, every connection creates a conn entry in PIX memory for stateful
; inspection. To see their count use:
 
Mambo# show conn count
5271 in use, 34824 most used
 
; The next command shows on which interface there is more traffic, to tell which side of the PIX is being attacked (or which side the abusing station sits on). The packet and byte counters are cumulative since the last `clear traffic`, so the per-second figures are long-term averages; for a current picture run `clear traffic`, wait a minute and run `show traffic` again.
 
Mambo# show traffic
outside:
        received (in 980818.730 secs):
                1113941822 packets      498552059 bytes
                1004 pkts/sec   0 bytes/sec
        transmitted (in 980818.730 secs):
                1170564303 packets      2054434346 bytes
                1000 pkts/sec   2002 bytes/sec
inside:
        received (in 980818.730 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 980818.730 secs):
                76 packets      4560 bytes
                0 pkts/sec      0 bytes/sec
dmz:
        received (in 980818.730 secs):
                186616723 packets       3287127501 bytes
                1 pkts/sec      3001 bytes/sec
        transmitted (in 980818.730 secs):
                196403614 packets       1465915834 bytes
 
Now the main part: how to find out which IP is abusing the resources. The `include` filter keeps only the per-host lines we care about:
 
 
Mambo#  show local-host  |  incl host|count|embryonic
 
local host: <10.10.1.142>, conn(s)/limit = 0/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.53>, conn(s)/limit = 106/0
            embryonic(s)/limit = 106/0, incomplete(s) = 0
local host: <10.10.1.205>, conn(s)/limit = 14/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.191>, conn(s)/limit = 4/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.193>, conn(s)/limit = 4/0
            embryonic(s)/limit = 1/0, incomplete(s) = 0
...
local host: <10.10.1.36>, conn(s)/limit = 22/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.180>, conn(s)/limit = 1/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
 
Legend:

local host          :  local IP of the station in the LAN
conn(s)/limit       :  number of conn entries (connections) for this host and the configured per-host limit (0 = no limit)
embryonic(s)/limit  :  number of embryonic (half-open TCP) connections for this host and their limit (0 = no limit)

Looking at this output we can easily find the station with the most connections. The embryonic column tells you what kind of abuse it is: a host whose embryonic count is close to its conn count (10.10.1.53 above, 106 of 106 half-open) is almost certainly scanning or SYN-flooding, typically a worm-infected machine, while a host with many fully established connections and few embryonic ones is more likely a P2P client or a heavy downloader.
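When the list runs to hundreds of hosts, reading it by eye stops working. As an added example (my own code, not part of the original how-to), here is a small Python script that parses pasted `show local-host` output, ranks hosts by connection count, and flags the ones whose connections are mostly half-open. The sample output embedded in it is constructed to match the format shown above; the thresholds (20 connections, 40% embryonic) are my own choice, not values from the PIX.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "show local-host" format shown in this post.
# Addresses and counts are made up for the example, not captured from a real box.
SAMPLE_OUTPUT = """\
local host: <10.10.1.142>, conn(s)/limit = 0/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.53>, conn(s)/limit = 106/0
            embryonic(s)/limit = 106/0, incomplete(s) = 0
local host: <10.10.1.205>, conn(s)/limit = 14/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.191>, conn(s)/limit = 4/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.19>, conn(s)/limit = 105/0
            embryonic(s)/limit = 45/0, incomplete(s) = 0
local host: <10.10.1.36>, conn(s)/limit = 22/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
"""

# First line of each host record: address, conn count and configured limit.
HOST_RE = re.compile(r"local host:\s*<([\d.]+)>,\s*conn\(s\)/limit\s*=\s*(\d+)/(\d+)")
# Second line: embryonic (half-open) count and limit, plus the incomplete count.
EMB_RE = re.compile(r"embryonic\(s\)/limit\s*=\s*(\d+)/(\d+),\s*incomplete\(s\)\s*=\s*(\d+)")


@dataclass
class LocalHost:
    ip: str
    conns: int
    conn_limit: int
    embryonic: int = 0
    embryonic_limit: int = 0
    incomplete: int = 0

    @property
    def embryonic_ratio(self) -> float:
        """Share of this host's connections that are still half-open."""
        return self.embryonic / self.conns if self.conns else 0.0


def parse_local_hosts(text: str) -> list[LocalHost]:
    """Parse the two-line-per-host records of 'show local-host' into objects."""
    hosts: list[LocalHost] = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            current = LocalHost(m.group(1), int(m.group(2)), int(m.group(3)))
            hosts.append(current)
            continue
        m = EMB_RE.search(line)
        if m and current is not None:
            current.embryonic = int(m.group(1))
            current.embryonic_limit = int(m.group(2))
            current.incomplete = int(m.group(3))
    return hosts


def top_talkers(hosts: list[LocalHost], n: int = 5) -> list[LocalHost]:
    """Hosts holding the most conn entries, busiest first."""
    return sorted(hosts, key=lambda h: h.conns, reverse=True)[:n]


def suspect_scanners(hosts: list[LocalHost], min_conns: int = 20,
                     min_ratio: float = 0.4) -> list[LocalHost]:
    """Hosts whose connections are mostly half-open: a scanner or worm rather
    than a downloader. Thresholds are an assumption for this example."""
    return [h for h in hosts
            if h.conns >= min_conns and h.embryonic_ratio >= min_ratio]


if __name__ == "__main__":
    parsed = parse_local_hosts(SAMPLE_OUTPUT)
    print("Top talkers:")
    for h in top_talkers(parsed):
        print(f"  {h.ip:15} conns={h.conns:4} embryonic={h.embryonic:4}"
              f" ({h.embryonic_ratio:.0%} half-open)")
    print("Likely scanners:", [h.ip for h in suspect_scanners(parsed)])
```

Paste the real `show local-host` output into `SAMPLE_OUTPUT` (or read it from a file) and the script gives you the candidates for `sh local-host <ip>` and, if it comes to that, `shun`. Hosts that are busy but not half-open heavy are still worth a look, since a bandwidth hog does not need many embryonic connections.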
 
Next, to get more information on a specific host (if needed):
 
 Mambo#  sh local-host 10.10.1.19
Interface Inside: 73 active, 96 maximum active, 0 denied
local host: <10.10.1.19>, conn(s)/limit = 105/0
            embryonic(s)/limit = 45/0, incomplete(s) = 0
  AAA:
  Xlate(s):
    PAT Global 216.163.137.3(40901) Local 10.10.1.19(3653)
    PAT Global 216.163.137.3(30938) Local 10.10.1.19(1439)
    PAT Global 216.163.137.3(61195) Local 10.10.1.19(3815)
    PAT Global 216.163.137.3(39325) Local 10.10.1.19(2387)
    PAT Global 216.163.137.3(12515) Local 10.10.1.19(1043)
    PAT Global 216.163.137.3(21891) Local 10.10.1.19(2368)
    ...
 
    PAT Global 216.163.137.3(64086) Local 10.10.1.19(4928)
; NOTE: here 216.163.137.3 is the IP of the outside interface of the PIX, i.e. the PAT address; the ports in brackets on the right are the station's source ports, the ones on the left the PAT ports the PIX picked.
 
To temporarily block a station (it will not be able to create new connections, and its existing ones are dropped; the shun is not part of the saved configuration, so it stays active until you remove it or until the next reboot):
  Mambo#  shun 10.10.1.19
To see active shuns:
  Mambo#  show shun
To remove the shun:
  Mambo#  no shun 10.10.1.19
A shun is a stopgap. The lasting fix is a per-host connection and embryonic limit, so one infected or misbehaving station cannot exhaust the box again: on the PIX the `max_conns` and `emb_limit` arguments of `nat`/`static`, on the ASA (and PIX 7.x) `set connection per-client-max` and `per-client-embryonic-max` in a policy-map class.
Personal NOTE: Such a call is a sure sign of disorganised/amateurish network administration. And it always starts with the key phrase "Your line is down, we have no Internet". On my answer, after I look at the MRTG graphs of the client line and see 100% usage, that "Of course, you are using up all your bandwidth", they reply "It is impossible, can you tell me who is abusing the line?" While I could spend 10 minutes explaining to this 'sysadmin' that the PIX/ASA/etc. is not a statistics/monitoring device and other solutions exist for that and MRTG is free etc., I usually give up on them, save myself the 10 minutes, and just give them what they want. In the next post I will write about doing the same on a Cisco router.

Posted in ASA/PIX Cisco, Cisco.

