Finding the station/IP using/abusing most of the bandwidth – PIX/ASA
Here is a short how-to I wrote some (well, long) time ago for the newcomers to our department. It was written for the PIX, but applies to the ASA as well in most cases; see the ASA notes for the differences.

Usually it starts with a client complaining about slow Internet, or that users already working in the net are fine but new ones cannot connect; sometimes the PIX crashes periodically (depending on the case, every few hours); seldom, but it happens, the client directly asks which station in the LAN is bombarding the PIX with connections. Here are the steps to see what is going on:

1) It is always worth knowing the current state of the PIX: lots of connections consume lots of memory, and this in the end causes crashes or slow processing.

```
Mambo# show memory
Free memory: 42557840 bytes
Used memory: 24551024 bytes
------------- ----------------
Total memory: 67108864 bytes
```
2) As you may know, the PIX is a NAT machine: every connection (outbound or inbound) must pass NAT translation, and every connection creates an xlate entry (in IOS this is called the NAT table). (ASA note: you may disable NAT, not to mention that the ASA may work in transparent mode.)

```
Mambo# show xlate count
1613 in use, 5246 most used
```

On an abused PIX you would see tens of thousands of xlate entries, e.g. 55550.

Beyond the xlate entry, every connection creates a conn entry in PIX memory to enable stateful inspection; to see their count use:
```
Mambo# show conn count
5271 in use, 34824 most used
```

The next command shows on which interface there is more traffic, so you know which side of the PIX is being attacked:

```
Mambo# show traffic
outside:
        received (in 980818.730 secs):
                1113941822 packets      498552059 bytes
                1004 pkts/sec   0 bytes/sec
        transmitted (in 980818.730 secs):
                1170564303 packets      2054434346 bytes
                1000 pkts/sec   2002 bytes/sec
inside:
        received (in 980818.730 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 980818.730 secs):
                76 packets      4560 bytes
                0 pkts/sec      0 bytes/sec
dmz:
        received (in 980818.730 secs):
                186616723 packets       3287127501 bytes
                1 pkts/sec      3001 bytes/sec
        transmitted (in 980818.730 secs):
                196403614 packets       1465915834 bytes
```

Now the main part: how to find out which IP is abusing the resources.

```
Mambo# show local-host | incl host|count|embryonic
local host: <10.10.1.142>, conn(s)/limit = 0/0
        embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.53>, conn(s)/limit = 106/0
        embryonic(s)/limit = 106/0, incomplete(s) = 0
local host: <10.10.1.205>, conn(s)/limit = 14/0
        embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.191>, conn(s)/limit = 4/0
        embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.193>, conn(s)/limit = 4/0
        embryonic(s)/limit = 1/0, incomplete(s) = 0
...
local host: <10.10.1.36>, conn(s)/limit = 22/0
        embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.180>, conn(s)/limit = 1/0
        embryonic(s)/limit = 0/0, incomplete(s) = 0
```
Legend:
local host: local IP of the station in the LAN
conn(s)/limit: number of conn entries (connections) for this IP and their limit, if one is set
embryonic(s)/limit: number of embryonic (half-open) connections to this IP and their limit

Looking at this output we can easily find the station with the most connections.
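As an added example (not part of the original how-to), a small Python script that parses saved `show local-host` output in the format shown above, ranks stations by connection count and flags those whose connections are mostly embryonic (half-open), which points to a scanner or SYN-flood source rather than a busy but legitimate downloader. The embedded sample is constructed from the lines above, and the 50-connection / 50% thresholds are assumptions to tune per site.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the `show local-host | incl host|count|embryonic`
# output above (not a real capture).
SAMPLE_OUTPUT = """\
local host: <10.10.1.142>, conn(s)/limit = 0/0
        embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.53>, conn(s)/limit = 106/0
        embryonic(s)/limit = 106/0, incomplete(s) = 0
local host: <10.10.1.205>, conn(s)/limit = 14/0
        embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.36>, conn(s)/limit = 22/0
        embryonic(s)/limit = 0/0, incomplete(s) = 0
"""

HOST_RE = re.compile(r"local host: <(?P<ip>[\d.]+)>, conn\(s\)/limit = (?P<conns>\d+)/(?P<limit>\d+)")
EMB_RE = re.compile(r"embryonic\(s\)/limit = (?P<emb>\d+)/(?P<limit>\d+), incomplete\(s\) = (?P<inc>\d+)")


def parse_local_hosts(text: str) -> List[dict]:
    """Pair each 'local host' line with the embryonic line that follows it."""
    hosts: List[dict] = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            current = {"ip": m["ip"], "conns": int(m["conns"]), "embryonic": 0, "incomplete": 0}
            hosts.append(current)
            continue
        m = EMB_RE.search(line)
        if m and current is not None:
            current["embryonic"] = int(m["emb"])
            current["incomplete"] = int(m["inc"])
    return hosts


def top_talkers(text: str, n: int = 3) -> List[Tuple[str, int, int]]:
    """Stations ranked by connection count, as (ip, conns, embryonic)."""
    hosts = sorted(parse_local_hosts(text), key=lambda h: h["conns"], reverse=True)
    return [(h["ip"], h["conns"], h["embryonic"]) for h in hosts[:n]]


def suspicious_hosts(text: str, min_conns: int = 50, emb_ratio: float = 0.5) -> List[str]:
    """Stations with many connections of which at least emb_ratio are half-open (assumed thresholds)."""
    return [h["ip"] for h in parse_local_hosts(text)
            if h["conns"] >= min_conns and h["embryonic"] >= emb_ratio * h["conns"]]
```

Feed it the saved output of the command (e.g. from a terminal log) rather than eyeballing hundreds of lines; the half-open check is what separates a station downloading a lot from one that is bombarding the PIX with connection attempts.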
Next, to get more info on a specific station (if needed):

```
Mambo# sh local-host 10.10.1.19
Interface Inside: 73 active, 96 maximum active, 0 denied
local host: <10.10.1.19>, conn(s)/limit = 105/0
        embryonic(s)/limit = 45/0, incomplete(s) = 0
AAA:
Xlate(s):
PAT Global 216.163.137.3(40901) Local 10.10.1.19(3653)
PAT Global 216.163.137.3(30938) Local 10.10.1.19(1439)
PAT Global 216.163.137.3(61195) Local 10.10.1.19(3815)
PAT Global 216.163.137.3(39325) Local 10.10.1.19(2387)
PAT Global 216.163.137.3(12515) Local 10.10.1.19(1043)
PAT Global 216.163.137.3(21891) Local 10.10.1.19(2368)
...
PAT Global 216.163.137.3(64086) Local 10.10.1.19(4928)
```

NOTE: here 216.163.137.3 is the IP of the outside interface of the PIX.
To temporarily block a station (it will not be able to create new connections and its existing ones will be deleted; the block stays active until the next reboot):

```
Mambo# shun 10.10.1.19
```

To see active shuns:

```
Mambo# show shun
```

To disable the shun:

```
Mambo# no shun 10.10.1.19
```
Personal NOTE: Such a call is a sure sign of disorganized network administration. And it always starts with the key phrase "Your line is down, we have no Internet". When I look at the MRTG graphs of the client line, see 100% usage and answer "Of course, you are using up all your bandwidth", they reply "It is impossible, can you tell me who is abusing the line?" While I could spend 10 minutes explaining to this sysadmin that the PIX/ASA/etc. is not a statistics/monitoring device, that other solutions exist for that, that MRTG is free, etc., I usually give up on them, save myself the 10 minutes and just give them what they want. In the next post I will write about doing the same on a Cisco router.
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.