What is the cpu's running at now , if it's still high then you may have not gotten all the bad guys .
You can use Netflow on the interfaces to see who is doing what ,like one address going to many different addresses etc . This was our main troubleshooting tool during the Nachi outbreak during the summer .
I used the logging function on the access point, in this case it was a FW, to help pin point the badies which still had the Nachi virus on the inside LAN. This may not be an ideal solution as the routers are already under pressure, however check the CPU again and it may provide a method to mop up the straglers.
I wouldn't think the router should run out of memory just from throughput alone. Are these your edge routers having the problem? Maybe your taking on a lot more routes than before.
Baddos.. you might think not but various things can kill a router under a very heavy load. Several version of Cisco IOS has a bug that under heavy loads of small packets such as a Citrix/MetaFrame farm will die with buffer errors. You will see a very high discard rate of small buffers and after a period of time, the router stops routing.
NAT is a second error prone piece of code. Having a router with a large number of EIGRP routes in memory can kill it.
These are all examples that I have run into over the last few years. It can take alot to kill a router but it's doable.
The easiest way to find the Nachi virus is to look at your NAT tables. I had one computer infected with it, and in a day or so my router was bogged down with about 40,000 ICMP NAT entries from a single address.
show ip nat stat
show ip nat trans
Anyways, I am assuming you do the "show proc mem" command? That should tell you where all the memory is being allocated to on the router. A "show proc cpu" will also give you hints. That is all assuming you are not using some sort of management software to monitor.
If it is your NAT, then simply trace the infected computers by the IP addresses. If you ever want to flush the dynamic NAT table, use the "clear ip nat trans*" command.
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.