I started to monitor my Cisco c6006 running catos ver 8.2(1) and ower Cisco css11000 contentswitches this week.
It begin with my css11000 in redundent mode, failed over to the other css11000.
Than one of my c6006 in full production booted with no logging entry, just like power outage!!!!!
Than my second c6006 on another UPS and all the regular staff rebooted 8 hour later.
Both show two line in 3 seconds with this on the syslog, 10 and 51 min before they rebooted.
2005 Oct 19 "time" +01.00 %TCP-2-TCP_MAXESTABLISHED:Possible TCP ACK attack. Maximum established connection limit 32 reached. Will drop unused connection
The short time i used jffnms on the c6006 i was realy happy with it.
I think this is the telnet and ssh monitor part in jffnms show a bug in the Cisco catos release.
tanks
Christer
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
JFFNMS uses NMAP for TCP port discovery.
Your Cisco may be reacting to that.
You can disable Autodiscovery for your host if you want, or disable TCP Port autodiscovery in the complete system.
And as you said, we also connect to whatever open port NMAP founds every 5 minutes to check if its still open. You can disable that too.
You should report this incidents to Cisco TAC.
Javier
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
hello
I started to monitor my Cisco c6006 running catos ver 8.2(1) and ower Cisco css11000 contentswitches this week.
It begin with my css11000 in redundent mode, failed over to the other css11000.
Than one of my c6006 in full production booted with no logging entry, just like power outage!!!!!
Than my second c6006 on another UPS and all the regular staff rebooted 8 hour later.
Both show two line in 3 seconds with this on the syslog, 10 and 51 min before they rebooted.
2005 Oct 19 "time" +01.00 %TCP-2-TCP_MAXESTABLISHED:Possible TCP ACK attack. Maximum established connection limit 32 reached. Will drop unused connection
The short time i used jffnms on the c6006 i was realy happy with it.
I think this is the telnet and ssh monitor part in jffnms show a bug in the Cisco catos release.
tanks
Christer
JFFNMS uses NMAP for TCP port discovery.
Your Cisco may be reacting to that.
You can disable Autodiscovery for your host if you want, or disable TCP Port autodiscovery in the complete system.
And as you said, we also connect to whatever open port NMAP founds every 5 minutes to check if its still open. You can disable that too.
You should report this incidents to Cisco TAC.
Javier