Netvanta 1335 getting hammered by 100% CPU, seems to be related to ntpd
mr.duck Jan 12, 2017 12:12 PM
Howdy, I'm looking for a way to bidirectionally pass all traffic to/from our inside VLAN1 (the 10.10.10.x lan) and VLAN 2 (which has public IP addresses from an advertised /26) to our upstream provider on VLAN21, but get rid of traffic which is saturating our cpu, probably on port 123.
Until a few days ago everything was working well, then our old 1335 died (power supply has totally failed, no lights, no fan, after 4 continuous years powered up.) Our upstream IP service is 50Mbit, shared by a bunch of users in our building, each of which has a static IP assigned by me personally. One inside computer (on port 0/2) is manually assigned x.x.x.67, which I use to access the Netvanta when needed.
Fortunately we have a spare Netvanta 1335, which came up fine. We upgraded the firmware to R11.10.6.E.
Symptom is that after several hours of normal use, the Netvanta CPU use goes to 100% and it becomes impossible to even telnet locally, and of course service to/from the big world goes almost totally dead (although once in a while a packet gets through.)
When this occurs, the command
#show processes cpu
indicates that ntpd is using 70%+ of the cpu. If I unplug the CAT6 cable to our fiber interface, that drops to 0 and I can at least access the Netvanta locally.
This seems to indicate that we are under some sort of DDoS attack.
If I disable the sntp server (#no ip sntp server) then the problem seems to go away, although, of course we haven't got a way to sync the Netvanta clock to time.nist.gov. 'show processes cpu' then does not even show an entry for ntpd, which is what I would expect.
Strangely, I did this yesterday, but after about 8 hours, the problem recurred and 'show processes cpu' again showed that ntpd was running and getting hammered, which I really don't understand.
What I want is to have the Netvanta sync its time but NOT act as a time server at all, and to drop all ntp traffic coming from the outside, but pass all other traffic. I do not know how to do this.
You will note that in the config file I have pasted below there is no firewall active and I have an entry for VLAN100 which is unused and could go away.
Your help is much appreciated. (feel free to trash my amateur config efforts, btw..)
/Mr. Duck
(config below, passwords, IP addresses are XXed out)
------------------
!
!
! ADTRAN, Inc. OS version R11.10.6.E
! Boot ROM version 15.01.B1
! Platform: NetVanta 1335, part number 1700515E2
! Serial number L...........AC810
!
!
hostname "something"
enable password somecrappypassword
!
!
clock timezone -5-Eastern-Time
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip routing
!
!
name-server 4.2.2.2 4.2.2.1
!
no ip route-cache express
!
no auto-config
!
event-history on
no logging forwarding
no logging email
!
no service password-encryption
!
username "admin" password "someotherpassword"
!
ip firewall stealth
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
vlan 1
name "Default"
!
vlan 2
name "Internal x.x.x.x/26"
!
vlan 21
name "Outside trunk stuff"
!
vlan 100
name "VLAN0100"
!
!
interface switchport 0/1
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/2
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/3
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/4
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/5
no shutdown
!
interface switchport 0/6
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/7
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/8
no shutdown
!
interface switchport 0/9
no shutdown
!
interface switchport 0/10
no shutdown
!
interface switchport 0/11
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/12
no shutdown
!
interface switchport 0/13
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/14
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/15
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/16
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/17
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/18
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/19
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/20
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/21
no shutdown
!
interface switchport 0/22
no shutdown
!
interface switchport 0/23
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/24
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
!
interface gigabit-switchport 0/1
no shutdown
!
interface gigabit-switchport 0/2
description WAN
speed 100
spanning-tree bpdufilter enable
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport access vlan 21
no lldp send-and-receive
!
!
interface vlan 1
ip address 10.10.10.1 255.255.255.0
ip access-policy Private
! IPv4 access-policy will not be used until IPv4 firewall is enabled
ip route-cache express
no shutdown
!
interface vlan 2
description internal
ip address x.x.x.65 255.255.255.192
no ip route-cache express
no shutdown
!
interface vlan 21
ip address out.side.fiber.ip 255.255.255.252
ip access-policy Public
! IPv4 access-policy will not be used until IPv4 firewall is enabled
no awcp
no ip route-cache express
no shutdown
!
interface vlan 100
ip address x.x.x.100 255.255.255.254
no ip route-cache express
no shutdown
!
!
ip access-list standard admin-access
permit host x.x.x.67
permit host 10.10.10.2
permit host x.x.x.68
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended admin
!
ip access-list extended "external stuff on .67"
permit ip any host x.x.x.67 log
!
ip access-list extended self
remark Traffic to Netvanta
permit ip any any log
!
ip access-list extended web-acl-6
remark Allow
permit ip any host x.x.x.67
!
ip access-list extended wizard-pfwd-1
remark Port Forward 1
permit tcp any host out.side.fiber.ip log
!
!
ip policy-class Allow
allow list web-acl-6 policy "Allow x.x.x.67" stateless
!
ip policy-class Allow-x.x.x.67
allow list web-acl-6 policy "Allow x.x.x.67" stateless
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface vlan 21 overload
!
ip policy-class Public
nat destination list wizard-pwfd-1 address 10.10.10.2
!
!
ip route 0.0.0.0 0.0.0.0 out.side.fiber.ip-1
!
no tftp server
no tftp server overwrite
http server
no http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
http ip access-class admin-access in
http ip secure-access-class admin-access in
!
sip udp 5060
sip tcp 5060
!
line con 0
login
!
line telnet 0 4
login
password root2001
no shutdown
ip access-class admin-access in
line ssh 0 4
login local-userlist
shutdown
ip access-class admin-access in
!
end
---------
(config ends above the dashes)
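As an added example (not from the original post and not ADTRAN code), here is a small Python classifier for payloads captured on UDP/123 at the outside interface: it sorts each packet by NTP mode and, for mode-7 "private" packets, by request code, so you can see whether the traffic keeping ntpd busy is ordinary client polls or monlist-style reflection probes. The packet capture and the sample packets are constructed assumptions.

```python
"""Classify raw NTP payloads (UDP/123) so an admin can tell legitimate
client sync requests apart from reflection-abuse probes that keep ntpd busy."""
from collections import Counter

# Mode-7 request codes that NTP reflection abuse relies on (monlist)
MODE7_REQ_NAMES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}
MODE_NAMES = {1: "sym-active", 2: "sym-passive", 3: "client", 4: "server",
              5: "broadcast", 6: "control", 7: "private"}

def classify_ntp(payload: bytes) -> str:
    """Return a label for one UDP/123 payload based on its NTP header.

    Byte 0 packs LI(2) | VN(3) | Mode(3). Mode-7 packets additionally carry
    the implementation number in byte 2 and the request code in byte 3.
    """
    if len(payload) < 4:
        return "malformed"
    mode = payload[0] & 0x07
    if mode == 7:
        req = payload[3]
        if req in MODE7_REQ_NAMES:
            return f"private/{MODE7_REQ_NAMES[req]}"  # monlist-style probe
        return f"private/req{req}"
    if mode == 6:
        return "control"
    if mode in (1, 2, 3, 4, 5) and len(payload) < 48:
        return "malformed"  # standard NTP packets are at least 48 bytes
    return MODE_NAMES.get(mode, f"mode{mode}")

def tally(packets):
    """Count (source, class) pairs; packets is an iterable of (src_ip, payload)."""
    counts = Counter()
    for src, payload in packets:
        counts[(src, classify_ntp(payload))] += 1
    return counts

# Constructed sample traffic (not a real capture): one genuine client poll
# (48-byte header, LI=0 VN=4 mode=3) and repeated mode-7 monlist probes
# from one source, the shape that reflection abuse takes.
CLIENT_POLL = bytes([0x23]) + bytes(47)
MONLIST_PROBE = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)
SAMPLE = [("203.0.113.10", CLIENT_POLL)] + [("198.51.100.7", MONLIST_PROBE)] * 5

if __name__ == "__main__":
    for (src, kind), n in sorted(tally(SAMPLE).items()):
        print(f"{src:16} {kind:24} {n}")
```

A source that sends many mode-7 or control packets and no normal client polls is the one to filter at the edge, while the device's own outbound client polls (mode 3) to the upstream time server are unaffected.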