How to detect a router dropping connections...

Carter Bullard carter at qosient.com
Fri Sep 5 10:53:18 EDT 2003


Hey Réal,
Argus provides some support for this type of problem.
Because argus is a bi-directional flow monitor, it is
basically a connectivity monitor.  Each argus record
has the connectivity status of the flow that is
being reported, and using ra() you can pick out records
that have problems with connectivity.

When a router cannot forward traffic, it may send an
ICMP Unreachable message back to the initiator.  Argus
will use ICMP messages in its connectivity status logic,
and indicate if a router is rejecting the flow, or if it
cannot support the route of a flow.  There are about 8-10
informational ICMP messages, and argus preserves the
semantics of all of these messages, such as reporting
the router that send it, etc...

Using these two properties of argus, you can at least
detect when a router goes away, and if it goes away
because of a reported unreachable condition.  Using ra(),
the "ICMP mapped to this flow" indicator is the 'I', and
using tools like raxml() you can read the exact condition
that the router complained about.

So, ..., use ra() to grab flows from an argus that can
see the complainers machine, and look to see if there
are any 'I' indicators.  In the status field (last
field to the right) you will see the UN* indication,
where the 3rd letter will indicate if its host unreachable,
network unreachable, filter problem, etc....  In many
cases that is enough to tell you if the router just
got a bad route from a peer, or if the output interface
is down, etc...

Records that just don't have any replies in them help
to isolate what traffic is having problems, and ra() has
filter keywords like "con" and "not con" that help you
to find records where there is or isn't connectivity.
Finding the starting point of when connectivity is lost
in many ways is 50% of the solution, as you may be able
to correlate the loss of connectivity with some network
event (reconfiguration, on the hour events) that you
are aware of.

This is just a beginning, as there are a lot of things
you can do, such as when you have multiple argi in a
network, that allow you to isolate problems.  With
multiple argi you can do reachability testing (A sent
a packet, did B receive it?), which helps you to isolate
errors.

If there is more that I can help you with, don't hesitate
to send mail to the list!!!

Carter


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Real Melancon
> Sent: Thursday, September 04, 2003 7:37 PM
> To: <
> Subject: How to detect a router dropping connections...
>
>
> Hello List,
>
> We have a router doing some weird things , and people started
> complaining
> about dropped connections, etc... but only at specific times.
>
> This afternoon I could ping the box, but i was unable to
> telnet to it  !
>
> Is there a way to identify  or isolate the problem with argus data ?
>
> Thanks !
>
>
>
> --------------------------------------------------------------
> ------------------
> Réal Melançon.
> Unix/Telecomm. Administrator
> Uniboard Canada (http://www.uniboard.com)
> 3080 Boul. Le Carrefour
> Laval (Québec)  H7T 2R5
> Tél./Phone: 450-973-1001 (poste 2252)
> Fax: 450-682-0550
> Courrier électronique/E-mail: real.melancon at uniboard.com
> Assistance TI / IT Support: 1-877-775-0016
> / supportti at uniboard.com
> --------------------------------------------------------------
> ------------------
>
>






More information about the argus mailing list