Issue Description
AR28-80 is attached with S3026 and S6503 which are for access of users. When problem occurs, user services do not communicate; log into AR28-80, and type the command, but the equipment respond very slowly.
Alarm Information
Execute dis cpu command to check the CPU utilization of VSIF process, and it reaches 98%.
Handling Process
1. Shut down the equipment connecting to ports of AR28-80 one by one. Once S3026 is shut, services recover. So it is made sure that the network segment connecting with S3026 fails.
2. According to checkup for ports of S3026, there is little broadcast packet, so the problem is not arising from L2 loop.
3. A great deal of multicast packets are found at three ports. Mirror one of the port, and a great deal of multicast packets are found, with destination port as 1434. Terminals under the three ports are installed with SQL Server 2000. Check the specific version of SQL Server 2000, and SQL Server 2000 is not installed with patch.
4. Disable port 1434 at AR28-80, and install the latest patch for SQL Server 2000, solving the problem.
Root Cause
The possible reasons include:
1. Loop.
2. Attack.
3. Virus.
Suggestions
For equipment at access layer that supports ACL, it should be configured with ACL against virus.
