Topic: Urgent - server unreachable

[GaryO]

Have a Dell Poweredge which has been running 5.6 for over a year without problem. In the last week it seems both NIC's have stopped responding - can't ping external or internal. Console manager is still up and running and the link lights flash away merrily but nothing.
Anyway, frustrated I started afresh with 6.0, didn't do a restore incase I restored some corruption. Worked fine but last night, bang, exactly the same thing. I'm tending to thing it's a hardware glitch of some sort but if someone can tell me which logs to look at to trace this problem would be much appreciated.

[verhoem]

Can be a lot of different causes.
Tried arp -a to see if a least network is responding ?
Tried booting from p.e. knoppix to see if networkcard are functioning properly.
Look at /var/log/messages* for nic messages by
grep -i nic /var/log/messages*

Good luck !

[wyron]

I'm afraid your MoBo is to blame.
Please everybody, don't stop offering second opinions on account of me, I only remember the same thing happening a couple of years back, and a mobo replacement took care of things.

[GaryO]

Couldn't read the messages file - was too big! Deleted it, rebooted and saw the following message with different src IP addresses filling the log up - anyone explain what they are?

s1 kernel: denylog:IN=eth1 OUT= MAC=00:02:b3:d8:43:31:00:0b:fd:cf:52:63:08:00 SRC=65.29.53.182 DST=212.240.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=43405 PROTO=UDP SPT=41714 DPT=4662 LEN=32

[verhoem]

Hi,

I am not a firewall (iptables) guru, but it looks like a systeem attached to your Eth1 interface is doing a lot of broadcasts, is the source ipadres familiar to you ? Try to disconnect this systeem. I'm very interested I the come, please reply

[GaryO]

The source IP is always different, the log now is absolutely huge. Our leased line has just failed again - been unstable over the last few days - maybe the two incidents are connected somehow?

[Anonymous]

is eth1 connected to your leases line router ?

[RichardS]

Hmm, if i look at your log entry

s1 kernel: denylog:IN=eth1 OUT= MAC=00:02:b3:d8:43:31:00:0b:fd:cf:52:63:08:00 SRC=65.29.53.182 DST=212.240.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=43405 PROTO=UDP SPT=41714 DPT=4662 LEN=32

and the fact that you say that the "link lights flash away merrily" there is the possibility that your computer or an computer connected to it is running an edonkey or overnet P2P filesharing program. The entry "DPT=4662" (DPT = DesTination Port)points to it. I asume that the DPT is always the same ? Any "naughty" users at your location ?


RichardS