Steps for reviewing data on the TCP queues
This topic provides the steps to be taken to determine whether data accumulated on the queues for TCP connections is contributing to a storage problem. The steps to be taken depend on whether you are using the intrusion detection services (IDS) and, if you are using IDS, how you have IDS configured.
Procedure
Complete the steps under the first bullet that describes your configuration:
- If you are using IDS, and you have IDS TCP Queue Size attack detection enabled, and your IDS policy for the TCP Queue Size attack type indicates that connections should be reset, then TCP connections with excessive or old data accumulated on their queues are automatically reset. Data accumulated on TCP queues should not be contributing to the storage problem. Proceed to Step 3 in Steps for reviewing a storage problem.
- Complete the following steps if you are using IDS, and you have IDS TCP Queue Size attack detection enabled, and your IDS policy for the TCP Queue Size attack type indicates that events should be logged to the system console:
  1. Look for console message groups that begin with message EZZ8761I and that indicate an event type of TCP Queue Constrained on message EZZ8762I. This message group indicates that the TCP connection identified by messages EZZ8764I and EZZ8765I had excessive or old data accumulated on one of its queues. The following is an example of this message group:

         EZZ8761I IDS EVENT DETECTED
         EZZ8730I STACK TCPCS3
         EZZ8762I EVENT TYPE: TCP QUEUE CONSTRAINED
         EZZ8763I CORRELATOR 21 - PROBEID 040A0001
         EZZ8764I SOURCE IP ADDRESS 4.4.4.4 - PORT 301
         EZZ8765I DESTINATION IP ADDRESS 3.3.3.3 - PORT 300
         EZZ8766I IDS RULE TCPQueSz
         EZZ8767I IDS ACTION QueSzAction

     The correlator value in message EZZ8763I identifies a unique instance of excessive or old data accumulated on a queue for a TCP connection. When the excessive or old data is removed from the queue, a similar message group that indicates an event type of TCP Queue Unconstrained on message EZZ8762I is issued. The same correlator value is used in the message group for this TCP Queue Unconstrained event as was used in the corresponding message group for the TCP Queue Constrained event.
     - If none of these message groups have been issued, the data accumulated on TCP queues is not contributing to the storage problem. Proceed to Step 3 in Steps for reviewing a storage problem.
     - If these message groups have been issued, then go to Step 2.
  2. For each TCP Queue Constrained message group located in step 1, look for a console message group that begins with message EZZ8761I and that indicates an event type of TCP Queue Unconstrained and includes the same correlator value as the TCP Queue Constrained message group. The following is an example of this message group:

         EZZ8761I IDS EVENT DETECTED
         EZZ8730I STACK TCPCS3
         EZZ8762I EVENT TYPE: TCP QUEUE UNCONSTRAINED
         EZZ8763I CORRELATOR 21 - PROBEID 040A0002
         EZZ8764I SOURCE IP ADDRESS 4.4.4.4 - PORT 301
         EZZ8765I DESTINATION IP ADDRESS 3.3.3.3 - PORT 300
         EZZ8766I IDS RULE TCPQueSz
         EZZ8767I IDS ACTION QueSzAction

     - If this message group has been issued, the excessive or old data that was on the queue for this TCP connection has been processed and is not contributing to the storage problem. Continue with the next TCP Queue Constrained message group located in step 1.
     - If this message group has not been issued, the excessive or old data is still on the queue for this TCP connection. Resolve the problem that is causing the data to not be processed, or reset the connection to release the storage.
  3. If the storage problem is not resolved, proceed to Step 3 in Steps for reviewing a storage problem.
- Complete the following steps if either you are using IDS, and you have IDS TCP Queue Size attack detection enabled, and your IDS policy for the TCP Queue Size attack type indicates that events should not be logged, or TRMD and syslogd are not both active:
  1. Issue the Netstat ALL/-A command to determine whether a lot of application data has accumulated on the queues for TCP connections.
     - If no connections are found with a significant amount of data on their queues, then data accumulated on TCP queues is not contributing to the storage problem. Proceed to Step 3 in Steps for reviewing a storage problem.
     - If connections are found with a significant amount of data on their queues, then go to Step 2.
  2. For each connection with a significant amount of data on any of its queues, resolve the problem that is causing the data to not be processed, or reset the connection to release the storage.
  3. If the storage problem is not resolved, proceed to Step 3 in Steps for reviewing a storage problem.
- Complete the following steps if none of the previous bullets describes your configuration:
  1. Look in the syslogd output for messages EZZ8662I, EZZ8664I, or EZZ8666I. These messages indicate that excessive or old data is accumulating on the receive, send, or out-of-order queue for a TCP connection. The correlator value in these messages identifies a unique instance of excessive or old data accumulated on a queue for a TCP connection. This same correlator value will appear in an EZZ8663I, EZZ8665I, or EZZ8667I message that is issued when the excessive or old data has been removed from the TCP queue.
     - If EZZ8662I, EZZ8664I, and EZZ8666I messages do not appear in syslogd, then data accumulated on TCP queues is not contributing to the storage problem. Proceed to Step 3 in Steps for reviewing a storage problem.
     - If EZZ8662I, EZZ8664I, and EZZ8666I messages do appear in syslogd, then go to Step 2.
  2. For each EZZ8662I, EZZ8664I, or EZZ8666I message located in step 1, look for a corresponding EZZ8663I, EZZ8665I, or EZZ8667I message that includes the same correlator.
     - If a corresponding message with the same correlator has been issued, the excessive or old data that was on the queue for this TCP connection has been processed and is not contributing to the storage problem. Continue with the next EZZ8662I, EZZ8664I, or EZZ8666I message located in step 1.
     - If a corresponding message with the same correlator has not been issued, the excessive or old data is still on the queue for this TCP connection. Resolve the problem that is causing the data to not be processed, or reset the connection to release the storage.
  3. If the storage problem is not resolved, proceed to Step 3 in Steps for reviewing a storage problem.
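The correlator matching described for the console message groups (TCP Queue Constrained paired with TCP Queue Unconstrained) can be scripted over saved console output. The following is an added example, not part of the original documentation or any IBM tooling; the sample log is constructed, the function names are hypothetical, and it assumes the log comes from a single stack with the message layout shown in the examples above.

```python
import re

# Constructed sample console output in the layout of the message groups above.
SAMPLE_LOG = """\
EZZ8761I IDS EVENT DETECTED
EZZ8762I EVENT TYPE: TCP QUEUE CONSTRAINED
EZZ8763I CORRELATOR 21 - PROBEID 040A0001
EZZ8764I SOURCE IP ADDRESS 4.4.4.4 - PORT 301
EZZ8765I DESTINATION IP ADDRESS 3.3.3.3 - PORT 300
EZZ8761I IDS EVENT DETECTED
EZZ8762I EVENT TYPE: TCP QUEUE CONSTRAINED
EZZ8763I CORRELATOR 22 - PROBEID 040A0001
EZZ8764I SOURCE IP ADDRESS 5.5.5.5 - PORT 1025
EZZ8765I DESTINATION IP ADDRESS 3.3.3.3 - PORT 300
EZZ8761I IDS EVENT DETECTED
EZZ8762I EVENT TYPE: TCP QUEUE UNCONSTRAINED
EZZ8763I CORRELATOR 21 - PROBEID 040A0002
EZZ8764I SOURCE IP ADDRESS 4.4.4.4 - PORT 301
EZZ8765I DESTINATION IP ADDRESS 3.3.3.3 - PORT 300
"""

PATTERNS = {
    "event": r"EZZ8762I EVENT TYPE:\s*TCP QUEUE (\w+)",
    "correlator": r"EZZ8763I CORRELATOR\s+(\S+)",
    "source": r"EZZ8764I SOURCE IP ADDRESS\s+(\S+) - PORT (\d+)",
    "destination": r"EZZ8765I DESTINATION IP ADDRESS\s+(\S+) - PORT (\d+)",
}

def parse_groups(text):
    groups = []
    for chunk in text.split("EZZ8761I")[1:]:  # each group starts at EZZ8761I
        group = {}
        for name, pattern in PATTERNS.items():
            m = re.search(pattern, chunk)
            if m:
                group[name] = m.groups() if len(m.groups()) > 1 else m.group(1)
        groups.append(group)
    return groups

def still_constrained(text):
    """Return {correlator: group} for Constrained events with no Unconstrained match."""
    pending = {}
    for g in parse_groups(text):
        corr, event = g.get("correlator"), g.get("event")
        if corr and event == "CONSTRAINED":
            pending[corr] = g           # step 1: queue reported as constrained
        elif corr and event == "UNCONSTRAINED":
            pending.pop(corr, None)     # step 2: same correlator, data processed
    return pending
```

Each entry returned by `still_constrained` is a connection whose queued data has not been reported as processed, which is the case where the procedure calls for resolving the underlying problem or resetting the connection.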