Interpret Crash file on Cisco switch2960

Hello People,

Greetings!!

It be grateful if I could get some advise and help in understanding a thing here:
Few days ago my switch 2960 and crashed and recovered in ten minutes.
1. The sh ver says "system returned to ROM by address error at PC 0xBDB37C, address 0x0".
The sh flash: has a crashfile in it.

There are three things I would like to know very much:
1. What does the error address at PC ....mean and what can be concluded by it.
2. How to download the crash file from the flash and interpret it and what i can expect from it, if am able to understand/read it.
3. I suspect an insider in my LAN who has generated some strange traffic that has caused this and can I trace that person's IP add and If I wanna trace it what can be done or how to monitor & analyse traffic originating from that IP/person's PC.

I greatly appreciate your answers for the above.
Thanks All,

Regards,
Redpix

Hi Redpix,

1. What does the error address at PC ....mean and what can be concluded by it.

As far as I know, it basically means that the CPU is trying to access a memory location that is not allocated.

It can be related to an IOS version bug. What is the version/name of the IOS file your using, If the file name has a 'T' in it, this means that it has new features that are probably in beta/test. Try to replace it with an IOS that does not have a T.

Several forums also suggest that such a problem can be caused by NBAR. Try disabling NBAR (if your switch supports it) for each interface/vlan that has it on, like this:

[code:1]
switch(config)#interface FastEthernet 0/1
router-2621(config-if)#no ip nbar protocol-discovery
router-2621(config-if)#exit
[/code:1]

2. How to download the crash file from the flash and interpret it and what i can expect from it, if am able to understand/read it.

Example to show crash file:
[code:1]switch# more flash:crashinfo_20070321-094503
[/code:1]

I have never inspected a crash file so I'm no use here. Hope others can answer.

3. I suspect an insider in my LAN who has generated some strange traffic that has caused this and can I trace that person's IP add and If I wanna trace it what can be done or how to monitor & analyse traffic originating from that IP/person's PC.

Perhaps the easiest way to trace and/or monitor traffic is using either NetFlow or Syslog. Both work in collaboration with your Cisco network devices. For Netflow:

- Manageengine's NetFlow Analyzer: www.manageengine.com/products/netflow/download-free.html

- Solarwinds NetFlow Analyzer: www.solarwinds.com/products/freetools/netflow_analyzer.aspx

For Syslog,

- KiwiSyslog server: www.solarwinds.com/products/freetools/kiwi_syslog_server/

There are many other tools using Netflow or Syslog. The above are just a few.

Hope this helps.

Hello SOlo,

Thanks very much, happy to see the post.

The IOS version does not have a T and the version is stable.
I was able to download the crash file however I was able to know that a Cisco Output interpreter tool is needed to interpret the crash file, i do not have access to the tool

Well, I hope to find out the insider who had caused the switch to crash if I can from the crashfile itself.

Well as suggested can I wil try to the tools, how about TCP dump can it be handy here.

Am working on this still....
Thanks for your help SOlo.. wil get back to you

Best Regards,
Redpix

Your most welcome

I believe tcpdump is a linux based tool. However, there are new features in IOS 12.4 that allow traffic monitoring similar to tcpdump where you have the ability to capture packets traveling through the router, export the captured data to a PCAP file so you can view it in WireShark (or the like). Check the monitor capture command here:
www.cisco.com/en/US/docs/ios/netmgmt/con...n_Guide_Chapter.html

You could also get briefer details using debug ip packet or debug ethernet-interface