 
yogender

CCR1009 Memory Leak

Mon May 23, 2016 6:21 pm

Hey Guys!
I have a MikroTik CCR1009-8G-1S-1S+ deployed at my workplace. Its memory usage increases steadily until only 40-50 MB is free, after which the router reboots.
This happens again and again, roughly twice a day.
I have attached a screenshot.
Please tell me if any other file should be provided.
Thanks
 
biomesh

Re: CCR1009 Memory Leak

Mon May 23, 2016 6:30 pm

You will have to provide more details: ROS version, your config, etc. I and plenty of others use a CCR1009 with no memory leak issues, so this must be a version or config issue.
 
yogender

Re: CCR1009 Memory Leak

Mon May 23, 2016 6:35 pm

Latest version 6.35.2 is installed, what other config do you require?
I have dude installed and SNMP traffic flow, etc enabled.
Do I need to attach supout.rif file ?
 
yogender

Re: CCR1009 Memory Leak

Mon May 23, 2016 7:29 pm

@biomesh
Find attached supout.rif file.
Thanks
 
yogender

Re: CCR1009 Memory Leak

Mon May 23, 2016 7:31 pm

It was not attached in last post.
 
biomesh

Re: CCR1009 Memory Leak

Mon May 23, 2016 11:43 pm

If you are getting supout.rif files, you should email them to MikroTik support (support[at]mikrotik.com). Since this is a user-based support forum, they do not help us.

You can post your device's config export (/export) so we can see what could be the issue.

I would start by emailing support directly though. There could be an issue that they are currently working on that is or was fixed with a RC version.
 
yogender

Re: CCR1009 Memory Leak

Tue May 24, 2016 7:30 am

Here is the /export output :


# Name the three ports in use after the links they carry (judging by the
# names: two ISP uplinks and the LAN).
/interface ethernet
set [ find default-name=ether1 ] name=ether1<NEXTRA/45Mb>
set [ find default-name=ether2 ] name=ether2<AIRTELBROBAND/16Mb>
set [ find default-name=ether5 ] name=ether5<LAN>
# PPPoE client bound to the ether2 uplink. The poster masked the rest of this
# command with asterisks, so the account details and remaining options are
# not visible here.
/interface pppoe-client
add add-default-route=yes default-route-distance=3 interface=\
ether2<AIRTELBROBAND/16Mb******************************
# VRRP instance on the LAN port with priority 250; the 192.168.0.1 gateway
# address is assigned to it under /ip address.
/interface vrrp
add interface=ether5<LAN> name=vrrp1 priority=250
# Layer-7 regular expressions referenced by the forward-chain drop rules in
# /ip firewall filter (ios_updates, torrentsites, windows_updates).
# NOTE(review): layer-7 matching buffers and regex-scans the start of each
# connection and is one of the most CPU/memory-expensive matchers. The filter
# rules that use these patterns are not limited to new or marked connections,
# so this is worth measuring when chasing memory growth.
# NOTE(review): the dots in the host names are unescaped, so they match any
# character.
/ip firewall layer7-protocol
add name=ios_updates regexp="^.+(mesu.apple|appldnld.apple).*\$"
# NOTE(review): the pattern below was stored with CR/LF sequences (\r\n)
# inside the alternation. Alternatives that follow a line break
# (thepiratebay, torrentz, entertane, flixflux) therefore only match when
# preceded by a literal CR LF - this looks like a paste artefact; confirm.
add name=torrentsites regexp="^.*(get|GET).+(torrent|\r\
\nthepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|\r\
\ntorrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|\r\
\nentertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|\r\
\nflixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
add name=windows_updates regexp="^.+(windowsupdate|update.microsoft|download.win\
dowsupdate|wustat.windows|ntservicepack.microsoft|stats.microsoft).*\$"
# DHCP: one pool (192.168.2.1-192.168.5.254) served on the LAN port.
/ip pool
add name=91-lan-pool ranges=192.168.2.1-192.168.5.254
/ip dhcp-server
add address-pool=91-lan-pool disabled=no interface=ether5<LAN> name=91-lan-dhcp
# PCQ queue types: per-destination-address (download) and per-source-address
# (upload) sub-queues, each with pcq-rate=2097152.
/queue type
add kind=pcq name=download-2Mb pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=2097152 pcq-src-address6-mask=64
add kind=pcq name=upload-2Mb pcq-classifier=src-address pcq-dst-address6-mask=\
64 pcq-rate=2097152 pcq-src-address6-mask=64
# Simple queues. queue3 is disabled; queue1 exempts three hosts by placing
# them in a default/default queue ahead of the general limit.
# NOTE(review): the last queue is named and commented "2Mb/4Mb" but uses the
# upload-2Mb/download-2Mb types, both of which are defined with the same rate.
/queue simple
add comment=Vibhas disabled=yes name=queue3 queue=default/default target=\
192.168.2.20/32,192.168.5.215/32 total-queue=default
add name=queue1 packet-marks="" queue=default/default target=\
192.168.5.215/32,192.168.1.9/32,192.168.5.190/32
add comment="Limit every Users at 2Mb/4Mb using PCQ." name=2Mb/4Mb-Limit queue=\
upload-2Mb/download-2Mb target=192.168.0.0/21
# Queue tree: 45M parents "in" and "out" under global, each with a priority-1
# child (limit-at 10M) for the voip-in / voip-out packet marks set in mangle.
/queue tree
add max-limit=45M name=in parent=global queue=default
add max-limit=45M name=out parent=global queue=default
add limit-at=10M max-limit=45M name=voip-in packet-mark=voip-in parent=in \
priority=1 queue=default
add limit-at=10M max-limit=45M name=voip-out packet-mark=voip-out parent=out \
priority=1 queue=default
# SNMP default community: the allowed-source list contains 0.0.0.0/0, which
# makes the two host entries next to it redundant - any source address may
# query this community.
# NOTE(review): SNMP is enabled under /snmp and no input-chain rule in this
# export drops UDP/161 arriving on the uplinks, so the agent appears to be
# reachable from the Internet. The default community is named "public"
# unless it was renamed (not visible here). Restrict addresses= to the
# monitoring hosts only.
/snmp community
set [ find default=yes ] addresses=192.168.1.9/32,0.0.0.0/0,192.168.3.64/32
# The Dude server runs on the router itself.
# NOTE(review): presumably a relevant candidate for the memory growth
# described in this thread, since its polling and data storage share the
# router's RAM - confirm by disabling it and watching free memory.
/dude
set enabled=yes
# PPTP server enabled, accepting PAP, CHAP, MS-CHAPv1 and MS-CHAPv2.
# NOTE(review): PAP carries the password in clear text and MS-CHAPv1 is long
# broken; PPTP itself is considered weak even with MS-CHAPv2. If this VPN is
# needed, an IPsec-based tunnel is the safer choice; at minimum remove
# pap,chap,mschap1. No input rule in this export limits who may connect.
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
# Addresses: 192.168.0.1 on the VRRP interface (LAN gateway), 192.168.0.11/21
# on the LAN port, and two public addresses on the ether1 uplink.
# NOTE(review): the public addresses here and the MAC address in the DHCP
# lease below were posted unredacted. Together with the port-forward rules
# under /ip firewall nat they identify services reachable from the Internet,
# so values like these are normally masked before an export is shared.
/ip address
add address=192.168.0.1 interface=vrrp1 network=192.168.0.1
add address=192.168.0.11/21 interface=ether5<LAN> network=192.168.0.0
add address=103.245.118.66/29 interface=ether1<NEXTRA/45Mb> network=\
103.245.118.64
add address=103.245.118.68 interface=ether1<NEXTRA/45Mb> network=103.245.118.68
# Dynamic DNS through the MikroTik cloud service is switched on.
/ip cloud
set ddns-enabled=yes
# One static DHCP lease.
/ip dhcp-server lease
add address=192.168.5.215 mac-address=00:1A:4D:F6:C7:FC server=91-lan-dhcp
# Options handed to DHCP clients: gateway 192.168.0.1 and four DNS servers,
# the first being the router's own VRRP address.
/ip dhcp-server network
add address=192.168.0.0/21 dns-server=\
192.168.0.1,103.14.124.5,103.14.124.6,8.8.8.8 gateway=192.168.0.1 netmask=\
21
# Router DNS cache: answers queries from other hosts
# (allow-remote-requests=yes), keeps records for up to 3 days and may use
# 8196KiB of cache.
# NOTE(review): no input-chain rule in this export limits port 53 to the LAN
# (the port-53 drops sit in chain=virus, which nothing jumps to), so the
# resolver appears to answer the whole Internet. An open resolver can be
# abused for reflection traffic, and unsolicited queries fill the cache;
# drop UDP/TCP 53 arriving on the uplink interfaces.
# NOTE(review): the first upstream server, 192.168.0.1, is the address
# assigned to vrrp1 on this same router, so the router forwards queries to
# itself. Remove it from servers=.
/ip dns
set allow-remote-requests=yes cache-max-ttl=3d cache-size=8196KiB \
max-udp-packet-size=8196 servers=\
192.168.0.1,103.14.124.5,103.14.124.6,8.8.8.8
# Address lists used by the mangle rules: the public /29 and the LAN /21.
/ip firewall address-list
add address=103.245.118.64/29 list=external-nets
add address=192.168.0.0/21 list=internal-nets
# Forward chain, part 1: content blocking (OS update servers, Android push
# port 5228, peer-to-peer and torrent keywords).
# NOTE(review): the layer7-protocol= and content= rules below carry no
# connection-state or connection-mark condition, so they are evaluated for
# forwarded packets in general, not only for the start of a connection.
# That is costly on a busy link. content= is a plain substring match, so
# content=torrent or content=tracker also hits unrelated traffic containing
# those words.
/ip firewall filter
add action=drop chain=forward comment=windows_blocked layer7-protocol=\
windows_updates
add action=drop chain=forward comment=android-update-block port=5228 protocol=\
udp
add action=drop chain=forward comment=android-update-block port=5228 protocol=\
tcp
add action=drop chain=forward comment=ios_blocked layer7-protocol=ios_updates
add action=drop chain=forward comment=V_p2p_Drop p2p=all-p2p src-address=\
192.168.0.0/21
add action=drop chain=forward comment=V_torrentsites layer7-protocol=\
torrentsites src-address=192.168.0.0/21
add action=drop chain=forward comment=V_dropDNS dst-port=53 layer7-protocol=\
torrentsites protocol=udp src-address=192.168.0.0/21
add action=drop chain=forward comment=V_keyword_drop content=torrent \
src-address=192.168.0.0/21
add action=drop chain=forward comment=V_trackers_drop content=tracker disabled=\
yes src-address=192.168.0.0/21
add action=drop chain=forward comment=V_get_peers_drop content=getpeers \
src-address=192.168.0.0/21
add action=drop chain=forward comment=V_info_hash_drop content=info_hash \
src-address=192.168.0.0/21
add action=drop chain=forward comment=V_announce_peers_drop content=\
announce_peers src-address=192.168.0.0/21
# The three rules below repeat the p2p block without the LAN source
# restriction and add the classic BitTorrent port range.
add action=drop chain=forward comment="All p2p Traffic Block" p2p=all-p2p
add action=drop chain=forward comment="All p2p Traffic Block" port=6881-6999 \
protocol=tcp
add action=drop chain=forward comment="All p2p Traffic Block" port=6881-6999 \
protocol=udp
add action=drop chain=forward comment="Torrent Block" content=.torrent
# Placeholder chain for hotspot rules; passthrough only.
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
# chain=virus, part 1.
# NOTE(review): no rule in this export jumps to chain=virus, so as shown
# these rules never see a packet. If the chain were wired into forward or
# input as written, it would drop all DNS (53), SMTP (25) and HTTP (80)
# traffic, not just abusive sources - review before enabling.
add action=drop chain=virus comment="Drop 53 DoS attack" dst-port=53 protocol=\
tcp
add action=drop chain=virus comment="Drop 53 DoS attack" dst-port=53 protocol=\
udp
# Comment says "Drop 80 DoS attack", but the action only adds the source to
# the "spammer" list (for 2 days); nothing visible consumes that list.
add action=add-src-to-address-list address-list=spammer address-list-timeout=2d \
chain=virus comment="Drop 80 DoS attack" connection-limit=40,32 dst-port=80 \
limit=20,5:packet protocol=tcp src-address-list=!smtpOK
# This unconditional port-25 drop precedes the two port-25 rules after it,
# which therefore cannot match.
add action=drop chain=virus comment="Drop Spammer" dst-port=25 protocol=tcp
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d \
chain=virus comment="add to spammer list" connection-limit=30,32 dst-port=\
25 limit=10,5:packet protocol=tcp src-address-list=!smtpOK
add action=drop chain=virus comment="SMTP SPAM stopper!" dst-port=25 protocol=\
tcp src-address-list=!smtpOK
add action=drop chain=virus comment="Drop 80 DoS attack" dst-port=80 protocol=\
tcp
# Input chain: sources holding more than 100 TCP connections to the router
# are recorded in "blocked-addr" for one day.
# NOTE(review): no rule in this export drops on blocked-addr, ddosed or
# ddoser, so these three lists only accumulate entries and block nothing.
# Entries are created from Internet-supplied (possibly spoofed) source
# addresses and live for a day, so the lists can grow large under scanning
# or flooding - count the dynamic address-list entries when investigating
# memory use, and either add the matching drop rules or remove the
# detection rules.
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d chain=input connection-limit=100,32 protocol=tcp
# detect-ddos: every new forwarded connection is checked; pairs within the
# dst-limit return to the forward chain, the rest are added to the lists.
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=1d \
chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
1d10m chain=detect-ddos
# Input chain: port-scan detection. Sources tripping the psd matcher or
# sending TCP flag combinations typical of scanners are listed in
# "port scanners" for two weeks and then dropped by the last rule of the group.
# NOTE(review): the same group is repeated later in this chain without
# comments; one copy is enough. The two-week timeout keeps every listed
# source in memory for that long.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp \
tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list=\
"port scanners"
# Forward chain: new TCP SYNs go through SYN-Protect, which passes them up
# to the limit and drops the excess.
# NOTE(review): the limit is global, not per source, so one flooding host
# also causes legitimate new connections to be dropped.
# NOTE(review): the limit rule has no action=, i.e. the default accept.
# Accept ends filter processing for the packet, so SYNs under the limit skip
# every forward rule that follows (bogon drops, tcp-chain port blocks).
# action=return would hand them back to the forward chain instead.
add action=jump chain=forward comment="SYN Flood protect" connection-state=new \
jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add chain=SYN-Protect connection-state=new limit=400,5:packet protocol=tcp \
tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=\
syn
# Forward chain: drop packets whose source or destination lies in
# 0.0.0.0/8, 127.0.0.0/8 or 224.0.0.0/3 (multicast and everything above it).
add action=drop chain=forward comment="Block Bogus IP Address" src-address=\
0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
# Input chain: staged SSH brute-force throttle. Each new connection to port
# 22 moves the source one list further (stage1 -> stage2 -> stage3, one
# minute each); a further attempt while in stage3 puts it on ssh_blacklist
# for 1w3d. The blacklist drop comes first so listed sources are rejected
# before the stages are evaluated.
# NOTE(review): this slows guessing but leaves SSH open to every address.
# SSH is not disabled under /ip service, and no rule limits it to management
# networks.
add action=drop chain=input comment="Drop SSH brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
# Second copy of the port-scan detection group that already appears earlier
# in the input chain (same matchers, list and timeout). By the time a packet
# reaches this point the first copy has already listed and dropped it, so
# these rules add evaluation cost without changing the outcome.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port Scanners to list" \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input src-address-list="port scanners"
# FTP login throttle: failed-login replies ("530 Login incorrect") leaving
# the router are rate-limited per destination; destinations over the limit
# are listed in ftp_blacklist for 3 hours and dropped on port 21.
# NOTE(review): the FTP service is disabled under /ip service in this
# export, so these rules have nothing to protect on the router itself.
add action=drop chain=input comment="Filter FTP to Box" dst-port=21 protocol=\
tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m \
protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
# Forward chain: hand the remaining traffic to per-protocol chains.
add action=jump chain=forward comment="Separate Protocol into Chains" \
jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
# udp chain: drop TFTP (69), portmapper (111), MS RPC (135), NetBIOS
# (137-139), NFS (2049) and port 3133.
add action=drop chain=udp comment="Blocking UDP Packet" dst-port=69 protocol=\
udp
add action=drop chain=udp dst-port=111 protocol=udp
add action=drop chain=udp dst-port=135 protocol=udp
add action=drop chain=udp dst-port=137-139 protocol=udp
add action=drop chain=udp dst-port=2049 protocol=udp
add action=drop chain=udp dst-port=3133 protocol=udp
# tcp chain: the same idea for TCP, plus NNTP (119), SMB (445) and a few
# ports historically associated with trojans (12345-12346, 20034).
add action=drop chain=tcp comment="Bloking TCP Packet" dst-port=69 protocol=tcp
add action=drop chain=tcp dst-port=111 protocol=tcp
add action=drop chain=tcp dst-port=119 protocol=tcp
add action=drop chain=tcp dst-port=135 protocol=tcp
add action=drop chain=tcp dst-port=137-139 protocol=tcp
add action=drop chain=tcp dst-port=445 protocol=tcp
add action=drop chain=tcp dst-port=2049 protocol=tcp
add action=drop chain=tcp dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp dst-port=20034 protocol=tcp
add action=drop chain=tcp dst-port=3133 protocol=tcp
add action=drop chain=tcp dst-port=67-68 protocol=tcp
# icmp chain: accept the listed ICMP types at up to 5 packets per second
# each (burst 5) and drop all other ICMP.
add chain=icmp comment="Limited Ping Flood" icmp-options=0 limit=5,5:packet \
protocol=icmp
add chain=icmp icmp-options=3:3 limit=5,5:packet protocol=icmp
add chain=icmp icmp-options=3:4 limit=5,5:packet protocol=icmp
add chain=icmp icmp-options=8 limit=5,5:packet protocol=icmp
add chain=icmp icmp-options=11 limit=5,5:packet protocol=icmp
add action=drop chain=icmp protocol=icmp
# Input chain: accept broadcast, established and related traffic; drop
# invalid.
# NOTE(review): no final "drop everything else" input rule appears in this
# export, so new connections not caught by a list-based drop above are
# accepted by default. Every service left enabled on the router (only
# telnet, ftp, api and api-ssl are disabled under /ip service) is then
# reachable from the uplinks. A default-drop input rule after explicit
# accepts for the management networks closes this.
# NOTE(review): these state rules sit at the end of the chain, so packets of
# established connections are first evaluated against every earlier input
# rule; placing them first is the usual order.
add chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add chain=input comment="Connection State" connection-state=established
add chain=input connection-state=related
add action=drop chain=input connection-state=invalid
# chain=virus, part 2: drops for ports that the comments associate with old
# trojans. As noted for the first part, nothing visible jumps to this chain.
add action=drop chain=virus comment="Sockets des Troie" dst-port=1 protocol=udp
add action=drop chain=virus comment=Death dst-port=2 protocol=tcp
add action=drop chain=virus comment="Senna Spy FTP server" dst-port=20 \
protocol=tcp
# Mangle: mark Hangouts media packets for the voip-in / voip-out queue-tree
# entries. Inbound marks match source ports 19302-19309 (UDP) or 19305-19309
# (TCP) towards the external-nets list; outbound marks match the same
# destination ports from internal-nets. passthrough=no stops mangle
# processing once a packet is marked.
/ip firewall mangle
add action=mark-packet chain=prerouting comment="voip-in packet mark hangout" \
dst-address-list=external-nets new-packet-mark=voip-in passthrough=no \
protocol=udp src-port=19302-19309
add action=mark-packet chain=prerouting comment="voip-out packet mark hangout" \
dst-port=19302-19309 new-packet-mark=voip-out passthrough=no protocol=udp \
src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark hangout" \
dst-address-list=external-nets new-packet-mark=voip-in passthrough=no \
protocol=tcp src-port=19305-19309
add action=mark-packet chain=prerouting comment="voip-out packet mark hangouts" \
dst-port=19305-19309 new-packet-mark=voip-out passthrough=no protocol=tcp \
src-address-list=internal-nets
# NAT. The two netmap rules (1:1 mapping for 192.168.1.9) are disabled.
/ip firewall nat
add action=netmap chain=srcnat disabled=yes src-address=192.168.1.9 \
to-addresses=103.245.118.68
add action=netmap chain=dstnat disabled=yes dst-address=103.245.118.68 \
to-addresses=192.168.1.9
# Source NAT for the LAN.
# NOTE(review): there is no out-interface condition, so the rule matches any
# traffic sourced from 192.168.0.0/21, whichever interface it leaves on.
add action=masquerade chain=srcnat comment=91_Main_Masquerade src-address=\
192.168.0.0/21
# Port forwards from the public address to internal web interfaces: an
# unlabelled host on 8991, the DVR on 8000 and PRTG on 91.
# NOTE(review): none of the enabled forwards has a src-address or
# src-address-list condition, so these interfaces are offered to any host
# that can reach the public address, over plain HTTP for two of the three.
# Restrict the sources or reach them through a VPN.
add action=dst-nat chain=dstnat dst-address=103.245.118.66 dst-port=8991 \
protocol=tcp to-addresses=192.168.1.17 to-ports=80
add action=dst-nat chain=dstnat comment=DVR dst-address=103.245.118.66 \
dst-port=8000 protocol=tcp to-addresses=192.168.1.50 to-ports=8000
add action=dst-nat chain=dstnat comment=PRTG dst-address=103.245.118.66 \
dst-port=91 protocol=tcp to-addresses=192.168.1.9 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=8000 in-interface=\
ether1<NEXTRA/45Mb> protocol=tcp to-addresses=192.168.5.215 to-ports=80
# Static default route via the ether1 uplink gateway, monitored by ping.
/ip route
add check-gateway=ping distance=1 gateway=103.245.118.65
# Management services: telnet, ftp, api and api-ssl are switched off.
# NOTE(review): the export lists only changed values, so the remaining
# services are presumably at their defaults, with no address= restriction
# shown. Combined with the missing default-drop in the input chain they
# would be reachable from the uplinks - set address= to the management
# subnets for each service that stays enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# Traffic Flow export of LAN-port traffic to the collector at
# 192.168.1.9:10004.
/ip traffic-flow
set enabled=yes interfaces=ether5<LAN>
/ip traffic-flow target
add dst-address=192.168.1.9 port=10004
/lcd
set time-interval=hour
# SNMP agent enabled, with v2 interface traps to three targets.
# NOTE(review): 0.0.0.0 is listed as a trap target, which looks like a
# leftover placeholder - confirm and remove. See the community setting under
# /snmp community for who may query the agent.
/snmp
set enabled=yes trap-generators=interfaces trap-interfaces=all trap-target=\
192.168.1.9,192.168.3.64,0.0.0.0 trap-version=2
/system clock
set time-zone-name=Asia/Kolkata
/system identity
set name="MikroTik Router Del.OKhla Hub(primary)"
/system leds
set 0 interface=sfp-sfpplus1
set 1 interface=sfp-sfpplus1
set 2 interface=sfp1
/system ntp client
set enabled=yes primary-ntp=123.108.200.124 server-dns-names=in.pool.ntp.org
# Hardware settings; protected-routerboot is disabled.
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR protected-routerboot=\
disabled
# Script "E-mail": saves a system backup named "email", mails the resulting
# email.backup file to a recipient (masked by the poster) with the router
# identity in the subject, and logs a confirmation line.
# NOTE(review): a backup file holds the complete configuration, including
# stored credentials. Confirm that the backup is password-protected and that
# /tool e-mail uses TLS to the mail server (neither is visible here);
# otherwise the secrets travel and rest in the mailbox unprotected.
# NOTE(review): the policy list is broader than saving a file and sending
# mail appears to need - trim it to what the script uses.
/system script
add name=E-mail owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/system b\
ackup save name=email;\r\
\n/tool e-mail send to=\"*****\" subject=([/syste\
m identity get name].\" backup\") file=email.backup;\r\
\n:log info \"Backup e-mail sent.\";"