Huawei V200R001C01, Troubleshooting Manual

Page 1: ...Huawei AR2200 S Series Enterprise Routers V200R001C01 Troubleshooting Issue 01 Date 2012 01 06 HUAWEI TECHNOLOGIES CO LTD ...

Page 2: ...be within the purchase scope or the usage scope Unless otherwise specified in the contract all statements information and recommendations in this document are provided AS IS without warranties guarantees or representations of any kind either express or implied The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensu...

Page 3: ... level of risk which if not avoided will result in death or serious injury WARNING Indicates a hazard with a medium or low level of risk which if not avoided could result in minor or moderate injury CAUTION Indicates a potentially hazardous situation which if not avoided could result in equipment damage data loss performance degradation or unexpected results TIP Indicates a tip that may help you s...

Page 4: ... grouped in braces and separated by vertical bars A minimum of one item or a maximum of all items can be selected x y Optional items are grouped in brackets and separated by vertical bars Several items or no item can be selected 1 n The parameter before the sign can be repeated 1 to n times A line starting with the sign is comments Change History Updates between document issues are cumulative Ther...

Page 5: ...MP Connection Cannot Be Established 26 2 5 2 The NMS Fails to Receive Trap Messages from the Host 29 2 6 NQA Troubleshooting 31 2 6 1 A UDP Jitter Test Instance Fails to Be Started 31 2 6 2 A Drop Record Exists in the UDP Jitter Test Result 33 2 6 3 A Busy Record Exists in the UDP Jitter Test Result 35 2 6 4 A Timeout Record Exists in the UDP Jitter Test Result 37 2 6 5 The UDP Jitter Test Result ...

Page 6: ...otocol Status of Their Connected MFR Interfaces Is Up 93 5 3 2 Troubleshooting Cases 98 5 4 DCC Troubleshooting 99 5 4 1 Failed to Initiate Calls 99 5 4 2 Failed to Receive Calls 103 5 5 ISDN Troubleshooting 107 5 5 1 Link Failed to Be Established on ISDN Interfaces 107 5 6 PPPoE Troubleshooting 113 5 6 1 PPPoE Dialup Fails 113 5 7 PPP Troubleshooting 117 5 7 1 Protocol Status of a PPP Interface I...

Page 7: ...nterrupted 206 8 1 2 The PIM Neighbor Relationship Remains Down 209 8 1 3 The RPT on a PIM SM Network Fails to Forward Data 212 8 1 4 The SPT on a PIM SM Network Fails to Forward Data 216 8 1 5 MSDP Peers Cannot Generate Correct S G Entries 221 8 1 6 The Multicast Device Cannot Generate IGMP Entries or MLD Entries 226 9 QoS 231 9 1 Traffic Policy Troubleshooting 232 9 1 1 Traffic Policy Fails to T...

Page 8: ...Troubleshooting 305 10 4 1 SYN Flood Attacks Are Detected on a Network 305 10 5 ACL Troubleshooting 307 10 5 1 Packet Filtering Firewall Fails Because of Invalid ACL Configuration 307 10 6 NAT Troubleshooting 309 10 6 1 Internal Users Fail to Access the Public Network 309 10 6 2 External Hosts Fail to Access Internal Servers 312 10 6 3 Internal Host with a Conflicting IP Address Fails to Access an...

Page 9: ...Fail to Be Established by Using IKE Negotiation 351 12 2 3 IPSec Fails to Be Configured by Using an IPSec Policy Template 358 12 2 4 NAT Traversal in IPSec Fails 365 12 2 5 GRE over IPSec Fails 372 12 2 6 Troubleshooting Cases 379 Huawei AR2200 S Series Enterprise Routers Troubleshooting Contents Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd viii ...

Page 10: ... This Chapter 1 1 Board Registration Troubleshooting Huawei AR2200 S Series Enterprise Routers Troubleshooting 1 Hardware Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 1 ...

Page 11: ...roadmap is as follows l Check whether the board is starting l Check whether the board is in an unregistered state after the board has finished startup l Check whether the board was reset If the board was reset locate the cause Figure 1 1 shows the troubleshooting flowchart Huawei AR2200 S Series Enterprise Routers Troubleshooting 1 Hardware Issue 01 2012 01 06 Huawei Proprietary and Confidential C...

Page 12: ...nel Procedure Step 1 Check whether the board is starting A board takes several minutes to complete registration after power on This period is called the startup time The startup times for specific boards are follows l The startup time of the SRU is less than 3 minutes If the device restarts after the system software is upgraded the startup time is less than 5 minutes l The startup time of an LPU i...

Page 13: ...e system software has been loaded to the board correctly For details see Board Software Loading Troubleshooting l If information about board resetting is displayed rectify the fault according to the instructions in the command output If the fault persists go to step 3 Step 3 Collect the following information and contact Huawei technical support personnel l Results of the preceding troubleshooting ...

Page 14: ...rts and examples 2 4 Mirroring Troubleshooting This chapter describes common causes of mirroring faults and provides the corresponding troubleshooting flowcharts troubleshooting procedures alarms and logs 2 5 SNMP Troubleshooting 2 6 NQA Troubleshooting 2 7 NTP Troubleshooting 2 8 CWMP Troubleshooting Huawei AR2200 S Series Enterprise Routers Troubleshooting 2 System Issue 01 2012 01 06 Huawei Pro...

Page 15: ...igh system CPU usage occurs when CPU usage of some tasks remains high This fault is commonly caused by one of the following l A large number of packets are sent to the CPU when loops or DoS packet attacks occur l STP flapping frequently occurs and a large number of TC packets are received causing the device to frequently delete MAC address entries and ARP entries l The device generates a large num...

Page 16: ...e results of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel The following procedures can be performed in any sequence The command output in the following procedures varies based on the device model The following procedures describe how to view related information Procedure S...

Page 17: ... 0 lacp 0 0 lldp 33959 0 ntp 0 0 ospf 1569 0 pim 0 0 pppoe 0 0 radius 0 0 rip 0 0 snmp 0 0 ssh 0 0 stp 0 0 tcp 7671 0 telnet 71149 0 ttl expired 656 0 udp helper 0 0 unknown multicast 6 0 unknown packet 94189 0 vrrp 0 0 l If the value of the Drop field of a certain type of packets is great and CPU usage is high packet attacks occur Go to step 6 l If the value of the Drop field is within the specif...

Page 18: ...ltiple interfaces of a device belong to the same VLAN if a loop occurs between two interfaces packets are forwarded only between these interfaces in the VLAN Consequently CPU usage of the device becomes high Run the display current configuration command to check whether the device is enabled to generate an alarm when MAC address flapping is detected loop detect eth loop alarm only l If this functi...

Page 19: ... device End Relevant Alarms and Logs Relevant Alarms None Relevant Logs None 2 2 Telnet Troubleshooting 2 2 1 The User Fails to Log in to the Server Through Telnet Common Causes This fault is commonly caused by one of the following l The route is unreachable and the user cannot set up a TCP connection with the server l The number of users logging in to the server reaches the upper threshold l An A...

Page 20: ...ist in the ACL Is the fault rectified Yes Permit the IP address of the user in the ACL Is the authentication mode configured Is the fault rectified Configure the authentication mode Seek technical support Yes Yes Yes No No No No No No No No No Yes Yes Yes Yes Yes Are all the current VTY channels in use Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If...

Page 21: ...ver through VTY channels to 15 Huawei system view Huawei user interface maximum vty 15 Step 3 Check that an ACL is configured in the VTY user interface view Huawei user interface vty 0 4 Huawei ui vty0 4 display this user interface vty 0 4 acl 2000 inbound authentication mode aaa user privilege level 3 idle timeout 0 0 If an ACL is configured but the IP address of the client to be permitted is not...

Page 22: ...mon causes of the fault that the user fails to log in to the server through SSH and provides the corresponding troubleshooting flowcharts and examples 2 3 1 The User Fails to Log in to the Server Through SSH This section describes the troubleshooting flowchart and provides a step by step troubleshooting procedure for the fault that the user fails to log in to the server through SSH Common Causes T...

Page 23: ...ds SSH server key generating interval 0 hours SSH Authentication retries 3 times SFTP server Disable The command output shows that the SFTP server is not enabled The user can log in to the server through SSH only after SSH services are enabled in the system Run the following command to enable the SSH server Huawei system view Huawei sftp server enable Step 3 On the SSH server check that the access...

Page 24: ...ype command Step 6 Check whether the number of SSH login users has reached the maximum For the STelnet and Telnet services both STelnet users and Telnet users log in to the server through VTY channels The number of available VTY channels ranges from 5 to 15 When the number of users attempt to log in to the server through VTY channels is greater than 15 the new connection cannot be established betw...

Page 25: ...ver Disable If the client logging in to the server adopts SSHv1 the version compatible capability needs to be enabled on the server Huawei system view Huawei ssh server compatible ssh1x enable Step 9 Check whether first time authentication is enabled on the SSH client Run the display this command in the system view on the SSH client to check whether first time authentication is enabled After first...

Page 26: ...mirror packets to the monitoring device by port mirroring Common Causes This fault is commonly caused by one of the following l The mirrored port does not receive any packets l The mirrored port or observing port is configured incorrectly for example the interface index is incorrect Troubleshooting Flowchart After port mirroring is configured on the AR2200 S the monitoring device does not receive ...

Page 27: ...e link fault Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check whether the mirrored port receives packets Run the display interface command multiple times to view information about the mirrored port The...

Page 28: ...e mirrored port to specify the observing port index correctly l If the mirrored port configuration is correct go to step 3 Step 3 Check whether the observing port sends packets to the monitoring device Run the display interface command multiple times to view information about the observing port The Output field in the command output specifies the number of packets sent by the observing port l If t...

Page 29: ...ored port and the monitored network is Down l No traffic policy is applied or no packets match the traffic policy l The observing port index specified in the traffic behavior is different from the index of the configured observing port Troubleshooting Flowchart After traffic mirroring is configured on the AR2200 S the monitoring device does not receive any mirrored packets Figure 2 4 shows the tro...

Page 30: ...ving port Up Does mirrored port receive packets Does observing port send packets Yes Yes Is traffic policy applied correctly Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If your troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check whether the mirrored p...

Page 31: ...he fault of the traffic policy first l If the number of packets matching the traffic policy is not 0 go to step 3 Step 3 Check whether the observing port sends packets to the monitoring device Run the display interface to view information about the observing port The Output field in the command output specifies the number of packets sent by the observing port l If the number of packets sent by the...

Page 32: ...he Internet Eth2 0 0 is the mirrored port and Eth2 0 1 is the observing port After the configuration is complete the IT department cannot see mirrored packets on the monitoring device when the R D department employees access the Internet Figure 2 5 Network diagram of port mirroring Router Monitoring Device Eth2 0 0 Eth2 0 1 Internet LAN switchA R D Department User Fault Analysis 1 Run the display ...

Page 33: ...ot be seen on the monitoring device the possible cause is that the mirrored port or observing port is configured incorrectly Mirrored Packets Cannot Be Seen on the Monitoring Device After Traffic Mirroring Is Configured Fault Symptom As shown in Figure 2 6 the R D department sales department and IT department are on different network segments The sales department and IT department connect to the I...

Page 34: ...Traffic Policy Information Policy tp1 Classifier default class Behavior be none Classifier tc1 Behavior tb1 statistic enable Port mirroring to observe port 1 The preceding information indicates that the traffic classifier tc1 and the traffic behavior tb1 are bound to the traffic policy and tb1 is configured with the traffic mirroring action Run the display traffic classifier user defined command t...

Page 35: ... matching rule for incoming packets onGigabitEthernet2 0 0 Step 7 Run the quit command to exit from the traffic classifier view Step 8 Run the interface GigabitEthernet 2 0 0 command to enter the interface view Step 9 Run the traffic policy tp1 inbound command to apply the traffic policy tp1 to GigabitEthernet2 0 0 End Summary When configuring traffic mirroring ensure that the traffic policy match...

Page 36: ...ubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Run the ping command to check whether the host and the NMS can successfully ping each other l If the ping fails see The Ping Operation Fails to locate the problem so that the host and NMS can ping each other l If the ping succeeds the host and the NMS are re...

Page 37: ...l Run the display snmp agent usm user command to view the SNMPv3 user information If information is incorrect modify the configurations l Run the snmp agent group command to view information about the SNMPv3 user group l Run the snmp agent usm user command to view information about the SNMPv3 user Step 3 Run the display snmp agent community command to view the community string configured on the ho...

Page 38: ...trap messages is incorrect As a result the trap message cannot be sent Troubleshooting Flowchart Figure 2 8 Troubleshooting flowchart used when the NMS fails to receive trap messages from the host Seek technical support The NMS fails to receive trap messages from the host Are the SNMP configuration correct Configure SNMP correctly No Yes View the system log and rectified the fault based on the tab...

Page 39: ...ights notify view NOTE With Huawei_view the user can access all nodes from the iso subtree Configure a MIB view Huawei system view Huawei snmp agent mib view Huawei_view include iso Configure a user group Huawei snmp agent group v3 huawei_group noauth read view Huawei_view write view Huawei_view notify view Huawei_view Configure a user Huawei snmp agent usm user v3 huawei huawei_group Configure a ...

Page 40: ... 109 turned into DOWN state Step 4 Collect the following information and contact Huawei technical support personnel l Results of the preceding troubleshooting procedure l Configuration files log files and alarm files of the devices End Relevant Alarms and Logs Relevant Alarms None Relevant Logs None 2 6 NQA Troubleshooting 2 6 1 A UDP Jitter Test Instance Fails to Be Started Common Causes This fau...

Page 41: ...l support personnel All the following commands except the display commands are used in the NQA test instance view The display commands can be used in any views Procedure Step 1 Run the display nqa agent admin name test name verbose command on the NQA client or the display this command in the NQA test instance view to check whether the test type is Jitter l If the test type is Jitter go to Step 2 l...

Page 42: ... fault persists go to Step 4 Step 4 If the fault persists collect the following information and contact Huawei technical support personnel l Results of the preceding troubleshooting procedures l Configuration files log files and alarm files of the devices End Relevant Alarms and Logs Relevant Alarms None Relevant Logs None 2 6 2 A Drop Record Exists in the UDP Jitter Test Result Common Causes If t...

Page 43: ... command to check whether devices can successfully ping each other If devices can successfully ping each other go to Step 2 If devices cannot successfully ping each other see The Ping Operation Fails l If the route does not exist run the corresponding command to reconfigure the route Step 2 Run the display nqa agent admin name test name verbose command on the NQA client or the display this command...

Page 44: ...ort personnel l Results of the preceding troubleshooting procedures l Configuration files log files and alarm files of the devices End Relevant Alarms and Logs Relevant Alarms None Relevant Logs None 2 6 3 A Busy Record Exists in the UDP Jitter Test Result Common Causes If the UDP jitter test result has busy records the value of the System busy operation number field in the display nqa results com...

Page 45: ...mand on the NQA client or the display this command in the NQA test instance view to check whether the VPN instance is configured l If the VPN instance is configured go to Step 2 l If the VPN instance is not configured go to Step 3 Step 2 Run the ping vpn instance vpn instance name command on the NQA client to check whether the destination address is reachable l If the destination address is reacha...

Page 46: ...itter tag version is 2 and the receiver is not configured with a UDP server Troubleshooting Flowchart Figure 2 12 Troubleshooting flowchart used when a timeout record exists in the UDP jitter test Is the destination address reachable A timeout record exists in the UDP jitter test result Ensure that the destination address exists and is reachable Is the NQA jitter tag version 2 Seek technical suppo...

Page 47: ...rsion is not 2 go to Step 4 Step 3 Run the display nqa server command on the NQA server to check whether the nqa server udpecho ip address port number command has been configured on the NQA server l If the nqa server udpecho ip address port number command has been configured on the NQA server and is in the Active state go to Step 4 l If the nqa server udpecho ip address port number command is not ...

Page 48: ... frequency is incorrect l The parameter fail percent is incorrect Troubleshooting Flowchart Figure 2 13 Troubleshooting flowchart used when the UDP Jitter test result is failed no result or packet loss The UDP jitter test result is failed or packet loss Is TTL configured Is frequency set Is fail percent set Ensure that the frequency value is large than interval x probe count x jitter packetnum Set...

Page 49: ...nd that of the interval x probe count x jitter packetnum To ensure that the UDP Jitter test instance can be complete normally the value of the frequency must be greater than that of the interval x probe count x jitter packetnum If the value of the frequency is less than that of the interval x probe count x jitter packetnum run the frequency interval command in the NQA test instance view to increas...

Page 50: ... ms root dispersion 0 00 ms peer dispersion 0 00 ms reference time 14 25 55 477 UTC Jun 9 2010 CFBA22F3 7A4B76F6 The clock status field is displayed as unsynchronized indicating that the local system clock is not synchronized with any NTP server or a reference clock Step 2 Check the status of the NTP connection Huawei display ntp service sessions The value of the reference is 0 0 0 0 specifying th...

Page 51: ...nd alarm files of the devices End Relevant Alarms and Logs Relevant Alarms None Relevant Logs The following log information indicates that the clock source with which the local device synchronizes is lost NTP 4 SOURCE_LOST The following log information indicates that the local clock has synchronized with a clock source NTP 4 LEAP_CHANGE NTP 4 STRATUM_CHANGE NTP 4 PEER_SELE 2 8 CWMP Troubleshooting...

Page 52: ...to manage AR Modify the settings Configure a reachable route No No Yes Yes Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Verify the CWMP settings on the AR2200 S Run the display cwmp configuration command...

Page 53: ... Step 2 Check that there is a reachable route between the AR2200 S and ACS Run the ping command on the AR2200 S to ping the ACS NOTE If you have configured the ACS s URL as a domain name use the display dns dynamic host command to obtain the IP address and enter the IP address in the ping command Huawei display dns dynamic host No Domain name IpAddress TTL Alias 1 huawei com 2 1 1 3 3579 l If the ...

Page 54: ...Collect the following information and contact Huawei technical support personnel l Results of the preceding troubleshooting procedure l Configuration file log file and alarm file of the AR2200 S End Huawei AR2200 S Series Enterprise Routers Troubleshooting 2 System Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 45 ...

Page 55: ...auses of Eth Trunk interface faults and provides the corresponding troubleshooting flowcharts troubleshooting procedures alarms and logs Huawei AR2200 S Series Enterprise Routers Troubleshooting 3 Physical Connection and Interfaces Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 46 ...

Page 56: ...s smaller than the lower threshold l Negotiation between member interfaces of the Eth Trunk interface in static LACP mode fails Troubleshooting Flowchart On the network shown in Figure 3 1 the Eth Trunk interface cannot forward traffic Figure 3 1 Eth Trunk network diagram RouterB Eth2 0 2 Eth Trunk1 RouterA Eth2 0 3 Eth2 0 3 Eth2 0 1 Eth2 0 1 Eth2 0 2 The troubleshooting roadmap is as follows l Ch...

Page 57: ...nfiguration Is fault rectified No No Yes Yes No Yes Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check that Eth Trunk member interfaces work properly Run the display eth trunk 1 command in any view to ch...

Page 58: ...es If the fault persists go to Step 2 Step 2 Check information about Eth Trunk member interfaces on both ends Check information about member interfaces of the Eth Trunk interface on Router A and Router B RouterA display eth trunk 1 Eth Trunk1 s state information is WorkingMode NORMAL Hash arithmetic According to SA XOR DA Least Active linknumber 1 Max Bandwidth affected linknumber 8 Operate status...

Page 59: ...unk interfaces work in static LACP mode Run the display eth trunk 1 command on Router A and Router B to view the configuration of the Eth Trunk interface RouterA display eth trunk 1 Eth Trunk1 s state information is Local LAG ID 1 WorkingMode STATIC Preempt Delay Disabled Hash arithmetic According to SA XOR DA System Priority 32768 System ID 0018 826f fc7a Least Active linknumber 1 Max Active link...

Page 60: ...Selected 100M 32768 265 305 11111100 1 Ethernet2 0 3 Selected 100M 32768 266 305 11111100 1 Partner ActorPortName SysPri SystemID PortPri PortNo PortKey PortState Ethernet2 0 1 32768 0018 823c c473 32768 2056 305 11111100 Ethernet2 0 2 32768 0018 823c c473 32768 2057 305 11111100 Ethernet2 0 3 32768 0018 823c c473 32768 2058 305 11111100 If LACP negotiation fails after the configurations are corre...

Page 61: ...stination IP addresses RouterA and RouterB communicate at Layer 2 therefore the load balancing mode does not apply to this scenario This fault is caused by the incorrect load balancing mode Procedure Step 1 Run the system view command on RouterA to enter the system view Step 2 Run the interface interface type interface number command to enter the Eth Trunk interface view Step 3 Run the load balanc...

Page 62: ...mber interfaces are in Up state 4 Run the display trunkmembership eth trunk command on RouterA and RouterB to check the number of member interfaces in the Eth Trunk The two ends contain the same number of member interfaces 5 Run the display mac address command on RouterA and RouterB to check their MAC address tables The command outputs show that RouterA learns the MAC address of RouterB but Router...

Page 63: ... member interfaces are in Up state 4 Run the display trunkmembership eth trunk command on RouterA and RouterB to check the number of member interfaces The Eth Trunk interface on RouterA contains two member interfaces but the Eth Trunk interface on RouterB contains only one member interface Eth2 0 1 The numbers of member interfaces on the two devices are different so they cannot communicate with ea...

Page 64: ... member interfaces otherwise the two ends cannot communicate with each other Huawei AR2200 S Series Enterprise Routers Troubleshooting 3 Physical Connection and Interfaces Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 55 ...

Page 65: ...ng procedures alarms and logs 4 3 MSTP Troubleshooting This chapter describes common causes of MPLS faults and provides the corresponding troubleshooting flowcharts troubleshooting procedures alarms and logs 4 4 Transparent Bridging Troubleshooting This chapter describes common causes of transparent bridging faults and provides the corresponding troubleshooting flowcharts troubleshooting procedure...

Page 66: ... l The interfaces connected to the users are shut down manually or the physical interfaces are damaged l The device learns incorrect MAC addresses l Port isolation is configured on the device l Incorrect static Address Resolution Protocol ARP entries are configured on the user terminals l Incorrect mappings between interfaces and MAC addresses are configured on the device NOTE If users in differen...

Page 67: ...minal IP addresses No No Yes Is VLAN configuration correct Modify VLAN configuration Yes Is the fault rectified Is the fault rectified Is the fault rectified No Is port isolation configured Disable port isolation Yes No No No Are static ARP entries on terminals correct Modify static ARP entries Yes Is the fault rectified Is the fault rectified Seek technical support Yes Yes No No Yes Huawei AR2200...

Page 68: ...ion according to the distance between the user terminal and the Router Duplex modes and speeds of the local and remote interfaces are different Run the speed duplex and negotiation auto commands to ensure that the duplex modes and speeds of the interfaces are the same The interface is faulty Connect the devices using other idle interfaces l If the interface is Up go to Step 2 Step 2 Check whether ...

Page 69: ... the port command in the VLAN view l Add a trunk interface to the VLAN NOTE The default type of a router interface is hybrid To change the interface type to trunk run the port link type trunk command in the interface view Run the port trunk allow pass vlan command in the interface view l Add a hybrid interface to the VLAN by using either of the following methods NOTE The default type of a router i...

Page 70: ...oubleshooting procedure l Configuration file log file and alarm file of the AR2200 S End Relevant Alarms and Logs Relevant Alarms None Relevant Logs None 4 2 MAC Address Table Troubleshooting This chapter describes common causes of MAC address table faults and provides the corresponding troubleshooting flowcharts troubleshooting procedures alarms and logs 4 2 1 Correct MAC Address Entries Cannot B...

Page 71: ...the binding relationship between the outbound interface and the VLAN l Check whether a loop occurs on the network l Check whether the configurations on the interface conflict or MAC address learning limit is configured on the interface l Check whether the number of learned MAC addresses exceeds the limit Figure 4 2 shows the troubleshooting flowchart Huawei AR2200 S Series Enterprise Routers Troub...

Page 72: ...e some MAC entries Is fault rectified No No Yes No No Yes No Yes Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If your troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check that the configurations on the interface are correct Run the display mac address c...

Page 73: ...display this interface Ethernet2 0 1 mac address learning disable port hybrid tagged vlan 10 undo negotiation auto return Huawei vlan10 display this vlan 10 mac address learning disable return If the command output contains mac address learning disable MAC address learning is disabled on the interface or VLAN l If MAC address learning is disabled run the undo mac address learning disable command i...

Page 74: ...he maximum supported by the AR2200 S Run the display mac address summary command to check the number of MAC addresses in the MAC address table l If the number of learned MAC addresses has reached the maximum no MAC address entry can be created Run the display mac address command to view MAC address entries If the number of MAC addresses learned on an interface is much more than devices on the netw...

Page 75: ...AC addresses has not reached the maximum supported by the AR2200 S go to Step 6 Step 6 Collect the following information and contact Huawei technical support personnel l Results of the preceding troubleshooting procedure l Configuration file log file and alarm file of the AR2200 S End Relevant Alarms and Logs Relevant Alarms None Relevant Logs None 4 3 MSTP Troubleshooting This chapter describes c...

Page 76: ... Root Switch AR1 CIST MSTI0 Blocked port The troubleshooting roadmap is as follows l Check that the MSTP status is correct l Check whether the device has received TC messages l Check that no physical interface on the device alternates between Up and Down l Check that the MSTP convergence mode is Normal Figure 4 4 shows the troubleshooting flowchart Huawei AR2200 S Series Enterprise Routers Trouble...

Page 77: ...technical support No Yes Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If your troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check the status of interfaces on MSTP devices Check the role of each MSTP enabled port in each instance On the network shown in...

Page 78: ...s blocked and in the Discarding state In other instances one port on AR3 is a designated port and the other port is a root port Both of them are in the Forwarding state AR3 display stp brief MSTID Port Role STP State Protection 0 Ethernet2 0 1 DEST FORWARDING NONE 0 Ethernet2 0 2 ROOT FORWARDING NONE 1 Ethernet2 0 1 DEST FORWARDING NONE 1 Ethernet2 0 2 ROOT FORWARDING NONE 2 Ethernet2 0 1 ALTE DIS...

Page 79: ...TP recalculation is performed Run the display stp command in any view to check whether the device has received TC messages AR1 display stp CIST Global Info Mode MSTP CIST Bridge 57344 00e0 fc00 1597 Bridge Times Hello 2s MaxAge 20s FwDly 15s MaxHop 20 CIST Root ERPC 0 0018 826f fc7a 20000 CIST RegRoot IRPC 57344 00e0 fc00 1597 0 CIST RootPortId 128 2 BPDU Protection disabled TC or TCN received 0 T...

Page 80: ... stp CIST Global Info Mode MSTP CIST Bridge 57344 00e0 fc00 1597 Bridge Times Hello 2s MaxAge 20s FwDly 15s MaxHop 20 CIST Root ERPC 0 0018 826f fc7a 20000 CIST RegRoot IRPC 57344 00e0 fc00 1597 0 CIST RootPortId 128 2 BPDU Protection disabled TC or TCN received 0 TC count per hello 0 STP Converge Mode Normal Time since last TC 2 days 14h 16m 15s MSTI 1 Global Info MSTI Bridge ID 4096 00e0 fc00 15...

Page 81: ...1 1 1 1 24 User 2 1 1 1 2 24 User 3 1 1 1 3 24 As shown in Figure 4 5 Users 1 2 3 4 and 5 belong to the same network segment but different VLANs Local bridging is configured to allow users in VLAN 11 to communicate with User 3 but to be isolated from users in VLAN 12 That is users that need to communicate with each other are added to the same bridge group whereas users that do not need to communic...

Page 82: ...Saving the results of each troubleshooting step is recommended If your troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check that every bridge group has member interfaces Use Router A as an example Run the display bridge information command on Router A to check whether the bridge group has member inter...

Page 83: ... 1 Status Undo Shutdown Bridging IP Others Routing MAC learning Enable interface total 2 interface s in the bridge GigabitEthernet0 0 0 Up Vlanif11 Up Bridge 2 Status Undo Shutdown Bridging IP Others Routing MAC learning Enable interface total 1 interface s in the bridge Vlanif12 Up l If any member interface is Down troubleshoot the member interfaces in the bridge group For example check whether t...

Page 84: ...f2 As shown in Figure 4 7 Enterprise A and Enterprise C are on different network segments To allow the two enterprises to communicate with each other IP routing has been configured for bridge groups The enterprises however cannot communicate with each other This fault is commonly caused by one of the following l Physical interfaces fail to be added to bridge groups l Member interfaces in bridge gr...

Page 85: ... No Yes Add network side interfaces to the same bridge group No Yes Are there member interfaces in bridge groups Add physical interfaces to bridge groups Is fault rectified Yes Yes No No Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If your troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical s...

Page 86: ...rent system time 2011 01 07 15 27 12 08 00 Last 300 seconds input rate 0 bits sec 0 packets sec Last 300 seconds output rate 0 bits sec 0 packets sec Realtime 24 seconds input rate 0 bits sec 0 packets sec Realtime 24 seconds output rate 0 bits sec 0 packets sec Input 11 packets 0 bytes 10 unicast 1 broadcast 0 multicast 0 errors 0 drops 0 unknownprotocol Output 13 packets 0 bytes 11 unicast 2 bro...

Page 87: ...IP Others Routing IP MAC learning Enable interface total 1 interface s in the bridge Ethernet2 0 1 Up l If IP routing is not enabled for the bridge group run the routing ip command in the bridge group view to enable IP routing l If IP routing has been enabled for the bridge group check whether the IP address is correctly configured for the Bridge if interface For details see the chapter The Ping O...

Page 88: ...e bridge group see the chapter Transparent Bridge Configuration in the AR2200 S Configuration Guide LAN Access and MAN Access to add the network side interfaces to the same bridge group Step 6 Collect the following information and contact Huawei technical support personnel l Results of the preceding troubleshooting procedure l Configuration log and alarm files End Relevant Alarms and Logs Relevant...

Page 89: ...g 5 6 PPPoE Troubleshooting 5 7 PPP Troubleshooting 5 8 xDSL Troubleshooting This chapter describes how to locate and troubleshoot common xDSL faults with examples 5 9 3G Troubleshooting Huawei AR2200 S Series Enterprise Routers Troubleshooting 5 WAN Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 80 ...

Page 90: ...nt or received on the serial interface This fault is commonly caused by one of the following l The CPLD logic version of the E1 T1 board is incorrect l Timeslots of the remote interface are incorrectly bound Troubleshooting Flowchart Figure 5 1 shows the troubleshooting flowchart Huawei AR2200 S Series Enterprise Routers Troubleshooting 5 WAN Issue 01 2012 01 06 Huawei Proprietary and Confidential...

Page 91: ...the same Are configurations of serial interfaces on both ends the same Is the physical status of the serial interface Up Is the serial interface sending data Does the serial interface receive error packets Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huaw...

Page 92: ...igurations and physical attributes whether they are encapsulated with PPP and whether they use the default 16 bit CRC Check whether they have been shut down NOTE If interfaces on both ends have different CRC configurations communication between them will fail because of CRC errors l If the two serial interfaces have different configurations reconfigure them l If the two serial interfaces have the ...

Page 93: ...s 1500 Hold timer is 10 sec Derived from E1 4 0 0 Timeslot s Used 1 31 baudrate is 1984000 bps Internet Address is 192 168 22 2 24 Link layer protocol is PPP LCP opened IPCP opened Last physical up time 2011 03 24 13 46 02 Last physical down time 2011 03 24 13 46 02 Current system time 2011 03 24 14 03 31 Last 300 seconds input rate 213795 bytes sec 1710360 bits sec 4276 packets sec Last 300 secon...

Page 94: ...s A ping failure may occur in the following scenarios l Basic FR is configured l A PVC group is configured This fault is commonly caused by one of the following l In the scenario where basic FR is configured 1 No IP address is assigned to the interface 2 The mapping between the PVC and peer IP address is not generated 3 The mapping between the PVC and peer IP address is generated but no route is g...

Page 95: ... fault rectified Configure the mapping No Yes Is fault rectified No Yes Yes Yes Yes Yes Yes No No No Configure reachable routes Is fault rectified No Yes Yes No Is a PVC configured on the DCE side interface Does the number of PVCs on the DTE side interface reach the threshold Are IP addresses assigned to interfaces on both ends Is the mapping between the PVC and peer IP address generated Do both e...

Page 96: ...terface serial command in the system view to check whether there is PVC information Huawei display fr pvc info interface Serial 2 0 0 2 PVC statistics for interface Serial2 0 0 2 DTE physical UP DLCI 300 USAGE UNUSED 00000000 Serial2 0 0 2 create time 2008 01 03 19 05 54 status ACTIVE InARP Enable PVC GROUP NONE in packets 0 in bytes 0 out packets 0 out bytes 0 If no PVC information is displayed n...

Page 97: ...lete unnecessary PVCs If the number of configured PVCs does not exceed the threshold go to step 3 3 Check that IP addresses have been assigned to interfaces on both ends Run the display this command in the FR interface view to check whether an IP address is assigned to the interface Huawei Serial2 0 0 2 display this V200R001C00B110 interface Serial2 0 0 2 link protocol fr ip address 7 7 7 2 255 25...

Page 98: ... interface Serial2 0 0 2 DTE DLCI 300 IP INARP 7 7 7 1 Serial2 0 0 2 create time 2008 01 04 15 19 45 status ACTIVE encapsulation ietf vlink 9 broadcast If no mapping is generated configure the mapping between the PVC and peer address If the mapping has been generated go to step 6 6 Check that both ends have reachable routes to each other Run the display fib command to check the routing table Huawe...

Page 99: ... is 7 7 7 2 the peer IP address is 7 7 7 1 and the information in bold indicates the correct routing entry If the preceding routing entry is not displayed configure this route If the preceding routing entry is displayed go to step 7 7 Collect the following information and contact Huawei technical support personnel Results of the preceding troubleshooting procedure Configuration files log files and...

Page 100: ...p If some priorities in the PVC group are not configured for PVCs in the PVC group reconfigure priorities for PVCs If all the priorities have been configured for PVCs in the PVC group go to step 3 3 Collect the following information and contact Huawei technical support personnel Results of the preceding troubleshooting procedure Configuration files log files and alarm files of the device End Relev...

Page 101: ...eck whether there is a PVC on the DTE 3 Check whether a correct IP address is assigned to the DTE side interface No IP address is assigned to the DTE side interface Procedure Step 1 Assign an IP address to the DTE side interface After step 1 is completed the two Huawei AR2200 S Seriess can ping each other successfully End Summary A DTE learns a PVC from a DCE using the LMI protocol after the link ...

Page 102: ...e interface 2 The mapping between the PVC and peer IP address is not generated 3 The mapping between the PVC and peer IP address is generated but no route is generated l In the scenario where PPPoMFR is configured 1 No IP address is configured in the virtual template interface 2 PPP negotiation fails Troubleshooting Flowchart Figure 5 5 shows the troubleshooting flowchart in the scenario where bas...

Page 103: ...of two MFR interfaces is Up Is a PVC configured on the DCE side interface Does the number of PVCs on the DTE side interface reach the threshold Are IP addresses assigned to interfaces on both ends Is InARP enabled on both ends Is the mapping between the PVC and peer IP address generated Do both ends have reachable routes to each other Troubleshooting Procedure NOTE Saving the results of each troub...

Page 104: ...PVC exists on the DCE side interface Configure the PVC on the DCE side interface If the value of the status field is ACTIVE the PVC functions properly Go to step 2 NOTE If a sub interface is configured on the DTE side interface configure a DLCI for the sub interface 2 Check that the number of PVCs configured on the DTE side interface does not exceed the threshold Run the display fr pvc info comman...

Page 105: ... step 4 4 Check that InARP is enabled on the interface Run the display this command on the interface to check the interface configuration Huawei Serial2 0 0 2 display this V200R001C00B130 interface MFR0 0 0 undo fr inarp ip address 5 5 5 2 255 255 255 0 return If the undo fr inarp command has been run on the interface InARP has been disabled on the interface Run the fr inarp on the interface to en...

Page 106: ...nnelID 5 5 5 1 32 5 5 5 1 HU t 2082 MFR0 0 0 0x0 5 5 5 255 32 127 0 0 1 HU t 1025 InLoop0 0x0 5 5 5 2 32 127 0 0 1 HU t 1025 InLoop0 0x0 50 1 1 255 32 127 0 0 1 HU t 545 InLoop0 0x0 50 1 1 1 32 127 0 0 1 HU t 545 InLoop0 0x0 192 168 0 255 32 127 0 0 1 HU t 501 InLoop0 0x0 192 168 0 23 32 127 0 0 1 HU t 501 InLoop0 0x0 6 6 6 255 32 127 0 0 1 HU t 496 InLoop0 0x0 6 6 6 2 32 127 0 0 1 HU t 496 InLoop...

Page 107: ...22 turns into 2 state invalid 1 active 2 inactive 3 01IFNET 4 LINK_STATE l 9 The line protocol on the interface MFR0 0 0 has entered the UP state 01IFNET 4 LINK_STATE l 11 The line protocol PPP IPCP on the interface Virtual Template3 0 has entered the UP state Relevant Logs None 5 3 2 Troubleshooting Cases Two Devices Fail to Ping Each Other When the Link Protocol Status of Their Connected MFR Int...

Page 108: ...ing each other successfully only when correct routing entries are generated 5 4 DCC Troubleshooting 5 4 1 Failed to Initiate Calls Common Causes This fault is commonly caused by one of the following l A link is not set up l The DCC configurations are incorrect l The network side device does not respond l The AR rejects the call because the interaction packet type is incorrect l The network side de...

Page 109: ...ify the data channel fault Is fault rectified Seek technical support End No Yes Yes Yes Yes Yes Yes Yes Yes No No No No No Yes Yes Yes Yes Yes Yes No No No No No No No No Is the link set up successfully Is DCC properly configured Is a call triggered Does network sidedevice respond Does AR reject the call Does network side device reject the call Is the data channel in Up state Troubleshooting Proce...

Page 110: ...igurations are incorrect re configure the DCC parameters If they are correct run the debugging dialer all debugging isdn cc debugging isdn q931 terminal debugging and terminal monitor commands to check whether DCC triggers a call l If the command outputs do not contain DCC debugging information DCC does not trigger a call Restart the AR2200 S l If the command outputs contain DCC debugging informat...

Page 111: ..._REQ CallID 0x0 UserID 0x0 PortID 0x9 ServiceType 0x8 Channel 0x2 IsCompleted 0x0 Cause 0x00 Oct 14 2007 08 56 10 30 2 08 00 AR2220 CC 7 CC_Debug CC Q931 PRIM_DISCONNECT_REQ CCIndex 0x0 L3Index 0x1 PortID 0x9 CES 0x1 cause 08 02 80 90 Oct 14 2007 08 56 10 40 1 08 00 AR2220 Q931 7 Q931_Debug Serial1 0 0 15 U N DL_I_Data_Req CES 1 cr 01 01 DISCONNECT cause 08 02 80 90 l If the command outputs do not...

Page 112: ...ol current state DOWN the protocol status of the data channel is Down Rectify the fault according to 5 7 1 Protocol Status of a PPP Interface Is Down Step 7 Collect the following information and contact Huawei technical support personnel l Results of the preceding troubleshooting procedure l Configuration files log files and alarm files of the AR2200 S End Relevant Alarms and Logs Relevant Alarms ...

Page 113: ... side device Is fault rectified Is fault rectified Seek technical support End No Yes Yes Yes Yes Yes Yes Yes No No No No Yes Yes Yes Yes Yes No No No No No No No Ensure that a link is established between the two ISDN interfaces Rectify the data channel fault Does the AR receive the call Does the network side device send response packets Does the AR refuse the call Does the network side device refu...

Page 114: ...ormation is displayed the AR2200 S has received the call Go to step 3 Huawei Oct 14 2007 10 30 19 160 1 08 00 AR2220 Q931 7 Q931_Debug Serial1 0 0 15 N U DL_I_Data_Ind CES 1 cr 02 00 e7 SETUP send_comp a1 bearer 04 02 88 90 chan_id 18 03 a1 83 9a called_n 70 05 80 30 31 32 33 Step 3 Check whether the AR2200 S rejects the call Various interaction packets are sent during the setup of an ISDN call If...

Page 115: ... L3Index 0x4 PortID 0x9 CES 0x1 cause 08 02 80 90 l If the command outputs do not contain the preceding information the network side device has accepted the call Go to step 5 Step 5 Check that the protocol status of the data channel is Up Run the display isdn active channel command to check the activated data channel Huawei display isdn active channel Serial1 0 0 15 Channel Call Call Calling Calli...

Page 116: ...physical interface cannot go Up l The cable between ISDN interfaces is faulty l The interface configuration is incorrect l Packets are incorrectly sent l The network side device is faulty Troubleshooting Flowchart Figure 5 9 shows the troubleshooting flowchart Huawei AR2200 S Series Enterprise Routers Troubleshooting 5 WAN Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Te...

Page 117: ...ns to provide Huawei technical support personnel Procedure Step 1 Check that the physical status of the interface is Up Run the display controller e1 command in the system view to check whether the physical status of the interface is Up The following information uses the display on E1 1 0 0 as an example l If E1 1 0 0 current state Administratively DOWN is displayed E1 1 0 0 has been shut down by ...

Page 118: ...ame is a basic frame which is also called a dual frame or an odd even frame The local and remote interfaces must use the same frame format If the local and remote interfaces use different frame formats run the frame format command in the CE1 interface view to reconfigure the frame format so that the two interfaces use the same frame format Check whether the local and remote interfaces use the same...

Page 119: ...nd received on the local and remote interfaces NOTE After the display controller e1 command is run in the system view if the Alarm State field is displayed as Remote Alarm Indication packets may be incorrectly sent or received on the local and remote interfaces Run the debugging isdn q921 terminal debugging and terminal monitor commands in sequence to check sent packets In the command output U N i...

Page 120: ... q921 terminal debugging and terminal monitor commands in sequence to check sent packets In the command output N U indicates a direction from the network side interface to the user side interface If response packets have been received from the remote end information is displayed following N U l If the following information only U N information is displayed no response packet is sent from the netwo...

Page 121: ...t 12 2007 14 28 57 430 1 08 00 Huawei Q921 7 Q921_Debug Serial1 0 0 15 U N Len 3 00 01 7F U N sapi 00 tei 00 c r 0 SABME p 1 Huawei Oct 12 2007 13 55 20 680 2 08 00 Huawei Q921 7 Q921_Debug Serial1 0 0 15 N U Len 3 02 01 73 N U sapi 00 tei 00 c r 1 UA f 1 Huawei Oct 12 2007 13 55 20 680 3 08 00 Huawei Q921 7 Q921_Debug FUN ISDN_Q921_HandleOnTEIAssign LINE 1054 ISDN Layer 2 link state change MULTIP...

Page 122: ...orrect l The physical interface frequently alternates between Up and Down states l User authentication fails l No IP address is assigned to the PPPoE client l No echo message is received Troubleshooting Flowchart Figure 5 10 shows the troubleshooting flowchart Huawei AR2200 S Series Enterprise Routers Troubleshooting 5 WAN Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Te...

Page 123: ... of your actions to provide Huawei technical support personnel Procedure Step 1 Check that the physical interface is working properly Run the display this interface command on the physical interface to check whether the physical interface frequently alternates between Up and Down states l If the physical interface frequently alternates between Up and Down states check the physical connection or re...

Page 124: ... on Huawei B debugging ppp all interface Dialer 10 If the following information is displayed authentication fails Huawei B Jan 21 2008 17 40 56 420 1 08 00 AR1220 B MID_PPP 7 debug2 PPP Packet Dialer10 0 Input CHAP c223 Pkt Len 33 State SendResponse code FAILURE 04 id 2 len 29 Message Illegal User or password Huawei B Jan 21 2008 17 42 37 520 4 08 00 AR1220 B MID_PPP 7 debug2 PPP Packet Dialer10 0...

Page 125: ...le IP addresses Use an IP address pool with available IP addresses instead of the IP address pool configured on the virtual template interface of the PPPoE server If the negotiated IP address of the PPPoE client conflicts with another local IP address the PPP protocol also frequently alternates between Up and Down states l If the PPPoE server fails to assign IP addresses to the PPPoE client check ...

Page 126: ...s the protocol status of the interface to be Down This fault is commonly caused by one of the following l PPP configurations on the two ends of the link are incorrect l The physical status of the interface is Down l PPP packets are discarded l A loop occurs on the link l The link delay is too long Troubleshooting Flowchart The troubleshooting roadmap is as follows l Check that PPP configurations o...

Page 127: ...the link delay Is fault rectified Yes No Yes No Yes No Yes No Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If your troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check that PPP configurations on the two ends of the link are correct Run the display this ...

Page 128: ...nfigured with the same password for PPP authentication If PAP authentication is adopted do as follows to check the configured user name and password Check the user name and password of the authenticatee in the interface view Huawei Serial2 0 0 display this interface Serial2 0 0 link protocol ppp ppp pap local user huawei password simple huawei undo shutdown return Check the user name and password ...

Page 129: ...Troubleshooting l If the physical status of the interface is Up but the fault persists go to Step 3 Step 3 Check that the interface can sent and receive protocol packets Run the display interface interface type interface number command to check the number of sent packets and received packets to determine whether the interface sends and receives protocol packets Huawei display interface Serial 2 0 ...

Page 130: ...ace type interface number command to check the number of sent and received protocol packets and the status changes of the PPP state machine Jun 2 2010 17 19 41 310 1 Huawei PPP 7 debug2 Slot 1 PPP Event Serial2 0 0 LCP TO Timeout with counter 0 Event state acksent Retransmit 4 Jun 2 2010 17 19 41 310 2 Huawei PPP 7 debug2 Slot 1 PPP Packet Serial2 0 0 Output LCP c021 Pkt Len 18 State acksent code ...

Page 131: ...isplayed it indicates that a loop occurs on the link You need to locate the cause of the loop and eliminate the loop l If no loop occurs but the fault persists go to Step 5 Step 5 Check that the link delay is tolerant Use a tester to test the link delay On a Huawei router the transmission of a PPP packet times out in 3 seconds and the timeout period is configurable The link delay must be smaller t...

Page 132: ...t transmission standards Troubleshooting Flowchart Figure 5 12 shows the troubleshooting flowchart Figure 5 12 Troubleshooting flowchart for the packet forwarding failure on an ADSL interface working in ATM mode Packets fail to be forwarded on an ADSL interface in ATM mode No Yes Seek technical support Is fault rectified End Is the physical status of the ADSL interface Up Is ATM correctly configur...

Page 133: ...ransmission standard of the remote interface If the local and remote interfaces use different transmission standards run the adsl standard command on the local ADSL interface to change its transmission standard to be the same as the transmission standard of the remote interface If Atm1 0 0 current state DOWN is still displayed go to step 3 l If Atm1 0 0 current state UP is displayed ATM1 0 0 is in...

Page 134: ...w to assign the local VE interface an IP address that is on the same network segment as the IP address of the remote interface Run the display this command in the ATM PVC view to check whether IPoEoA mapping is correctly configured on the PVC IPoEoA mapping is correctly configured If IPoEoA mapping is incorrectly configured run the map bridge command in the ATM PVC view to reconfigure it on the PV...

Page 135: ...n the ppp pap local user or ppp chap password command in the dialer interface view to change the PPP user name and password of the local dialer interface to be the same as those of the remote interface Run the display this command in the ATM PVC view to check whether PPPoEoA mapping is correctly configured on the PVC PPPoEoA mapping is correctly configured If PPPoEoA mapping is incorrectly configu...

Page 136: ... caused by one of the following l The cable is not properly connected to the interface or the interface is shut down l The local and remote G SHDSL interfaces are using different transmission standards l The local and remote G SHDSL interfaces are working in different PSD modes Troubleshooting Flowchart Figure 5 13 shows the troubleshooting flowchart Huawei AR2200 S Series Enterprise Routers Troub...

Page 137: ...he local transmission standard to be the same as the remote transmission standard No Yes Is fault rectified Do the local and remote G SHDSL interfaces work in the same PSD mode No Change the local PSD mode to be the same as the remote PSD mode No Yes Is fault rectified Yes Troubleshooting Procedure Procedure Step 1 Check that the physical status of the G SHDSL interface is Up Run the display inter...

Page 138: ...remote G SHDSL interfaces use the same binding mode l The numbers of bound interfaces on both ends are the same l The main interfaces on both ends are the same If the binding modes of the G SHDSL interfaces main interfaces or numbers of bound interfaces on both ends are different perform the following operations 1 Run the following commands on the four G SHDSL interfaces l Run the shutdown command...

Page 139: ...is correctly configured l If IP packets are transmitted over ATM links check the following items Item Expected Result Follow up Operation Run the display this command in the G SHDSL interface view to check whether the IP address of the local G SHDSL interface is on the same network segment as the IP address of the remote interface IP addresses of the local G SHDSL interface and the remote interfac...

Page 140: ... packets are transmitted over ATM links check the following items Item Expected Result Operation Check whether the local VT interface and the remote interface have the same PPP user name and password The local VT interface and the remote interface have the same PPP user name and password If the local VT interface and the remote interface have different PPP user names or passwords run the ppp pap l...

Page 141: ...orrectly configured on the PVC A correct VE interface is specified If an incorrect VE interface is specified run the map bridge command in the ATM PVC view to correctly configure PPPoEoA mapping on the PVC If the fault persists go to step 5 Step 5 Collect the following information and contact Huawei technical support personnel l Results of the preceding troubleshooting procedure l Configuration fi...

Page 142: ...art for 3G calls Figure 5 14 Troubleshooting flowchart for 3G calls 3G calls failed after dialing parameters are correctly set Does 3G modem function properly End Reinstall the 3G modem No No Is fault rectified Yes Seek technical support Is the profile configured on WCDMA network Configure a 3G modem profile Is fault rectified No Yes Yes Yes No Does SIM card work Insert or unlock the SIM card ensu...

Page 143: ...and it needs to be reinstalled l The value Present indicates that the 3G modem is functioning properly Go to step 2 Step 2 Run the display cellular interface number all command If the following information is displayed the 3G network is available Go to step 3 Network Information Current Service Status Service available Current Service Combined Packet Service Attached Packet Session Status Active C...

Page 144: ...until the data card completes initialization If a 3G call still fails go to step 4 NOTE There are two ways to initiate dialing l Triggered by data traffic For example when you attempt to open a web page data traffic is transmitted to the 3G interface The 3G interface then triggers dialing l Automatic dialing If you run the dialer number 99 autodial WCDMA or dialer number 777 autodial CDMA2000 comm...

Page 145: ...l monitor and terminal debugging commands to display debugging information on the terminal After debugging run the undo debugging all command to disable it immediately Command Functions debugging dialer all debugging dialer info Enables a dialup event and displays debugging information debugging ppp lcp all Enables PPP LCP debugging debugging ppp ipcp all Enables PPP IPCP debugging End Relevant Al...

Page 146: ...ate l Jun 5 2011 10 08 58 00 00 Huawei 01IFNET 4 LINK_STAT32a771c PPP_CopyConfigToBChannelE l 2 The line protocol on the interface Cellular0 0 0 has entered the DOWN state l Jun 5 2011 10 08 558 DCC_TaskEntry 0x004c5f358 00 00 Huawei IFNET 6 IF_PVCUP OID 1 3 6 1 6 3 1 1 5 4 Interfa 0x04db8f74 vxTaskEntry 0x0ce 13 turned into DOWN state AdminStatus 1 OperStatus 1 InterfacepuID 1 TaskID 166 Sn 256 N...

Page 147: ...ut This Chapter 6 1 Voice Service Troubleshooting Huawei AR2200 S Series Enterprise Routers Troubleshooting 6 Voice Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 138 ...

Page 148: ...TS board working properly No Yes End Is fault rectified No Repair or replace the power supply No No Is fault rectified Yes Seek technical support Yes Yes Is external line test successful Repair or replace the external line No Is fault rectified Yes Yes No Is feeder voltage on the port normal Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If troublesho...

Page 149: ...t Huawei voice vdiagnose Testing port 0 2 1 Telno 28780000 MGid 0 Terminalid Test item Result Digital Voltage Normal Low Battery Normal High Battery Normal Positive Battery Normal Loop current Normal Feeder voltage Normal Ringing current voltage Normal Ringing current frequency Normal VAG Normal VBG Normal Feeder voltage V 47 780 Ringing current voltage V 0 000 Loop current mA 0 000 l If the Feede...

Page 150: ...s displayed as Normal go to step 4 Step 4 Collect the following information and contact Huawei technical support personnel l Results of the preceding troubleshooting procedure l Configuration files log files and alarm files of the AR2200 S End Relevant Alarms and Logs Relevant Alarms None Relevant Logs None 6 1 2 No Dial Tone Is Heard After Offhook Common Causes This fault is commonly caused by on...

Page 151: ...ommand to check whether the port status is in service after offhook Huawei voice display voice port state 2 0 1 Fxs Port Port 2 0 1 PTPSrvState Normal PTPAdmState NoLoop NoTest CTPSrvState In service CTPAdmState StartSvc LineState Normal l If the port status is not in service repair or replace the subscriber line l If the port status is in service go to step 2 Step 2 Check whether the interface ca...

Page 152: ...l Results of the preceding troubleshooting procedure l Configuration files log files and alarm files of the AR2200 S End Relevant Alarms and Logs Relevant Alarms None Relevant Logs None 6 1 3 Call Quality Is Low Common Causes This fault is commonly caused by one of the following l Voice data flows are blocked in one direction For example a firewall on the network blocks the port number of Real tim...

Page 153: ...troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check whether there is any QoS alarm record View historical alarm records on the AR2200 S to check whether there is any QoS alarm record l If there are QoS alarm records rectify network faults according to instructions in the alarms l If there is no QoS a...

Page 154: ...es in the call or unidirectional communication is located rectify this fault l If no fault occurs on the bearer network go to step 5 Step 5 Collect the following information and contact Huawei technical support personnel l Results of the preceding troubleshooting procedure l Configuration files log files and alarm files of the AR2200 S End Relevant Alarms and Logs Relevant Alarms None Relevant Log...

Page 155: ...ault rectified Yes No No Yes Is there available DSP channel Ensure that DSP channels are sufficient No Is fault rectified Yes No Rectify network fault and modify SIP AG configuration Modify License configuration Is License configured correct No Yes Is fault rectified No Yes Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If troubleshooting fails to cor...

Page 156: ...after ring Clipformat sdmffsk Dctime 100 ms Fsktime 800 ms Vqeagc off Vqesns off Vqeagclevel 22 dbm0 Vqesnslevel 12 dB Dspinputgain 0 dB Dspoutputgain 0 dB Dsptemplate Ansbarbysingletone off Bellansflag off Fskmode BELL202 Fsk taspattern NO TAS Run the display voice sipag auth running command to check the authentication configuration Huawei voice sipag 0 display voice sipag auth running 0 SIP auth...

Page 157: ...2200 S to check whether there is any QoS alarm record l If there are QoS alarm records rectify network faults according to instructions in the alarms l If no QoS alarm is found go to Step 6 Step 6 Check the digital signal processing DSP channel usage Huawei display voice dsp dimm statistic 0 0 Slotid Dsp index 0 0 Total 108 Idle 107 G 711Busy 1 AllBusy 0 Wastage 0 Fault 0 LoopBack 0 Prohibited 0 T...

Page 158: ...tion A call fails to be connected Is the calling number restricted No Yes End Is fault rectified No Cancel the restriction Yes No Is fault rectified No Seek technical support Yes Yes Rectify network fault No Is fault rectified Yes Yes Change the codec mode No Is fault rectified Yes No Yes No Is calling party configuration complete Is network working properly Is media negotiation successful Huawei ...

Page 159: ...s are configured correctly go to step 2 Step 2 Check whether the softswitch restricts some functions of the calling party For example the calling party may not have a right to make toll calls Capture signaling packets on the AR2200 S Check whether the AR2200 S has received the 100 Trying or 180 Ringing message after sending an Invite message l If the AR2200 S has received the 4XX or 5XX message bu...

Page 160: ...the fault on the network l If the network is functioning properly go to step 4 Step 4 Check whether media negotiation is successful Capture packets to check whether media negotiation is successful Check the SDP information in invite and 200 OK messages If the SDP information on the device at the called party side is the same as that on the AR2200 S media negotiation is successful l If media negoti...

Page 161: ...alling number cannot be displayed No Yes End Is fault rectified No Change FSK number display mode No No Is fault rectified Yes Seek technical support Yes Yes Remove interference or repair the line No Yes Is fault rectified No Yes Does telephone support display mode Is CLIP service configuration correct Is there signal interference or line fault Troubleshooting Procedure NOTE Saving the results of ...

Page 162: ...OCM Disable ICM Disable CCBS Disable CCNR Disable CR Disable In the command output Clip indicates the Calling Line Identification Presentation CLIP service clir indicates the Calling Line Identification Restriction CLIR service and Disclir indicates the Identification Restriction Override RIO service Run the following command in the user identifier view to enable the CLIP service Huawei voice dial...

Page 163: ...off Bellansflag off Fskmode BELL202 Fsk taspattern NO TAS Check whether the called party s telephone supports calling number display before or after the ring Alternatively change the time to send the calling number on the AR2200 S and check whether the calling number can be displayed Enter the SIP AG user view and set the time to send the calling number Huawei voice sipaguser 1 clip transmission s...

Page 164: ...negotiation modes on the SIP devices at the calling party and called party sides are different l The fax transmission modes on the SIP devices at the calling party and called party sides are different l There are echoes or other environmental factors causing signal quality deterioration Troubleshooting Flowchart Figure 6 7 shows the troubleshooting flowchart Huawei AR2200 S Series Enterprise Route...

Page 165: ...cord of your actions to provide Huawei technical support personnel Procedure Step 1 Check that the fax service type is correct Run the display voice online statistic command to check voice service statistics The value in PSTN user keeping increases by 1 every time a user picks up the phone and starts a conversation When the service type changes to fax or modem the value in FAX user keeping or MODE...

Page 166: ...t the fax transmission mode to transparent transmission or T38 transmission Run the fax modem modem transmission mode command to set the modem transmission mode to transparent transmission or delayed transmission l If the data configurations on the softswitch and SIP devices are correct go to step 4 l If any of data configurations are incorrect modify the configurations Step 4 Check whether media ...

Page 167: ...mmonly caused by one of the following l The data configuration on the SIP AG is incorrect l There is no reachable route between the AR2200 S and the softswitch l Signaling packets are discarded on an intermediate device l There are echoes or other environmental factors causing signal quality deterioration Troubleshooting Flowchart Figure 6 8 shows the troubleshooting flowchart Huawei AR2200 S Seri...

Page 168: ...oting Procedure NOTE Saving the results of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check whether the AR2200 S can ping the softswitch Run the display voice sipag command to check the status of the SIP AG Ensure that it is in Up state Huawei display vo...

Page 169: ...m Phone Context Register URI huawei com Conference Factory URI Primary Proxy State down Secondary Proxy State Subscribe to UA Profile Enable Subscribe to REG STATE Disable Subscribe to MWI Enable SDP negotiation mode Remote Mode of supporting proxy dual homing dualhome Proxy detection mode option Proxy refresh mode immediate l If any of configurations are incorrect modify the configurations l If t...

Page 170: ... 4 Check signaling interaction between the SIP AG and the remote device Capture signaling packets to check whether signaling packets are discarded on an intermediate device l If the intermediate device that discards signaling packets is located rectify the fault on the device l If the intermediate device that discards signaling packets cannot be located go to step 5 Step 5 Collect the following in...

Page 171: ...eshooting This chapter describes common causes of Dynamic Host Configuration Protocol DHCP faults and provides troubleshooting flowcharts troubleshooting procedures alarms and logs 7 3 RIP Troubleshooting 7 4 OSPF Troubleshooting Huawei AR2200 S Series Enterprise Routers Troubleshooting 7 IP Forwarding and Routing Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Technologie...

Page 172: ...f the source end does not receive any Response packet from the destination end within the waiting time the ping operation fails l There are improper configurations For example packet fragmentation is not enabled when a large Ping packet is sent but the outbound interface of the packet has a smaller MTU l Routing entries or ARP entries for Ethernet links are incorrect l The hardware is faulty Troub...

Page 173: ...ssion delay too long Is the ping operation correct Correctly perform the ping operation Does the network layer of the device work properly Ensure that the network layer works properly Clear faults on the link and optical module Yes Yes Yes Yes Yes Yes Yes Yes Yes No Yes Yes No No No No No No No No Do error packets exist on interfaces Seek technical support End Is fault rectified Is fault rectified...

Page 174: ...y is shorter than the actual delay To solve this problem increase the value of t If the ping operation can succeed only after t is increased to a very long value there is a possibility that a fault occurs on the device or link Check the device and link status and clear the fault If the fault persists go to Step 2 NOTE To ping a private network address from a PE you need to run the ping vpn instanc...

Page 175: ...the ping operation on the source end and destination end and run the display icmp statistics command to check ICMP packet transmission The following information is displayed Huawei display icmp statistics Input bad formats 0 bad checksum 0 echo 36 destination unreachable 9 source quench 0 redirects 43 echo reply 18 parameter problem 0 timestamp 0 information request 0 mask requests 0 mask replies ...

Page 176: ...er determining the direction in which the fault occurs go to Step 4 l If the number of ICMP packets still increases it indicates that the board or the device receives other ICMP packets Do as follows to locate the fault NOTE Before performing subsequent operations ensure that l Services on the current network will not be affected l No traffic policies are applied to interfaces 1 Configure an ACL o...

Page 177: ...it indicates that the intermediate device works properly Then you need to check whether or not a fault occurs on the source end or destination end If incoming Ping packets of one of the three devices do not match the ACL it indicates that the upstream device of this device becomes faulty Then go to Step 5 Step 4 Locate the node where the fault occurs Locate the node according to the direction in w...

Page 178: ... where the fault occurs are correct Run the display fib slot number destination address command on the node where the fault occurs on check whether or not there is a route to the destination address If there is no such route see the Huawei AR2200 S Series Troubleshooting IP Routing If there is a route to the destination address and Ping packets are transmitted over an Ethernet link run the display...

Page 179: ...ecksum 0 bad options 0 discard srr 0 TTL exceeded 0 Output forwarding 0 local 268816 dropped 0 no route 0 Fragment input 0 output 0 dropped 0 fragmented 0 couldn t fragment 0 Reassembling sum 0 timeouts 0 If error packet statistics such as the values of the bad protocol bad format bad checksum bad options discard srr TTL exceeded dropped no route and couldn t fragment fields displayed in the comma...

Page 180: ...ooting procedure l Configuration files log files and alarm files of the devices End Relevant Alarms and Logs Relevant Alarms None Relevant Logs None 7 1 2 Troubleshooting Cases Pinging a Directly Connected Device Fails Because of an Incorrect ARP Entry Fault Symptom As shown in Figure 7 3 Router A and Router B are directly connected Router A replaced another device that was previously connected to...

Page 181: ...eck the ARP table RouterB display arp all IP ADDRESS MAC ADDRESS EXPIRE M TYPE INTERFACE VPN INSTANCE VLAN CEVLAN PVC 1 1 1 2 0025 9e80 248e I GE1 0 0 1 1 1 1 0016 ecb9 0eb2 18 s GE1 0 0 Total 2 Dynamic 0 Static 1 Interface 1 This ARP table shows that the IP address 1 1 1 1 maps the MAC address 0016 ecb9 0eb2 The ARP entry type is S indicating a static ARP entry According to the ARP table on Route...

Page 182: ... in to it to check the configuration configure the mirroring function to analyze packets transmitted between Router A and Router B and then ping Router B from Router A Check whether the destination MAC addresses of the packets are correct 7 2 DHCP Troubleshooting This chapter describes common causes of Dynamic Host Configuration Protocol DHCP faults and provides troubleshooting flowcharts troubles...

Page 183: ...ss on the AR2200 S are on different network segments If the client and server are located on different network segments and no relay agent is deployed all IP addresses in the global address pool and the interface IP address on the relay agent are on different network segments l There are no available addresses in the address pool Troubleshooting Flowchart Figure 7 4 shows the troubleshooting flowc...

Page 184: ... pool or reconfigure an IP address for the interface No Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If you are unable to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check whether a fault occurs on the link between the client and the DHCP server l If the client and server ar...

Page 185: ...AR2200 S NOTE If the DHCP address allocation mode is not set on the interface of the AR2200 S the client cannot obtain an IP address in DHCP mode Run the display this command in the AR2200 S interface view to check whether the DHCP address allocation mode is set Information Displayed Description Subsequent Operation dhcp select global The AR2200 S allocates IP addresses to DHCP clients from the gl...

Page 186: ...erface IP address to be on the same network segment as all addresses in the global address pool If all addresses in the global address pool and the interface IP address on the relay agent are located on the same network segment perform step 5 Step 5 Check whether the address pool contains available IP addresses Run the display ip pool name ip pool name command to check the availability of IP addre...

Page 187: ...ty l DHCP is disabled on the AR2200 S globally As a result the DHCP function does not take effect l The DHCP relay function is disabled on the AR2200 S As a result the DHCP relay function does not take effect l The DHCP relay agent is not bound to the DHCP server The DHCP server IP address is not configured on the DHCP relay agent The interface on the DHCP relay agent is not bound to a DHCP server...

Page 188: ...t Yes No Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If your troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check whether a fault occurs between the DHCP client and the DHCP server 1 Check whether DHCP snooping is enabled on devices between the client ...

Page 189: ... Check that the DHCP relay function is enabled NOTE l If the DHCP relay function is disabled the DHCP client cannot obtain an address on another network segment l If the address allocation mode global interface and relay are both configured on the AR2200 S the AR2200 S will function as a DHCP server If the DHCP server is unable to allocate IP addresses the AR2200 S will function as a DHCP relay ag...

Page 190: ...e Server IP field is not displayed no DHCP server has been added to the DHCP server group Run the dhcp server command to add DHCP servers to the DHCP server group Step 6 Check that the configurations of other devices along the link between the DHCP client and the DHCP server are correct including DSLAMs LAN switches and other clients Check whether the configurations of other devices along the link...

Page 191: ...ger than 16 l Other protocols have learned the same routes in the routing table l The number of the received routes exceeds the upper limit l The MTU value of the incoming interface is less than 532 l The authentication of sending and receiving interface is not matching Troubleshooting Flowchart If a router receives partial or none routes or the display ip routing table command dose not display ro...

Page 192: ... normal state on the ingress Ensure the same version number on sending and receiving interface Ensure the policy does not filter out received packets Reduce the value of rip metricin Is fault rectified Is fault rectified Is fault rectified Is fault rectified Is fault rectified Is fault rectified End Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If yo...

Page 193: ...heck whether the undo rip input command is configured on the incoming interface The rip input command enables a specified interface to receive RIP packets The undo rip input command disables a specified interface from receiving RIP packets If the undo rip input command is configured on the incoming interface all the RIP packets from the interface cannot be processed Therefore the routing informati...

Page 194: ...enerally greater than that of RIP Routes learned through OSPF or IS IS are preferred by routing management Run the display ip routing table protocol rip verbose command to view routes in the Inactive state Step 10 If the fault persists contact Huawei technical support personnel and provide them with the following information l Results of the preceding troubleshooting procedure l Configuration file...

Page 195: ...e IP address of the interface cannot be added to the advertised routing table for RIP l Although the outgoing interface does not support the multicast or broadcast mode packets must be sent to a multicast or broadcast address l The MTU value of the outgoing interface is less than 52 Troubleshooting Flowchart If a router sends partial or none routes refer to the following troubleshooting flowchart ...

Page 196: ... normal state on the egress Cancel the silent interface command Cancel the undo rip output command Ensure the policy does not filter out routes imported by RIP If packets are sent to local interface ensure the normal state on local interface Interface is enabled multicast and peer command is configured correctly Is fault rectified Is fault rectified Is fault rectified Is fault rectified Is fault r...

Page 197: ... RIP packets If the silent interface command is configured disable suppression on the interface Step 4 Check whether the undo rip output command is configured on the outgoing interface Run the display current configuration command on the outgoing interface to view whether the rip output command is configured The rip output command enables the interface to send RIP packets The undo rip output comma...

Page 198: ... information is not sent to the neighbor Step 8 Check whether there are other problems If the outgoing interface does not support multicast or broadcast mode and a packet needs to be sent to a multicast or broadcast address this fault will occur This potential source of the fault can be removed by configuring the peer command in the RIP mode to make routers send packets with unicast addresses Step...

Page 199: ... that the OSPF neighbor relationship is Down The OSPF neighbor relationship is Down Check logs or alarms to find the value of the NeighborDownImmediate field Neighbor Down Due to Inactivity Neighbor Down Due to Kill Neighbor Neighbor Down Due to 1 Wayhello Received Check the interface and BFD Is fault rectified Check the remote device Is fault rectified Neighbor Down Due to SequenceNum Mismatch Ch...

Page 200: ...erface fault If the value of the NeighborDownPrimeReason field is BFD Session Down it indicates that the BFD session status is Down In this case troubleshoot the BFD fault If the value of the NeighborDownPrimeReason field is OSPF Process Reset it indicates that the reset ospf process command has been run The OSPF process is restarting Wait until OSPF re establishes the OSPF neighbor relationship l...

Page 201: ... 0 Routing Table Intra Area 1 Inter Area 0 ASE 0 Up Interface Cumulate 1 l If the OSPF status of the interface is not Down go to Step 5 Step 5 If the interface is connected to a broadcast network or an NBMA network ensure that the IP addresses of the two devices are on the same network segment l If the IP addresses of the two devices are on different network segments modify the IP addresses of the...

Page 202: ...ror command every 10s for 5 m Huawei display ospf error OSPF Process 1 with Router ID 1 1 1 1 OSPF error statistics General packet errors 0 IP received my own packet 0 Bad packet 0 Bad version 0 Bad checksum 0 Bad area id 0 Drop on unnumbered interface 0 Bad virtual link 0 Bad authentication type 0 Bad authentication key 0 Packet too small 0 Packet size ip length 0 Transmit error 0 Interface down ...

Page 203: ...ical support personnel and provide them with the following information l Results of the preceding troubleshooting procedure l Configuration files log files and alarm files of the devices End Relevant Alarms and Logs Relevant Alarms OSPF_1 3 6 1 2 1 14 16 2 2 ospfNbrStateChange Relevant Logs OSPF 4 NBR_DOWN_REASON 7 4 2 The OSPF Neighbor Relationship Cannot Reach the Full State Common Causes This f...

Page 204: ...Is the neighbor relationship always in the 2 Way state Check the interface configured Is fault rectified Seek technical support End Yes Yes Yes Yes No No Yes No Yes Yes No See OSPF Neighbor Relationship Is Down to rectify the fault Is fault rectified No No No No Is the neighbor relationship always in the Exstart state Perform the ping operation Is fault rectified Is the neighbor relationship alway...

Page 205: ...e OSPF Process 1 with Router ID 1 1 1 1 Interfaces Area 0 0 0 0 IP Address Type State Cost Pri DR BDR 192 1 1 1 Broadcast DR 1 1 192 1 1 1 0 0 0 0 If the OSPF status of the interface is Up go to Step 2 If the OSPF status of the interface is Down run the display ospf cumulative command to check whether the number of interfaces with OSPF enabled in the OSPF process exceeds the upper threshold If so ...

Page 206: ...g s 1500 neighbor address command to check the sending and receiving of packets that are too long If the two devices fail to ping each other solve the link problem first The OSPF MTUs of the two devices are different If the ospf mtu enable command is run on the OSPF interfaces check whether the OSPF MTUs on the two interfaces are the same If they are not the same change the MTUs of the interfaces ...

Page 207: ...8 0 5 RouterB ip route static 0 0 0 0 0 0 0 0 192 168 0 1 Router A and Router B advertise default routes to Router C in an unforced manner Normally Router C has a default external route to Router A and another default external route to Router B Router C however has a route to only one of Routers A and B in the following situations l The static route 192 168 0 65 on Router A is deleted and other co...

Page 208: ...ext hop based on the value of the FA field a OSPF is enabled on the interface connecting the ASBR to an external network b The interface connecting the ASBR to an external network is not configured as a silent interface c The network type of the interface connecting the ASBR to an external network is not P2P or P2MP d The address of the interface connecting the ASBR to an external network is withi...

Page 209: ...S is connected Figure 7 11 Network diagram of the router receiving two LSAs with the same LS ID but fails to calculate a route based on one of the LSAs RouterB RouterA BAS 10 1 1 0 Static route destined for 10 1 1 0 10 1 3 1 10 1 2 26 The following uses traffic sent to network segment 10 1 1 0 as an example On Router B a static route to 10 1 1 0 is configured and OSPF is configured to import stati...

Page 210: ...eply from 10 1 2 26 bytes 56 Sequence 2 ttl 254 time 1 ms 0 00 packet loss round trip min avg max 1 1 1 ms RouterA display ip routing table 10 1 2 26 10 1 2 24 30 OSPF 10 101 D 10 1 2 45 GigabitEthernet1 0 0 OSPF 10 101 D 10 1 2 49 GigabitEthernet2 0 0 3 On this network the costs of LSAs are 1 Compare the cost of the route to the ASBR and the cost of the route to the FA For Type 2 ASE LSAs OSPF eq...

Page 211: ...ghbor relationship cannot be established between two devices RouterB RouterA 10 1 1 0 Fault Analysis The possible causes are as follows l The OSPF configurations are improper l Parameters of the two devices are incorrectly set l The OSPF packets are lost Check the configuration of Router A and find that Router A is correctly configured Check the OSPF parameters on the corresponding interfaces and ...

Page 212: ... as the debugging ospf packet and debugging ospf event commands to locate the fault or run the display ospf error command to view the various OSPF error statistics If the OSPF configuration is correct run the debugging ip packet command to check whether packets are successfully forwarded at the IP layer An OSPF Routing Loop Occurs Because Router IDs of Devices Conflict Fault Symptom In the network...

Page 213: ...arned by CE1 a routing loop occurs As a result routes are unreachable and packet loss occurs Procedure Step 1 Run the ospf 4 router id 10 2 2 9 vpn instance www command on PE1 to specify the router ID of the OSPF multi instance as the unique address of PE1 and run the ospf 4 router id 10 2 2 10 vpn instance www command on PE2 to specify the router ID of the OSPF multi instance as the unique addres...

Page 214: ... This Chapter 8 1 Layer 3 Multicast Troubleshooting Huawei AR2200 S Series Enterprise Routers Troubleshooting 8 Multicast Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 205 ...

Page 215: ...st is configured multicast traffic cannot be transmitted to users The troubleshooting roadmap is as follows l Check that a route destined for the multicast source is available l Check that the VLANs on the inbound and outbound interfaces of the multicast route function properly l Check that the PIM routing entries are created l Check that the multicast forwarding entries are created Huawei AR2200 ...

Page 216: ...ils to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check that a route destined for the multicast source is available Run the display ip routing table ip address command to check whether the local routing table contains a route destined for the multicast source NOTE ip address specifies the multicast source address l If not...

Page 217: ...ast 0 Multicast 11177 Broadcast 0 Jumbo 0 Discard 0 Total Error 0 CRC 0 Giants 0 Jabbers 0 Throttles 0 Runts 0 DropEvents 0 Alignments 0 Symbols 0 Ignoreds 0 Frames 0 Output 194443 packets 26925040 bytes Unicast 0 Multicast 183273 Broadcast 11170 Jumbo 0 Discard 0 Total Error 0 Collisions 0 ExcessiveCollisions 0 Late Collisions 0 Deferreds 0 Buffers Purged 0 Input bandwidth utilization threshold 1...

Page 218: ...monly caused by one of the following causes l The interface is physically Down or the link layer protocol status of the interface is Down l PIM is not enabled on the interface l PIM configurations on the interface are incorrect Troubleshooting Flowchart After PIM network configuration is complete the PIM neighbor relationship remains Down Figure 8 2 shows the troubleshooting flowchart Huawei AR220...

Page 219: ...urations on the interface correct Is the link status Up on the interface Is the interface physically Up Refer to the troubleshooting of interface Down Refer to the troubleshooting of interface Down Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If troubleshooting fails to correct the fault a record of the actions taken will exist to provide to Huawei ...

Page 220: ...s l The IP addresses of directly connected interfaces are on different network segments l PIM silent is configured on the interface l A PIM neighbor filtering policy is configured on the interface and the address of the PIM neighbor is filtered out by the policy l If the interface is configured to deny Hello messages without Generation IDs the interface discards all the Hello messages received fro...

Page 221: ...ssages l PIM SM is not enabled on interfaces l The RPF route to RP is incorrect for example the unicast route contains a loop l Configurations are incorrect for example the configurations of the TTL MTU or multicast boundary are improper Troubleshooting Flowchart After a PIM SM network is configured the RPT cannot forward data Figure 8 3 shows the troubleshooting flowchart Huawei AR2200 S Series E...

Page 222: ...s Yes Is a source policy configured Remove the configurations of the source policy or change the configurations of the ACL No No Yes No Yes Are RP configurations correct No Has the downstream interface received Join messages Is fault rectified No Yes Yes No Is fault rectified Is fault rectified Yes No Is fault rectified Is fault rectified Is fault rectified Re check the receiver s DR Is the interf...

Page 223: ...S G entries If the current device is already an RP it indicates the RPT has been set up but the RP fails to receive the multicast data from the multicast source The fault may be caused by a failure in source s DR registration In such a case go to Step 10 l If the PIM routing table does not contain correct G entries go to Step 2 Step 2 Check that the downstream interface has received Join messages ...

Page 224: ...he dynamic RP is used go to Step 10 l If RP information of a specific group is consistent on all the devices go to Step 5 Step 5 Check that an RPF route to the RP is available Run the display multicast rpf info source address command on the device to check whether there is an RPF route to the RP l If the command output does not contain any RPF route to the RP check the configurations of unicast ro...

Page 225: ...sed filtering rule is configured If the received multicast data is denied by the ACL rule the multicast data is discarded Then you need to run the undo source policy command to delete the configuration of the ACL rule or reconfigure an ACL rule to ensure that demanded multicast data can be normally forwarded l If no source policy is configured go to Step 9 Step 9 Check whether the PIM routing tabl...

Page 226: ...figurations are incorrect For example the configurations of the TTL MTU switchover threshold or multicast boundary are improper Troubleshooting Flowchart After the PIM SM network is configured the SPT fails to forward data Figure 8 4 shows the troubleshooting flowchart Huawei AR2200 S Series Enterprise Routers Troubleshooting 8 Multicast Issue 01 2012 01 06 Huawei Proprietary and Confidential Copy...

Page 227: ...ns of the ACL No No Yes No Yes Is the RPF route to the multicast source available Rectify the fault of unicast routes Has the downstream interface received Join messages Is fault rectified No Yes Yes No Rectify the interface fault Yes Yes Is the outbound interface of the RPF route to the RP a TE tunnel interface Change the outbound interface of the RPF route to the multicast source ensuring that i...

Page 228: ...urrent device is not a source s DR it indicates that the current device has not received any multicast data The fault may be caused by the upstream device Then check whether the PIM routing table on the upstream device contains correct S G entries If the PIM routing table on the upstream device does not contain correct S G entries troubleshoot the upstream device following the preceding steps If t...

Page 229: ...n interface is dense you need to run the pim sm command on the interface If the system prompts that Warning Please enable multicast routing first when you configure PIM SM on the interface run the multicast routing enable command in the system view to enable the multicast function first and run the pim sm command in the interface view to enable PIM SM on the interface l If PIM SM has been enabled ...

Page 230: ...p 7 Check whether a source policy is configured Run the display current configuration configuration pim command to view the current configurations in the PIM view l If the configuration contains source policy acl number it indicates that a source filtering rule is configured If the received multicast data is denied by the ACL rule the multicast data is discarded Then you need to run the undo sourc...

Page 231: ...route to the multicast source is incorrect For example the unicast route contains a loop l Configurations are incorrect For example the configurations of the SA policy import policy TTL switchover threshold or multicast boundary are improper l The SA message fails to pass RPF check Troubleshooting Flowchart After configurations are complete on a multicast network MSDP peers cannot generate correct...

Page 232: ...es Yes Yes Is the current MSDP peer an RP Change the configurations of the RP or MSDP Is fault rectified No No Yes Yes Yes Remove or change the configurations of the import policies Is fault rectified No No Yes Remove or change the configurations of the import source policies Is fault rectified Yes Yes No Yes Are import source policies configured on the current MSDP peer Are export policies config...

Page 233: ...ommand output contact Huawei technical support personnel l If the value of the Number of source or Number of group field in the command output is non zero SA messages have reached the peers Then go to Step 4 Step 4 Check whether export policies are configured on the MSDP peers Run the display current configuration configuration msdp command in the MSDP view on the MSDP peers to view the current co...

Page 234: ...e multicast source to view the routing table l If the S G entry does not have a 2MSDP flag the MSDP peer is not an RP Change the configurations of the RP or MSDP peer on the PIM SM network to ensure that the MSDP peer is an RP l If the MSDP peer is an RP go to Step 8 Step 8 Check whether import source policies are configured on the current MSDP peer The import source acl acl number command is used...

Page 235: ...enabled on the device l IGMP is not enabled on the interface or the configured IGMP version is incorrect l The interface receives an EXCLUDE message in which the group address is within the SSM group address range l The interface is configured with a multicast boundary or a group policy l The limit on the maximum number of IGMP group memberships is configured on the interface Troubleshooting Flowc...

Page 236: ...s fault rectified Yes Increase maximum number of IGMP group memberships in interface or remove limit Increase maximum number of IGMP group memberships on the interface or remove limit Seek technical support No Yes Yes Yes Multicast device cannot generate IGMP entries No No Yes No Maximum of IGMP group memberships is limited globally No Are The Number of Entries And That of interfaces below the upp...

Page 237: ...d to perform the following operations Check whether the interface is in shutdown state Run the display current configuration interface interface type interface number command to check the current configurations of the interface If the command output contains shutdown run the undo shutdown command in the interface view Check whether an IP address is configured for the interface Run the display curr...

Page 238: ... Report or Join messages of the hosts according to the ACL Check the range of the groups permitted by the ACL If the multicast group G is not in this range modify the ACL or delete the ACL configuration to ensure that IGMP can serve members of G l If the range of groups that the hosts can join is not limited on the interface go to Step 6 Step 6 Check whether the maximum number of IGMP group member...

Page 239: ...that the number of entries and number of interfaces are below the upper limit defined in the product license l If the number of entries and number of interfaces exceed the upper limit allowed by the product re plan network deployment l If the fault persists after the preceding troubleshooting procedures are complete go to Step 10 Step 10 Collect the following information and contact Huawei technic...

Page 240: ...ommon causes of traffic shaping faults and provides the corresponding troubleshooting flowcharts troubleshooting procedures alarms and logs 9 5 Congestion Avoidance Troubleshooting This chapter describes common causes of congestion avoidance faults and provides the corresponding troubleshooting flowcharts troubleshooting procedures alarms and logs 9 6 Congestion Management Troubleshooting This cha...

Page 241: ...fect Common Causes This fault is commonly caused by one of the following l The traffic policy fails to be applied l The traffic policy is applied to an incorrect direction l The packets do not match rules of the traffic classifier in the traffic policy l The traffic behavior associated with the traffic classifier in the traffic policy is configured incorrectly Troubleshooting Flowchart Figure 9 1 ...

Page 242: ...ng the results of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check that the traffic policy is applied correctly Run the display traffic policy applied record command to check whether a traffic policy is applied l If the value of Policy total applied time...

Page 243: ... l If packets match the rules in the traffic classifier go to step 4 l If packets do not match the rules in the traffic classifier go to step 3 Step 3 Check whether the information in packets matches the rules in the traffic classifier View the information such as the IP address MAC address DSCP priority VLAN ID and 802 1p priority in packets run the display traffic policy user defined command to ...

Page 244: ...is complete data flows are not redirected to the next hop 10 1 1 2 when enterprise users access the Web service Fault Analysis 1 Capture packets on the inbound interface Eth2 0 0 of RouterA when enterprise users access the Web service The source IP address of the packets resides on the network segment 192 168 1 0 24 indicating that RouterA can receive user packets 2 Run the display ip routing tabl...

Page 245: ...command to check the traffic classifier configuration RouterA display traffic classifier user defined c4 User Defined Classifier Information Classifier c4 Operator OR Rule s if match protocol ip if match acl 2000 if match 8021p 2 In the traffic classifier c4 if match protocol ip and if match acl 2000 are Layer 3 rules and if match 8021p 2 is a Layer 2 rule The AR2200 S does not support the combina...

Page 246: ...ferent queues This fault is commonly caused by one of the following l The type of the priority trusted by the inbound interface is incorrect l Priority mapping in the priority mapping table is incorrect l There are configurations affecting the queues that packets enter on the AR2200 S including The qos car inbound command with remark 8021p or remark dscp configured has been used on the inbound int...

Page 247: ... type of the priority trusted by the inbound interface is correct Run the display this command in the view of the inbound interface to view the configuration of the trust command If the trust command is not used the system does not trust any priority by default Check whether the type of the priority trusted by the inbound interface is correct NOTE If the trust command is not used the AR2200 S send...

Page 248: ... command has been used run the display traffic policy applied record command to check the traffic policy record and the traffic behavior in the traffic policy If the traffic policy is applied successfully run the display traffic behavior user defined command to check whether the traffic behavior defines the re marking action remark 8021p or remark dscp or remark local precedence If the traffic beh...

Page 249: ...f the following l Packets do not carry the priority trusted by the inbound interface l The parameter override is not configured in the trust command on the inbound interface l Priority mapping in the priority mapping table is incorrect l There are configurations affecting priority mapping on the inbound interface including qos car inbound with remark 8021p or remark dscp configured traffic policy ...

Page 250: ...ting Procedure NOTE Saving the results of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check whether packets carry the priority trusted by the inbound interface Run the display this command in the view of the inbound interface to check the configuration of...

Page 251: ... over priority mapping If interface based traffic policing defining remark 8021p or remark dscp is configured on the inbound interface the AR2200 S re marks packet priorities Run the display this command in the view of the inbound interface to check whether the qos car inbound command with remark 8021p or remark dscp configured has been used l If yes delete the re marking action or run the undo qo...

Page 252: ... outbound interface contains priority re marking remark local precedence or car with remark 8021p or remark dscp the AR2200 S re marks priorities of packets matching the traffic classifier Run the display this command in the view of the outbound interface to check whether the traffic policy outbound command has been used l If the display traffic policy applied record command has been used run the ...

Page 253: ...ut shows that packets enter incorrect queues NOTE Before running the display qos queue statistics command to view the statistics you must run the qos queue profile command to apply the queue profile to the interface RouterB display qos queue statistics interface ethernet 2 0 0 Queue Passed Packets Bytes Dropped Packets Bytes 0 116 975 0 0 0 1 0 0 0 0 2 0 0 0 0 3 0 0 0 0 4 0 0 0 0 5 0 0 0 0 6 0 0 0...

Page 254: ...interface the default 802 1p priority of the interface is used By default the default 802 1p priority of an interface is 0 Therefore all the packets enter queue 0 2 Check the mappings between 802 1p priorities and internal priorities Run the display qos map table dot1p lp command to view the priority mapping table RouterB display qos map table dot1p lp Input Dot1p LP 0 0 1 1 2 2 3 3 4 4 5 5 6 6 7 ...

Page 255: ... B received on Router B are the same Fault Analysis 1 Capture packets sent from on RouterA You can see that the DSCP priorities in voice video and data flows from Switch B are 56 2 Check whether priority mappings are correct Run the display qos map table dot1p dscp command to view the mappings between 802 1p priorities and DSCP priorities RouterA display qos map table dot1p dscp Input Dot1p DSCP 0...

Page 256: ...elete the traffic policy tp1 from Eth 0 0 1 After the preceding operations are complete Router B receives voice video and data service flows from RouterA DHCP priorities of these flows are different The fault is rectified End Summary On the AR2200 S if remark is configured in the traffic policy or interface based traffic policing the priority mapping result may be incorrect 9 3 Traffic Policing Tr...

Page 257: ... and the qos car command are used in the same direction and the CIR value for flow based traffic policing is smaller than that for interface based traffic policing Troubleshooting Flowchart If interface based traffic policing fails to take effect see Figure 9 7 If the CAR parameter values for interface based traffic policing are incorrect see Figure 9 8 Figure 9 7 Troubleshooting flowchart for ine...

Page 258: ...olicing set on interface No Yes Yes Yes Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check the packet statistics on the interface configured with interface based traffic policing Run the display qos car ...

Page 259: ...os car command to modify CAR parameters l If CAR parameters are correct go to step 4 Step 4 Check whether the interface is configured with flow based traffic policing NOTE If interface based traffic policing and flow based traffic policing are applied to the same direction on an interface the smaller CIR value takes effect Run the display this command in the view of the inbound interface to check ...

Page 260: ...c at 20 Mbit s Traffic policing fails to take effect Figure 9 9 Networking diagram for ineffective interface based traffic policing User network Enterprise network Eth2 0 0 Eth2 0 0 RouterA RouterB Fault Analysis 1 Check whether traffic policing is configured in the outbound direction on the outbound interface of RouterA Run the display this command in the view of Eth2 0 0 on RouterA to check whet...

Page 261: ...ding troubleshooting flowcharts troubleshooting procedures alarms and logs 9 4 1 Queue based Traffic Shaping Results Are Incorrect This section describes the troubleshooting flowchart and provides a step by step troubleshooting procedure to use when queue based traffic shaping results are incorrect Common Causes This fault is commonly caused by one of the following l Traffic shaping parameters are...

Page 262: ...cheduling modes and weights No No Yes Yes Do PQ queues have excess packets No Yes Is fault rectified Yes No No Yes Ensure that CIR for interface based traffic shaping greater than sum of CIR values for queues Is fault rectified No Yes Is interface based traffic shaping configured Is CIR for Interface based traffic shAping greater than sum of CIR values for queues Do queues use combined scheduling ...

Page 263: ...of CIR values for traffic shaping in queues on the interface Compare the CIR value for interface based traffic shaping with the sum of CIR values of traffic shaping in queues on the interface l If the CIR value for interface based traffic shaping is smaller than the sum of CIR values for traffic shaping in queues on the interface queues on the interface cannot obtain sufficient bandwidth The traff...

Page 264: ...e queue profile view to reconfigure the scheduling mode and weight of each queue reducing the number of packets that enter PQ queues NOTE In combined scheduling mode if the bandwidth is insufficient the CIR value of other queues cannot be reached This is a correct traffic shaping result l If each queue uses PQ WRR DRR or WFQ scheduling mode go to step 6 Step 6 Collect the following information and...

Page 265: ...tistics on GE0 0 1 Send flows of voice video and data services to RouterA and run the display qos queue statistics command to view the queue based traffic statistics on the interface The following command output indicates that flows of voice video and data services enter specified queues RouterA display qos queue statistics interface gigabitethernet 0 0 1 Queue Passed Packets Bytes Dropped Packets...

Page 266: ...he qos gts cir 3000 command to change the CIR value for interface based traffic shaping to 3000 kbit s so that it is greater than the sum of CIR values for traffic shaping in queues After the preceding operations are complete the bandwidth for voice services video services and data services is sufficient End Summary If queue based traffic shaping results are incorrect check whether interface based...

Page 267: ...idance Congestion avoidance fails to take effect Configure a queue profile on outbound interface Is fault rectified End No Do packets enter specified queues See Packets Enter Incorrect Queues Is fault rectified No Yes Yes No No No Is fault rectified Yes No Yes Yes Yes Seek technical support Set WRED parameters Are WRED parameters correct Is congestion avoidance set on outbound interface Huawei AR2...

Page 268: ...face Flow based congestion avoidance Run the display this command in the view of the outbound interface to check whether the traffic policy command is used If the traffic policy command is used run the display traffic policy user defined command to check whether the drop profile command is used If the drop profile command is used flow based congestion avoidance is configured NOTE Flow based conges...

Page 269: ...esponding troubleshooting flowcharts troubleshooting procedures alarms and logs 9 6 1 Congestion Management Fails to Take Effect This section describes the troubleshooting flowchart and provides a step by step troubleshooting procedure to use when congestion management fails to take effect Common Causes This fault is commonly caused by one of the following l Traffic shaping is not configured on th...

Page 270: ...traffic shaping on outbound interface Is fault rectified No Yes No Yes Is traffic shaping set on outbound interface Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check that traffic shaping is configured c...

Page 271: ... congestion management is not configured configure it on the outbound interface l If queue based congestion management or flow based congestion management is configured go to step 3 Step 3 Check whether scheduling parameters are set incorrectly l If queue based congestion management is configured on the interface run the display this command in the queue profile view to view the scheduling mode an...

Page 272: ...ides congestion management troubleshooting cases Network Congestion Interrupts Services Fault Symptom As shown in Figure 9 14 the transmission rate of traffic on the LAN is higher than that on the WAN side interface therefore congestion may occur on the uplink interface GE0 0 1 of the Router To prevent jitter and ensure bandwidth of services you must configure the Router to send flows of voice vid...

Page 273: ...the preceding command output interface based traffic shaping is configured on GE0 0 1 GE0 0 1 is bound to the queue profile qq1 and the interface based traffic shaping configuration is correct 2 Check whether traffic shaping parameters and queue scheduling parameters are set correctly in the queue profile Run the display this command in the queue profile view to view the traffic shaping parameters...

Page 274: ...aping for queue 6 and set the CIR value to 3 Mbit s After the preceding operations are complete the bandwidth for voice video and data services is ensured End Summary When configuring the combined scheduling mode limit the bandwidth for queues that use PQ scheduling In combined scheduling mode the AR2200 S first schedules packets in PQ queues After packets in PQ queues are scheduled the AR2200 S s...

Page 275: ...eshooting 10 3 NAC Troubleshooting 10 4 Firewall Troubleshooting 10 5 ACL Troubleshooting 10 6 NAT Troubleshooting Huawei AR2200 S Series Enterprise Routers Troubleshooting 10 Security Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 266 ...

Page 276: ...entication Dial In User Service RADIUS authentication The troubleshooting roadmap is as follows l Check whether the link between the AR2200 S and the RADIUS server is working l Check whether the number of authenticated users has reached the maximum l Check the RADIUS configuration on the AR2200 S including the domain name domain status RADIUS server template authentication mode and accounting mode...

Page 277: ...lure Seek technical support No Yes Ensure that shared key and user name format on RADIUS server and router are the same Is the fault rectified End Yes No Is RADIUS configuration on router correct Yes No Modify domain authentication mode accounting mode or RADIUS server template Is the fault rectified Yes No Does the number of online users reach maximum Yes This is not a fault No Is the fault recti...

Page 278: ...on the RADIUS server is not reached go to step 3 Step 3 Check that the RADIUS configuration on the AR2200 S is correct Check the RADIUS configuration to ensure that l The authentication domain of the user is in Active state l The authentication scheme bound to the user domain is RADIUS authentication l The correct RADIUS server template is bound to the domain The IP address and port of the authent...

Page 279: ... bound to the domain The following configuration file shows that the RADIUS server template radius is bound to the domain huawei radius server template radius radius server authentication 1 1 1 1 1645 aaa authentication scheme default authentication scheme aaa authentication mode radius authorization scheme default accounting scheme default domain default domain default_admin domain huawei authent...

Page 280: ...figured on the RADIUS server l The shared key configured on the RADIUS server is different from the shared key configured on the AR2200 S l The user account is not configured on the RADIUS server or the user name format configured in the RADIUS server template is different from that on the RADIUS server For example the AR2200 S sends the user name without the domain name but the RADIUS server requ...

Page 281: ... on the AR2200 S are different from those on the HWTACACS server l The number of online users reaches the maximum value Troubleshooting Flowchart The troubleshooting roadmap is as follows l Check whether the link between the AR2200 S and the HWTACACS server is working l Check whether the number of authenticated users has reached the maximum l Check the HWTACACS configuration on the AR2200 S includ...

Page 282: ...tication failure Seek technical support No Yes Ensure that the shared key and user name formats on the HWTACACS server and router are the same Is the fault rectified End Yes No Is HWTACACS configuration on router correct Yes No Modify domain authentication mode authorization mode accounting mode or HWTACACS server template Is the fault rectified Yes No Is link between router and HWTACACS server fa...

Page 283: ... been reached go to step 3 Step 3 Check the HWTACACS configuration on the AR2200 S to ensure that l The authentication domain of the user is in Active state l The authentication scheme bound to the user domain is HWTACACS authentication l The correct HWTACACS server template is bound to the domain The IP address and port of the authentication server authorization server and accounting server are s...

Page 284: ... debugging information is displayed the router configuration is incorrect Check that the HWTACACS server template is applied to the domain The following configuration file shows that the HWTACACS server template hwtacacs is bound to the domain huawei hwtacacs server template hwtacacs hwtacacs server authentication 2 2 2 2 aaa authentication scheme default authentication scheme aaa authentication m...

Page 285: ...sg Session status is not connect now Nov 10 2010 15 49 18 430 7 Huawei TAC 7 Event statistics transmit flag 1 SENDPACKET server flag 0 authentication packet flag 0xff Nov 10 2010 15 49 18 480 2 Huawei TAC 7 Event HandleResp Session status is connect now Nov 10 2010 15 49 18 480 3 Huawei TAC 7 Event Tac send packet error The HWTACACS authentication server did not send any authentication response pa...

Page 286: ...the HWTACACS server requires the user name with the domain name l The password entered by the user is different from the password configured on the HWTACACS server If any of the preceding errors exist modify the configuration on the HWTACACS server After configuration modification check whether the user can pass the authentication If the fault persists go to step 5 Step 5 Check the user type l If ...

Page 287: ...he RADIUS protocol to perform authentication and accounting The RADIUS server fails and the administrator uses local authentication Users are forced offline 10 plus seconds after they log in Figure 10 3 Networking diagram of user access Network RouterA RouterB 129 7 66 66 24 129 7 66 67 24 Domain huawei Destination network Huawei AR2200 S Series Enterprise Routers Troubleshooting 10 Security Issue...

Page 288: ...15 set authentication password simple 123456 history command max size 256 screen length 15 Because the RADIUS server is unavailable real time accounting fails You can run the accounting interim fail command to configure a real time accounting failure policy to determine whether to keep users online or force them offline after the real time accounting fails If the accounting interim fail command is...

Page 289: ...ting scheme After the preceding configurations users can log in without being forced offline The fault is cleared End Summary On the access network using AAA authentication if the remote server is unavailable and local authentication is adopted the accounting scheme must be non accounting Otherwise users are forced offline A User Cannot Pass the HWTACACS Authentication with Valid User Name and Pas...

Page 290: ...ined in the IS IS routing table and is used as the source IP address of HWTACACS packets sent by RouterA The IS IS configuration has been deleted therefore RouterA cannot receive the authentication response packet with the destination address 202 97 30 227 sent from the HWTACACS server This may be the cause for the HWTACACS authentication failure 4 Run the ping a 202 97 30 227 202 102 216 245 comm...

Page 291: ...ode is set to Remote Authentication Dial In User Service RADIUS authentication After the configuration 802 1x users pass the authentication successfully but a Telnet user fails to log in to the AR2200 S Fault Analysis 1 The 802 1x users pass the authentication indicating that the link between the AR2200 S and the RADIUS server works properly 2 Run the display current configuration command on the A...

Page 292: ...name and password of the Telnet user is not configured on the RADIUS server 3 Check the configuration of the RADIUS server The user name and password of the Telnet user is not found on the RADIUS server To rectify the fault add the user name and password of the Telnet user to the RADIUS server or configure the authentication mode of the Telnet user to local authentication Procedure l Add the user ...

Page 293: ...n modes for access users such as 802 1x user Telnet users and Secure Shell SSH users When a Telnet user fails to log in to the AR2200 S the possible cause is that an incorrect authentication scheme is configured in the VTY user interface view and AAA view of the AR2200 S or on the remote authentication server 10 2 ARP Security Troubleshooting 10 2 1 The ARP Entry of an Authorized User Is Malicious...

Page 294: ...s maliciously modified Does the router send ARP requests Seek technical support fixed mac mode Is ARP anti spoofing configured Yes Configure ARP anti spoofing No Is the fault rectified Is MAC address changed Does the router receive ARP replies Are ARP replies discarded by CPCAR End Increase rate limit value Is the fault rectified Yes No Yes No Yes Yes No Yes No Troubleshooting Procedure Huawei AR2...

Page 295: ...nd an ARP request go to step 4 2 If the AR2200 S sends ARP requests but does not receive an ARP reply check that the network connection between the AR2200 S and the user is normal 3 If the AR2200 S receives ARP reply packets from the user run the display cpu defend statistics packet type arp reply command to check statistics about ARP reply packets If the number of dropped ARP reply packets keeps ...

Page 296: ...ess to the MAC address of the attacker As a result the hosts cannot access the network Figure 10 6 shows the troubleshooting flowchart Figure 10 6 Troubleshooting flowchart for gateway address spoofing The gateway address is maliciously changed Are gateway anti collision entries generated No Configure a policy to discard attack packets Is the fault rectified Is the fault rectified Yes No No Yes Se...

Page 297: ...uting Table Public Summary Count 1 Destination Mask Proto Pre Cost Flags NextHop Interface 1 1 1 1 24 Direct 0 0 D 127 0 0 1 Loopback0 If the AR2200 S is not the gateway configure it as the user gateway Step 2 Run the display arp anti attack configuration gateway duplicate command to check that ARP gateway anti collision is enabled If ARP gateway anti collision is not enabled run the arp anti atta...

Page 298: ... 165 2 2 2 1 Relevant Logs None 10 2 3 User Traffic Is Interrupted by a Large Number of Bogus ARP Packets Common Causes This fault is commonly caused by the following l An attacker sends a large number of bogus ARP packets thus increasing the load of the destination network segment These ARP packets are sent to the CPU causing a high CPU usage DoS attacks may also be initiated in this case Trouble...

Page 299: ...the fault you will have a record of your actions to provide Huawei technical support personnel ARP attack packets include ARP request packets and ARP reply packets In the following procedure the ARP attack packets are ARP request packetes If the ARP attack packets on your network are ARP reply packets change the arp request parameter to arp reply Procedure Step 1 Run the display arp command on the...

Page 300: ... considers the source address to be an attack source Add the source address to the blacklist or configure a blackhole MAC address entry to discard ARP requests sent by the attacker Step 6 Run the arp speed limit source ip command in the system view to set the rate limit for ARP packets from the attack source By default ARP packet suppression based on source IP addresses is enabled and the maximum ...

Page 301: ...igure 10 8 shows the troubleshooting flowchart Figure 10 8 Troubleshooting flowchart for IP address scanning IP address scanning attack causes a high CPU usage Yes Is the fault rectified No Yes End No Is ARP Miss suppression configured Configure ARP Miss suppression No Seek technical support Is rate limit for ARP Miss messages too large Reduce the rate limit Yes Is the fault rectified No Yes Troub...

Page 302: ... on the rate limit configured in this command If not the AR2200 S limits the rate of the ARP Miss messages based on the limit set in the command without a source IP address specified l By default ARP Miss suppression is enabled and the maximum rate of ARP Miss messages is limited to 5 pps When the rate of ARP Miss messages triggered by packets from the specified IP address exceeds the limit the AR...

Page 303: ...te device is faulty so the ARP request is discarded on the network The remote device receives the ARP request but discards it The remote device receives a large number of ARP packets The rate of ARP packets exceeds the CAR so the device discards the ARP request sent by the AR2200 S The AR2200 S does not receive the ARP reply sent by the remote device The link between the AR2200 S and the remote de...

Page 304: ...ts correctly Ensure that the remote device responds to ARP requests Yes No No Is the fault rectified Is the fault rectified Yes Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check that the link between th...

Page 305: ...RP reply packets are discarded l Run the display cpu defend statistics packet type arp reply command to view statistics about ARP reply packets If the Drop value keeps increasing the rate of ARP reply packets exceeds the CPCAR Run the packet type command to increase the CPCAR for ARP reply packets l Run the display this command in the interface view and system view to check whether a rate limit is...

Page 306: ...ain authentication server and authentication server template l The user name or password entered by the user is incorrect l The number of online users reaches the maximum Troubleshooting Flowchart A user fails to pass the 802 1x authentication Figure 10 10 shows the troubleshooting flowchart Huawei AR2200 S Series Enterprise Routers Troubleshooting 10 Security Issue 01 2012 01 06 Huawei Proprietar...

Page 307: ...users reached This is not a fault Yes End No Yes Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check that 802 1x authentication is enabled on the AR2200 S Run the display dot1x command to check whether 80...

Page 308: ... authenticated in the specified domain However if the domain name is not found the authentication fails In this case check the authentication template bound to the specified domain 2 Check the authentication scheme applied to the user domain on the AR2200 S l If RADIUS or HWTACACS authentication is configured for the user domain check whether the user account and the user attributes are created on...

Page 309: ...n Field Description Field Description acl Delivers the ACL content acl num Specifies the ACL number The value ranges from 10000 to 10999 permit Allows users matching the rules to access the network deny Prohibits users matching the rules from accessing the network keyM 1 M N ndicates a keyword in the ACL including src ip source IP address src ipmask mask of source IP address and tcp srcport source...

Page 310: ... support personnel l Results of the preceding troubleshooting procedure l Configuration file log file and alarm file of the AR2200 S End Relevant Alarms and Logs Relevant Alarms l 1 3 6 1 4 1 2011 5 25 40 4 2 1 Relevant Logs None 10 3 2 MAC Address Authentication of a User Fails Common Causes This fault is commonly caused by one of the following l Some parameters are set incorrectly or not set suc...

Page 311: ...d the dial up software The authentication information such as the user name and password is generated according to the MAC addresses of users Similar to 802 1x authentication troubleshooting when troubleshooting MAC address authentication check whether the user name and password on the AR2200 S are same as those on the authentication server and whether the domain name in the user name is correct N...

Page 312: ...oes not contain a domain name the default domain is used as the authentication domain NOTE A MAC address may contain or not contain the delimiter By default a MAC address does not contain the delimiter You can use the mac authen username macaddress format with hyphen command to add delimiters to a MAC address During authentication ensure that the format of the MAC address you entered is the same a...

Page 313: ... or ACL content but the ACL is not created on the AR2200 S or the ACL format is different from that required by the AR2200 S user authorization fails To rectify the fault create the ACL Ensure that the ACL format used by the authentication server is the same as that required by the AR2200 S NOTE The AR2200 S requires the following ACL format in the user attributes acl acl num key1 key value1 keyN ...

Page 314: ...dress of the terminal as the user name and password to the authentication server After MAC address bypass authentication is configured the AR2200 S starts MAC address authentication automatically after a user fails to pass the 802 1x authentication 802 1x authentication and MAC address authentication cannot be enabled on the same interface If 802 1x authentication is enabled on the interface the s...

Page 315: ... Troubleshooting Flowchart Figure 10 12 shows the troubleshooting flowchart for SYN Flood attack defense Figure 10 12 Troubleshooting flowchart for SYN flood attack defense SYN Flood attack defense is invalid Is attack defense enabled Enable SYN Flood attack defense Is the fault rectified Is packet rate threshold too large Reconfigure packet rate threshold Is the fault rectified Seek technical sup...

Page 316: ...rate threshold is 1000 pps l To set or change the packet rate threshold run the firewall defend syn flood command in the system view l If the packet rate threshold is set properly go to step 3 Step 3 Collect the following information and contact Huawei technical support personnel l Results of the preceding troubleshooting procedure l Configuration files log files and alarm files of the switches En...

Page 317: ...ple ACLs may exist on the firewall Ensure that the correct ACL is referenced l If the ACL number or direction is incorrect run the undo packet filter acl number default deny permit inbound outbound command in the interzone view to disable packet filtering Then run the packet filter acl number default deny permit inbound outbound command to reconfigure the packet filtering function l If the ACL num...

Page 318: ...ich internal users access the public network go Down l Outbound NAT is not properly configured on the outbound interface connected to the public network l The configuration of an ACL bound to outbound NAT is incorrect Troubleshooting Flowchart Figure 10 14 shows the troubleshooting flowchart Huawei AR2200 S Series Enterprise Routers Troubleshooting 10 Security Issue 01 2012 01 06 Huawei Proprietar...

Page 319: ...s of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check whether packets are received on the interface Run the display interface interface type interface number command on the AR2200 S to view the value of the Input field l If the value of the Input field i...

Page 320: ...configuration of outbound NAT bound to ACL 2000 Huawei display acl 2000 Advanced ACL2000 1 rule Acl s step is 5 rule 5 permit source 192 168 1 100 0 The rule of ACL 2000 allows TCP packets with the source address of 192 168 1 100 to pass through l If the ACL rule is configured incorrectly reconfigure the ACL rule l If the ACL rule is configured correctly but the fault persists go to step 3 Step 3 ...

Page 321: ...m files of the AR2200 S End Relevant Alarms and Logs Relevant Alarms None Relevant Logs None 10 6 2 External Hosts Fail to Access Internal Servers Common Causes This fault is commonly caused by one of the following l Application layer services on the internal NAT server are disabled l The NAT server is configured on an incorrect interface such as an outbound interface The NAT server should be conf...

Page 322: ...ternal FTP server Is fault rectified No Yes Yes No External host fails to access internal FTP server Seek technical support Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recommended If troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check whether services on the inte...

Page 323: ... interface on the NAT server is correct and the external IP address of the NAT server is correct The IP addresses cannot conflict with the addresses on other network segments Ping the external interface of the NAT server from an external host Ensure that the external host can ping the NAT server successfully l If the external host cannot connect to the NAT server check the connection l If the exte...

Page 324: ...tbound interface l NAT ALG is disabled for the DNS protocol l The DNS mapping entry is configured incorrectly For example the corresponding public address is different from the IP address of an external server l The route between the temporary address pool and the outbound interface is not configured Troubleshooting Flowchart Figure 10 16 shows the troubleshooting flowchart Huawei AR2200 S Series ...

Page 325: ...here a route between temporary address pool and outbound interface Configure a route between temporary address pool and outbound interface Yes Internal host A fails to access external host B Seek technical support No No No No No Is fault rectified Is fault rectified Is fault rectified Is fault rectified No Yes Troubleshooting Procedure NOTE Saving the results of each troubleshooting step is recomm...

Page 326: ...s packets on the internal network cannot be sent out or packets on the external network cannot be sent to the internal network Run the display acl 3180 command to view the ACL bound to outbound NAT AR2200 S display acl 3180 Advanced ACL 3180 1 rule Acl s step is 5 rule 5 permit tcp source 1 1 1 1 0 NOTE The ACL strictly controls permitted address segments protocol types and port numbers according ...

Page 327: ...porary address pools are correct AR2200 S display nat overlap address all Nat Overlap Address Pool To Temp Address Pool Map Information Id Overlap Address Temp Address Pool Length Inside VPN Instance Name 1 1 1 1 1 20 20 20 20 34 Total 1 NOTE The temporary address pool contains available IP addresses on the AR2200 S The IP addresses in the address pool cannot conflict with any interface address VR...

Page 328: ...tes l If there is no correct route reconfigure a route l If the route is correct but the fault persists go to step 5 Step 6 Collect the following information and contact Huawei technical support personnel l Results of the preceding troubleshooting procedure l Configuration files log files and alarm files of the AR2200 S End Relevant Alarms and Logs Relevant Alarms None Relevant Logs None Huawei AR...

Page 329: ...ce Backup Troubleshooting 11 2 BFD Troubleshooting 11 3 VRRP Troubleshooting Huawei AR2200 S Series Enterprise Routers Troubleshooting 11 Reliability Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 320 ...

Page 330: ...be implemented among the primary and backup interfaces because they cannot all be in Up state simultaneously l In load balancing mode traffic cannot be load balanced among multiple interfaces This fault is commonly caused by one of the following l The physical status of backup interfaces is Down l The link layer status of backup interfaces is Down l In load balancing mode The load balancing thresh...

Page 331: ...s No Yes No Yes No Yes No No Yes No Yes Seek technical support Is the physical status of the backup interface Up Is the link layer status of the backup interface Up Is the active standby mode used for interface backup Are the load balancing threshold and bandwidth configured Are equal cost routes generated Are there multiple flows Troubleshooting Procedure NOTE Saving the results of each troublesh...

Page 332: ...ace l If the load balancing threshold and maximum bandwidth are not configured for the primary interface the active standby mode is used for interface backup Check whether the active standby mode needs to be used for interface backup according to networking requirements If the active standby mode is required for interface backup go to step 6 If the load balancing mode is required for interface bac...

Page 333: ...l cost routes are generated go to step 5 Step 5 Check whether multiple flows are transmitted over the links After equal cost routes are generated the device selects a route to forward packets according to the hash algorithm If only one flow needs to be transmitted it cannot be load balanced among multiple links The device load balances traffic among multiple links only when multiple flows need to ...

Page 334: ... 168 1 1 255 255 255 0 standby interface GigabitEthernet 2 0 0 30 bandwidth 10000 standby threshold 80 20 3 Run the display ip routing table command on RouterB Equal cost routes have been generated Route Flags R relay D download to fib Routing Tables Public Destinations 7 Routes 7 Destination Mask Proto Pre Cost Flags NextHop Interface 2 2 2 0 24 Static 60 0 RD 192 168 1 2 GigabitEthernet1 0 0 Sta...

Page 335: ...ess on the primary and backup interfaces There are routes destined for different destination addresses on the primary and backup interfaces as shown in the following command output Destination Mask Proto Pre Cost NextHop Interface 2 2 2 0 24 Static 60 0 RD 192 168 1 2 GigabitEthernet1 0 0 3 3 3 0 24 Static 60 0 RD 192 168 2 2 GigabitEthernet2 0 0 There are equal cost routes on the primary and back...

Page 336: ...cs about the times the BFD session goes Down exist Adjust the BFD detection time Is fault rectified End Check the link No End Yes No Yes No Yes Seek technical support Seek technical support Yes Is fault rectified No Yes No A BFD session cannot go Up Discriminators on both ends are consistent Delete the setting and set the consistent discriminators on both ends Is fault rectified No Yes End Yes No ...

Page 337: ...ue command to configure the local and remote discriminators Ensure that the local discriminator on the local end is the same as the remote discriminator on the remote end and the remote discriminator on the local end is the same as the local discriminator on the remote end Then go toStep 3 l If they are consistent go to Step 4 Step 3 Run the display bfd session all command to check the State field...

Page 338: ...ble Then go to Step 8 Step 8 Run the display current configuration command to view the min tx interval and min rx interval fields to check that the BFD detection period is longer than the delay on the link l If the BFD detection period is shorter than the delay on the link run the detect multiplier min rx interval and min tx interval commands to adjust the values to make it longer than the delay o...

Page 339: ...nical support No Interface forwarding is interrupted after a BFD session detects a fault and goes Down No Troubleshooting Procedure Context NOTE Saving the results of each troubleshooting step is recommended If your troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Run the display interface interface typ...

Page 340: ...he process interface status command is configured the interface is set to DOWN BFD status down because the BFD session detected a fault and went Down l If the process interface status command is not configured go to Step 4 Step 4 If the fault persists collect the following information and contact Huawei technical support personnel l Results of the preceding troubleshooting procedure l Configuratio...

Page 341: ...ct the fault you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Run the display current configuration configuration bfd session command to check that the commit command is configured l If the commit command is configured the changed BFD session parameters have been committed Then go to Step 3 l If the commit command is not configured the changed B...

Page 342: ...es of the devices End Relevant Alarms and Logs Relevant Alarms None Relevant Logs None 11 2 4 Dynamic BFD Session Fails to Be Created Common Causes This fault is commonly caused by one of the following l BFD is not enabled for the protocol l The route to the peer of the BFD session does not exist in the routing table l The interface is prohibited from creating a BFD session Huawei AR2200 S Series ...

Page 343: ...he protocol Dynamic BFD session sucess to be created Rectify the fault on the link Enable the interface to create a BFD session End Yes No Yes No Yes No Yes No Troubleshooting Procedure Context NOTE Saving the results of each troubleshooting step is recommended If your troubleshooting fails to correct the fault you will have a record of your actions to provide Huawei technical support personnel Hu...

Page 344: ...ber command to enter the view of the existing interface then run the display this command to check that a command is configured to disable an interface to dynamically create a BFD session l If such a command is configured Run the undo ospf bfd blockcommand to enable the interface to dynamically create a BFD session Then run the display bfd session all command to check whether the BFD session is Up...

Page 345: ...transmitted on GE0 0 1 of RouterA and no traffic is transmitted on GE0 0 1 of RouterB Run the display interface counters command on RouterC to view traffic on Eth2 0 0 Eth2 0 1 and Eth2 0 2 A small volume of traffic is transmitted on Eth2 0 1 and no traffic is transmitted on Eth2 0 2 while a large volume of traffic is transmitted on Eth2 0 0 This indicates that traffic has been discarded on Router...

Page 346: ... indicates that traffic loss is caused by the loopback function on Eth2 0 0 A small volume of traffic is transmitted on Eth2 0 2 5 Run the display mac address dynamic command multiple times on RouterC to check MAC addresses The following command output shows that RouterC has learned the same MAC address 0000 5e00 0101 from Eth2 0 0 and Eth2 0 1 RouterC display mac address dynamic MAC address table...

Page 347: ... packet After receiving the VRRP packet the switch learns the MAC address and maps it to the interface connected to the new master device After receiving a VRRP packet that is sent every 1 second RouterC learns the MAC address of RouterA and forwards the VRRP packet to all the interfaces in VLAN 1 Eth2 0 0 of VLAN 1 receives the VRRP packet and loops the VRRP packet back using the loopback functio...

Page 348: ...device is not recommended If the loopback function is enabled incorrect MAC addresses will be learned Huawei AR2200 S Series Enterprise Routers Troubleshooting 11 Reliability Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 339 ...

Page 349: ...leshoot common GRE faults and provides sample troubleshooting scenarios in the following sections 12 2 IPSec Troubleshooting Huawei AR2200 S Series Enterprise Routers Troubleshooting 12 VPN Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 340 ...

Page 350: ...ither end or no tunnel source or destination address is configured on the two interfaces l No reachable route exists between the tunnel source and destination addresses Troubleshooting Flowchart After each device is configured as shown in Figure 12 1 PC1 and PC2 cannot communicate To rectify the fault follow the troubleshooting flowchart shown in Figure 12 2 Figure 12 1 GRE networking diagram Rout...

Page 351: ...tination addresses Is the Network Protocol status of two tunnel interfaces Up Is the Network Protocol status of two tunnel interfaces Up Can the Local End ping the remote tunnel interface Can the Local end ping the remote tunnel interface Seek technical support Seek technical support End Are Tunnel encapsulation modes on both ends the same Are there reachable routes between both ends Configure the...

Page 352: ... destination addresses are incorrect reconfigure the addresses in the tunnel interface view If the tunnel source and destination addresses are correct go to step 3 3 Check that reachable routes exist between the tunnel source and destination addresses If the interface configurations on both ends are correct but the tunnel status is still Down check whether reachable routes exist between interfaces...

Page 353: ...h other check whether their IP addresses are on the same network segment If IP addresses of the two interfaces are on different network segments configure static routes or a dynamic routing protocol to ensure that reachable routes exist between the two devices If IP addresses of the two interfaces are on the same network segment or reachable routes exist between the two devices go to step 3 3 Coll...

Page 354: ...play interface tunnel 0 0 1 Tunnel0 0 1 current state UP Line protocol current state UP Last line protocol up time 2011 03 08 16 58 30 Description HUAWEI AR Series Tunnel0 0 1 Interface Route Port The Maximum Transmit Unit is 1500 Internet Address is 11 1 1 1 24 Encapsulation is TUNNEL loopback not set Tunnel source 1 1 1 1 LoopBack1 destination 2 2 2 2 Tunnel protocol transport GRE IP key 2 keepa...

Page 355: ...GRE tunnel between two tunnel interfaces ensure that their network protocol status is Up their GRE key configurations are consistent and routes reachable to IP addresses of the two tunnel interfaces on both ends exist Two PCs Fail to Ping Each Other Although Tunnel Interfaces on Both Ends Can Ping Each Other Fault Symptom In Figure 12 4 configurations of tunnel interfaces on both ends are correct ...

Page 356: ... PC1 at 10 1 0 0 16 exists Step 3 Check that RouterA is specified as the default gateway of PC1 Step 4 Check that RouterB is specified as the default gateway of PC2 End Summary To correctly forward GRE encapsulated packets between two devices ensure that interfaces on both ends of a GRE tunnel can ping each other successfully and reachable routes to IP addresses of the two interfaces on both ends ...

Page 357: ...ec proposals at both ends the same Modify configurations so that IPSec proposals are the same Yes Yes No Do IPSec policies at both ends match Modify configurations so that IPSec policies match Yes No Do ACLs at both ends mirror each other Yes No Modify configurations so that the ACLs mirror each other End Seek technical support Is fault rectified Is fault rectified Is fault rectified Is fault rect...

Page 358: ...ing configuration according to Huawei AR2200 S Series Enterprise Routers Configuration Guide IP Routing l Run the display arp command on both devices to check whether the interface in the ARP entry matching the peer IP address is the specified interface If not run the reset arp command to delete the ARP entry from the ARP mapping table If data flows protected by the IPSec tunnel are forwarded by a...

Page 359: ...e remote device and the outbound parameters on the local device must be the same as the inbound parameters on the remote device If these parameters do not match modify the configuration according to Huawei AR2200 S Series Enterprise Routers Configuration Guide IPSec If the settings of IPSec policies match go to step 5 Step 5 Check whether the ACLs referenced by IPSec policies at both ends of the I...

Page 360: ...he settings of IPSec policies at both ends of the IPSec tunnel do not match For example the IPSec negotiation modes are different or the Perfect Forward Secrecy PFS settings are different l The ACLs referenced by IPSec policies at both ends do not mirror each other l The settings of IKE proposals at both ends of the IPSec tunnel are different l The settings of IKE peers at both ends of the IPSec t...

Page 361: ...sent from specified interface Modify configurations so that data flows are sent from specified interface No Do data flows match the ACL Modify the ACL configuration Yes Yes No End Seek technical support Is fault rectified Is fault rectified Is fault rectified No Yes No Yes Yes No Huawei AR2200 S Series Enterprise Routers Troubleshooting 12 VPN Issue 01 2012 01 06 Huawei Proprietary and Confidentia...

Page 362: ...are the same Yes Yes No Do IPSec policies at both ends match Modify configurations so that IPSec policies match Yes No Do ACLs at both ends mirror each other Yes No Modify configurations so that the ACLs mirror each other End Seek technical support Is fault rectified Is fault rectified Is fault rectified Is fault rectified No Yes Yes Yes Yes No No No Huawei AR2200 S Series Enterprise Routers Troub...

Page 363: ...lt you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check whether the IPSec SA and IKE SA are established successfully Run the display ike sa command to check the SAs established by a peer in certain phases according to the Peer Flag and Phase fields The command output shows that the peer at 30 0 0 1 establishes the IKE SA in phase 1 and the IPS...

Page 364: ...ep 3 Step 3 Check whether data flows match the ACL Analyze the source and destination IP addresses and port numbers of data flows to check whether the data flows match the ACL referenced by the IPSec policy l If the data flows do not match the ACL they cannot enter the IPSec tunnel Instead the data flows are forwarded directly To modify the matching rule see Huawei AR2200 S Series Enterprise Route...

Page 365: ... of the IPSec tunnel match go to step 6 Step 6 Check whether the ACLs referenced by IPSec policies at both ends of the IPSec tunnel mirror each other Run the display acl command on the Router If the following information is displayed the ACLs referenced by IPSec policies at both ends of the IPSec tunnel mirror each other Display the ACL configuration on RouterA RouterA display acl 3101 Advanced AC...

Page 366: ...be the same as the local name of the peer end If not run the remote name command to change the name of the remote peer NOTE The name of the remote peer is used in the following scenarios l IKEv1 and the aggressive mode are used and the name is used for authentication l IKEv2 is used and the remote IKE peer ID type is name If the configurations of IKE peers are correct go to step 9 Step 9 Check whe...

Page 367: ...le the PFS configurations are different l The ACLs referenced by IPSec policies at both ends do not mirror each other l The settings of IKE proposals at both ends of the IPSec tunnel are different l The settings of IKE peers at both ends of the IPSec tunnel are different For example IKE negotiation modes are different IKE versions are incorrect IP addresses of IKE peers do not match or names of IK...

Page 368: ...nterface Modify configuration so that data flows are sent from specified interface No Do data flows match the ACL Modify the ACL configuration Yes Yes No End Seek technical support Is fault rectified Is fault rectified Is fault rectified No Yes No Yes Yes No See IPSec SAs Fail to Be Established Huawei AR2200 S Series Enterprise Routers Troubleshooting 12 VPN Issue 01 2012 01 06 Huawei Proprietary ...

Page 369: ...ch Modify configurations so that IPSec policies match Yes No Do ACLs at both ends mirror each other Yes No Modify configurations so that the ACLs mirror each other End Seek technical support Is fault rectified Is fault rectified Is fault rectified Is fault rectified No Yes Yes Yes Yes No No No Does remote device initiate negotiation Modify configurations so that remote device initiates negotiation...

Page 370: ... will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check whether the IPSec SA and IKE SA are established successfully Run the display ike sa command to check the SAs established by a peer in certain phases according to the Peer Flag and Phase fields The command output shows that the peer at 30 0 0 1 establishes the IKE SA in phase 1 and the IPSec SA ...

Page 371: ...ep 3 Step 3 Check whether data flows match the ACL Analyze the source and destination IP addresses and port numbers of data flows to check whether the data flows match the ACL referenced by the IPSec policy l If the data flows do not match the ACL they cannot enter the IPSec tunnel Instead the data flows are forwarded directly To modify the matching rule see Huawei AR2200 S Series Enterprise Route...

Page 372: ...her NOTE If an IPSec policy template is used you can choose to configure ACLs If the ACLs are configured ensure that the ACLs at both ends mirror each other You are advised not to configure ACLs if an IPSec policy template is used If ACLs are configured run the display acl command on both Routers If the following information is displayed the ACLs referenced by IPSec policies at both ends of the IP...

Page 373: ... IP address of the remote end If IP addresses of IKE peers do not match run the local address command to change the local IP address of the IKE peer Remote name The remote name of the local end must be the same as the local name of the peer end If not run the remote name command to change the name of the remote peer NOTE The name of the remote peer is used in the following scenarios l IKEv1 and th...

Page 374: ...or example the IPSec negotiation modes are different or the Perfect Forward Secrecy PFS settings are different l The ACLs referenced by IPSec policies at both ends do not mirror each other l The settings of IKE proposals at both ends of the IPSec tunnel are different l The settings of IKE peers at both ends of the IPSec tunnel are incorrect For example the aggressive mode is not used IKE versions ...

Page 375: ...fied interface Modify configurations so that data flows are sent from specified interface No Do data flows match the ACL Modify the ACL configuration Yes Yes No End Seek technical support Is fault rectified Is fault rectified Is fault rectified No Yes No Yes Yes No Huawei AR2200 S Series Enterprise Routers Troubleshooting 12 VPN Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Hua...

Page 376: ...he protocol is ESP Yes Yes No Do IPSec policies at both ends match Modify configurations so that IPSec policies match Yes No Do ACLs at both ends mirror each other Yes No Modify configurations so that the ACLs mirror each other End Seek technical support Is fault rectified Is fault rectified Is fault rectified Is fault rectified No Yes Yes Yes Yes No No No Huawei AR2200 S Series Enterprise Routers...

Page 377: ...will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check whether the IPSec SA and IKE SA are established successfully Run the display ike sa command to check the SAs established by a peer in certain phases according to the Peer Flag and Phase fields The command output shows that the peer at 30 0 0 0 establishes the IKE SA in phase 1 and the IPSec SA i...

Page 378: ...table If data flows protected by the IPSec tunnel are forwarded by a specified interface go to step 3 Step 3 Check whether data flows match the ACL Analyze the source and destination IP addresses and port numbers of data flows to check whether the data flows match the ACL referenced by the IPSec policy l If the data flows do not match the ACL they cannot enter the IPSec tunnel Instead the data flo...

Page 379: ...ce The two ends must use the same DH group otherwise IKE negotiation fails Run the display ipsec policy command to view the Perfect Forward Secrecy field If the DH groups at both ends are different run the pfs dh group1 dh group2 command to change the DH groups to be the same If the settings of IPSec policies at both ends of the IPSec tunnel match go to step 6 Step 6 Check whether the ACLs referen...

Page 380: ...local IP address of the local end must be the same as the peer IP address of the remote end If IP addresses of IKE peers do not match run the local address command to change the local IP address of the IKE peer Remote name The remote name of the local end must be the same as the local name of the peer end If not run the remote name command to change the name of the remote peer NAT traversal NAT tr...

Page 381: ...tch the ACL referenced by the IPSec policy l The settings of IPSec proposals at both ends of the IPSec tunnel are different l The settings of IPSec policies at both ends of the IPSec tunnel do not match For example the IPSec negotiation modes are different or the Perfect Forward Secrecy PFS settings are different l The ACLs referenced by IPSec policies at both ends do not mirror each other l The s...

Page 382: ... configurations so that data flows are sent from specified interface No Does IP header encapsulated on GRE tunnel match ACL Modify the ACL configuration Yes Yes No End Seek technical support Is fault rectified Is fault rectified Is fault rectified No Yes No Yes Yes No Huawei AR2200 S Series Enterprise Routers Troubleshooting 12 VPN Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright ...

Page 383: ...e the same Yes Yes No Do IPSec policies at both ends match Modify configurations so that IPSec policies match Yes No Do ACLs at both ends mirror each other Yes No Modify configurations so that the ACLs mirror each other End Seek technical support Is fault rectified Is fault rectified Is fault rectified Is fault rectified No Yes Yes Yes Yes No No No Huawei AR2200 S Series Enterprise Routers Trouble...

Page 384: ... you will have a record of your actions to provide Huawei technical support personnel Procedure Step 1 Check whether the IPSec SA and IKE SA are established successfully Run the display ike sa command to check the SAs established by a peer in certain phases according to the Peer Flag and Phase fields The command output shows that the peer at 30 0 0 1 establishes the IKE SA in phase 1 and the IPSec...

Page 385: ...ep 3 Step 3 Check whether data flows match the ACL Analyze the source and destination IP addresses and port numbers of data flows to check whether the data flows match the ACL referenced by the IPSec policy l If the data flows do not match the ACL they cannot enter the IPSec tunnel Instead the data flows are forwarded directly To modify the matching rule see Huawei AR2200 S Series Enterprise Route...

Page 386: ... DH groups to be the same If the settings of IPSec policies at both ends of the IPSec tunnel match go to step 6 Step 6 Check whether the ACLs referenced by IPSec policies at both ends of the IPSec tunnel mirror each other NOTE If an IPSec policy template is used you can choose to configure ACLs If the ACLs are configured ensure that the ACLs at both ends mirror each other You are advised not to co...

Page 387: ...ame as the peer IP address of the remote end If IP addresses of IKE peers do not match run the local address command to change the local IP address of the IKE peer or run the remote address command to change the peer IP address of the IKE peer remote name The remote name of the local end must be the same as the local name of the peer end If not run the remote name command to change the name of the...

Page 388: ... tunnel can protect the traffic between PC A and PC B Figure 12 18 Only one end of the manually configured IPSec tunnel can encrypt and decrypt data packets because the ACL is configured incorrectly RouterB RouterA Internet PC A PC B GE1 0 0 GE1 0 0 10 1 1 1 24 10 1 2 1 24 12 12 12 1 24 18 18 18 1 24 Fault Analysis 1 Run the display ipsec statistics ah esp command on Router A and Router B to check...

Page 389: ...to enter the view of ACL 3101 Step 3 Run the undo rule 5 and rule 5 permit ip source 10 1 1 0 0 0 0 255 destination 10 1 2 0 0 0 0 255 commands to ensure that the ACLs referenced by IPSec policies on Router A and Router B mirror each other Step 4 Run the return command to return to the user view and then run the save command to save the configuration Step 5 After the preceding operations are compl...

Page 390: ...traffic based triggering mode Router A display ipsec policy name zpolicy005 IPsec Policy Group zpolicy005 Using interface GE1 0 0 SequenceNumber 10000 Security data flow 3300 IKE peer name zytpeer Perfect forward secrecy None Proposal name h IPsec SA local duration time based 9000 seconds IPsec SA local duration traffic based 3600 kilobytes SA trigger mode Traffic based The IPSec policy applied to...

Page 391: ...e generated End Summary After IPSec policies are configured at both ends at least one end initiates IKE negotiation If an IPSec policy template is used the remote end must initiate negotiation The SA triggering mode can be automatic or traffic based triggering Huawei AR2200 S Series Enterprise Routers Troubleshooting 12 VPN Issue 01 2012 01 06 Huawei Proprietary and Confidential Copyright Huawei T...