Cisco Systems 78-10548-02 User Manual
CHAPTER
7
MPLS VPN Solution Troubleshooting Guide
This chapter describes how to recognize and troubleshoot problems you might encounter when
deploying MPLS VPN Solution services.
General Topics
1. Question: I executed an Add VPN Service to CE followed by a Deploy Service Requests, then I
selected Gener ate A udit Reports. Ho we v er , the All VPN Service Requests Report indicates that the
service request is not in either a Deployed or Functional state. Where do I look?
Answer: If the service request is in the Requested, Invalid, or the Failed Deploy state, refer to the
“Provisioning Problems” section on page 7-3. However, if the service request is stuck in Pending,
refer to the “Auditing Problems” section on page 7-10.
2. Question: What are the service deployment states? What do they mean?
Answer: Table 7-1 describes the VPN service request deployment states.
Table 7-1 Summary of MPLS VPN Service Request Types
Service Request Type Description
Broken While the router is correctly configured, the service is unavailable (due to a
broken cable or Layer 2 problem, fo r example). A service req uest moves to
Broken if the Auditor finds the routing and forwarding tables for this service,
but they do not match the service intent.
Closed A service request moves to Closed if the service request should no longer be
used during the provisioning or auditing process. A service request mo ves to
the Closed state only upon a successful audit of a remove request. MPLS
VPN Solution does not remove a service request from the database to allow
for extended auditing. Only a specific administrator action results i n service
requests being removed.
Deployed A service request moves to Deployed if the configlet commands have been
verified as found in t he router confi guration f ile. Deplo yed indicates t hat the
configuration file has been downloaded to the router, and the intent of the
request has been verified at the configuration level.
78-10548-02
Cisco VPN Solutions Center: MPLS Solution User Guide
7-1
Chapter 7 MPLS VPN Solution Troubleshooting Guide
Table 7-1 Summary of MPLS VPN Service Request Types (continued)
Service Request Type Description
Failed Deploy After provisioning occurred, the ser vice req uest failed t o download the
configlets to the router. A service request moves to Failed Deploy if an err or
was detected during the deployment proce ss by the Cisco IP Manager
(CIPM). If CIPM is not being used to download configlets, and the product
is simply exporting configlets to a directory, there is no way to distinguish
between a service request in the Failed Deploy and Pending states. There are
two causes for Failed Deploy status:
• CIPM reports to VPIM that the download failed (lost connection, bad
password, etc.).
• The object could not establish configuration-level verification of intent.
If the configlets are exported to a directory, th e service request cannot mo v e
into a Failed Deploy state.
Functional A service request moves to Functional whe n the Aud itor finds the VPN
routing and forwarding tables (VRF) for this service and they match with the
service intent. This state requires configuration-level verification.
Invalid Indicates that the service request information is incorrect in some way. A
service request moves to Invalid if the request was either internally
inconsistent or not consistent with the rest of the existing network/router
configurations (for example, no more interfaces were available on the
router). The VPN Provisioning Inventory Manager (VPIM) server cannot
generate configlets to service this request.
Lost A service request moves to Lost when the Auditor can not find a
configuration-level verification of intent in the router configuration files.
The service request was deployed, but now some or all router configuration
information is missing. A service request can move to the Lost state only
when the service request had been Deployed or Functional.
Pending A service request moves to Pending when the VPN Provisioning Inventory
Manager (VPIM) server determines that the request looks consistent and w as
able to generate the required configlets for this request. Pending indicates
that the service request has generated the configlets and the configlets are
successfully downloaded to the routers.
The Auditor regards pending service requ ests as ne w requests and begins the
audit. If the service has been freshly provisioned and not yet audited, it is not
an error (pending audit). However, if an audit is done and the service is still
pending, it is in an error state.
Requested If the service is newly entered and not yet deployed, it is not an error.
However, if a Deploy is done and it remains Requested, the service is in an
error state.
7-2
3. Question: Which of the error states are due to provisioning and which are due to auditing?
Answer: Requested (after provisioning), Invalid, and Failed Deploy are due to error conditions in
provisioning. Pending (after auditing), Lost, and Broken are due to error conditions in auditing.
Cisco VPN Solutions Center: MPLS Solution User Guide
78-10548-02
Chapter 7 MPLS VPN Solution Troubleshooting Guide
Provisioning Problems
The MPLS VPN Solution provisioning system has the following functions:
1. Collect the PE router configuration files (PE-upload)
2. Collect the CE router configuration files (CE-upload)
3. Provisioning
4. Write the changed configuration information to the PE (PE-DownLoad)
5. Write the changed configuration information to the CE (CE-DownLoad)
Functions 1, 2, 4, and 5 are executed by a server called the Download to IPM (DIPM) server. For more
information on the DIPM Server, see “The Download to IPM (DIPM) Server” section on page A-1.
Errors in functions 1 or 2 lead to functions 3, 4, and 5 being skipped. The two servers involved in
provisioning are CVPIM Server and CNGS Server. These are CORBA servers.
The provisioning engine has a model of the router. This router model is modified as necessary to
introduce attributes to support the service request.
1. Question: What is the flow of the provisioning operation?
Answer:
The program that runs all these functions is called VPIMDownLoadClient. VPIM Do wnLoad Client
is a client to the CVPIM server. VPIM DownLoad Client initializes the provisioning by making a
CORBA call to the CVPIM server.
Provisioning Problems
The CVPIM server calls the DIPM server to perform functions 1 and 2. After the product uploads
the fresh configuration files from the router, it provisions the service request and calls the CNGS
server for the changes.
After a successful operation to update the configlet with the necessary changes, the CVPIM server
calls the DIPM server to download the new configlets to the routers (that is, functions 4 and 5).
If functions 1 or 2 fail, the other functions are skipped, and the service request stays in the
Requested state.
If function 3 fails, the service request becomes Invalid.
If function 3 succeeds, but functions 4 or 5 fail, the service request moves to the Failed Deploy
state.
2. Question: Where can I see how the provisioning functions performed in my audit?
Answer: The first place to look at is in the Task Logs:
a. From the VPN Console, choose Tools > Task Logs.
The browser opens and displays the MPLS VPN Solution Task Logs, as shown in Figure 7-1.
78-10548-02
Cisco VPN Solutions Center: MPLS Solution User Guide
7-3
Provisioning Problems
Chapter 7 MPLS VPN Solution Troubleshooting Guide
Figure 7-1 MPLS VPN Solution Task Logs Browser
b.
Choose the task that was run for this deployment .
The task name is the name you assigned. The tasks are listed in reverse chronological order
(with the latest one first).
c. Click the Log link (in the rightmost column).
Summary information appears in the left pane.
7-4
Cisco VPN Solutions Center: MPLS Solution User Guide
78-10548-02
Chapter 7 MPLS VPN Solution Troubleshooting Guide
Figure 7-2 Task Log Summary Information and Action Report
Provisioning Problems
78-10548-02
d. To see the Action Report, click the link under the Actions heading.
The Action Report appears.
3. Question: My service request is stuck in the Requested state. Where should I go to lo ok for errors?
Answer: In the Task Log Summary Ta ble, look at the PE-UpLoad and CE-Up Load information for
that service request. One or both of them should say “Fail.” This makes the rest of them “skipped.”
Thus, the service request remains in the Requested state.
4. Question: I tried the link to the Task Log Summary table, but the table isn’t displayed.
Answer: Check at the top of the frame for a set of links: Stdout/Stderr Errors. Std out/Stderr giv es
you the messages that were displayed to the terminal when the VPIMDownLoadClient program
runs. From this, you can see whether and how th e client application ran. Al l abnormal terminations
would be reported. Similarly, Errors lists the error messages reported by the client.
5. Question: When I try to access the Log Summary Table, I see a “Fatal Error” message displayed.
What happened?
Answer: Click the Stdout/Stderr link and view the output.
First, being a CORBA client, did it connect to the CORBA server?
If it did not, you see a number for “Retrying Co nnecti on” lines, follo wed by these lines (at the v ery
end):
Cisco VPN Solutions Center: MPLS Solution User Guide
7-5
Loading...