Huawei V200R001C01, AR2200-S Troubleshooting Manual

Huawei AR2200-S Series Enterprise Routers
V200R001C01
Troubleshooting
Issue 01
Date 2012-01-06
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang Shenzhen 518129 People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2012-01-06) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.

About This Document

Intended Audience
This document describes the procedure for troubleshooting various services supported by the AR2200-S in terms of common causes, flowchart, troubleshooting procedure, alarms and logs, and case studies.
This document is intended for:
• System maintenance engineers
• Commissioning engineers
• Network monitoring engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol     Description
DANGER     Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING    Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION    Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP        Indicates a tip that may help you solve a problem or save time.
NOTE       Provides additional information to emphasize or supplement important points of the main text.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.
Changes in Issue 01 (2010-01-06)
Initial commercial release.

Contents

About This Document
1 Hardware
1.1 Board Registration Troubleshooting
1.1.1 A Board Fails to Be Registered
2 System
2.1 CPU Troubleshooting
2.1.1 CPU Usage Is High
2.2 Telnet Troubleshooting
2.2.1 The User Fails to Log in to the Server Through Telnet
2.3 SSH Troubleshooting
2.3.1 The User Fails to Log in to the Server Through SSH
2.4 Mirroring Troubleshooting
2.4.1 Monitoring Device Does Not Receive Any Mirrored Packet After Port Mirroring Is Configured
2.4.2 Monitoring Device Does Not Receive Any Mirrored Packets After Traffic Mirroring Is Configured
2.4.3 Troubleshooting Cases
2.5 SNMP Troubleshooting
2.5.1 An SNMP Connection Cannot Be Established
2.5.2 The NMS Fails to Receive Trap Messages from the Host
2.6 NQA Troubleshooting
2.6.1 A UDP Jitter Test Instance Fails to Be Started
2.6.2 A Drop Record Exists in the UDP Jitter Test Result
2.6.3 A Busy Record Exists in the UDP Jitter Test Result
2.6.4 A Timeout Record Exists in the UDP Jitter Test Result
2.6.5 The UDP Jitter Test Result Is "Failed", "No Result" or "Packet Loss"
2.7 NTP Troubleshooting
2.7.1 The Clock Is Not Synchronized
2.8 CWMP Troubleshooting
2.8.1 Failed to Manage AR2200-S Using CWMP
3 Physical Connection and Interfaces
3.1 Eth-Trunk Interface Troubleshooting
3.1.1 Eth-Trunk Interface Cannot Forward Traffic
3.1.2 Troubleshooting Cases
4 LAN
4.1 VLAN Troubleshooting
4.1.1 Users in a VLAN Cannot Communicate with Each Other
4.2 MAC Address Table Troubleshooting
4.2.1 Correct MAC Address Entries Cannot Be Generated
4.3 MSTP Troubleshooting
4.3.1 MSTP Topology Change Leads to Service Interruption
4.4 Transparent Bridging Troubleshooting
4.4.1 Layer 2 Traffic Forwarding in a Bridge Group Fails
4.4.2 Traffic Forwarding in IP Routing of Bridge Groups Fails
5 WAN
5.1 E1/T1 Troubleshooting
5.1.1 E1/T1 Interface in Up State Fails to Correctly Send and Receive Data
5.2 FR Troubleshooting
5.2.1 Local Device Fails to Ping the Remote Device When the Link Protocol Status of Their Connected FR Interfaces Is Up
5.2.2 Troubleshooting Cases
5.3 MFR Troubleshooting
5.3.1 Local Device Fails to Ping the Remote Device When the Link Protocol Status of Their Connected MFR Interfaces Is Up
5.3.2 Troubleshooting Cases
5.4 DCC Troubleshooting
5.4.1 Failed to Initiate Calls
5.4.2 Failed to Receive Calls
5.5 ISDN Troubleshooting
5.5.1 Link Failed to Be Established on ISDN Interfaces
5.6 PPPoE Troubleshooting
5.6.1 PPPoE Dialup Fails
5.7 PPP Troubleshooting
5.7.1 Protocol Status of a PPP Interface Is Down
5.8 xDSL Troubleshooting
5.8.1 Packets Fail to Be Forwarded on an ADSL Interface Working in ATM Mode
5.8.2 Packets Fail to Be Forwarded on a G.SHDSL Interface Working in ATM Mode
5.9 3G Troubleshooting
5.9.1 3G Calls Failed After Dialing Parameters Were Correctly Set
6 Voice
6.1 Voice Service Troubleshooting
6.1.1 No Feed Is Detected on a Telephone
6.1.2 No Dial Tone Is Heard After Offhook
6.1.3 Call Quality Is Low
6.1.4 Busy Tone Is Heard After Offhook
6.1.5 A Call Fails to Be Connected
6.1.6 Calling Number Is Not Displayed on the Called Party's Telephone
6.1.7 Fax Service Fails
6.1.8 A SIP AG Cannot Work Properly
7 IP Forwarding and Routing
7.1 A Ping Operation Fails
7.1.1 The Ping Operation Fails
7.1.2 Troubleshooting Cases
7.2 DHCP Troubleshooting
7.2.1 A Client Cannot Obtain an IP Address (the AR2200-S Functions as the DHCP Server)
7.2.2 A Client Cannot Obtain an IP Address (the AR2200-S Functions as the DHCP Relay Agent)
7.3 RIP Troubleshooting
7.3.1 Device Does not Receive Partial or All the Routes
7.3.2 Device Does not Send Some or All Routes
7.4 OSPF Troubleshooting
7.4.1 The OSPF Neighbor Relationship Is Down
7.4.2 The OSPF Neighbor Relationship Cannot Reach the Full State
7.4.3 Trouble Cases
8 Multicast
8.1 Layer 3 Multicast Troubleshooting
8.1.1 Multicast Traffic Is Interrupted
8.1.2 The PIM Neighbor Relationship Remains Down
8.1.3 The RPT on a PIM-SM Network Fails to Forward Data
8.1.4 The SPT on a PIM-SM Network Fails to Forward Data
8.1.5 MSDP Peers Cannot Generate Correct (S, G) Entries
8.1.6 The Multicast Device Cannot Generate IGMP Entries or MLD Entries
9 QoS
9.1 Traffic Policy Troubleshooting
9.1.1 Traffic Policy Fails to Take Effect
9.1.2 Troubleshooting Cases
9.2 Priority Mapping Troubleshooting
9.2.1 Packets Enter Incorrect Queues
9.2.2 Priority Mapping Results Are Incorrect
9.2.3 Troubleshooting Cases
9.3 Traffic Policing Troubleshooting
9.3.1 Traffic Policing Based on Traffic Classifiers Fails to Take Effect
9.3.2 Interface-based Traffic Policing Results Are Incorrect
9.3.3 Troubleshooting Cases
9.4 Traffic Shaping Troubleshooting
9.4.1 Queue-based Traffic Shaping Results Are Incorrect
9.4.2 Troubleshooting Cases
9.5 Congestion Avoidance Troubleshooting
9.5.1 Congestion Avoidance Fails to Take Effect
9.6 Congestion Management Troubleshooting
9.6.1 Congestion Management Fails to Take Effect
9.6.2 Troubleshooting Cases
10 Security
10.1 AAA Troubleshooting
10.1.1 RADIUS Authentication Fails
10.1.2 HWTACACS Authentication Fails
10.1.3 Troubleshooting Cases
10.2 ARP Security Troubleshooting
10.2.1 The ARP Entry of an Authorized User Is Maliciously Modified
10.2.2 The Gateway Address Is Maliciously Changed
10.2.3 User Traffic Is Interrupted by a Large Number of Bogus ARP Packets
10.2.4 IP Address Scanning Occurs
10.2.5 ARP Learning Fails
10.3 NAC Troubleshooting
10.3.1 802.1x Authentication of a User Fails
10.3.2 MAC Address Authentication of a User Fails
10.3.3 MAC Address Bypass Authentication of a User Fails
10.4 Firewall Troubleshooting
10.4.1 SYN Flood Attacks Are Detected on a Network
10.5 ACL Troubleshooting
10.5.1 Packet Filtering Firewall Fails Because of Invalid ACL Configuration
10.6 NAT Troubleshooting
10.6.1 Internal Users Fail to Access the Public Network
10.6.2 External Hosts Fail to Access Internal Servers
10.6.3 Internal Host with a Conflicting IP Address Fails to Access an External Server
11 Reliability
11.1 Interface Backup Troubleshooting
11.1.1 Interface Backup Fails to Take Effect
11.1.2 Troubleshooting Cases
11.2 BFD Troubleshooting
11.2.1 BFD Session Cannot Go Up
11.2.2 Interface Forwarding Is Interrupted After a BFD Session Detects a Fault and Goes Down
11.2.3 Changed BFD Session Parameters Do Not Take Effect
11.2.4 Dynamic BFD Session Fails to Be Created
11.3 VRRP Troubleshooting
11.3.1 Troubleshooting Cases
12 VPN
12.1 GRE Troubleshooting
12.1.1 Failed to Ping the IP Address of the Remote Tunnel Interface
12.1.2 Troubleshooting Cases
12.2 IPSec Troubleshooting
12.2.1 SAs Fail to Be Established Manually
12.2.2 SAs Fail to Be Established by Using IKE Negotiation
12.2.3 IPSec Fails to Be Configured by Using an IPSec Policy Template
12.2.4 NAT Traversal in IPSec Fails
12.2.5 GRE over IPSec Fails
12.2.6 Troubleshooting Cases

1 Hardware

About This Chapter
1.1 Board Registration Troubleshooting

1.1 Board Registration Troubleshooting

1.1.1 A Board Fails to Be Registered

Common Causes
This fault is commonly caused by one of the following:
• The board is starting.
• The board was reset.
Troubleshooting Flowchart
The troubleshooting roadmap is as follows:
• Check whether the board is starting.
• Check whether the board is in an unregistered state after the board has finished startup.
• Check whether the board was reset. If the board was reset, locate the cause.
Figure 1-1 shows the troubleshooting flowchart.
Figure 1-1 A board fails to be registered
[Flowchart not reproduced. Nodes: A board fails to be registered; Is board starting?; Wait for the board to complete startup; Was board reset?; Locate fault according to instructions; Is fault rectified?; Seek technical support; End]
Troubleshooting Procedure
Procedure
NOTE
Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault, you will have a record of your actions to provide to Huawei technical support personnel.
Step 1 Check whether the board is starting.
A board takes several minutes to complete registration after power-on. This period is called the startup time. The startup times for specific boards are as follows:
• The startup time of the SRU is less than 3 minutes. If the device restarts after the system software is upgraded, the startup time is less than 5 minutes.
• The startup time of an LPU is less than 5 minutes. If the LPU needs to synchronize an update from the SRU, the startup time is less than 10 minutes.
• If the board is still within its startup time, wait until it starts.
• If the board has exceeded its startup time, run the display device command to check the board status. If the Register field of the board is displayed as Unregistered, go to step 2.
Step 2 Check whether the board was reset.
• Run the display reset-reason [ slot slot-id ] command. If no information about board resetting is displayed, the board has never been registered. Connect the board to a terminal with a serial cable and check whether the system software has been loaded to the board correctly. For details, see Board Software Loading Troubleshooting.
• If information about board resetting is displayed, rectify the fault according to the instructions in the command output.
If the fault persists, go to step 3.
Step 3 Collect the following information and contact Huawei technical support personnel.
• Results of the preceding troubleshooting procedure
• Configuration file, log file, and alarm file of the AR2200-S
----End
Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.

2 System

About This Chapter
2.1 CPU Troubleshooting
2.2 Telnet Troubleshooting
2.3 SSH Troubleshooting
This chapter describes common causes of the fault that the user fails to log in to the server through SSH, and provides the corresponding troubleshooting flowcharts and examples.
2.4 Mirroring Troubleshooting
This chapter describes common causes of mirroring faults, and provides the corresponding troubleshooting flowcharts, troubleshooting procedures, alarms, and logs.
2.5 SNMP Troubleshooting
2.6 NQA Troubleshooting
2.7 NTP Troubleshooting
2.8 CWMP Troubleshooting

2.1 CPU Troubleshooting

2.1.1 CPU Usage Is High

Common Causes
CPU usage is the percentage of a given time period during which the CPU is executing code. It is an important indicator of device performance.
To view CPU usage, run the display cpu-usage command. CPU usage is considered high if it exceeds 70%. High CPU usage causes service faults, for example, BGP route flapping, frequent VRRP active/standby switchovers, and even failed device login.
System CPU usage is high when the CPU usage of some tasks remains high. This fault is commonly caused by one of the following:
● A large number of packets are sent to the CPU when loops or DoS packet attacks occur.
● STP flapping occurs frequently and a large number of TC packets are received, causing the device to frequently delete MAC address entries and ARP entries.
● The device generates a large number of logs, consuming a lot of CPU resources.
Troubleshooting Flowchart
Figure 2-1 shows the troubleshooting flowchart.
Figure 2-1 CPU usage is high
Troubleshooting Procedure
Procedure
NOTE
Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault, you will have a record of your actions to provide to Huawei technical support personnel.
The following procedures can be performed in any sequence.
The command output in the following procedures varies based on the device model. The following procedures describe how to view related information.
Step 1 Check the names of tasks with a high CPU usage.
Run the display cpu-usage command to check the CPU usage of each task.
Record the names of tasks with CPU usage exceeding 70%.
NOTE
CPU usage of 70% does not necessarily affect services. Services may not be affected when some tasks consume 70% of CPU resources, but may be affected when some tasks consume 30% of CPU resources. The outcome depends on the actual situation.
Step 2 Check whether a large number of packets are sent to the CPU.
Run the display cpu-defend statistics command to check statistics about the packets sent to the CPU and focus on the Drop field.
<Huawei> display cpu-defend statistics all
-----------------------------------------------------------------------
Packet Type           Pass Packets        Drop Packets
-----------------------------------------------------------------------
8021X                 0                   0
arp-miss              1                   0
arp-reply             5                   0
arp-request           1450113             25597
bfd                   0                   0
bgp                   0                   0
dhcp-client           114693              136586
dhcp-server           0                   0
dns                   0                   0
fib-hit               0                   0
ftp                   717                 0
fw-dns                0                   0
fw-ftp                0                   0
fw-http               0                   0
fw-rtsp               0                   0
fw-sip                0                   0
gvrp                  0                   0
http                  798                 0
hw-tacacs             0                   0
icmp                  10                  0
igmp                  0                   0
ipsec                 0                   0
isis                  0                   0
lacp                  0                   0
lldp                  33959               0
ntp                   0                   0
ospf                  1569                0
pim                   0                   0
pppoe                 0                   0
radius                0                   0
rip                   0                   0
snmp                  0                   0
ssh                   0                   0
stp                   0                   0
tcp                   7671                0
telnet                71149               0
ttl-expired           656                 0
udp-helper            0                   0
unknown-multicast     6                   0
unknown-packet        94189               0
vrrp                  0                   0
-----------------------------------------------------------------------
● If the value of the Drop field for a certain type of packets is large and CPU usage is high, packet attacks are occurring. Go to step 6.
● If the value of the Drop field is within the specified range, go to step 3.
Step 3 Check whether a large number of TC packets are received.
If STP is enabled on a device, the device deletes MAC address entries and ARP entries when it receives TC-BPDUs. If an attacker sends forged TC-BPDUs to the device, the device receives a large number of TC-BPDUs within a short period and frequently deletes MAC address entries and ARP entries. As a result, CPU usage on the device becomes high.
Run the display stp command to check statistics about the received TC packets and TCN packets.
<Huawei> display stp interface Eth2/0/1
----[CIST][Port2(Ethernet2/0/1)][FORWARDING]----
 Port Protocol           :Enabled
 Port Role               :Designated Port
 Port Priority           :128
 Port Cost(Dot1T )       :Config=auto / Active=199999
 Designated Bridge/Port  :4096.00e0-fc01-0005 / 128.2
 Port Edged              :Config=default / Active=disabled
 Point-to-point          :Config=auto / Active=true
 Transit Limit           :147 packets/hello-time
 Protection Type         :None
 Port STP Mode           :MSTP
 Port Protocol Type      :Config=auto / Active=dot1s
 PortTimes               :Hello 2s MaxAge 20s FwDly 15s RemHop 20
 TC or TCN send          :1
 TC or TCN received      :0
 BPDU Sent               :124008
          TCN: 0, Config: 0, RST: 0, MST: 124008
 BPDU Received           :0
          TCN: 0, Config: 0, RST: 0, MST: 0
● If a large number of TC packets and TCN packets are received, run the stp tc-protection command in the system view to suppress TC-BPDUs. After this command is used, only three TC packets are processed within a Hello interval by default. Run the stp tc-protection threshold command to set the maximum number of TC packets that can be processed. To change the hello interval, run the stp timer hello command.
[Huawei] stp tc-protection
[Huawei] stp tc-protection threshold 5
[Huawei] stp timer hello 200
● If a small number of TC packets are received, go to step 4.
Step 4 Check whether loops occur on the network.
When multiple interfaces of a device belong to the same VLAN, if a loop occurs between two interfaces, packets are forwarded only between these interfaces in the VLAN. Consequently, CPU usage of the device becomes high.
Run the display current-configuration command to check whether the device is enabled to generate an alarm when MAC address flapping is detected.
#
loop-detect eth-loop alarm-only
#
● If this function is not configured, run the loop-detect eth-loop alarm-only command to configure this function. If a loop occurs on the network, an alarm is generated when two interfaces of the device learn the same MAC address entry. For example:
Feb 22 2011 18:42:50 Huawei L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12The mac-address has flap value . (L2IfPort=0,entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1, MacAdd=0000-c0a8-0101,vlanid=100, FormerIfDescName=Ethernet1/0/0,CurrentIfDescName=Ethernet1/0/1,DeviceName=HUAWEI)
Check the interface connection and networking information based on the alarm:
– If no ring network is required, shut down one of the two interfaces based on the networking diagram.
– If the ring network is required, disable loop detection and enable loop prevention protocols, such as STP.
● If the loop-detect eth-loop alarm-only command is used on the device but no alarm is generated, go to step 5.
Step 5 Check whether a large number of logs are generated on the device.
The device generates diagnostic information or logs continuously in some cases, for example, when attacks occur on the device, an error occurs during device operation, or an interface frequently alternates between Up and Down states. If the storage device is frequently read or written, CPU usage becomes high.
Run the display logbuffer command to check whether a large number of logs are generated. If a certain log is repeatedly generated, go to step 6.
Step 6 Collect the following information and contact Huawei technical support personnel:
● Results of the preceding troubleshooting procedure
● Configuration files, log files, and alarm files of the device
----End
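The Drop-field check from Step 2, as an added Python example (not Huawei tooling and not part of the original manual): it parses display cpu-defend statistics output, ranks packet types by drops, and subtracts two snapshots to show which type is being dropped now. The min_drops threshold, the values in the second snapshot, and the assumption that the counters are cumulative are not from this manual.

```python
import re

# Constructed sample: selected rows of the Step 2 output shown in this section.
SNAPSHOT_1 = """\
-----------------------------------------------------------------------
Packet Type           Pass Packets        Drop Packets
-----------------------------------------------------------------------
8021X                 0                   0
arp-request           1450113             25597
dhcp-client           114693              136586
telnet                71149               0
unknown-packet        94189               0
-----------------------------------------------------------------------
"""

# Constructed sample: a later snapshot of the same rows with invented values.
SNAPSHOT_2 = """\
8021X                 0                   0
arp-request           1451200             91597
dhcp-client           114700              136590
telnet                71300               0
unknown-packet        94200               0
"""

# A data row is exactly: packet type, pass counter, drop counter.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_cpu_defend(text):
    """Return {packet_type: (pass_packets, drop_packets)}; rulers and header are skipped."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats


def rank_by_drops(stats, min_drops=1000):
    """List (type, pass, drop, drop_share) for types with at least min_drops drops.

    min_drops is an assumed threshold; the manual does not define a "large" value.
    """
    rows = []
    for ptype, (passed, dropped) in stats.items():
        if dropped >= min_drops:
            share = dropped / (passed + dropped)
            rows.append((ptype, passed, dropped, round(share, 3)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def drops_since(before, after):
    """Drops added between two snapshots, assuming the counters are cumulative.

    A type with a large lifetime total may be quiet now; the difference shows
    what is actually loading the CPU during the incident.
    """
    growth = {}
    for ptype, (_, dropped) in after.items():
        previous = before.get(ptype, (0, 0))[1]
        # A smaller value than before means the statistics were reset in between.
        added = dropped if dropped < previous else dropped - previous
        if added > 0:
            growth[ptype] = added
    return growth


if __name__ == "__main__":
    first = parse_cpu_defend(SNAPSHOT_1)
    second = parse_cpu_defend(SNAPSHOT_2)
    for row in rank_by_drops(first):
        print("lifetime:", row)
    for ptype, added in sorted(drops_since(first, second).items(),
                               key=lambda kv: kv[1], reverse=True):
        print("since last snapshot:", ptype, added)
```

In the sample, dhcp-client has the largest lifetime drop count, but arp-request accounts for almost all drops between the two snapshots, so it is the packet type to record for step 6.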
Relevant Alarms and Logs
Relevant Alarms
None
Relevant Logs
None

2.2 Telnet Troubleshooting

2.2.1 The User Fails to Log in to the Server Through Telnet

Common Causes
This fault is commonly caused by one of the following:
● The route is unreachable, and the user cannot set up a TCP connection with the server.
● The number of users logging in to the server reaches the upper threshold.
● An ACL is configured in the VTY user interface view.
● The access protocol specified in the VTY user interface view is incorrect. For example, when the access protocol is configured to SSH through the protocol inbound ssh command, the user cannot log in to the server through Telnet.
Troubleshooting Flowchart
Figure 2-2 shows the troubleshooting flowchart.
Figure 2-2 Troubleshooting flowchart for the fault that the client fails to log in to the server through Telnet
Troubleshooting Procedure
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check whether the Telnet client can ping the server.
Run the ping command to check network connectivity. If the ping fails, the Telnet connection cannot be established between the user and the server.
If the ping fails, see The Ping Operation Fails to locate the problem so that the Telnet client can ping the server.
Step 2 Check whether the number of users logging in to the server reaches the upper threshold.
Log in to the server through a console interface and then run the display users command to check whether all the current VTY channels are in use. By default, a maximum of 5 users can log in to the server through VTY channels. Run the display user-interface maximum-vty command to view the allowed maximum number of login users.
<Huawei> display user-interface maximum-vty
 Maximum of VTY user:5
<Huawei> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
+ 0   CON 0   00:00:00                                             no
  Username : Unspecified
  34  VTY 0   00:13:39  TEL    10.138.78.107                       no
  Username : Unspecified
If the number of users logging in to the server reaches the upper threshold, you can run the user-interface maximum-vty vty-number command to increase the maximum number of users allowed to log in to the server through VTY channels to 15.
<Huawei> system-view
[Huawei] user-interface maximum-vty 15
Step 3 Check that an ACL is configured in the VTY user interface view.
[Huawei] user-interface vty 0 4
[Huawei-ui-vty0-4] display this
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 user privilege level 3
 idle-timeout 0 0
If an ACL is configured but the IP address of the client to be permitted is not specified in the ACL, the user cannot log in to the server through Telnet. To enable a user with a specific IP address to log in to the server through Telnet, permit the IP address of the user in the ACL.
Step 4 Check that the access protocol configured in the VTY user interface view is correct.
[Huawei] user-interface vty 0 4
[Huawei-ui-vty0-4] display this
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 idle-timeout 0 0
 protocol inbound ssh
Run the protocol inbound { all | ssh | telnet } command to configure the user access protocol. By default, the user access protocol is Telnet.
● If the user access protocol is SSH, the user cannot log in to the server through Telnet.
● If the user access protocol is "all", the user can log in to the server through Telnet or SSH.
Step 5 Check that the authentication mode is configured in the user interface view.
● If you run the authentication-mode password command to configure the authentication mode for the user logging in to the server through the VTY channel to password, run the set authentication password command to set the authentication password.
● If you run the authentication-mode aaa command to configure the authentication mode to aaa, you should run the local-user command to add a local user.
● If you run the authentication-mode none command to configure the authentication mode to none, the authentication mode does not affect your login.
Step 6 If the fault persists, collect the following information and contact Huawei technical support personnel:
● Results of the preceding troubleshooting procedures
● Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.

2.3 SSH Troubleshooting

This chapter describes common causes of the fault that the user fails to log in to the server through SSH, and provides the corresponding troubleshooting flowcharts and examples.

2.3.1 The User Fails to Log in to the Server Through SSH

This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that the user fails to log in to the server through SSH.
Common Causes
This fault is commonly caused by one of the following:
● The route is unreachable and the user cannot set up a TCP connection with the server.
● SSH services are not enabled.
● SSH is not configured in the user interface VTY view.
● The RSA public key is not configured on the SSH server and the client.
● The user service type, authentication type, and user authentication service type are not configured.
● The number of users logging in to the server reaches the upper threshold.
● An ACL is configured in the user interface VTY view.
● SSH versions of the server and the client are inconsistent.
● The initial authentication function is not enabled on the SSH client.
Troubleshooting Flowchart
None.
Troubleshooting Procedure
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check whether the SSH client and SSH server can communicate with each other.
On the SSH client and SSH server, run the ping command to check the network connectivity. If the ping fails, the SSH connection cannot be established between the user and the server.
Check whether packet loss occurs on the network and the user access is stable.
Step 2 Check whether the SSH service on the SSH server is started.
Log in to the SSH server by means of Telnet and run the display ssh server status command to view the configuration of the SSH server. The SFTP service is used as an example.
<Huawei> display ssh server status
 SSH version                         :1.99
 SSH connection timeout              :60 seconds
 SSH server key generating interval  :0 hours
 SSH Authentication retries          :3 times
 SFTP server                         :Disable
The command output shows that the SFTP server is not enabled. The user can log in to the server through SSH only after SSH services are enabled in the system. Run the following command to enable the SSH server.
<Huawei> system-view
[Huawei] sftp server enable
Step 3 On the SSH server, check that the access protocol configured in the VTY user interface view is correct.
[Huawei] user-interface vty 0 4
[Huawei-ui-vty0-4] display this
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 idle-timeout 0 0
 protocol inbound ssh
Run the protocol inbound { all | ssh | telnet } command to configure the user access protocol. By default, the user access protocol is Telnet. If the user access protocol is set to Telnet, the user cannot log in to the server through SSH. If the user access protocol is set to SSH or "all", the user can log in to the server through SSH.
Step 4 Check whether an RSA public key is configured on the SSH server.
When serving as an SSH server, a device must be configured with a local key pair.
On the SSH server, run the display rsa local-key-pair public command to check whether the key pair is configured on the current server. If the key pair is not configured, run the rsa local-key-pair create command to create it.
[Huawei] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
...........................++++++++
.++++++++
...............+++++++++
......+++++++++
Step 5 (Optional) Check whether an SSH user is configured on the SSH server.
An SSH user should be configured on the SSH server. Run the display ssh user-information command to view the configuration of the SSH user. If no SSH user is configured, run the local-user user-name password { simple | cipher } password and local-user service-type ssh commands in the AAA view to create an SSH user.
NOTE
If the SFTP service is enabled, run the local-user user-name ftp-directory directory command in the AAA view to configure the SFTP directory for the SSH user.
● Create an SSH user.
[Huawei] aaa
[Huawei-aaa] local-user abc password simple abc-pass
[Huawei-aaa] local-user abc service-type ssh
[Huawei-aaa] local-user abc ftp-directory cfcard:/ssh
● The default authentication mode of the SSH user is password. To change the authentication mode, run the ssh user authentication-type command.
Step 6 Check whether the number of SSH login users has reached the maximum.
For the STelnet and Telnet services, both STelnet users and Telnet users log in to the server through VTY channels. The number of available VTY channels ranges from 5 to 15. When the number of users attempting to log in to the server through VTY channels is greater than 15, a new connection cannot be established between the user and the server.
Log in to the SSH server through a console interface and run the display users command to check whether all the current VTY channels are used. By default, a maximum of 5 users can log in to the server through VTY channels.
<Huawei> display user-interface maximum-vty
 Maximum of VTY user:5
<Huawei> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  34  VTY 0   03:31:35  TEL    10.1.1.1            pass            no
  Username : Unspecified
  35  VTY 1   03:51:58  TEL    10.1.1.2            pass            no
  Username : Unspecified
  36  VTY 2   00:10:14  TEL    10.1.1.3            pass            no
  Username : Unspecified
  37  VTY 3   02:31:58  TEL    10.1.1.4            pass            no
  Username : Unspecified
+ 39  VTY 5   00:00:00  TEL    10.1.1.5            pass            no
  Username : Unspecified
If the number of users logging in to the server reaches the upper threshold, you can run the user-interface maximum-vty vty-number command to increase the maximum number of users allowed to log in to the server through VTY channels to 15.
<Huawei> system-view
[Huawei] user-interface maximum-vty 15
Step 7 Check that an ACL is configured in the VTY user interface view on the SSH server.
Run the user-interface command on the SSH server to enter the SSH user interface view. Then, run the display this command to check whether an ACL is configured in the VTY user interface view. If an ACL is configured, record the ACL number.
Run the display acl command on the SSH server to check whether the SSH client address is denied in an ACL. If an ACL is configured but the client address to be denied is not specified in the ACL, the user will fail to log in to the server by means of STelnet or SFTP. To enable a user with a specific IP address to log in to the server through STelnet, permit the user IP address in the ACL.
Step 8 Check the SSH versions on the SSH client and SSH server.
On the SSH server, run the display ssh server status command to check the SSH version.
<Huawei> display ssh server status
 SSH version                         :1.99
 SSH connection timeout              :60 seconds
 SSH server key generating interval  :0 hours
 SSH Authentication retries          :3 times
 SFTP server                         :Disable
If the client logging in to the server adopts SSHv1, the version compatible capability needs to be enabled on the server.
<Huawei> system-view
[Huawei] ssh server compatible-ssh1x enable
Step 9 Check whether first-time authentication is enabled on the SSH client.
Run the display this command in the system view on the SSH client to check whether first-time authentication is enabled.
After first-time authentication is enabled, the validity of the RSA public key of the SSH server does not need to be checked when an SFTP user logs in to the SSH server for the first time. This is because the RSA public key of the SSH server is not kept on the SFTP client.
If first-time authentication is not enabled, an SFTP user fails to log in to the SSH server. This is because checking the validity of the RSA public key fails.
<Huawei> system-view
[Huawei] ssh client first-time enable
Step 10 Collect the following information and contact Huawei technical support personnel:
● Results of the preceding troubleshooting procedures
● Configuration files, log files, and alarm files of the devices
----End
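The VTY checks from Steps 3 to 5 of the Telnet procedure and Steps 3 and 7 of the SSH procedure, as an added Python example (not Huawei tooling and not part of the original manual): it reads a display this capture of the VTY user interface and lists what would stop a given client and protocol from logging in. The contents of ACL 2000 and the function names are assumptions; a client that matches no rule is treated as not permitted, following the Telnet Step 3 text.

```python
import ipaddress
import re

# Constructed sample: the `display this` output from Telnet Step 3 with the
# `protocol inbound ssh` line from Step 4 appended.
VTY_CONFIG = """\
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 user privilege level 3
 idle-timeout 0 0
 protocol inbound ssh
"""

# Constructed sample: hypothetical contents of ACL 2000 (not shown in the manual).
ACL_2000 = """\
acl number 2000
 rule 5 permit source 10.138.78.0 0.0.0.255
 rule 10 deny source 10.1.1.0 0.0.0.255
"""


def parse_vty(text):
    """Extract the three VTY settings that the procedures inspect."""
    cfg = {"acl": None, "auth": None, "protocol": "telnet"}  # manual: default is Telnet
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"acl (\d+) inbound", line):
            cfg["acl"] = int(m.group(1))
        elif m := re.fullmatch(r"authentication-mode (\S+)", line):
            cfg["auth"] = m.group(1)
        elif m := re.fullmatch(r"protocol inbound (all|ssh|telnet)", line):
            cfg["protocol"] = m.group(1)
    return cfg


def parse_acl(text):
    """Return [(rule_id, action, address, wildcard)] with addresses as integers."""
    rules = []
    pattern = re.compile(r"rule (\d+) (permit|deny)(?: source (\S+) (\S+))?")
    for line in text.splitlines():
        m = pattern.fullmatch(line.strip())
        if not m:
            continue
        # A rule without a source clause matches every address.
        addr = m.group(3) or "0.0.0.0"
        wild = m.group(4) or "255.255.255.255"
        rules.append((int(m.group(1)), m.group(2),
                      int(ipaddress.IPv4Address(addr)),
                      int(ipaddress.IPv4Address(wild))))
    return sorted(rules)  # evaluate in rule-ID order


def acl_action(rules, client_ip):
    """Action of the first matching rule, or None when no rule matches."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for _, action, addr, wild in rules:
        # Wildcard bits set to 1 are ignored in the comparison.
        if ((ip ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return None


def login_blockers(cfg, rules, client_ip, want):
    """Reasons why a `want` ('telnet' or 'ssh') login from client_ip would fail."""
    reasons = []
    if cfg["protocol"] not in ("all", want):
        reasons.append(f"protocol inbound {cfg['protocol']} does not admit {want}")
    if cfg["acl"] is not None and acl_action(rules, client_ip) != "permit":
        reasons.append(f"acl {cfg['acl']} does not permit {client_ip}")
    if cfg["auth"] is None:
        reasons.append("no authentication-mode configured")
    return reasons


if __name__ == "__main__":
    cfg = parse_vty(VTY_CONFIG)
    rules = parse_acl(ACL_2000)
    for ip, proto in [("10.138.78.107", "telnet"), ("10.138.78.107", "ssh"),
                      ("10.1.1.5", "ssh")]:
        print(ip, proto, login_blockers(cfg, rules, ip, proto) or "no blocker found")
```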
Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.

2.4 Mirroring Troubleshooting

This chapter describes common causes of mirroring faults, and provides the corresponding troubleshooting flowcharts, troubleshooting procedures, alarms, and logs.

2.4.1 Monitoring Device Does Not Receive Any Mirrored Packet After Port Mirroring Is Configured

This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the failure to mirror packets to the monitoring device by port mirroring.
Common Causes
This fault is commonly caused by one of the following:
● The mirrored port does not receive any packets.
● The mirrored port or observing port is configured incorrectly, for example, the interface index is incorrect.
Troubleshooting Flowchart
After port mirroring is configured on the AR2200-S, the monitoring device does not receive any mirrored packets.
Figure 2-3 shows the troubleshooting flowchart.
Figure 2-3 Troubleshooting flowchart for the port mirroring fault
Troubleshooting Procedure
Procedure
NOTE
Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.
Step 1 Check whether the mirrored port receives packets.
Run the display interface command multiple times to view information about the mirrored port. The Input field in the command output specifies the number of received packets. The Output field in the command output specifies the number of sent packets.
● If the number of sent and received packets is 0 or remains unchanged, check the status of the interface connected to the monitored network.
– If the interface status is Down, bring the interface Up.
– If the interface status is Up, no traffic is sent to the switch from the monitored network. No action is necessary.
● If the number of packets received by the mirrored port is not 0 and keeps increasing, go to step 2.
Step 2 Check that the mirrored port is configured correctly.
When configuring the mirrored port, ensure that the observing port index specified in the command is the same as the index of the configured observing port. Run the display port-mirroring command to check the mapping between the observing port and mirrored port and the direction of packets to which port mirroring is applied.
● If the mirrored port configuration is incorrect, run the port-mirroring to observe-port command in the view of the mirrored port to specify the observing port index correctly.
● If the mirrored port configuration is correct, go to step 3.
Step 3 Check whether the observing port sends packets to the monitoring device.
Run the display interface command multiple times to view information about the observing port. The Output field in the command output specifies the number of packets sent by the observing port.
● If the number of sent packets is 0 or remains unchanged, check the status of the observing port.
– If the observing port is Down, bring it to Up.
– If the observing port is Up, go to step 4.
● If the number of packets sent by the observing port is not 0 and keeps increasing, go to step 4.
Step 4 Collect the following information and contact Huawei technical support personnel:
● Results of the preceding troubleshooting procedure
● Configuration file, log file, and alarm file of the AR2200-S
----End
Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.

2.4.2 Monitoring Device Does Not Receive Any Mirrored Packets After Traffic Mirroring Is Configured

This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the failure to mirror packets to the monitoring device by traffic mirroring.
Common Causes
This fault is commonly caused by one of the following:
● The link between the mirrored port and the monitored network is Down.
● No traffic policy is applied or no packets match the traffic policy.
● The observing port index specified in the traffic behavior is different from the index of the configured observing port.
Troubleshooting Flowchart
After traffic mirroring is configured on the AR2200-S, the monitoring device does not receive any mirrored packets.
Figure 2-4 shows the troubleshooting flowchart.
Figure 2-4 Troubleshooting flowchart for the traffic mirroring fault
Troubleshooting Procedure
Procedure
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.
Step 1 Check whether the mirrored port receives packets.
Run the display interface command to view information about the mirrored port. The Input field in the command output specifies the number of received packets.