L2TP service outage on a customer's SR6608-X router


     Network topology:

     Problem description:

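On 20140126, a government customer in Jiangsu reported that the external interface of their SR66-X router suddenly could no longer be pinged and that all L2TP VPN services over the external network were down, although it was still possible to Telnet to the device through the external interface's IP address. The local office immediately escalated the problem to our headquarters and provided Telnet access, and our R&D team promptly analyzed and located the problem.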

     Analysis:

After logging in to the SR6608-X router via Telnet, our R&D team collected the following information:

<SR6608-x>ping 180.120.184.49
  PING 180.120.184.49: 56  data bytes, press CTRL_C to break
*Dec 26 11:48:08:355 2014 SR6608-x ADDR/7/debug_icmp:
ICMP Send: echo(Type=8, Code=0), Dst = 180.120.184.49

*Dec 26 11:48:08:355 2014 SR6608-x DPIPFWD/7/debug_case: -Chassis=1-Slot=4;
Sending, interface = GigabitEthernet1/4/2/1, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 54257, offset = 0, ttl = 1, protocol = 1,
checksum = 29484, s = 58.221.12.46, d = 180.120.184.49
prompt: Sending the packet from local

*Dec 26 11:48:08:356 2014 SR6608-x ADDR/7/debug_icmp: -Chassis=1-Slot=4;
ICMP Receive: ttl-exceeded(Type=11, Code=0), Src = 58.221.12.41, Dst = 58.221.12
.46; Original IP header: Pro = 1, Src = 58.221.12.46, Dst = 180.120.184.49, Firs
t 8 bytes = 08005030 01580000

Request time out
*Dec 26 11:48:10:555 2014 SR6608-x ADDR/7/debug_icmp:
ICMP Send: echo(Type=8, Code=0), Dst = 180.120.184.49

*Dec 26 11:48:10:555 2014 SR6608-x DPIPFWD/7/debug_case: -Chassis=1-Slot=4;
Sending, interface = GigabitEthernet1/4/2/1, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 54264, offset = 0, ttl = 1, protocol = 1,
checksum = 0, s = 58.221.12.46, d = 180.120.184.49
prompt: Sending the packet from local

*Dec 26 11:48:10:556 2014 SR6608-x ADDR/7/debug_icmp: -Chassis=1-Slot=4;
ICMP Receive: ttl-exceeded(Type=11, Code=0), Src = 58.221.12.41, Dst = 58.221.12
.46; Original IP header: Pro = 1, Src = 58.221.12.46, Dst = 180.120.184.49, Firs
t 8 bytes = 08004797 01580001

*Dec 26 11:48:11:413 2014 SR6608-x ADDR/7/debug_icmp: -Chassis=1-Slot=4;
ICMP Receive: echo(Type=8, Code=0), Src = 180.120.184.49, Dst = 58.221.12.46

*Dec 26 11:48:11:414 2014 SR6608-x ADDR/7/debug_icmp: -Chassis=1-Slot=4;
ICMP Send: echo-reply(Type=0, Code=0), Src = 58.221.12.46, Dst = 180.120.184.49

*Dec 26 11:48:11:414 2014 SR6608-x DPIPFWD/7/debug_case: -Chassis=1-Slot=4;
Sending, interface = GigabitEthernet1/4/2/1, version = 4, headlen = 20, tos = 0,
pktlen = 60, pktid = 3439, offset = 0, ttl = 1, protocol = 1,
checksum = 47489, s = 58.221.12.46, d = 180.120.184.49
prompt: Sending the packet from local

*Dec 26 11:48:11:422 2014 SR6608-x ADDR/7/debug_icmp: -Chassis=1-Slot=4;
ICMP Receive: ttl-exceeded(Type=11, Code=0), Src = 58.221.12.41, Dst = 58.221.12
.46; Original IP header: Pro = 1, Src = 58.221.12.46, Dst = 180.120.184.49, Firs
t 8 bytes = 00005366 000101F5

Request time out

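The output above shows that the ICMP packets sent by the SR6608-X router receive ttl-exceeded replies, which results in Request time out. The ttl-exceeded occurs because the ICMP packets sent by the SR6608-X router carry TTL=1 (the normal value should be 255): after one hop the TTL reaches 0, the next hop returns ttl-exceeded, and the ping times out.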
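The correlation described above can be automated when triaging a similar capture. The following Python sketch is an added example, not part of the original case or of any H3C tooling: it rebuilds records from debug output wrapped at 80 columns, then pairs each locally originated packet sent with a low TTL with the ttl-exceeded reply that quotes it. The sample text is constructed in the format of the capture, and the function names are hypothetical.

```python
import re

# Constructed sample in the capture's format, including the 80-column terminal wrap.
SAMPLE = """\
*Dec 26 11:48:08:355 2014 SR6608-x DPIPFWD/7/debug_case: -Chassis=1-Slot=4;
Sending, interface = GigabitEthernet1/4/2/1, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 54257, offset = 0, ttl = 1, protocol = 1,
checksum = 29484, s = 58.221.12.46, d = 180.120.184.49
prompt: Sending the packet from local
*Dec 26 11:48:08:356 2014 SR6608-x ADDR/7/debug_icmp: -Chassis=1-Slot=4;
ICMP Receive: ttl-exceeded(Type=11, Code=0), Src = 58.221.12.41, Dst = 58.221.12
.46; Original IP header: Pro = 1, Src = 58.221.12.46, Dst = 180.120.184.49, Firs
t 8 bytes = 08005030 01580000
"""

SEND_RE = re.compile(r"ttl = (\d+),.*?\bs = ([\d.]+), d = ([\d.]+)"
                     r"\s+prompt: Sending the packet from local")
EXC_RE = re.compile(r"ICMP Receive: ttl-exceeded\(Type=11, Code=0\), "
                    r"Src = ([\d.]+), Dst = [\d.]+; Original IP header: "
                    r"Pro = \d+, Src = ([\d.]+), Dst = ([\d.]+)")

def records(text, width=80):
    """Yield one string per '*'-prefixed log record, undoing terminal wrapping."""
    rec, prev_len = None, 0
    for line in filter(None, (l.rstrip() for l in text.splitlines())):
        if line.startswith("*"):
            if rec is not None:
                yield rec
            rec = line
        elif rec is not None:
            # A full-width previous line was cut mid-token: join without a space.
            rec += ("" if prev_len >= width else " ") + line
        prev_len = len(line)
    if rec is not None:
        yield rec

def find_low_ttl_drops(text, max_ttl=1):
    """Pair low-TTL locally originated packets with the ttl-exceeded that quotes them."""
    sent, findings = {}, []
    for rec in records(text):
        m = SEND_RE.search(rec)
        if m and int(m[1]) <= max_ttl:
            sent[(m[2], m[3])] = int(m[1])
        m = EXC_RE.search(rec)
        if m and (m[2], m[3]) in sent:
            findings.append({"src": m[2], "dst": m[3],
                             "ttl": sent[(m[2], m[3])], "first_hop": m[1]})
    return findings
```

A non-empty result means the device itself is originating packets that cannot get past the first hop, which points at the local default TTL rather than at routing or the remote end.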

R&D then reproduced the problem in the lab using an SNMP MIB Browser tool:

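As the operation above shows, when the MIB Browser tool is used on the corresponding MIB node ipDefaultTTL (1.3.6.1.2.1.4.2), the instance must be appended for the actual get or set: ipDefaultTTL.0 (1.3.6.1.2.1.4.2.0). A set operation assigned "Value to Set" as 25, and a subsequent get operation showed that the TTL value had changed to 25. The experiment shows that the TTL can be modified through 1.3.6.1.2.1.4.2; in this incident it had been changed to 1.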

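By reviewing the code, R&D also confirmed that once the SR6608-X router system has started, this value can only be changed by a network management station via SNMP. After the value is changed to 1, packets originated by the SR6608-X router itself carry TTL 1, so they can only reach directly connected devices and cannot reach the remote end. Only locally originated packets are affected; forwarded packets are not. This is why the customer's symptoms were limited to ping and L2TP VPN services failing while forwarding services remained normal.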

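This MIB is a public (standard) one and can be modified by anyone who has the permission, unless the device does not implement the standard. The best solution at present is to strictly manage the device's SNMP permissions and prohibit the use of weak passwords.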

     Solution:

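1. Modify the SNMP configuration: mainly, delete weak passwords such as public/private, and add ACLs to restrict the source IP addresses of network management stations.
2. Modify the default TTL value: because this node currently cannot be configured from the command line, its value can for now only be restored with a MIB tool; in an emergency, a reboot also restores it immediately.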
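Step 1 can be checked mechanically against a saved configuration. The following Python sketch is an added example, not H3C tooling: it assumes community lines of the form `snmp-agent community { read | write } [simple|cipher] NAME [mib-view VIEW] [acl NUMBER]` and ACL definitions beginning `acl number`, `acl basic` or `acl advanced`. The sample configuration, the weak-name list and the function name are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the affected device).
SAMPLE_CONFIG = """\
acl number 2000
 rule 0 permit source 192.0.2.10 0
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent community write Xk7#pQ2v!mR9 acl 2000
snmp-agent community read Nm4$wZ8c acl 2001
"""

# Illustrative list of guessable community strings; extend for local policy.
WEAK = {"public", "private", "admin", "snmp", "h3c", "123456"}
COMMUNITY_RE = re.compile(
    r"^\s*snmp-agent community (read|write)(?: (simple|cipher))? (\S+)(.*)$")
ACL_DEF_RE = re.compile(r"^\s*acl (?:number|basic|advanced) (\d+)")

def audit_snmp(config):
    """Return (severity, access, community, issues) for each risky community line."""
    lines = config.splitlines()
    defined_acls = {m.group(1) for l in lines if (m := ACL_DEF_RE.match(l))}
    findings = []
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        access, mode, name, rest = m.groups()
        acl = re.search(r"\bacl (\d+)", rest)
        issues = []
        # A cipher-form string is stored encrypted, so its strength cannot be judged here.
        if mode != "cipher" and (name.lower() in WEAK or len(name) < 8):
            issues.append("weak community string")
        if acl is None:
            issues.append("no ACL restricting NMS source addresses")
        elif acl.group(1) not in defined_acls:
            # A referenced ACL that is never defined may not restrict anything.
            issues.append(f"ACL {acl.group(1)} is referenced but not defined")
        if issues:
            # Write access is what allows a set on nodes such as ipDefaultTTL.
            severity = "HIGH" if access == "write" else "MEDIUM"
            findings.append((severity, access, name, issues))
    return findings
```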

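Case information

Case type: Experience case
Case number: KMS - 25516
Created: December 29, 2014
Updated: January 6, 2015
Published: 2015/1/6 5:18:49
Article visibility: Visible to guests
Validity: Long-term
Publisher: 傅昆 [f04176]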
Product line: Low-end and mid-range routers