ACL = cyclic reboot

Hi, all!

I have an X670 with a strange issue.
I created a new ACL:

edit pol stat

This ACL has two rules:

# Plain ACL entry: count every TCP packet into the tcpcounter counter
entry acl_rule2 {
    if {
        protocol tcp;
    } then {
        count tcpcounter;
    }
}


# CLEAR-Flow entry: evaluate the counter every 5 seconds and send
# SNMP trap 1000 (message $tcpcounter) at most every 10 seconds
entry cflow_tcp {
    if {
        count tcpcounter > 1;
        period 5;
    } Then {
        snmptrap 1000 $tcpcounter 10;
    }
}

I was experimenting with CLEAR-Flow, receiving the traps on a Linux server.
Every time I changed the file stat.pol I ran check policy stat to
check the rule syntax. Traps were received, the packet counters were transmitted,
all was OK.

After the following manipulation the switch went into a cyclic reboot:
in the snmptrap action I changed the message transmit period to 5 and increased the period to 10, i.e. we have this:

# Same CLEAR-Flow entry with the two periods swapped: evaluate every
# 10 seconds, send the trap at most every 5 seconds
entry cflow_tcp {
    if {
        count tcpcounter > 1;
        period 10;
    } Then {
        snmptrap 1000 $tcpcounter 5;
    }
}

and after the change I did not check the policy but ran refresh policy "stat" right away.

After this the switch went into a cyclic reboot.

I disconnected all cables from the ports, i.e. traffic no longer reached the switch; after this I deleted the configuration of this ACL through the console and all works fine, i.e. the switch does not reboot.

Any ideas?

Thank you!

Alexandr P, Embassador


Posted 3 years ago
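As an added example (not from the thread and not Extreme Networks code), a small Python linter that parses the entry/if/then structure of the posted policy and reports each CLEAR-Flow rule's evaluation period against the period argument of its snmptrap action, so the swap described above is visible before refresh policy is run on a live switch. The embedded policy text is the thread's second version; the heuristic that flags a trap period shorter than the evaluation period is based only on the thread's observation, not on a documented EXOS constraint.

```python
"""Lint EXOS .pol CLEAR-Flow entries before 'refresh policy' (added example)."""
import re

# entry <name> { if { ... } then { ... } }   (keywords matched case-insensitively)
ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}",
    re.DOTALL | re.IGNORECASE)
PERIOD_RE = re.compile(r"\bperiod\s+(\d+)\s*;", re.IGNORECASE)
# snmptrap <id> <message> [<period>] ; the message may be quoted or a $variable
SNMPTRAP_RE = re.compile(
    r'\bsnmptrap\s+(\d+)\s+("[^"]*"|\S+?)(?:\s+(\d+))?\s*;', re.IGNORECASE)

# Policy text as posted in the thread (second, rebooting version)
POLICY = """
entry acl_rule2 {
    if { protocol tcp; } then { count tcpcounter; }
}
entry cflow_tcp {
    if { count tcpcounter > 1; period 10; } Then { snmptrap 1000 $tcpcounter 5; }
}
"""


def parse_entries(policy_text):
    """Return one dict per entry with its evaluation and trap periods."""
    results = []
    for name, cond, action in ENTRY_RE.findall(policy_text):
        period = PERIOD_RE.search(cond)
        trap = SNMPTRAP_RE.search(action)
        results.append({
            "name": name,
            # a 'count <name> > N' condition marks a CLEAR-Flow rule
            "is_clearflow": re.search(r"\bcount\s+\w+\s*[<>=]", cond) is not None,
            "eval_period": int(period.group(1)) if period else None,
            "trap_period": int(trap.group(3)) if trap and trap.group(3) else None,
        })
    return results


def lint(policy_text):
    """Warn when a CLEAR-Flow trap period is shorter than its evaluation period."""
    warnings = []
    for e in parse_entries(policy_text):
        if not e["is_clearflow"] or None in (e["eval_period"], e["trap_period"]):
            continue
        if e["trap_period"] < e["eval_period"]:
            warnings.append(f"{e['name']}: snmptrap period {e['trap_period']}s is "
                            f"shorter than evaluation period {e['eval_period']}s")
    return warnings


if __name__ == "__main__":
    print("\n".join(lint(POLICY)) or "no warnings")
```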


Paul Thornton

Hi

Not massively helpful, but that sounds like TAC case material to me :(

My guess, and I've not tried anything like that in an ACL (yet), is that somewhere the switch is getting DoSed internally by incoming TCP packets triggering the SNMP trap.  You'd expect this not to happen because of the 'period 10' but maybe that isn't being properly interpreted when you edit the policy.

Does it reboot due to watchdog, kernel panic, or is it one of these "Hey, switch rebooted, nothing in the logs except for the usual messages you'd see during reboot" problems?

Paul.

Brandon Clay, Escalation Support Engineer

Hi Alexandr,

I agree with Paul, this is something that would be best to investigate via a case with GTAC. It sounds like something odd is happening with the clear-flow entry.

-Brandon

Alexandr P, Embassador

Hi, all!

The case is opened, but in parallel I am posting here too.

In the logs there are no messages at all. GTAC is now investigating the output of show debug system-dump.

Maybe you have some advice on configuring logging to investigate this issue?

Thank you!