This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

ACL = cyclic reboot

ACL = cyclic reboot

Alexandr_P
Valued Contributor

ā€Ž11-19-2015 01:58 PM

Hi, all!

Have X670 with strange issue.
create new acl:

edit pol stat

This ACL have two rules:

entry acl_rule2 {
if {
protocol tcp;
} then {
count tcpcounter;
}
}


entry cflow_tcp {
if { count tcpcounter > 1 ;
period 5;
} Then {
snmptrap 1000 $tcpcounter 10;
}
}

Was experimented with clear-flow, receive traps on linux-server.
Every time with change file stat.pol done check pol stat -
check rule for syntaxis. Traps received, packet counters is transmitted,
all was OK.

After below manipulation switch go to cyclic reboot:
in snmp trap done transmit message period to 5, and period increasedŠµŃ‰ 10, i.e. we have like this:

entry cflow_tcp {
if { count tcpcounter > 1 ;
period 10;
} Then {
snmptrap 1000 $tcpcounter 5;
}
}

and after change policy don't check but at start refresh pol "stat"

After this switch go to cyclic reboot.

Reject all cable from ports, i.e. traffic don;t go to swicth, after this through console del configuration of this acl and all work fine, i.e. switch don't reboot.

Any ideas?

Thank you!
0 Kudos
3 REPLIES 3

Alexandr_P
Valued Contributor

ā€Ž11-23-2015 05:48 AM

Hi, all!

Case is opened, but in parallel I make post hare too.

In logs there is no any messages. GTAC now investagate #show debug system-dump

May be you have any advice for configure logs to investagate this issue?

Thank you!
0 Kudos

BrandonC
Extreme Employee

ā€Ž11-23-2015 03:32 AM

Hi Alexandr,

I agree with Paul, this is something that would be best to investigate via a case with GTAC. It sounds like something odd is happening with the clear-flow entry.

-Brandon
0 Kudos

Paul_Thornton
New Contributor III

ā€Ž11-21-2015 08:48 AM

Hi

Not massively helpful, but that sounds like TAC case material to me šŸ˜ž

My guess, and I've not tried anything like that in an ACL (yet), is that somewhere the switch is getting DoSed internally by incoming TCP packets triggering the SNMP trap. You'd expect this not to happen because of the 'period 10' but maybe that isn't being properly interpreted when you edit the policy.

Does it reboot due to watchdog, kernel panic, or is it one of these "Hey, switch rebooted, nothing in the logs except for the usual messages you'd see during reboot" problems?

Paul.

0 Kudos
GTM-P2G8KFN