Using the S/N/K-Series Router Debug Packet Filter to resolve Ping Issue

Article ID: 14495 

Products
S-Series, all firmware
Matrix N-Series DFE, firmware 6.01.01.0020 and higher
K-Series, all firmware 

Discussion
This is an additional use of the router "Debug IP/Packet" feature, building on what is explained in article 14661.

In the case of a user not being able to ping a (S/N/K-Series) switch yet being able to ping through it to end stations on the other side, the debug packet filter command may be used to determine where and why the pings are dropped by the local switch-host. 

Given that the non-replying switch-host's IP address is 192.168.3.2, create an access-list that is then used to apply a filter to the debug ip packet process so that it looks for this specific address only.
S3(su)->router
S3(su-router)->configure
S3(su-router-config)->ip access-list extended vlan1326
S3(su-router-cfg-ext-acl-vlan1326)->permit icmp any host 192.168.3.2
S3(su-router-cfg-ext-acl-vlan1326)->permit icmp host 192.168.3.2 any
S3(su-router-cfg-ext-acl-vlan1326)->exit

S3(su-router-config)->debug packet control limit 30
S3(su-router-config)->set logging here enable
S3(su-router-config)->debug packet filter access-list vlan1326

S3(su-router-config)-><165>Feb 25 19:52:06 10.0.30.4 DbgIpPkt[1][1]
[SEND] Rule hit[2: permit icmp host 192.168.3.2 any] out intf 2090, PKT:
InPort(ge.1.7) LEN(78) DA(00:1F:45:A1:3D:CB) SA(00:11:88:E5:F1:E0)
TAG(8100:452E) ETYPE(0800) SIP(192.168.3.2) DIP(10.0.0.9) VER(4) HLEN(5)
TOTALLEN(56) PROTO(1) TOS(192) TTL(30) ICMP(3:1) , *** FATE: Forwarding,
192.168.90.1, out port ge.1.47, flow allowed
<165>Feb 25 19:53:17 10.0.30.4 HostDoS[1] Attack ( icmpFlood ) detected
on vlan.0.1326 [ InPort(ge.1.7) LEN(106) DA(00:1F:45:A1:3D:CB)
SA(00:11:88:E5:F1:E0) TAG(8100:452E) ETYPE(0800) SIP(10.3.0.2)
DIP(192.168.3.1) VER(4) HLEN(5) TOTALLEN(84) PROTO(1) TOS(0) TTL(63)
ICMP(8:0) ]
In this case we can see that the HostDoS icmpFlood mechanism is what dropped the packet.
Therefore, disabling HostDoS icmpFlood (or setting its rate to some non-zero value) will resolve the issue.
(Note that with firmware 7.91.01.xxxx and higher, the default hostDoS rate settings for icmpFlood and synFlood are 4294967294 rather than zero.) 
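The two syslog lines above are easier to reason about once their KEY(value) pairs are pulled apart, and on a busy switch the debug output will contain many more than two of them. The following Python script is an added example, not part of this article or of any Extreme/Enterasys tooling: it parses DbgIpPkt and HostDoS messages of the format shown above, reports the rule hit, the FATE and the ICMP type for each packet, and separates the HostDoS drop events from the normal forwarding records so the reason for a missing reply stands out. The sample lines are the article's own two messages re-joined onto single lines; everything else (function names, the ICMP type table) is the example's own.

```python
import re
from typing import Dict, List, Optional

# The article's two debug messages, re-joined onto single lines (the KB page wraps them).
SAMPLE_LOG = [
    "<165>Feb 25 19:52:06 10.0.30.4 DbgIpPkt[1][1] [SEND] Rule hit[2: permit icmp host 192.168.3.2 any] "
    "out intf 2090, PKT: InPort(ge.1.7) LEN(78) DA(00:1F:45:A1:3D:CB) SA(00:11:88:E5:F1:E0) TAG(8100:452E) "
    "ETYPE(0800) SIP(192.168.3.2) DIP(10.0.0.9) VER(4) HLEN(5) TOTALLEN(56) PROTO(1) TOS(192) TTL(30) "
    "ICMP(3:1) , *** FATE: Forwarding, 192.168.90.1, out port ge.1.47, flow allowed",
    "<165>Feb 25 19:53:17 10.0.30.4 HostDoS[1] Attack ( icmpFlood ) detected on vlan.0.1326 [ InPort(ge.1.7) "
    "LEN(106) DA(00:1F:45:A1:3D:CB) SA(00:11:88:E5:F1:E0) TAG(8100:452E) ETYPE(0800) SIP(10.3.0.2) "
    "DIP(192.168.3.1) VER(4) HLEN(5) TOTALLEN(84) PROTO(1) TOS(0) TTL(63) ICMP(8:0) ]",
]

# Syslog header: <PRI>Mon DD HH:MM:SS host process[...]
HEADER_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+)")
# KEY(value) pairs such as SIP(192.168.3.2) or InPort(ge.1.7)
FIELD_RE = re.compile(r"([A-Za-z]+)\(([^)]*)\)")
RULE_RE = re.compile(r"\[(SEND|RECV)\] Rule hit\[(\d+): ([^\]]+)\]")
FATE_RE = re.compile(r"\*\*\* FATE: ([^,]+)")
ATTACK_RE = re.compile(r"Attack \( (\w+) \) detected on (\S+)")

# ICMP type numbers (RFC 792) for readable output; the switch logs them as ICMP(type:code).
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}


def parse_line(line: str) -> Optional[Dict]:
    """Turn one DbgIpPkt/HostDoS syslog line into a record; None if it is not a syslog line."""
    head = HEADER_RE.match(line)
    if not head:
        return None
    rec = {
        "proc": head.group("proc"), "host": head.group("host"), "ts": head.group("ts"),
        "direction": None, "rule": None, "fate": None, "attack": None, "vlan": None, "icmp": None,
        "fields": dict(FIELD_RE.findall(line)),
    }
    m = RULE_RE.search(line)
    if m:
        rec["direction"] = m.group(1)
        rec["rule"] = (int(m.group(2)), m.group(3))
    m = FATE_RE.search(line)
    if m:
        rec["fate"] = m.group(1).strip()
    m = ATTACK_RE.search(line)
    if m:
        rec["attack"], rec["vlan"] = m.group(1), m.group(2)
    icmp = rec["fields"].get("ICMP")
    if icmp and ":" in icmp:
        t, c = icmp.split(":", 1)
        rec["icmp"] = (int(t), int(c))
    return rec


def describe(rec: Dict) -> str:
    """One-line human summary: who sent what to whom, and what the switch did with it."""
    f = rec["fields"]
    flow = f"{f.get('SIP')} -> {f.get('DIP')} in {f.get('InPort')}"
    if rec["icmp"]:
        flow += f" ICMP {ICMP_TYPES.get(rec['icmp'][0], rec['icmp'][0])}"
    if rec["proc"] == "HostDoS":
        return f"DROPPED by HostDoS {rec['attack']} on {rec['vlan']}: {flow}"
    if rec["proc"] == "DbgIpPkt":
        rule = f"rule {rec['rule'][0]} ({rec['rule'][1]})" if rec["rule"] else "no rule"
        return f"{rec['direction'] or '?'} {rule}: {flow}, fate {rec['fate']}"
    return f"{rec['proc']}: {flow}"


def summarize(lines: List[str]) -> List[str]:
    return [describe(r) for r in map(parse_line, lines) if r]


def hostdos_events(lines: List[str]) -> List[Dict]:
    """Only the HostDoS drop messages: the first place to look when the host does not answer."""
    return [r for r in map(parse_line, lines) if r and r["proc"] == "HostDoS"]


def involving(lines: List[str], ip: str) -> List[Dict]:
    """Records whose SIP or DIP is the host under investigation (e.g. the filtered 192.168.3.2)."""
    return [r for r in map(parse_line, lines)
            if r and ip in (r["fields"].get("SIP"), r["fields"].get("DIP"))]


if __name__ == "__main__":
    for text in summarize(SAMPLE_LOG):
        print(text)
```

Run against a saved `set logging here` capture (one message per line) rather than the embedded sample, and grep the output for "DROPPED" to find the HostDoS events that the article's manual reading of the log identifies; the "fate" field on the DbgIpPkt records then shows whether the remaining ICMP traffic to the switch-host was forwarded or handled locally.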

After reaching a conclusion, the test configuration may be removed.
S3(su-router-config)->debug packet stop
S3(su-router-config)->set logging here disable
S3(su-router-config)->no ip access-list extended vlan1326
S3(su-router-config)->exit
S3(su-router)->exit
S3(su)->
Also see this HowTo Video which demonstrates use of the "Debug IP/Packet" feature.
FAQ User, Official Rep

Posted 5 years ago
