Using the S/N/K-Series Router Debug Packet Filter to resolve Ping Issue

FAQ_User — Tue, 31 Dec 2013 23:47:00 GMT

Article ID: 14495

Products
S-Series, all firmware
Matrix N-Series DFE, firmware 6.01.01.0020 and higher
K-Series, all firmware

Discussion
This is an additional use of the router "Debug IP/Packet" feature, furthering what is explained in 14661.

In the case of a user not being able to ping a (S/N/K-Series) switch yet being able to ping through it to end stations on the other side, the debug packet filter command may be used to determine where and why the pings are dropped by the local switch-host.

Given that the non-replying switch-host's IP address is 192.168.3.2, create an access-list that which is then used to apply a filter to the debug ip packet process to look for this specific address only.S3(su)->router
S3(su-router)->configure
S3(su-router-config)->ip access-list extended vlan1326
S3(su-router-cfg-ext-acl-vlan1326)->permit icmp any host 192.168.3.2
S3(su-router-cfg-ext-acl-vlan1326)->permit icmp host 192.168.3.2 any
S3(su-router-cfg-ext-acl-vlan1326)->exit

S3(su-router-config)->debug packet control limit 30
S3(su-router-config)->set logging here enable
S3(su-router-config)->debug packet filter access-list vlan1326

S3(su-router-config)-><165>Feb 25 19:52:06 10.0.30.4 DbgIpPkt[1][1]
[send] Rule hit[2: permit icmp host 192.168.3.2 any] out intf 2090, PKT:
InPort(ge.1.7) LEN(78) DA(00:1F:45:A1:3D:CB) SA(00:11:88:E5:F1:E0)
TAG(8100:452E) ETYPE(0800) SIP(192.168.3.2) DIP(10.0.0.9) VER(4) HLEN(5)
TOTALLEN(56) PROTO(1) TOS(192) TTL(30) ICMP(3:1) , *** FATE: Forwarding,
192.168.90.1, out port ge.1.47, flow allowed
<165>Feb 25 19:53:17 10.0.30.4 HostDoS[1] Attack ( icmpFlood ) detected
on vlan.0.1326 [ InPort(ge.1.7) LEN(106) DA(00:1F:45:A1:3D:CB)
SA(00:11:88:E5:F1:E0) TAG(8100:452E) ETYPE(0800) SIP(10.3.0.2)
DIP(192.168.3.1) VER(4) HLEN(5) TOTALLEN(84) PROTO(1) TOS(0) TTL(63)
ICMP(8:0) ]In this case we can see that the HostDos icmpFlood mechanism is what dropped the packet.
Therefore, disabling HostDoS icmpFlood (or setting its rate to some non-zero value) will resolve the issue.
(Note that with firmware 7.91.01.xxxx and higher, the default hostDoS rate settings for icmpFlood and synFlood are 4294967294 rather than zero.)

After reaching a conclusion, the test configuration may be removed.debug packet stop
S3(su-router-config)->set logging here disable
S3(su-router-config)->no ip access-list extended vlan1326
S3(su-router-config)->exit
S3(su-router)->exit
S3(su)->Also see this HowTo Video which demonstrates use of the "Debug IP/Packet" feature.

topic Using the S/N/K-Series Router Debug Packet Filter to resolve Ping Issue in FAQs

Using the S/N/K-Series Router Debug Packet Filter to resolve Ping Issue