missing packages in one vlan

  • 24 October 2018
  • 16 replies
  • 103 views

There is a VLAN connecting firewall 1 through a stack of firewall 2, that is, 2 ports are involved and that's all. And in it there is a loss of packets. Interestingly, the problem disappears after the reboot of the stack, but partly if the percentage of losses was initially about 25 percent, after the reboot of 8-10 percent. I can immediately say that I changed the slot, I changed the VLAN. But the problem remains, and it arises suddenly. Does anyone have any ideas? Firmware 22.5.1.7. A stack of 5 slots, 4 of which are x440G2-24t-10g4 and x620-16x switches. VLAN on 4 and first stack. Please help !!!

Userlevel 4
Hello Alexey,

Have you checked the following outputs:

debug hal show congestion
show ports congestion no-refresh

Best Regards,
Nikolay

Nikolay, dropped packets are 0 on these ports in this VLAN.

And packets are not dropped to firewall 1, but if I ping firewall 2, loss = 20%.

Maybe I have a bug in the firewalls?

What do you think? Help me please.
Userlevel 4
Perhaps start with a simple test (if you're able to do this). Bring up only the master member of the stack and connect the two firewalls locally within the same switch. Does the problem occur? If not, bring the stack fully online but keep the firewalls as-is. Any change? This could be something as simple as a bad cable or mismatched duplex setting. Also, how long are you running your ping test?
this is config.
X440G2-24t-10G4.1 # show config

#

# Module devmgr configuration.

#

configure snmp sysContact "support@extremenetworks.com, +1 888 257 3000"

configure sys-recovery-level switch reset



#

# Module vlan configuration.

#

configure vlan default delete ports all

configure vr VR-Default delete ports 1-28

configure vr VR-Default add ports 1-28

configure vlan default delete ports 4,6

create vlan "Bosch"

configure vlan Bosch tag 15

create vlan "GuestWiFi1111"

configure vlan GuestWiFi1111 tag 1111

create vlan "networkdevicevlan"

configure vlan networkdevicevlan tag 50

create vlan "printersvlan"

configure vlan printersvlan tag 10

create vlan "proverka"

configure vlan proverka tag 1515

create vlan "securevlan"

configure vlan securevlan tag 70

create vlan "serversvlan"

configure vlan serversvlan tag 30

create vlan "transtele2"

configure vlan transtele2 tag 1000

create vlan "usersvlan"

configure vlan usersvlan tag 100

create vlan "videovlan"

configure vlan videovlan tag 60

create vlan "voipvlan"

configure vlan voipvlan tag 20

configure ports 6 display-string VPNtransteWachguard

configure ports 24 display-string MagportToServerSW

configure ports 27 auto off speed 10000 duplex full

configure ports 28 auto off speed 10000 duplex full

configure vlan Default add ports 1-3,5,7-28 untagged

configure vlan GuestWiFi1111 add ports 24 tagged

configure vlan networkdevicevlan add ports 23-24 tagged

configure vlan printersvlan add ports 23-24 tagged

configure vlan printersvlan add ports 4 untagged

configure vlan securevlan add ports 23-24 tagged

configure vlan serversvlan add ports 23-24 tagged

configure vlan transtele2 add ports 24 tagged

configure vlan transtele2 add ports 6 untagged

configure vlan usersvlan add ports 24 tagged

configure vlan videovlan add ports 23-24 tagged

configure vlan voipvlan add ports 23-24 tagged

configure vlan Default ipaddress 10.1.5.31 255.255.248.0

enable ipforwarding vlan Default

configure vlan Mgmt ipaddress 10.1.5.131 255.255.0.0

configure vlan Bosch ipaddress 10.5.5.1 255.255.0.0

enable ipforwarding vlan Bosch

configure vlan printersvlan ipaddress 10.1.10.4 255.255.254.0

configure vlan usersvlan ipaddress 10.10.100.4 255.255.254.0

configure vlan videovlan ipaddress 10.1.60.4 255.255.254.0

configure vlan serversvlan ipaddress 10.1.30.4 255.255.254.0

configure vlan securevlan ipaddress 10.1.70.4 255.255.254.0

configure vlan voipvlan ipaddress 10.1.20.4 255.255.254.0

configure vlan networkdevicevlan ipaddress 10.1.50.4 255.255.254.0

configure vlan proverka ipaddress 192.168.0.1 255.255.255.0

configure ports 6 monitor vlan transtele2

configure ports 24 monitor vlan transtele2



#

# Module mcmgr configuration.

#



#

# Module fdb configuration.

#



#

# Module rtmgr configuration.

#

configure iproute add 10.10.100.0 255.255.254.0 10.1.5.254

configure iproute add 10.1.10.0 255.255.254.0 10.1.5.254

configure iproute add default 10.1.5.10



#

# Module policy configuration.

#





#

# Module aaa configuration.

#

create account admin root encrypted "$5$yLNFfM$c9aIF1zLRdEz2S9ZNzWHs0mzdlVtC4.bfGtozxOX8D8"



#

# Module acl configuration.

#









#

# Module bfd configuration.

#



#

# Module cfgmgr configuration.

#



#

# Module dosprotect configuration.

#



#

# Module dot1ag configuration.

#



#

# Module eaps configuration.

#



#

# Module edp configuration.

#



#

# Module elrp configuration.

#

enable elrp-client



#

# Module ems configuration.

#



#

# Module epm configuration.

#



#

# Module erps configuration.

#



#

# Module esrp configuration.

#



#

# Module ethoam configuration.

#



#

# Module etmon configuration.

#



#

# Module exsshd configuration.

#

enable ssh2



#

# Module hal configuration.

#



#

# Module idMgr configuration.

#



#

# Module ipSecurity configuration.

#



#

# Module ipfix configuration.

#



#

# Module lldp configuration.

#



#

# Module mrp configuration.

#



#

# Module msdp configuration.

#



#

# Module netLogin configuration.

#



#

# Module netTools configuration.

#



#

# Module nodealias configuration.

#



#

# Module ntp configuration.

#



#

# Module poe configuration.

#



#

# Module rip configuration.

#



#

# Module ripng configuration.

#



#

# Module snmpMaster configuration.

#

configure snmpv3 engine-id 03:00:04:96:9b:5c:86

configure snmpv3 add community "private" name "private" user "v1v2c_rw"

enable snmp access

enable snmp access snmp-v1v2c

enable snmp access snmpv3



#

# Module stp configuration.

#

disable stpd s0



#

# Module techSupport configuration.

#



#

# Module telnetd configuration.

#



#

# Module tftpd configuration.

#



#

# Module thttpd configuration.

#



#

# Module twamp configuration.

#



#

# Module vmt configuration.

#



#

# Module vsm configuration.

#
OK friends, so my Extreme is not working in a VLAN when it is connected to firewall1 and firewall2. Packets do not disappear, but the pings disappear; the number of bytes that one port processed and the number of bytes that the other port processed are not even close. Erik, I did everything you said and even more: I returned the switch to the factory settings and registered only 1 of this VLAN for connection. I used different Extreme switches such as 440-24p, 440-g2-10ge 24t, 440-g2-10ge 48t. The firmware versions used were different, from the latest to the firmware of six months ago. But imagine, I tried to implement it through the 8-port D-Link 1018-ge and I did it. Maybe there is some nuance. I note that in VLAN 1 pings do not disappear and the entire network including printersvlan, guestwifi and others works. Please help solve the problem.
Userlevel 7
It would help a lot if you provide more precise information.... e.g.
- network diagram
- port number of the connections
- IPs
- VLAN name/number
- ping what / from which source to which destination

What I'd see right now is a wall of text without any information in it.

I'm not an XOS expert but if you really used a factory switch with only one VLAN (default !?) the first thing that comes to mind if you see such a high packet loss is speed/duplex mismatch.

So connect the 2 FWs again and check the speed/duplex on the port. Not only the configuration but the status after you connect the 2 FWs to see the speed/duplex value that was negotiated.
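
The configuration half of the check suggested above, as an added example that is not part of the original thread: it reads `show config` lines in the form posted earlier and reports ports with autonegotiation turned off and whether two ports share a VLAN untagged. The function names are illustrative, the port pairs are whatever the caller passes in, and it assumes standalone port numbering (no `slot:port`); the negotiated speed/duplex still has to be read from the live port status.

```python
import re
from collections import defaultdict

# Lines copied from the configuration posted in this thread.
SAMPLE_CONFIG = """\
configure ports 27 auto off speed 10000 duplex full
configure ports 28 auto off speed 10000 duplex full
configure vlan Default add ports 1-3,5,7-28 untagged
configure vlan printersvlan add ports 4 untagged
configure vlan transtele2 add ports 24 tagged
configure vlan transtele2 add ports 6 untagged
"""

FORCED = re.compile(r"configure ports (\S+) auto off speed (\d+) duplex (\w+)$")
MEMBER = re.compile(r"configure vlan (\S+) add ports (\S+) (tagged|untagged)$")

def expand_ports(spec):
    """Expand a port list such as '1-3,5,7-28' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_config(text):
    """Return ({port: (speed, duplex)}, {port: {vlan: 'tagged'|'untagged'}})."""
    forced, members = {}, defaultdict(dict)
    for line in map(str.strip, text.splitlines()):
        if m := FORCED.match(line):
            for p in expand_ports(m[1]):
                forced[p] = (int(m[2]), m[3])
        elif m := MEMBER.match(line):
            for p in expand_ports(m[2]):
                members[p][m[1]] = m[3]
    return forced, members

def check_link(text, port_a, port_b):
    """Configuration-side findings for two ports meant to share one untagged VLAN."""
    forced, members = parse_config(text)
    findings = [f"port {p}: autoneg off, forced {forced[p][0]}/{forced[p][1]}"
                for p in (port_a, port_b) if p in forced]
    a, b = members.get(port_a, {}), members.get(port_b, {})
    shared = sorted(set(a) & set(b))
    if not shared:
        findings.append(f"ports {port_a} and {port_b} share no VLAN")
    for vlan in shared:
        if (a[vlan], b[vlan]) != ("untagged", "untagged"):
            findings.append(f"{vlan}: port {port_a} {a[vlan]}, port {port_b} {b[vlan]}")
    return findings
```

An empty result only means the saved configuration is consistent for that pair of ports.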
really used a factory switch with only 2 VLANS. FIRST VLAN DEFAULT AND SECOND VLAN TRANSTELEKOM TAG 1000. which port does not matter, I tried through any ports. I pinged from Default VLAN from different computer. Network diagram below.



Please help!!!
Userlevel 4
Alexey - Perhaps we're all misunderstanding your scenario. You're pinging from the workstation on the left (on V1) to both firewalls and showing packet loss when you do so? If that's the case, I only see one firewall with an interface in the same VLAN. Can you explain what your overall goal is, along with what firewalls you're using and how you're routing between VLANs? What does this look like when it's done and working in your opinion?
Friends, between two firewalls tunnel, trusted network 1 and network 2, both networks are in the default Vlan with the same masks just different subnets. Firewall 2 moved to another building. Buildings are connected by a stack whose slots are located in different buildings. Between 10Gbit / s slots. The idea was to connect the tunnel not with a wire, wasting nerves, strength and money to run a cable, and use a simple VLAN with untagged ports for this. I listened to your advice, took a backup extreme and did so you told me I used only one switch, without adding my entire network there. This is described in the diagram, the result was the same. Connecting via RDP is terribly buggy. If I do the same thing through D-link for $ 20. Everything is working.
I can say that it worked through stack before.
What do you think about that situation?
Maybe the problem is the firewall?
Userlevel 7
do a "sh port no" and provide a screenshot and tell us on which ports you've connected which device.
