IP Blocking problem

EtherNation_Use
Contributor II
Create Date: Jan 29 2013 2:11PM

Hi

I'm having a strange problem and I don't know how to proceed.

We have 5 Summit switches (X460-24p/t & X460-48p/t) in a ring topology (with EAPS). Everything is working fine, but now we saw that loading a certain website won't work.

The setup is like this:

... SW3 <--> SW4 <--> SW5 <--> SW6 <--> Firewall <--> Internet

The website is working on SW5 and SW6 without problems. But SW4 and everything below won't load this certain page. With Wireshark I saw that the SYN packet is travelling to the website. The SYN ACK packet is coming back and leaving SW5. But on SW4 I can't see the packet arriving. It seems that SW4 is dropping the packet due to an IP restriction.

There are no ACLs configured on SW4. ip-security source-ip-lockdown isn't configured either. So at the moment I have no idea what the matter is. Does anyone have an idea which would be helpful?

Thanks in advance
TIDigi (from TIDigi)

EtherNation_Use
Contributor II
Create Date: Apr 4 2013 12:03PM

Thanks for your input

I made ACLs on SW4 and SW5 slightly different to the one you wrote. But I saw the same thing with Wireshark. The packets left SW5 but didn't enter SW4.

The solution for the problem was a restart of SW4. But something strange happened after this action. One VLAN didn't work anymore on SW4. It was the VLAN for VoIP. So we restarted the switch again and now everything works fine. The second restart was around 9pm and we got restart alerts in EpiCenter every 5 minutes until 6am. I'm not sure what the matter was, but at least everything works fine now.

Thanks for your replies and the help
TiDigi (from TIDigi)

EtherNation_Use
Contributor II
Create Date: Mar 7 2013 2:17PM

As far as I can tell, whatever ingresses the switch will be mirrored. If the traffic is dropped, it is dropped after it is duplicated and sent to the mirroring port.

Can you apply an ACL like this:
Switch# edit policy test.pol
type “I” for insert mode
type the following text…

    entry AllowThisHostOnly {
        if {
            ethernet-destination-address XX:XX:XX:XX:XX:XX;
            protocol tcp;
            source-port ;
        } then {
            permit;
            count counter1;
        }
    }

type “esc”, “:”, “wq” OR just “ZZ” to save and quit

Apply that access list to the ingress traffic on the port between SW4 and SW5 (configure access-list test port ingress). Run the traffic and look at the show access-list counter command output. Do you see that counter incrementing?

Another question, when you mirror the traffic, do you mirror on ports or VLANs? Have you tried rebooting SW4 or connecting SW5 to SW3 directly if possible? Can you share the packet capture with us?
(from ethernet)

EtherNation_Use
Contributor II
Create Date: Mar 6 2013 10:02AM

Hi ethernet

I took captures on SW5 and SW4 by mirroring the uplink ports and using Wireshark on the mirrored port. After I saw the SYN ACK on SW5 I only mirrored outgoing traffic and saw the SYN ACK too. So it was sent from SW5 to SW4. On SW4 I didn't see the SYN ACK arriving. I think that SW4 is dropping the packet instantly on arrival...

The destination MAC of the SYN ACK packet is the computer where I try to open the website; let's call it MAC1. The MAC is in the FDB table on SW4 and SW5. It makes no difference if I use another PC with a different MAC.

Long story short:
- SYN packets visible on SW4, SW5, ...
- SYN ACK packets visible on SW5 but NOT on SW4
- FDB contains MAC1 for the VLAN on both switches

TIDigi (from TIDigi)
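The capture comparison described in this post (SYN seen on both switches, SYN ACK only on SW5) can be automated once the two mirrored captures are exported to records. The helper below is an added example, not code from the thread or from Extreme Networks: it indexes the TCP handshake segments of each flow at two capture points and reports which segments vanish between them. The packet records, addresses and ports are constructed.

```python
from collections import namedtuple

# Constructed records, modelled on fields a tshark/Wireshark export of the
# two mirrored captures would carry (SW5 egress toward SW4, SW4 ingress).
Pkt = namedtuple("Pkt", "src dst sport dport flags seq ack")

SW5_CAPTURE = [
    Pkt("192.0.2.10", "203.0.113.5", 51000, 80, "S", 1000, 0),     # client SYN
    Pkt("203.0.113.5", "192.0.2.10", 80, 51000, "SA", 5000, 1001), # server SYN/ACK
    Pkt("192.0.2.10", "203.0.113.5", 51000, 80, "S", 1000, 0),     # SYN retransmit
]
SW4_CAPTURE = [
    Pkt("192.0.2.10", "203.0.113.5", 51000, 80, "S", 1000, 0),
    Pkt("192.0.2.10", "203.0.113.5", 51000, 80, "S", 1000, 0),
]


def flow_key(p):
    """Direction-independent key so SYN and SYN/ACK land on the same flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def handshake_index(capture):
    """Map each flow to the set of handshake flag strings seen at this point."""
    idx = {}
    for p in capture:
        if p.flags in ("S", "SA"):
            idx.setdefault(flow_key(p), set()).add(p.flags)
    return idx


def syn_retransmits(capture):
    """Count repeated SYNs per flow; retransmits hint that the reply never came back."""
    seen = {}
    for p in capture:
        if p.flags == "S":
            seen[flow_key(p)] = seen.get(flow_key(p), 0) + 1
    return {k: v - 1 for k, v in seen.items() if v > 1}


def missing_segments(upstream, downstream):
    """Return {flow: handshake segments seen upstream but never downstream}."""
    up, down = handshake_index(upstream), handshake_index(downstream)
    return {f: k - down.get(f, set()) for f, k in up.items() if k - down.get(f, set())}


if __name__ == "__main__":
    for flow, lost in missing_segments(SW5_CAPTURE, SW4_CAPTURE).items():
        print(f"{flow}: lost between SW5 and SW4 -> {sorted(lost)}")
```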

EtherNation_Use
Contributor II
Create Date: Mar 3 2013 3:56AM

TIDigi, where did you take the packet capture? Do you see the SYN ACK reaching SW4 or does it not even reach there? What is the destination MAC address of the SYN ACK packet? Is it seen in the output of show fdb in that VLAN on any of the switches? (from ethernet)