time to live exceeded

Nikolay_Krasko
New Contributor
Hi Everyone,

Very suddenly, a bunch of our Extreme x670v, x480 became unavailable over the management IP address and the IP addresses assigned to different VLANs.

After hours of investigation we found that we can access them from IP addresses in the same subnets assigned over different VLANs, but all requests coming from other subnets are dropped.

The problem, as we found, is in the TTL value assigned to the packets going out from the switch to the default gateway: it is set to 1. If we do 'ping ttl 10 host' it works fine.

A very long time back there was one message in the logs of the 670v: "Slot-2: IPv4 multicast entry not added. Hardware L3 Table full." But we don't think that is the case.

We did quite a lot of research overnight in docs, different forums, etc. Nothing found.

The configuration is quite simple: we don't use any routing, BGP, OSPF, etc.

Please give us a clue as to what can cause this issue and how it can be fixed.

Thanks,
Nikolay

6 REPLIES 6

Sumit_Tokle
Contributor
Hi Alexander,

There is no CLI command available at this moment to change the TTL value. However, you can send an SNMP OID and set the TTL value as per your requirement.

It is recommended not to change the default TTL value.

Alexander_Shiko
New Contributor
Dear Sumit,

I've run into the same issue. Is there any chance to adjust the default TTL value from the CLI?
Thanks in advance!

Sumit_Tokle
Contributor
A switch without a password can be accessed by anyone, so to provide security we would configure a password.

In a similar way, without an SNMP access profile anyone can access or modify the switch configuration through SNMP get or set operations. In order to provide security we can configure the above methods.

Hope this would help you.

Sumit_Tokle
Contributor
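1) Use the built-in text editor “vi” to create the policy:

a. Issue the command, “vi snmp_access.pol”

b. Now type “i” to allow us to paste the following policy:

entry snmp_access {
    if {
        # placeholder: address of the NMS server that is allowed SNMP access
        source-address <NMS server IP>/32;
    }
    then {
        permit;
    }
}
entry snmp_deny {
    # empty match: applies to every other source
    if {
    }
    then {
        deny;
    }
}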

2) Now let’s apply this policy to deny everyone SNMP access except for the NMS server or other reliable sources.

a. Issue the command, “configure snmp access-profile snmp_access”

----------------------------------------------------------------------------------------

To see the active snmp community execute the command:

"show snmpv3 community".

If you are not using any community then it's recommended to delete that community using the command,

configure snmp delete community readwrite private

configure snmp delete community readonly public

----------------------------------------------------------------------------------------

Once you configure the SNMP access-profile, you will see in the log the source IP address which was trying to access the switch using the SNMP get or set command and was denied by the SNMP rule.


06/16/2014 14:36:01.79 SNMP access from source 10.120.89.75 is denied by rule test. Dropping this Request.
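
A small log check for the deny message shown above, as an added example that is not part of the original post or of Extreme's tooling: it parses that message format and reports sources that hit the SNMP access-profile repeatedly inside a time window. The threshold, the window, the function names and every sample line except the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern follows the deny message quoted in the post above.
DENY_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d+\s.*?"
    r"SNMP access from source (?P<src>\S+) is denied by rule (?P<rule>\S+?)\.(?:\s|$)"
)

# First line is from the post; the rest are constructed sample data.
SAMPLE_LOG = [
    "06/16/2014 14:36:01.79 SNMP access from source 10.120.89.75 is denied by rule test. Dropping this Request.",
    "06/16/2014 14:36:03.10 SNMP access from source 10.120.89.75 is denied by rule test. Dropping this Request.",
    "06/16/2014 14:37:40.02 SNMP access from source 10.120.89.75 is denied by rule test. Dropping this Request.",
    "06/16/2014 14:38:00.00 SNMP access from source 192.0.2.10 is denied by rule test. Dropping this Request.",
    "06/16/2014 15:30:12.55 SNMP access from source 10.120.89.75 is denied by rule test. Dropping this Request.",
]

def parse_denials(lines):
    """Yield (timestamp, source_ip, rule) for each SNMP deny line."""
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # not an SNMP deny message
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source field is not a valid IP; skip malformed line
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
        yield ts, str(src), m["rule"]

def flag_sources(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {source: peak_count} for sources with >= threshold denials in any window."""
    by_src = defaultdict(list)
    for ts, src, _rule in parse_denials(lines):
        by_src[src].append(ts)
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it covers at most `window`
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged
```

A source that appears here and is not your NMS server is either a misconfigured poller or something probing the default communities, which is the reason the post recommends deleting unused ones.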
