This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- Too many ACL's & packet rate is too high issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Too many ACL's & packet rate is too high issue
Too many ACL's & packet rate is too high issue
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-24-2017 09:53 AM
Hi, When i configure the switch to download Xos image to upgrade its verson im getting too many "Too many ACL's & packet rate is too high" messages in the switch logs.
02/24/2017 11:34:27.76 Slot-1: Denied packet on ingress interface vlanIf=1000010 slot=1 port=49, too many ACL's & packet rate is too high.
This messages refer to the trunk where i dont have any access-list applied. Ive run the "sh access-list port 1:49" and got this:
#Dynamic Entries ((*)- Rule is non-permanent )
RuleNo Name Application Zone Sub-Zone
(*)1 idmgmt_ks_tcp_dst IdentityManager SYSTEM 0
(*)2 idmgmt_ks_udp_dst IdentityManager SYSTEM 0
(*)3 idmgmt_ks_tcp_src IdentityManager SYSTEM 0
(*)4 idmgmt_ks_udp_src IdentityManager SYSTEM 0
apart form not having any acl applied to the port 49 i dont have neither the identity management configured on port 49.
Can someone guide me to where should i look for the cause of that log message?
Thanks
02/24/2017 11:34:27.76
This messages refer to the trunk where i dont have any access-list applied. Ive run the "sh access-list port 1:49" and got this:
#Dynamic Entries ((*)- Rule is non-permanent )
RuleNo Name Application Zone Sub-Zone
(*)1 idmgmt_ks_tcp_dst IdentityManager SYSTEM 0
(*)2 idmgmt_ks_udp_dst IdentityManager SYSTEM 0
(*)3 idmgmt_ks_tcp_src IdentityManager SYSTEM 0
(*)4 idmgmt_ks_udp_src IdentityManager SYSTEM 0
apart form not having any acl applied to the port 49 i dont have neither the identity management configured on port 49.
Can someone guide me to where should i look for the cause of that log message?
Thanks
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-28-2017 02:21 AM
Thanks for your kind words and appreciation for my correct assumption. Yes you are right it seems these log messages are related to the past activity. If you see the error logs can find default filter events kern.warning is displayed there:
02/24/2017 11:34:27.76
This could be because in the past for log debug-mode this was added to track the event log that time. If so then please check them for their existence if at all they are still enabled or so.
Use the below command to check for the same:
# show log configuration filter
Log Filter Name: DefaultFilter
I/ Severity
E Component SubComponent Condition CEWNISVD
- ----------- ------------ ----------------------- --------
I Kern Warning --W-----
I All ********
Just like above if t his seems to be present then later you can delete this specific log filter events pointing to kern component if any:
Use the below command to do so:
# enable log debug-mode
WARNING: Debug mode should only be enabled when advised by technical support,
or when advanced diagnosis is required. Performance degradation is possible.
Debug mode now enabled.
# configure log filter "DefaultFilter" delete events "kern.warning"
Then execute the below to check if these log events are all deleted or so:
# sh log configuration filter
Log Filter Name: DefaultFilter
I/ Severity
E Component SubComponent Condition CEWNISVD
- ----------- ------------ ----------------------- --------
I All ********
Finally please do not forget to disable the log debug-mode before getting out of the switch cli:
# disable log debug-mode
Do let us know after following these steps if you still see the reported error log messages?
02/24/2017 11:34:27.76
This could be because in the past for log debug-mode this was added to track the event log that time. If so then please check them for their existence if at all they are still enabled or so.
Use the below command to check for the same:
# show log configuration filter
Log Filter Name: DefaultFilter
I/ Severity
E Component SubComponent Condition CEWNISVD
- ----------- ------------ ----------------------- --------
I Kern Warning --W-----
I All ********
Just like above if t his seems to be present then later you can delete this specific log filter events pointing to kern component if any:
Use the below command to do so:
# enable log debug-mode
WARNING: Debug mode should only be enabled when advised by technical support,
or when advanced diagnosis is required. Performance degradation is possible.
Debug mode now enabled.
# configure log filter "DefaultFilter" delete events "kern.warning"
Then execute the below to check if these log events are all deleted or so:
# sh log configuration filter
Log Filter Name: DefaultFilter
I/ Severity
E Component SubComponent Condition CEWNISVD
- ----------- ------------ ----------------------- --------
I All ********
Finally please do not forget to disable the log debug-mode before getting out of the switch cli:
# disable log debug-mode
Do let us know after following these steps if you still see the reported error log messages?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-27-2017 10:26 AM
Your assumption is correct and i have to give you credit for that, what i dont understand is the meaning of those messages.
At the moment i dont have any policy configured and if i upload a new image to the switch those messages wil appear again during the upload proccess. what do they mean? If they relate to someting i had previously configured they are kind of missleading.
At the moment i dont have any policy configured and if i upload a new image to the switch those messages wil appear again during the upload proccess. what do they mean? If they relate to someting i had previously configured they are kind of missleading.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-27-2017 07:33 AM
This means my assumption was correct. This shows in the recent past you had already applied ACL on this specific port and later removed them seems. So what i wanted to say earlier as below:
For example assume you prepared one policy file and executed them. Say this policy file contains more than 1 entries as below:
entry one {
if match all {
ethernet-destination-address 33:33:00:00:00:00 mask ff:ff:00:00:00:00
} then {
count ip-in;
}
}
configure access-list ip-traffic any
then say you updated the ip-traffic.pol to include one more entry
entry two {
if match all {
ethernet-destination-address 01:80:c2:00:00:00;
} then {
count st-in;
}
}
Then you must have refreshed the policy as:
refresh policy ip-traffic
Then at last when you try to unconfigure the access-list:
unconfigure access-list ip-traffic
Then while executing the show log it takes a long time and later there are chances the log files to be filled with messages such as:
02/24/2017 11:34:27.76 Slot-1: Denied packet on ingress interface vlanIf=1000010 slot=1 port=49, too many ACL's & packet rate is too high.
So in a nut shell if i put them here again in one statement then:
These log messages could be resulted if the "refresh policy" command is invoked by adding few more entries in the policy file, then after unconfiguring that specific ACL, EXOS switch will start logging messages like "Denied packet on ingess interface vlanIf=1000223 slot=1 port=1, too many ACL's & packet rate is too high".
Hope this time it is much clear to you after showing you above by an example the possible cause of these log message generation.
For example assume you prepared one policy file and executed them. Say this policy file contains more than 1 entries as below:
entry one {
if match all {
ethernet-destination-address 33:33:00:00:00:00 mask ff:ff:00:00:00:00
} then {
count ip-in;
}
}
configure access-list ip-traffic any
then say you updated the ip-traffic.pol to include one more entry
entry two {
if match all {
ethernet-destination-address 01:80:c2:00:00:00;
} then {
count st-in;
}
}
Then you must have refreshed the policy as:
refresh policy ip-traffic
Then at last when you try to unconfigure the access-list:
unconfigure access-list ip-traffic
Then while executing the show log it takes a long time and later there are chances the log files to be filled with messages such as:
02/24/2017 11:34:27.76
So in a nut shell if i put them here again in one statement then:
These log messages could be resulted if the "refresh policy" command is invoked by adding few more entries in the policy file, then after unconfiguring that specific ACL, EXOS switch will start logging messages like "Denied packet on ingess interface vlanIf=1000223 slot=1 port=1, too many ACL's & packet rate is too high".
Hope this time it is much clear to you after showing you above by an example the possible cause of these log message generation.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-27-2017 07:09 AM
Hi and thank you for your reply, to be honest im not sure if i understood your explanation and i am still bit confused.
It is true that in recent past i had a policy applied on inteface 49, but not anymore, according to the log packets are being denied on ingress interface, and this is where i get confused, since at the moment i dont have any policy or ACL applied on the interface 49, what is what is denying the ingress traffic?
Should i do a refresh policy upon removing a policy from an interface so that those log messages dont appear anymore?
It is true that in recent past i had a policy applied on inteface 49, but not anymore, according to the log packets are being denied on ingress interface, and this is where i get confused, since at the moment i dont have any policy or ACL applied on the interface 49, what is what is denying the ingress traffic?
Should i do a refresh policy upon removing a policy from an interface so that those log messages dont appear anymore?
