S5700-28TP-PWR-LI-AC: S5700 switch cannot be accessed via SSH or monitored via SNMP

Issue Description

Version information:

USG6350 V100R001C30SPC600/S5700 V200R006C00SPC500

Network Overview:

PC1 connects to the AR router through the network, the AR router connects to the firewall, and the firewall connects to the two switches.

Topology:

Fault description:

The customer cannot monitor the device status or access it via SSH. At the customer site (WTC635), there is 1 x USG6330 FW + 2 x S5700 switches. One of the switches (switch01) can be accessed by SSH and monitored through SNMP, but the other (switch02) cannot. Both switches have the same configuration. But when we ping switch02 for a while, it can be accessed by SSH and monitored by SNMP. A few minutes later, switch02 becomes slow to respond, and then the connection is lost via SSH and SNMP. Also, when we access switch02 via the FW, it doesn't have any problem. Please see the attached FW, switch01 and switch02 configuration and

Handling Process

1. The PC pings the S5700-2 VLANIF IP address with 50 packets while traffic statistics are collected on the interconnection between S5700-1 and S5700-2. The outbound interface received only 48 packets, so S5700-2 also responded to only 48; the other two packets were lost.

3. Check the MAC forwarding table on the firewall.

4. As can be seen from the above, the firewall learned the MAC address of VLANIF 10 on S5700-2 on G1/0/1. In this case the MAC address flaps between G1/0/0 and G1/0/1, and while the entry points to the wrong interface the service is unavailable. This matches the intermittent fault symptom.
5. Analyzing the cause further: although switch port G0/0/28 is in the STP discarding state, it still sends multicast packets of several protocols. The firewall interfaces work as Layer 2 ports, so the firewall forwards these multicast packets and learns their source MAC. As a result, the VLANIF 10 MAC address of S5700-2 flaps between firewall G1/0/0 and G1/0/1.
6. LNP, NDP and NTDP are enabled by default on the switches, and LLDP is enabled as well. These are Layer 2 protocols of the switch with the following characteristics:
 LLDP: DMAC 0180-c200-000e, EthType 0x88cc
 LNP: DMAC 0180-c200-000a, EthType 0x2004
 NDP, NTDP: DMAC 0180-c200-000a, EthType 0x88a7
 These protocol packets are addressed to the reserved BPDU MAC range so that the protocol calculation can complete, and they are not subject to interface blocking. In other words, a port in the blocked state still sends these packets.
7. Some switches on the live network use two different MAC addresses: the VLANIF MAC address is not the same as the system MAC address. On those switches the firewall learns the system MAC (the source of the protocol packets) on the blocked link, while the VLANIF MAC is still learned on the correct link. Switches whose VLANIF MAC differs from the system MAC therefore do not show this problem.
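The failure mode in steps 4 to 7 can be reproduced in a small model: a transparent Layer 2 bridge that learns the source MAC of every frame, fed with the ping reply from VLANIF 10 on one port and the LLDP/LNP/NDP/NTDP hellos that the discarding switch port still emits on the other. The following Python is an added example written for this page, not code from Huawei or from the case; the MAC addresses, the port roles (ACTIVE_PORT, BLOCKED_PORT) and the hello cadence are assumptions, while the destination MACs and EtherTypes are those listed in step 6.

```python
"""Model of the MAC flapping described in steps 4 to 7: a transparent Layer 2
firewall learns the same source MAC on two ports because an STP-discarding
switch port still emits LLDP/LNP/NDP/NTDP multicasts.  Added example, not
code from the case."""
from dataclasses import dataclass

# Protocol constants as listed in step 6 of the case.
LLDP_DMAC = "0180-c200-000e"
LLDP_ETHTYPE = 0x88CC
BRIDGE_DMAC = "0180-c200-000a"        # shared by LNP, NDP and NTDP
LNP_ETHTYPE = 0x2004
NDP_NTDP_ETHTYPE = 0x88A7
IPV4_ETHTYPE = 0x0800

# Constructed addresses and port roles (assumptions, not taken from the case).
SW2_SYSTEM_MAC = "0001-0002-0003"     # source MAC of the switch's protocol frames
PC_MAC = "00aa-00bb-00cc"
ACTIVE_PORT = "G1/0/0"                # firewall port on the forwarding path to S5700-2
BLOCKED_PORT = "G1/0/1"               # firewall port facing the discarding S5700-2 port


@dataclass(frozen=True)
class Frame:
    ingress: str
    src: str
    dst: str
    ethtype: int
    vlan: int = 10


def l2_protocol(frame):
    """Name the Layer 2 protocol a frame belongs to, or None for ordinary traffic."""
    if frame.dst == LLDP_DMAC and frame.ethtype == LLDP_ETHTYPE:
        return "LLDP"
    if frame.dst == BRIDGE_DMAC and frame.ethtype == LNP_ETHTYPE:
        return "LNP"
    if frame.dst == BRIDGE_DMAC and frame.ethtype == NDP_NTDP_ETHTYPE:
        return "NDP/NTDP"
    return None


class L2Firewall:
    """Transparent bridge: learns (vlan, source MAC) -> ingress port from every frame."""

    def __init__(self):
        self.table = {}
        self.moves = []   # (vlan, mac, old_port, new_port), one entry per MAC move

    def learn(self, frame):
        key = (frame.vlan, frame.src)
        old = self.table.get(key)
        if old is not None and old != frame.ingress:
            self.moves.append((frame.vlan, frame.src, old, frame.ingress))
        self.table[key] = frame.ingress

    def egress_for(self, vlan, mac):
        return self.table.get((vlan, mac))


def frames_from_switch02(vlanif_mac, system_mac, l2_protocols_enabled):
    """One cycle of what the firewall sees from S5700-2.

    The ping reply from VLANIF 10 travels the forwarding path and enters on
    ACTIVE_PORT.  If the Layer 2 protocols are enabled, the discarding switch
    port still emits its hello frames straight into BLOCKED_PORT."""
    frames = [Frame(ACTIVE_PORT, vlanif_mac, PC_MAC, IPV4_ETHTYPE)]
    if l2_protocols_enabled:
        frames += [
            Frame(BLOCKED_PORT, system_mac, LLDP_DMAC, LLDP_ETHTYPE),
            Frame(BLOCKED_PORT, system_mac, BRIDGE_DMAC, NDP_NTDP_ETHTYPE),
            Frame(BLOCKED_PORT, system_mac, BRIDGE_DMAC, LNP_ETHTYPE),
        ]
    return frames


def simulate(cycles=5, vlanif_mac=SW2_SYSTEM_MAC, system_mac=SW2_SYSTEM_MAC,
             l2_protocols_enabled=True):
    """Run `cycles` rounds and report where the VLANIF MAC ends up and how often it moved.

    The defaults reproduce the failing switch: VLANIF 10 uses the system MAC
    and the Layer 2 protocols are enabled on the discarding port."""
    fw = L2Firewall()
    for _ in range(cycles):
        for frame in frames_from_switch02(vlanif_mac, system_mac, l2_protocols_enabled):
            fw.learn(frame)
    vlanif_moves = [m for m in fw.moves if m[1] == vlanif_mac]
    return {
        "vlanif_port": fw.egress_for(10, vlanif_mac),
        "vlanif_flaps": len(vlanif_moves),
        # With the entry on BLOCKED_PORT, a unicast to the VLANIF is sent into
        # the discarding port and dropped: the SSH/SNMP loss from the symptom.
        "unicast_to_vlanif_dropped": fw.egress_for(10, vlanif_mac) == BLOCKED_PORT,
    }


if __name__ == "__main__":
    print("faulty switch      :", simulate())
    print("distinct VLANIF MAC:", simulate(vlanif_mac="0001-0002-0004"))
    print("protocols disabled :", simulate(l2_protocols_enabled=False))
```

The three runs at the bottom correspond to steps 5, 7 and the fix: with VLANIF 10 sharing the system MAC the entry moves on every hello and every reply; with a distinct VLANIF MAC only the system MAC lands on the blocked link and the VLANIF entry never moves; with the protocols disabled nothing arrives on the blocked link at all.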


Root Cause

Although the switch interface is in the STP discarding state, it still sends multicast protocol packets (LLDP, LNP, NDP, NTDP). The firewall, working at Layer 2, learns the source MAC of these packets, so the switch's MAC address flaps between two firewall interfaces, and while the entry points to the blocked link the service is unavailable, which produces the fault symptom.


Solution

Disable the LLDP, LNP, NDP and NTDP functions on the switch. Once the multicast protocol packets are no longer sent on the blocked interface, the firewall learns the MAC address on only one interface and the problem is resolved. Note that disabling these protocols on the uplink also removes LLDP/NDP neighbor discovery for that link.

Please add the following commands to both switches:

Global setting:
lnp disable
undo cluster enable
undo ntdp enable
undo ndp enable

Interface setting (connected to firewall):
interface GigabitEthernet0/0/28    // to firewall
description Uplink to NGFW USG6330 G1/0/0
undo ntdp enable
undo ndp enable
undo lldp enable
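Because the fault appeared on only one of two "identically" configured switches, it is worth checking mechanically that every required command from the list above is present on both. The following Python is an added example written for this page (not a Huawei tool): it splits a saved `display current-configuration` text into global and per-interface commands, using the VRP convention that a `#` line ends a stanza, and reports which of the fix commands are missing. The two sample configurations are constructed; switch02's is deliberately incomplete.

```python
"""Check that the global and interface-level fix commands are present in a
VRP-style switch configuration.  Added example, not a Huawei tool."""

# Commands from the fix, as given for the global view and for the uplink interface.
REQUIRED_GLOBAL = ("lnp disable", "undo cluster enable", "undo ntdp enable", "undo ndp enable")
REQUIRED_ON_UPLINK = ("undo ntdp enable", "undo ndp enable", "undo lldp enable")


def parse_vrp_config(text):
    """Split configuration text into global lines and {interface: [lines]}.

    A line starting with 'interface ' opens a stanza; a bare '#' (the
    separator used in display current-configuration output) closes it."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
            continue
        (interfaces[current] if current else global_lines).append(line)
    return global_lines, interfaces


def missing_fix_commands(text, uplink="GigabitEthernet0/0/28"):
    """Return the fix commands that are absent, prefixed with where they belong."""
    global_lines, interfaces = parse_vrp_config(text)
    missing = [f"global: {cmd}" for cmd in REQUIRED_GLOBAL if cmd not in global_lines]
    uplink_lines = interfaces.get(uplink, [])
    missing += [f"{uplink}: {cmd}" for cmd in REQUIRED_ON_UPLINK if cmd not in uplink_lines]
    return missing


# Constructed sample configurations (not the customer's actual files).
SWITCH01_CONFIG = """\
#
sysname switch01
lnp disable
undo cluster enable
undo ntdp enable
undo ndp enable
#
interface GigabitEthernet0/0/28
 description Uplink to NGFW USG6330 G1/0/0
 undo ntdp enable
 undo ndp enable
 undo lldp enable
#
interface Vlanif10
 ip address 192.0.2.2 255.255.255.0
#
"""

SWITCH02_CONFIG = """\
#
sysname switch02
undo cluster enable
undo ntdp enable
undo ndp enable
#
interface GigabitEthernet0/0/28
 description Uplink to NGFW USG6330 G1/0/0
 undo ntdp enable
 undo ndp enable
#
"""

if __name__ == "__main__":
    for name, cfg in (("switch01", SWITCH01_CONFIG), ("switch02", SWITCH02_CONFIG)):
        gaps = missing_fix_commands(cfg)
        print(name, "OK" if not gaps else "missing: " + ", ".join(gaps))
```

The check matches commands literally, so a switch that meets the intent with a different command form (for example an interface placed in a group) would be reported as missing; treat the output as a prompt to inspect, not as proof of compliance.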