MPLS LDP Peer Relationship Cannot Be Established Due to Limitations in CPU Attack Defense Policies

Publication Date: 2013-09-10
Issue Description

Networking:
NE5000E-1------------------------NE5000E-2 
   |                                |
    -------------------------------- 
                  | 
                 EXXX

Fault symptom:
The NE5000E-2 repeatedly generates a large number of alarms indicating that the hello timer and the hold timer of the MPLS LDP peer relationship between the NE5000E-2 and the EXXX have expired. The LDP session stays in the noExtend state and never reaches the Operational state.


Aug 22 2012 00:43:02 NE5000E %%01LDP/4/SSNHOLDTMREXP(l)[165176]:Sessions were deleted because the session hold timer expired and the notification of the expiry was sent to the peer 1.2.1.62.
Handling Process

1. Check the route to the peer's LDP transport address. LDP Hello packets are sent with a TTL of 1, so they cannot reach the peer if the route to it detours through another device and the peer is more than one hop away. Run the dis ip routing-table 1.2.1.62 command to check the route. The output shows that the route is abnormal: the NE5000E-2 learns the loopback address 1.2.1.62 from the NE5000E-1 instead of over the direct link. Check the interface configuration: the IS-IS cost on the peer device is set to 10000, so traffic detours through the NE5000E-1. After the cost is corrected, the route becomes normal (output below), but the LDP peer relationship is still abnormal.
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto  Pre  Cost       Flags NextHop         Interface
1.2.1.62/32         ISIS   15   1000       D     10.10.10.2      Pos3/4/1/2

2. Run the dis cur interface Pos3/4/1/2 command to check the MPLS configuration on the interface, and then check the corresponding configuration on the peer device. Both are correct: MPLS and MPLS LDP are enabled on the interface at each end.
NE5000E>dis cur int Pos3/4/1/2
#
interface Pos3/4/1/2
 link-protocol ppp
 ip address 10.10.10.1 255.255.255.252
 isis enable 2004
 isis circuit-level level-2
 isis cost 1000
 mpls
 mpls ldp
 ip netstream inbound
 ip urpf loose
#
3. Check the status of the TCP connection to the peer on port 646 (the LDP session transport). The connection is stuck in the Syn_Sent state, that is, the TCP handshake never completes.
NE5000E>dis tcp status remote-ip 1.2.1.62
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
c9720f68  125/515  1.1.1.2:646        1.2.1.62:3368     0     Syn_Sent

4. Check the status of the MPLS LDP session. The session is in the noExtend state on the NE5000E-2 and in the OpenSent state on the EXXX.
NE5000E>dis mpls ldp session 1.1.1.2

5. The TCP connection cannot be established, which suggests that packets to or from TCP port 646 are being filtered before they reach the control plane. A large number of CPU attack defense policies are configured on the NE5000E-2 (the egress device of the network). Among them, user-defined flow 1 references ACL 3201, which decides which packets from or destined for TCP/UDP port 646 (used by MPLS LDP) may be sent to the CPU; LDP packets that match none of its rules are discarded. Check the ACL: every rule matches only sources in 1.1.0.0/16 (source 1.1.1.0 with wildcard 0.0.255.255), so the EXXX loopback address 1.2.1.62 is not covered by the ACL.
NE5000E>dis cur configuration cpu-defend-policy
#
cpu-defend policy 4
 whitelist acl 3200
 blacklist acl 3230
 user-defined-flow 1 acl 3201 ---------------ACL 3201 defines the LDP packets (TCP/UDP port 646) that may be sent to the CPU; LDP packets it does not match are discarded.
 user-defined-flow 2 acl 3202
 user-defined-flow 3 acl 3203
 user-defined-flow 4 acl 3204
 user-defined-flow 5 acl 3205
 user-defined-flow 6 acl 3206
 user-defined-flow 7 acl 3207
 user-defined-flow 8 acl 3208
 user-defined-flow 9 acl 3209
 user-defined-flow 10 acl 3210
 application-apperceive disable
 process-sequence whitelist user-defined-flow blacklist  ---------------Packets destined for the CPU are matched against the whitelist, the user-defined flows, and the blacklist in this order; packets permitted by none of them are rejected.
NE5000E>dis acl 3201
Advanced ACL 3201, 8 rules
LDP
Acl's step is 5
 rule 5 permit udp source  1.1.1.0 0.0.255.255 destination-port eq 646
 rule 10 permit udp source  1.1.1.0 0.0.255.255 source-port eq 646
 rule 15 permit tcp source  1.1.1.0 0.0.255.255 destination-port eq 646
 rule 20 permit tcp source  1.1.1.0 0.0.255.255 source-port eq 646
#
[NE5000E-slot-clc3/4]dis th
#
slot clc3/4
 cpu-defend-policy 4
#
Root Cause
The CPU attack defense policy on the NE5000E-2 restricts the TCP/UDP port used by MPLS LDP (646) to the source addresses listed in ACL 3201, and the EXXX loopback address is not among them. LDP packets from the EXXX are discarded before they reach the CPU, so the TCP connection stays in the Syn_Sent state and the MPLS LDP session cannot be established.
Solution
1. Add the EXXX loopback address 1.2.1.62 to ACL 3201 on the NE5000E-2 so that LDP packets exchanged with the EXXX (TCP and UDP, port 646 as source or as destination) are permitted:
acl 3201
 rule 25 permit tcp source 1.2.1.62 0 destination-port eq 646
 rule 30 permit udp source 1.2.1.62 0 destination-port eq 646
 rule 35 permit udp source 1.2.1.62 0 source-port eq 646
 rule 40 permit tcp source 1.2.1.62 0 source-port eq 646

2. Verify that the TCP connection is in the Established state and that the MPLS LDP session is in the Operational state. The fault is rectified.
NE5000E>dis tcp status remote-ip 1.2.1.62
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
c9720f68  125/515  1.1.1.2:646        1.2.1.62:3368     0     *Established
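The following check is an added worked example for this case; it is not output or configuration from the NE5000E or the EXXX. It parses ACL 3201 as displayed above, then replays the LDP TCP session packets from the EXXX loopback through a simplified model of cpu-defend policy 4 (whitelist, then user-defined flow, then everything else discarded, as the case describes) so that the effect of the wildcard mask 0.0.255.255 and of the added rules 25 to 40 can be seen without a lab. Assumptions of the example: only ACL 3201 is modelled (ACL 3200 and the other user-defined flows are assumed not to match LDP traffic), the peer's ephemeral port 3368 is taken from the TCP output above, and link-local LDP Hello packets, which are sent from the interface address rather than the loopback, are not modelled.

```python
"""Added example for this case: replay LDP session packets from a peer
through a simplified model of a Huawei cpu-defend policy
(whitelist -> user-defined flow -> everything else discarded, as the
case describes). Not output from the NE5000E; ACL 3200 and the other
user-defined flows are assumed not to match LDP traffic."""
import ipaddress
import re

LDP_PORT = 646

# ACL 3201 as displayed on the NE5000E-2 before the fix (copied from the case).
ACL_3201_BEFORE = """
 rule 5 permit udp source  1.1.1.0 0.0.255.255 destination-port eq 646
 rule 10 permit udp source  1.1.1.0 0.0.255.255 source-port eq 646
 rule 15 permit tcp source  1.1.1.0 0.0.255.255 destination-port eq 646
 rule 20 permit tcp source  1.1.1.0 0.0.255.255 source-port eq 646
"""

# The rules the Solution section adds for the EXXX loopback 1.2.1.62.
ACL_3201_FIX = """
 rule 25 permit tcp source 1.2.1.62 0 destination-port eq 646
 rule 30 permit udp source 1.2.1.62 0 destination-port eq 646
 rule 35 permit udp source 1.2.1.62 0 source-port eq 646
 rule 40 permit tcp source 1.2.1.62 0 source-port eq 646
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+(tcp|udp|ip)"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+(source-port|destination-port)\s+eq\s+(\d+))?"
)


def parse_acl(text):
    """Turn 'display acl' rule lines into dicts, ordered by rule id."""
    rules = []
    for rid, action, proto, src, wmask, pdir, port in RULE_RE.findall(text):
        rules.append({"id": int(rid), "action": action, "proto": proto,
                      "src": src or None, "wmask": wmask or None,
                      "pdir": pdir or None, "port": int(port) if port else None})
    return sorted(rules, key=lambda r: r["id"])


def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard: a 0 bit must match, a 1 bit is don't-care, and a
    bare '0' means the single host. So 'source 1.1.1.0 0.0.255.255' covers
    all of 1.1.0.0/16 and nothing in 1.2.0.0/16."""
    wildcard = "0.0.0.0" if wildcard == "0" else wildcard
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (b & keep)


def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] and not wildcard_match(pkt["src"], rule["src"], rule["wmask"]):
        return False
    if rule["pdir"] == "source-port" and pkt["sport"] != rule["port"]:
        return False
    if rule["pdir"] == "destination-port" and pkt["dport"] != rule["port"]:
        return False
    return True


def acl_permits(rules, pkt):
    """First matching rule wins; an ACL that matches nothing permits nothing."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"] == "permit"
    return False


def cpu_defend_verdict(policy, pkt):
    """process-sequence whitelist user-defined-flow blacklist: a packet
    permitted by the whitelist or by a user-defined flow goes to the CPU;
    whatever is left reaches the blacklist stage and is discarded."""
    for stage in ("whitelist", "user-defined-flow"):
        if any(acl_permits(acl, pkt) for acl in policy.get(stage, [])):
            return "to-cpu"
    return "dropped"


def ldp_flows(peer_transport_addr):
    """LDP session packets from the peer's transport address, port 646 as
    destination (peer -> our 646) and as source (peer's 646 -> our ephemeral).
    Ephemeral port 3368 is taken from the TCP output in the case."""
    return {
        "tcp dport 646": {"proto": "tcp", "src": peer_transport_addr, "sport": 3368, "dport": LDP_PORT},
        "tcp sport 646": {"proto": "tcp", "src": peer_transport_addr, "sport": LDP_PORT, "dport": 3368},
    }


def check_ldp_peer(policy, peer_transport_addr):
    """Verdict of the policy for every modelled LDP flow from the peer."""
    return {name: cpu_defend_verdict(policy, pkt)
            for name, pkt in ldp_flows(peer_transport_addr).items()}


def policy_4(acl_3201_text):
    """cpu-defend policy 4 reduced to the piece the case turns on (assumption)."""
    return {"whitelist": [], "user-defined-flow": [parse_acl(acl_3201_text)]}


if __name__ == "__main__":
    before = check_ldp_peer(policy_4(ACL_3201_BEFORE), "1.2.1.62")
    after = check_ldp_peer(policy_4(ACL_3201_BEFORE + ACL_3201_FIX), "1.2.1.62")
    for name in before:
        print(f"{name:14s} before: {before[name]:8s} after: {after[name]}")
    # A peer inside 1.1.0.0/16 was never affected, which is why only the EXXX failed.
    print("1.1.1.1 tcp dport 646:",
          check_ldp_peer(policy_4(ACL_3201_BEFORE), "1.1.1.1")["tcp dport 646"])
```

Running the check against the pre-fix ACL reports both TCP flows from 1.2.1.62 as dropped and both flows from a 1.1.0.0/16 peer as sent to the CPU; with rules 25 to 40 appended, the EXXX flows are sent to the CPU as well. The same parser and replay can be pointed at any other peer's transport address before a new LDP neighbor is brought up behind a cpu-defend policy.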
Suggestions

Check the following items when an MPLS LDP session fails to come up:

1. Check whether the route to the peer's LDP transport address is correct. LDP Hello packets are sent with a TTL of 1 and cannot reach the peer if the route detours through another hop.
2. Check whether the MPLS and MPLS LDP configuration is correct on both ends of the link.
3. Check whether the TCP or UDP connection is normal. If the TCP connection on port 646 stays in the Syn_Sent state, check whether a CPU attack defense policy or an ACL discards LDP packets from the peer's address.

END