
CPU Usage Is High Due to Loops Caused by Lack of Black Hole Route on the E8000E-X16 Firewall Attached to an NE5000E

Publication Date:  2013-09-30 Views:  25 Downloads:  0
Issue Description

An E8000E-X16 firewall was attached to an NE5000E at the MAN egress. The firewall was used to perform NAT for services on the BRAS connected to the NE5000E.


A user ran the <RT01-NE5KE>dis cpu command and found that the CPU usage of the NE5000E reached 99%.

TaskName        CPU  Runtime(CPU Tick High/Tick Low)  Task Explanation  

ROUT                  99%         0/ 6667f5d       ROUTRoute task
Handling Process

For an upstream service, a BRAS transmitted the service to a city-level NE5000E along the default route, the NE5000E transmitted the service to the E8000E-X16 firewall according to the routing policy, and the E8000E-X16 firewall transmitted the service back to the NE5000E along the default route after performing NAT. Then, the city-level NE5000E transmitted the service to a province-level NE5000E, and the province-level NE5000E transmitted it out of the MAN.

For a downstream service, a province-level NE5000E transmitted the service to a city-level NE5000E, the city-level NE5000E transmitted the service to the E8000E-X16 firewall along a static route, the E8000E-X16 firewall found the corresponding SESSION entry and transmitted the service back to the city-level NE5000E along the static route, and the city-level NE5000E transmitted the service to the BRAS.

Root Cause
The fault occurred when traffic was returned from the E8000E-X16 firewall to the city-level NE5000E. When the city-level private network was hit by unknown attack traffic from an external network, the traffic flowed from the province-level NE5000E to the city-level NE5000E, which forwarded it to the E8000E-X16 firewall along the static route. The firewall had no matching SESSION entry for this traffic, so it sent it back to the NE5000E along the default route; the NE5000E then forwarded it to the firewall again along the static route. The traffic looped between the two devices, and the NE5000E's ROUT task CPU usage climbed to 99%.
Solution

A black hole route was added on the E8000E-X16 firewall attached to the city-level NE5000E. That is, at least the following three static routes must be configured on the firewall:

 ip route-static 0.0.0.0 0 x.x.x.x                (Configures a default route.)
 ip route-static x.x.x.x x.x.x.x x.x.x.x          (Configures a static route to the private network.)
 ip route-static x.x.x.x x.x.x.x NULL0            (Configures a black hole route for the NAT address pool.)

After traffic destined for the private network segment reached the E8000E-X16 firewall, a packet with no corresponding SESSION entry matched the black hole route for the NAT address pool, because that route is more specific than the default route and therefore wins the longest-prefix match. The packet was discarded on the firewall instead of being sent back to the NE5000E along the default route, so no loop could form.
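The following simulation is an added example written for this article, not part of the original case or any Huawei product code. It models the two forwarding tables with longest-prefix match and shows why a downstream packet with no SESSION entry loops between the NE5000E and the firewall until its TTL expires, but is dropped at the firewall once the NULL0 route for the NAT pool is present. The prefixes 203.0.113.0/24 (NAT address pool) and 10.0.0.0/8 (private network) are constructed stand-ins for the x.x.x.x placeholders above.

```python
import ipaddress

FW, RT = "e8000e-firewall", "city-ne5000e"   # the two devices in the loop

def lookup(fib, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def firewall_fib(blackhole):
    """Firewall routes: default back to the NE5000E, static route to the
    private network, and optionally the black hole route for the NAT pool."""
    fib = [("0.0.0.0/0", RT), ("10.0.0.0/8", "bras")]
    if blackhole:
        fib.append(("203.0.113.0/24", "NULL0"))   # constructed NAT pool prefix
    return fib

# City-level NE5000E: default route upstream, static route for the NAT pool
# pointing at the firewall (constructed to mirror the case description).
NE5000E_FIB = [("0.0.0.0/0", "province-ne5000e"), ("203.0.113.0/24", FW)]

def forward(dst, sessions, blackhole, ttl=64):
    """Walk a downstream packet arriving at the city NE5000E.
    sessions maps public (NAT pool) address -> private address.
    Returns (outcome, hops_taken)."""
    node, hops = RT, 0
    while ttl > 0:
        ttl -= 1
        hops += 1
        if node == RT:
            nh = lookup(NE5000E_FIB, dst)
        else:
            if dst in sessions:            # SESSION hit: translate and deliver
                return ("delivered:" + sessions[dst], hops)
            nh = lookup(firewall_fib(blackhole), dst)
        if nh == "NULL0":                  # black hole route: discard here
            return ("dropped", hops)
        if nh in (FW, RT):                 # bounce to the other device
            node = nh
        else:
            return ("delivered:" + nh, hops)
    return ("ttl_expired", hops)

if __name__ == "__main__":
    print(forward("203.0.113.5", {}, blackhole=False))   # loops until TTL runs out
    print(forward("203.0.113.5", {}, blackhole=True))    # dropped on the firewall
```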
Suggestions
If an E8000E-X16 firewall is attached to an NE5000E for NAT, a black hole route needs to be configured for the NAT address pool on the firewall to prevent loops.
