
Incorrect ACL Configurations Caused Some Users to Fail to Go Online

Publication Date: 2013-10-26
Issue Description

Some PPP users connecting to an ME60 that implemented NAT failed to dial up and go online, and error code "691" was returned. The BAS recorded the failure reason Add nat user data fail(Syn User To CPU Fail).

About 9000 users belonged to the NAT domain of the BAS. Some of them could go online only after dozens of dialup attempts.

Version: V600R005C00SPC600. This issue is not related to the version.

The cause of the failure was Add nat user data fail(Syn User To CPU Fail).
Handling Process

This issue might be caused by:

1. RADIUS server

2. NAT license

3. NAT board performance

4. Configurations

To address the issue, Huawei performed the following operations and observed the following information:

1. Run the dis aaa online-fail-record brief command on the BAS to obtain the failure cause. A large number of Add nat user data fail records were found. The RADIUS server was checked: no records showed that users were rejected or had failed to go online. Therefore, the issue was not caused by the RADIUS server.

2. Checked the NAT entries and licenses of the involved boards. The NAT entries were correct and the licenses were in effect.

3. Checked the NAT board performance. As the total number of NAT users on the ME60 was only 9000, the NAT board was lightly loaded and performed stably. Therefore, this issue was not caused by poor NAT board performance.

4. Checked the NAT configurations and found that some private network addresses were not configured in the ACLs.

acl number 3000
 rule 5 permit ip source 10.64.0.0 0.0.15.255
 rule 10 permit ip source 10.64.16.0 0.0.7.255
#
acl number 3001
 rule 5 permit ip source 10.64.16.0 0.0.15.255
 rule 10 permit ip source 10.64.40.0 0.0.7.255

Some addresses in rule 5 of acl 3001 overlapped with acl 3000; this overlap, however, did not prevent users from going online. The network segment 10.64.32.0 0.0.7.255, which lies between rule 5 and rule 10, was matched by neither rule and by neither ACL. Users who obtained addresses on this segment could not be translated by NAT and therefore failed to go online.
After the NAT configurations were modified as follows, the problem was resolved.

acl number 3000
 rule 5 permit ip source 10.64.0.0 0.0.7.255
 rule 10 permit ip source 10.64.8.0 0.0.7.255
 rule 15 permit ip source 10.64.16.0 0.0.7.255
#
acl number 3001
 rule 5 permit ip source 10.64.24.0 0.0.7.255
 rule 10 permit ip source 10.64.32.0 0.0.7.255
 rule 15 permit ip source 10.64.40.0 0.0.7.255
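The gap and the overlap above can be found mechanically by expanding each wildcard-mask rule into an address range and comparing the ranges against the address pool the BAS hands out. The following script is an added example, not Huawei's code or a tool of the ME60; it assumes the pool is 10.64.0.0 to 10.64.47.255 (the range the corrected ACLs cover) and that all wildcard masks are contiguous, as in the configuration quoted above.

```python
import ipaddress
import re

# Constructed copy of the faulty ACL configuration quoted in the case above.
FAULTY_ACLS = """\
acl number 3000
 rule 5 permit ip source 10.64.0.0 0.0.15.255
 rule 10 permit ip source 10.64.16.0 0.0.7.255
#
acl number 3001
 rule 5 permit ip source 10.64.16.0 0.0.15.255
 rule 10 permit ip source 10.64.40.0 0.0.7.255
"""
RULE_RE = re.compile(r"rule (\d+) permit ip source (\S+) (\S+)")

def parse_rules(config):
    """Return [(acl, rule_id, first_ip, last_ip)] with addresses as ints (Huawei wildcard: 1 bits are ignored)."""
    rules, acl = [], None
    for line in config.splitlines():
        head = re.match(r"acl number (\d+)", line.strip())
        if head:
            acl = head.group(1)
            continue
        m = RULE_RE.search(line)
        if m:
            addr = int(ipaddress.IPv4Address(m.group(2)))
            wild = int(ipaddress.IPv4Address(m.group(3)))
            if (wild + 1) & wild:  # only a contiguous wildcard describes one range
                raise ValueError(f"non-contiguous wildcard {m.group(3)} in acl {acl}")
            rules.append((acl, int(m.group(1)), addr & ~wild, addr | wild))
    return rules

def find_gaps(config, pool_first, pool_last):
    """Addresses in [pool_first, pool_last] permitted by no rule, as dotted (first, last) pairs."""
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in (pool_first, pool_last))
    gaps, cursor = [], lo
    for _, _, first, last in sorted(parse_rules(config), key=lambda r: r[2]):
        if first > cursor and cursor <= hi:  # uncovered stretch before this rule starts
            gaps.append((cursor, min(first - 1, hi)))
        cursor = max(cursor, last + 1)
    if cursor <= hi:  # pool extends past the last rule
        gaps.append((cursor, hi))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b))) for a, b in gaps]

def find_overlaps(config):
    """Pairs of rules whose address ranges intersect, labelled 'acl/rule N'."""
    rules = parse_rules(config)
    return [(f"{a1}/rule {r1}", f"{a2}/rule {r2}")
            for i, (a1, r1, f1, l1) in enumerate(rules)
            for a2, r2, f2, l2 in rules[i + 1:] if f1 <= l2 and f2 <= l1]
```

Running find_gaps(FAULTY_ACLS, "10.64.0.0", "10.64.47.255") reports the uncovered segment 10.64.32.0 to 10.64.39.255, and find_overlaps(FAULTY_ACLS) reports the overlap between rule 10 of acl 3000 and rule 5 of acl 3001; on the corrected ACLs both lists are empty.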

For details about NAT configurations, see the attachment.
Root Cause
ACL configurations were incorrect.
Solution
None
Suggestions
Configure consecutive network segments in an ACL.
