USG5500双机场景直连设备PING虚IP出现规律性延时突然增大问题

发布时间:  2013-12-23 浏览次数:  176 下载次数:  0
问题描述

组网说明两CE12800 做CSS集群,两台USG采用两个千兆口作HRP心跳(只track心跳口)组成双机每台USG采用两个万兆端口采用Eth-trunk与两台CE12800互连,通过划子接口归属于不同zone。
通过CE12800出现ping防火墙虚IP延时突然增大再变正常再增大现象。   
    Reply from 10.203.19.138: bytes=56 Sequence=43 ttl=255 time=131 ms
    Reply from 10.203.19.138: bytes=56 Sequence=44 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=45 ttl=255 time=2 ms
    Reply from 10.203.19.138: bytes=56 Sequence=46 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=47 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=48 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=49 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=50 ttl=255 time=4 ms
    Reply from 10.203.19.138: bytes=56 Sequence=51 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=52 ttl=255 time=68 ms
    Reply from 10.203.19.138: bytes=56 Sequence=53 ttl=255 time=4 ms
    Reply from 10.203.19.138: bytes=56 Sequence=54 ttl=255 time=2 ms
    Reply from 10.203.19.138: bytes=56 Sequence=55 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=56 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=57 ttl=255 time=6 ms
    Reply from 10.203.19.138: bytes=56 Sequence=58 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=59 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=60 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=61 ttl=255 time=101 ms
    Reply from 10.203.19.138: bytes=56 Sequence=62 ttl=255 time=4 ms
    Reply from 10.203.19.138: bytes=56 Sequence=63 ttl=255 time=2 ms
    Reply from 10.203.19.138: bytes=56 Sequence=64 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=65 ttl=255 time=2 ms
    Reply from 10.203.19.138: bytes=56 Sequence=66 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=67 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=68 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=69 ttl=255 time=1 ms
    Reply from 10.203.19.138: bytes=56 Sequence=70 ttl=255 time=97 ms
告警信息
处理过程
1、通过修改防火墙与交换机Eth-trunk LACP协商模式为手动后,延时正常;
2、防火墙两个万兆接口上起eth-trunk,通过LACP与对端协商,在协商过程中,PING防火墙自身,发现防火墙回应PING报文较慢,防火墙的LACP任务占用在25%左右;
3、LACP协议协商运行过程中需要定时刷新接口双工、速率信息,万兆接口的双工速率信息读取响应较慢,当CPU频繁采集这些信息时,会占用较高的CPU使用率,从而导致到自身的PING报文响应有一定延时,但由于协商处理过程本身有任务切换,不会影响到自身业务;
4、反馈防火墙该机制需要优化。
根因
通过验证Ping USG主设备实IP地址也出现异常,而转发业务延时都正常响应。
怀疑设备机制实现问题,通过向研发求证设备工作机制。
建议与总结
后续优化版本:V300R001C00SPCb00。

END