BFD session fails to establish because of a firewall in the transmission path

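Published: 2014-11-11
Problem Description
S7700A and S7700B communicate at Layer 3 through VLANIF interfaces, with a transport network (Layer 2 devices) on the link between them. The user configured BFD for fast detection of link faults between the devices.
After BFD was configured, the BFD session state was Down.
Alarm Information
The BFD session state is Down.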
<S7700A>display bfd session discriminator 1111
--------------------------------------------------------------------------------
Local Remote     PeerIpAddr      State     Type        InterfaceName           
--------------------------------------------------------------------------------
1111  1112       172.16.25.2     Down      S_IP_IF     Vlanif1111              
--------------------------------------------------------------------------------
<S7700A>
Troubleshooting Procedure
1. Check the BFD configuration: no anomalies found.
S7700A:
#
bfd nj bind peer-ip 172.16.25.2 interface Vlanif1111
discriminator local 1111
discriminator remote 1112
commit
#
S7700B:
#
bfd bj bind peer-ip 172.16.25.1 interface Vlanif1111
discriminator local 1112
discriminator remote 1111
commit
#
2. Ping from A to B succeeds with no packet loss, which rules out a link fault.

3. Check the BFD session statistics: the session shows a count of sent BFD packets only, with no received BFD packets counted.
<S7700A>disp bfd statistics session discriminator 1111
--------------------------------------------------------------------------------
Session MIndex : 257       (One Hop) State : Down      Name : nj            
--------------------------------------------------------------------------------
  Session Type                        : Static                                 
  Bind Type                           : IP                                     
  Local/Remote Discriminator          : 1111/1112                              
  Received Packets                    : 0                                      
  Send Packets                        : 876                                    
  Received Bad Packets                : 0
  Send Bad Packets                    : 0                                      
  Down Count                          : 0                                      
  ShortBreak Count                    : 0                                      
  Send Lsp Ping Count                 : 0                                      
  Dynamic Session Delete Count        : 0                                      
  Create Time                         : 2014-11-07 11:35:37-08:00              
  Last Down Time                      : -                                      
  Down Status Lasting Time            : 000D:00H:41M:41S                       
  Last Up Time                        : -                                      
  Last Up Lasting Time                : ---D:--H:--M:--S                       
  Total Time From Create              : 000D:00H:41M:41S                       
--------------------------------------------------------------------------------

<S7700A>
 
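4. Confirm the network layout with the customer: a transparent firewall is deployed in front of the remote S7700B switch. The firewall is judged to be blocking the BFD protocol packets.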

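5. After the corresponding security policy was added on the firewall, the BFD session was established normally.
     The firewall security policy should permit BFD packets in both directions (this case uses single-hop BFD, whose packets are carried over UDP with destination port 3784).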
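
The check made in step 3 can be automated over captured CLI output. The following is an added example, not part of the original case or any Huawei tool: it parses the statistics block shown above and flags the "sending but nothing received" pattern that pointed to the firewall. The function names and classification labels are assumptions of this example.

```python
import re

# Constructed sample: a trimmed copy of the `display bfd statistics session`
# output from step 3 of this case.
SAMPLE = """\
Session MIndex : 257       (One Hop) State : Down      Name : nj
  Local/Remote Discriminator          : 1111/1112
  Received Packets                    : 0
  Send Packets                        : 876
  Received Bad Packets                : 0
  Send Bad Packets                    : 0
"""

COUNTER = re.compile(
    r"^\s*(Received Packets|Send Packets|Received Bad Packets|Send Bad Packets)"
    r"\s*:\s*(\d+)", re.M)

def parse_bfd_stats(text):
    """Return the session state and the four packet counters as a dict."""
    state = re.search(r"\bState\s*:\s*(\w+)", text)
    stats = {"State": state.group(1) if state else None}
    for name, value in COUNTER.findall(text):
        stats[name] = int(value)
    return stats

def diagnose(stats):
    """Classify a session (labels are this example's own, not Huawei's)."""
    sent = stats.get("Send Packets", 0)
    received = stats.get("Received Packets", 0)
    if stats.get("State") == "Up":
        return "up"
    if sent == 0:
        return "not-sending"      # local session is not transmitting at all
    if received == 0:
        # Sending but hearing nothing back: with ping working, suspect a device
        # on the path dropping BFD (single-hop BFD uses UDP destination port 3784).
        return "no-inbound-bfd"
    return "receiving-but-down"   # packets arrive; check session parameters instead

if __name__ == "__main__":
    s = parse_bfd_stats(SAMPLE)
    print(s, "->", diagnose(s))
```

Running the same check on both switches shows whether BFD packets are lost in one direction or both, which tells you which firewall policy direction is missing.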
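Solution
When there is a firewall in the transmission path, the firewall must have a policy permitting BFD protocol packets in both directions; otherwise the BFD session cannot be established.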
