Web pages open slowly on PCs connected behind an AR2240-S.

Published: 2016-02-06

Problem Description

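Product type: AR2240-S

Software version: V200R005C20SPC200

Network topology: The AR2240-S uses a static public IP address as its egress. The internal network connects to the AR router through a switch, the internal gateway is on the AR router, and hosts reach the public network through NAT on the outbound interface.

Fault symptom: Internal hosts load web pages very slowly.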

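Handling Process

1. Configured tcp adjust 1400 on the uplink port; there was a slight improvement, but it was not significant.

2. Checked CPU usage; it was normal.

3. Checked interface bandwidth usage; it was not high, and the interface mode was normal.

4. Checked NAT session resources; the upper limit had not been reached.

5. The diagnostic information showed that a large number of dns-reply messages were being dropped by cpcar: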

2016-2-6 05:06:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1751]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=13741)
2016-2-6 05:16:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1752]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=10879)
2016-2-6 05:26:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1753]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=32302)
2016-2-6 05:36:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1754]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=21678)
2016-2-6 05:46:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1755]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=790)
2016-2-6 05:56:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1756]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=29290)
2016-2-6 06:06:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1757]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=44849)


===============display cpu-defend statistics ===============
==================================================================
-----------------------------------------------------------------------
Packet Type               Pass Packets        Drop Packets
-----------------------------------------------------------------------
8021X                                0                   0
arp-miss                          6334                3973
arp-reply                          759                   0
arp-request                      68827                   0
dns-reply                      6530146             8981926
dns-request                     126452                   0
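
The following Python script, added here as an illustration and not part of the original case, parses the CPCAR_DROP_MPU messages and the display cpu-defend statistics rows shown above, converts each Drop-Count into an average dropped-packets-per-second figure, and flags packet types with a high drop ratio. It assumes each Drop-Count covers the interval since the previous message; the function names and the 5% threshold are illustrative choices.

```python
import re
from datetime import datetime

# CPCAR_DROP_MPU messages in the format shown in the case above.
LOG_RE = re.compile(
    r"^[ \t]*(\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2}:\d{2})\S*[ \t]+\S+[ \t]+%%01DEFD/4/"
    r"CPCAR_DROP_MPU.*?Packet-type=([\w-]+), Drop-Count=(\d+)\)", re.M)
# Data rows of "display cpu-defend statistics": type, pass count, drop count.
STAT_RE = re.compile(r"^[ \t]*([\w-]+)[ \t]+(\d+)[ \t]+(\d+)[ \t]*\r?$", re.M)

def drop_rates(log_text):
    """Return {packet_type: [(timestamp, dropped_packets_per_second), ...]}.
    Assumption: Drop-Count covers the time since the previous message."""
    last, rates = {}, {}
    for m in LOG_RE.finditer(log_text):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ptype, count = m.group(2), int(m.group(3))
        secs = (ts - last[ptype]).total_seconds() if ptype in last else 0
        if secs > 0:  # the first message per type has no known interval
            rates.setdefault(ptype, []).append((ts, count / secs))
        last[ptype] = ts
    return rates

def drop_ratios(stats_text, threshold=0.05):
    """Return {packet_type: drop_ratio} for types dropping more than threshold."""
    flagged = {}
    for m in STAT_RE.finditer(stats_text):
        passed, dropped = int(m.group(2)), int(m.group(3))
        total = passed + dropped
        if total and dropped / total > threshold:
            flagged[m.group(1)] = dropped / total
    return flagged

# Sample input excerpted from the log and statistics output in the case above.
LOGS = """\
2016-2-6 05:06:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1751]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=13741)
2016-2-6 05:16:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1752]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=10879)
2016-2-6 05:26:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1753]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=32302)
"""
STATS = """\
arp-miss                          6334                3973
dns-reply                      6530146             8981926
dns-request                     126452                   0
"""

if __name__ == "__main__":
    for ptype, samples in drop_rates(LOGS).items():
        print(ptype, [f"{pps:.1f} pps dropped" for _, pps in samples])
    print({t: f"{r:.1%}" for t, r in drop_ratios(STATS).items()})
```

The per-interval average smooths out bursts, so the peak rate of packets reaching the CPU can be well above what this figure suggests.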

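Root Cause

CPU attack defense is enabled by default, and the default upper limit on the rate of dns-reply messages sent to the CPU is 128. Packets exceeding this rate are dropped, so responses are not received when web pages are requested.

Solution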


The problem was resolved after increasing the rate-limit value for dns-reply in the CPU defense policy.

Commands:

cpu-defend policy dns
packet-type dns-reply rate-limit 512 
auto-defend enable
quit

cpu-defend-policy  dns
