Topology: 8016--MA5200F--L2--Router of J Company--PC. The router of J Company uses its built-in PPPoE dial-up and connects to the MA5200F. It has NAT enabled and provides network service to the attached PCs.
Phenomenon Description: The router of J Company attached to the MA5200F goes offline frequently. There is an offline record on the MA5200 every 10 seconds.
1. Check the users' offline reason on the MA5200F with display aaa offline-record. The reason is PPP user request: the users go offline because the user side actively requests it.
2. Run a trace on the MA5200F and check the users' online/offline sequence. Six seconds after authentication succeeds, the user sends terminate request packets for the link and goes offline. The handshake failure detection has not been reached by then, so the problem is not caused by PPP handshake failure.
3. Check the cause on the router. The router judges whether the link is normal based on DNS requests rather than PPP ECHO packets. The source port of the DNS request packets it sends is 53.
4. Capture packets. When the router dials PPP and comes online, its DNS request does not receive a response. Capture packets again and confirm that the DNS request is discarded at the S8016.
5. Change the related packet filtering policy on the S8016; after that the router's dial-up is normal.
Whether the link is usable should be judged from the PPP link maintenance packets, not from whether a DNS request packet gets a response, so the router's behavior does not comply with protocol standards. The source port of its DNS request is 53. When the company monitored the traffic, it mistakenly concluded that some people in the MAN had privately set up DNS servers, so a filter was set on the S8016 at the MAN egress for packets entering the MAN with destination port 53. As a result the router's DNS request is discarded (the DNS source port of common users cannot be 53). The router therefore perceives the PPP link as broken and redials, and the service is abnormal.
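The root cause above can be reproduced with a small model. This is an added example, not taken from the original case or from any device configuration: the Packet class, the function names and client port 40000 are hypothetical, and it assumes the DNS server sits upstream of the S8016 and that a DNS reply swaps the ports of the query.

```python
from dataclasses import dataclass

DNS_PORT = 53

@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    toward_man: bool  # True when the packet enters the MAN through the S8016

def s8016_filter_drops(pkt: Packet) -> bool:
    """Filter from the case: drop packets entering the MAN with destination port 53."""
    return pkt.toward_man and pkt.dst_port == DNS_PORT

def dns_exchange_completes(client_src_port: int) -> bool:
    """Send one query from inside the MAN and report whether an answer gets back."""
    # Assumption: the DNS server is upstream of the S8016, so the query leaves the MAN.
    query = Packet(client_src_port, DNS_PORT, toward_man=False)
    if s8016_filter_drops(query):
        return False
    # Assumption: the reply swaps the query's ports, so it is addressed to the
    # client's source port. For the router in this case that port is 53.
    reply = Packet(query.dst_port, query.src_port, toward_man=True)
    return not s8016_filter_drops(reply)

def link_judged_up(client_src_port: int, probe_by_dns: bool,
                   ppp_echo_ok: bool = True) -> bool:
    """Link verdict: the router in this case probes with DNS instead of PPP echo."""
    if probe_by_dns:
        return dns_exchange_completes(client_src_port)
    return ppp_echo_ok

if __name__ == "__main__":
    print("router, DNS probe from port 53:", link_judged_up(53, probe_by_dns=True))
    print("ordinary client, port 40000   :", dns_exchange_completes(40000))
    print("router, PPP echo keepalive    :", link_judged_up(53, probe_by_dns=False))
```

In this model only the client whose DNS source port is 53 loses its exchange, which is why ordinary users were unaffected while the router kept redialing.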