AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
IP Address Scanning Occurs

Common Causes

This fault is commonly caused by the following:

  • An attacker sends a large number of packets with unreachable destination addresses to the AR, and these packets trigger a large number of ARP Miss messages. The AR also sends ARP requests to trigger ARP learning, which results in high CPU usage.

Troubleshooting Flowchart

An attacker sends a large number of packets with unreachable destination addresses to the AR. The packets are sent to the CPU and trigger a large number of ARP Miss messages. The AR also sends ARP requests to trigger ARP learning, which results in high CPU usage.

Figure 22-11 shows the troubleshooting flowchart.

Figure 22-11 Troubleshooting flowchart for IP address scanning

Troubleshooting Procedure

NOTE:

Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.

Procedure

  1. Run the display cpu-usage command on the AR to check the CPU usage of the board.

    In the command output, ARP indicates the ARP packet processing task.

  2. Run the display arp command to view the learned ARP entries.

    If the MAC address in an ARP entry is in Incomplete state, the AR fails to learn the ARP entry.

    <Huawei> display arp 
    IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  
                                              VLAN/CEVLAN                           
    --------------------------------------------------------------------- 
    10.10.10.12    0018-82d2-0e08            I -         Vlanif10          
    10.10.10.13    Incomplete      0         D-0         Vlanif20   
                                              3004/-                                
    10.10.10.14    Incomplete      0         D-0         Eth2/0/0    
                                              3004/-                                
    20.20.20.33    000c-76bd-43d6            I -         Eth2/0/00         
    20.20.20.55    0013-7227-842f  17        D-0         Eth2/0/0         
    ...                                          3003/-                               
    

    Generally, the possible causes are: the AR fails to send ARP requests, the ARP requests are discarded during transmission, or no ARP reply is received. If the CPU usage of the ARP task is high, the AR fails to send ARP requests and generates ARP Miss messages. Go to step 3.

  3. Capture packets on the user-side interface and check the source addresses of IP packets.
  4. Run the display arp anti-attack configuration arpmiss-speed-limit command to view the configuration of ARP Miss suppression.

    • If a source IP address is specified in the ARP Miss suppression command, the AR checks whether the specified IP address is the source address of the received IP packets. If so, the AR limits the rate of ARP Miss messages based on the rate limit configured in this command. If not, the AR limits the rate of the ARP Miss messages based on the limit set in the command without a source IP address specified.
    • By default, ARP Miss suppression is enabled, and the maximum rate of ARP Miss messages is limited to 5 pps. When the rate of ARP Miss messages triggered by packets from the specified IP address exceeds the limit, the AR discards the packets sent from the IP address. You can change the rate limit for ARP Miss messages by running the arp-miss speed-limit source-ip command in the system view.

  5. Run the display arp anti-attack configuration arpmiss-rate-limit command on the AR to view the configuration of ARP Miss suppression.

    • If a large number of ARP Miss packets are triggered on an interface, in a VLAN, or on the entire device within a certain period, the AR is busy broadcasting ARP request packets and its performance deteriorates. After ARP Miss suppression is configured, the AR counts ARP Miss packets generated within a specified period and discards excess ARP Miss packets.
    • By default, the maximum rate of ARP Miss packets is 100 packets per second. To change the rate limit of ARP Miss packets, run the arp-miss anti-attack rate-limit command in the system view, VLAN view, or interface view.

  6. If the fault persists, collect the following information and contact technical support personnel:

    • Results of the preceding troubleshooting procedure
    • Configuration file, log file, and alarm file of the AR
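The following is an added example, not Huawei code: it correlates the saved display arp output from step 2 with the source and destination addresses read from the step 3 capture, to show which interface holds the Incomplete entries and which source is sweeping unresolved addresses. The sample data, the function names, the (source, destination) pair layout and the threshold of 3 are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, laid out like the display arp output in step 2.
DISPLAY_ARP = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
10.10.10.12     0018-82d2-0e08            I -         Vlanif10
10.10.10.13     Incomplete      0         D-0         Vlanif20
                                          3004/-
10.10.10.14     Incomplete      0         D-0         Eth2/0/0
                                          3004/-
10.10.10.15     Incomplete      0         D-0         Eth2/0/0
                                          3004/-
"""

# Constructed (source IP, destination IP) pairs read from a step 3 capture.
CAPTURE = [
    ("10.10.20.5", "10.10.10.13"), ("10.10.20.5", "10.10.10.14"),
    ("10.10.20.5", "10.10.10.15"),
    ("10.10.20.9", "10.10.10.12"), ("10.10.20.9", "10.10.10.14"),
]

# Assumed column order on an Incomplete row: IP, "Incomplete", EXPIRE, TYPE, INTERFACE.
ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})[ \t]+Incomplete[ \t]+\S+[ \t]+\S+[ \t]+(\S+)",
    re.MULTILINE,
)

def incomplete_entries(arp_text):
    """Map each IP whose MAC column reads Incomplete to its interface."""
    return dict(ROW.findall(arp_text))

def incomplete_by_interface(arp_text):
    """Count unresolved entries per interface to locate the ARP Miss load."""
    return Counter(incomplete_entries(arp_text).values())

def scanning_sources(arp_text, capture, threshold=3):
    """Return sources that sent to at least `threshold` distinct unresolved IPs."""
    unresolved = incomplete_entries(arp_text)
    hits = defaultdict(set)
    for src, dst in capture:
        if dst in unresolved:
            hits[src].add(dst)
    return {s: sorted(d) for s, d in hits.items() if len(d) >= threshold}
```

A source returned by scanning_sources is a candidate for the per-source limit configured with arp-miss speed-limit source-ip in step 4.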

Updated: 2019-08-09

Document ID: EDOC1000079719
