AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
Slow Web Page Access on a PC Connected to an AR

This section describes a troubleshooting case of slow web page access on a PC connected to an AR.

Networking

Figure 28-7  Networking of slow web page access on a PC connected to an AR

Fault Symptom

An internal PC connects to an AR through a switch and accesses the external network after NAT is performed on the egress interface on the AR (GE0/0/1). However, web page access is slow. According to logs on the AR, a large number of DNS Reply packets have been discarded because the CPU usage exceeded the upper threshold.

AR logs are displayed as follows:

<Huawei> display logbuffer 
2016-2-6 05:06:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1751]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=13741)  
2016-2-6 05:16:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1752]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=10879)  
2016-2-6 05:26:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1753]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=32302)  
2016-2-6 05:36:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1754]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=21678)  
2016-2-6 05:46:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1755]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=790)  
2016-2-6 05:56:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1756]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=29290)  
2016-2-6 06:06:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1757]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=44849) 
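
Log output like this can be summarised per packet type to show which CPCAR limit is being hit and how persistently. The following Python script is an added example, not part of the original Huawei document; the function name and the reading of Drop-Count as the number of packets dropped since the previous log entry are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Input copied from the display logbuffer output shown above.
SAMPLE_LOG = """\
<Huawei> display logbuffer
2016-2-6 05:06:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1751]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=13741)
2016-2-6 05:16:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1752]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=10879)
2016-2-6 05:26:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1753]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=32302)
2016-2-6 05:36:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1754]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=21678)
2016-2-6 05:46:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1755]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=790)
2016-2-6 05:56:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1756]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=29290)
2016-2-6 06:06:16+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1757]:Some packets are dropped by cpcar on the MPU. (Packet-type=dns-reply, Drop-Count=44849)
"""

# Timestamp (UTC offset ignored: all entries come from one device), packet type, count.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{1,2}-\d{1,2} \d{2}:\d{2}:\d{2})[+-]\d{2}:\d{2} .*?"
    r"CPCAR_DROP_MPU.*?\(Packet-type=(?P<ptype>[\w-]+), Drop-Count=(?P<count>\d+)\)"
)

def summarize_cpcar_drops(log_text):
    """Return {packet_type: stats} for the CPCAR_DROP_MPU entries in log_text."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # CLI prompts, blank lines, entries from other modules
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[m["ptype"]].append((ts, int(m["count"])))
    summary = {}
    for ptype, rows in events.items():
        rows.sort()
        counts = [c for _, c in rows]
        # Assumption: each Drop-Count covers the time since the previous entry,
        # so count / interval is the average rate dropped above the limit.
        rates = [c / (t - prev_t).total_seconds()
                 for (prev_t, _), (t, c) in zip(rows, rows[1:]) if t > prev_t]
        summary[ptype] = {
            "entries": len(rows),
            "total_dropped": sum(counts),
            "peak_dropped": max(counts),
            "peak_drops_per_sec": round(max(rates), 1) if rates else None,
        }
    return summary

if __name__ == "__main__":
    for ptype, stats in summarize_cpcar_drops(SAMPLE_LOG).items():
        print(ptype, stats)
```

A packet type that appears in every reporting interval, as dns-reply does here, points to a limit that is too low for normal traffic rather than a single burst. The per-second figure is an average over the interval, so short peaks can be much higher.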

Fault Analysis

  1. Check whether the fault is caused by packet fragmentation. Run the tcp adjust-mss 1400 command on the uplink interface GE0/0/1 to change the maximum segment size (MSS) of TCP packets to 1400. No obvious improvement is observed.

  2. Check whether the CPU usage is normal. Run the display cpu-usage command. The command output shows that the CPU usage is normal.

  3. Check whether the interface bandwidth usage is normal and whether the uplink egress works in full-duplex mode. Run the display interface GigabitEthernet 0/0/1 command. The command output shows that the interface bandwidth usage is normal and the interface works in full-duplex mode.

  4. Check whether the number of NAT sessions exceeds the upper threshold. Run the display nat session number command. The command output shows that the number of NAT sessions does not exceed the upper threshold.

  5. Check whether the rate of sending DNS Reply packets to the CPU exceeds the upper threshold. Run the packet-type dns-reply rate-limit 512 command to change the rate limit for DNS Reply packets sent to the CPU to 512. The test result shows that the web page access speed becomes normal. The fault has been rectified.

    Summary: The attack defense policy named default is generated automatically by the system and is applied to all cards on the AR. In this default policy, the rate limit for DNS Reply packets sent to the CPU is 128, and packets sent at a rate higher than this limit are discarded. As a result, internal PCs fail to receive response packets and web page access is slow.

Procedure

  1. Create an attack defense policy.

    <Huawei> system-view
    [Huawei] cpu-defend policy dns

  2. Configure the rate limit for sending DNS Reply packets to the CPU.

    [Huawei-cpu-defend-policy-dns] packet-type dns-reply rate-limit 512
    [Huawei-cpu-defend-policy-dns] auto-defend enable
    [Huawei-cpu-defend-policy-dns] quit

  3. Apply the attack defense policy.

    [Huawei] cpu-defend-policy dns
    [Huawei] cpu-defend-policy dns global

Conclusions and Suggestions

On a network, a large number of packets, including attack packets, are sent to the CPU. Excess packets sent to the CPU cause high CPU usage and affect service processing. In this case, you are advised to create an attack defense policy and configure a rate limit for a specified type of protocol packets in the policy to minimize the impact on the CPU. By default, the rate limits for protocol packets in the default policy are applied on the AR. Typically, the rates specified in the default policy are small. You can run the packet-type packet-type rate-limit rate-value command to configure the rate limit for a specified type of protocol packets as required.

Updated: 2019-05-10

Document ID: EDOC1000079719
