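After dual-egress outbound link load balancing was configured on site, testing passed. However, once one link went down, internal PCs could no longer ping 114; as soon as the virtual server was disabled, connectivity returned. The initial judgment was therefore that LB was the cause.
The site has two egress links, one PPPoE and one with a fixed IP. Under normal conditions access works fine. After the dial-up interface is taken down, the internal network cannot ping 114.
NQA probing was the first suspect, so the virtual server state and the link state were checked.
The virtual server shows nothing abnormal.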
[FW]display virtual-server
Virtual server: test_pppoe
Description:
Type: LINK-IP
State: Active
VPN instance:
Virtual IPv4 address: 0.0.0.0/0
Virtual IPv6 address: --
Port: 0 (any port)
Primary link group:
Backup link group:
Primary sticky:
Backup sticky:
LB policy: test
LB limit-policy:
Connection limit: --
Rate limit:
Connections: --
Bandwidth: --
Inbound bandwidth: --
Outbound bandwidth: --
Connection synchronization: Disabled
Sticky synchronization: Disabled
Bandwidth busy protection: Disabled
Interface bandwidth statistics: Disabled
Route advertisement: Disabled
Checking the link-group state: the original dial-up interface has also failed its probe and switched over to the other interface.
[FW] dis loadbalance link-group
Link group: lg1
Description:
Predictor: Round robin
Proximity: Disabled
NAT: Disabled
SNAT pool:
Failed action: Keep
Active threshold: Disabled
Slow-online: Disabled
Selected link: Disabled
Probe information:
Probe success criteria: All
Probe method:
Total link: 1
Active link: 0
Link list:
Name State VPN instance Router IP/Interface Weight Priority
pppoe Probe-failed Dialer0 100 4
Link group: lg2
Description:
Predictor: Round robin
Proximity: Disabled
NAT: Disabled
SNAT pool:
Failed action: Keep
Active threshold: Disabled
Slow-online: Disabled
Selected link: Disabled
Probe information:
Probe success criteria: All
Probe method:
Total link: 1
Active link: 1
Link list:
Name State VPN instance Router IP/Interface Weight Priority
iplink Active 59.40.185.174 100 4
Looking for the corresponding session: none is found.
<FW>display session table ipv4 source-ip 192.x.x.88 destination-ip 114.114.114.114
Slot 1:
Total sessions found: 0
With debug ip packet enabled, the IP packet can be seen arriving at the FW.
<FW>debugging
*Jul 18 19:10:04:200 2021 FW IPFW/7/IPFW_PACKET: -COntext=1;
Receiving, interface = Vlan-interface100
version = 4, headlen = 20, tos = 0
pktlen = 81, pktid = 48149, offset = 0, ttl = 128, protocol = 17
checksum = 34112, s = 10.x.x.88, d = 114.114.114.114
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Vlan-interface100.
Payload: UDP
source port = 64053, destination port = 53
checksum = 0xde2d, length = 61.
Next, debug ip info shows that the packet was dropped, so the LB debug output was checked.
*Jul 18 19:12:53:555 2021 FW IPFW/7/IPFW_INFO: -COntext=1;
MBUF was intercepted! Phase Num is 1(pre routing), Service ID is 26(lb), Bitmap is 2000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Vlan-interface100,
s= 10.x.x.88, d= 114.114.114.114, protocol= 17, pktid = 48265.
The LB debug shows that the link selection call failed, so attention returned to the configuration.
*Jul 18 19:24:49:147 2021 FW LB/7/PACKET: -COntext=1; Input packet matched virtual server test_pppoe: Pro=17, Src=10.x.x.88/59793, Dst=114.114.114.114/53, ID=48556.
*Jul 18 19:24:49:147 2021 FW LB/7/PACKET: -COntext=1; Link group is selected according to policy: Pro=17, Src=10.x.x.88/59793, Dst=114.114.114.114/53, ID=48556.
*Jul 18 19:24:49:147 2021 FW LB/7/ERROR: -COntext=1; Failed to select link according to predictor: Pro=17, Src=10.x.x.88/59793, Dst=114.114.114.114/53, ID=48556.
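The site configuration defines two link groups, and both classes match the same ACL (acl 3009). All traffic therefore matches the lg1 rule first, that is, the rule for the dial-up interface, and the dial-up action is executed. Even though the dial-up interface has already failed its probe, the lookup rule for link failure applies: by default, when no available link is found according to the current action, the next referenced rule is not matched. This is what produces the failed call.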
#
loadbalance link-group lg1
transparent enable
#
loadbalance link-group lg2
transparent enable
#
loadbalance class iplink type link-generic match-any
match 1 acl 3009
#
loadbalance class pppoe type link-generic match-any
match 1 acl 3009
#
loadbalance action iplink type link-generic
link-group lg2
#
loadbalance action pppoe type link-generic
link-group lg1
#
loadbalance policy test type link-generic
class pppoe action pppoe
class iplink action iplink
default-class action iplink
#
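The fix is to change the link-lookup-failure behaviour so that matching continues with the next rule.
(1) Enter system view.
system-view
(2) Enter load balancing action view.
loadbalance action action-name
(3) Configure the device to continue matching the next referenced rule when link lookup fails.
fallback-action continue
By default, when no available link is found according to the current action, the next referenced rule is not matched.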
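Added example, not part of the original case or vendor code: a small Python check that parses the class/action/policy sections of the configuration above and reports policy rules hidden behind an earlier rule that matches the same ACLs and whose action lacks fallback-action continue. It assumes match-any classes and compares ACL numbers only, not ACL contents; the function names are hypothetical.

```python
import re

# Constructed input: class/action/policy sections of the configuration in this case.
CONFIG = """
loadbalance class iplink type link-generic match-any
 match 1 acl 3009
loadbalance class pppoe type link-generic match-any
 match 1 acl 3009
loadbalance action iplink type link-generic
 link-group lg2
loadbalance action pppoe type link-generic
 link-group lg1
loadbalance policy test type link-generic
 class pppoe action pppoe
 class iplink action iplink
 default-class action iplink
"""

def parse(text):
    """Return (class -> ACL set, action -> has fallback continue, policy -> ordered rules)."""
    acls, fallback, rules = {}, {}, {}
    kind = name = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("#", "loadbalance ")):  # a new section ends the previous one
            m = re.match(r"loadbalance (class|action|policy) (\S+)", line)
            kind, name = m.groups() if m else (None, None)
            if kind:
                {"class": acls, "action": fallback, "policy": rules}[kind][name] = (
                    set() if kind == "class" else False if kind == "action" else [])
        elif kind == "class" and (m := re.match(r"match \d+ acl (\d+)", line)):
            acls[name].add(m.group(1))
        elif kind == "action" and line == "fallback-action continue":
            fallback[name] = True
        elif kind == "policy" and (m := re.match(r"class (\S+) action (\S+)", line)):
            rules[name].append(m.groups())  # default-class lines are not modelled
    return acls, fallback, rules

def shadowed_rules(text):
    """List (policy, earlier class, later class) where the later rule is never reached."""
    acls, fallback, rules = parse(text)
    findings = []
    for policy, ordered in rules.items():
        for i, (first, action) in enumerate(ordered):
            if fallback.get(action):
                continue  # link lookup failure falls through to the next rule
            for later, _ in ordered[i + 1:]:
                if acls.get(later) and acls[later] <= acls.get(first, set()):
                    findings.append((policy, first, later))
    return findings
```

Run against the configuration as shown, shadowed_rules(CONFIG) reports the iplink rule as hidden behind pppoe in policy test; after fallback-action continue is added under action pppoe, the report is empty.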
Two methods:
1.
2.