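A customer uses our T5000 series product as the network egress device, providing the basic functions of security policy protection and NAT address translation.
Not applicable.
During use, Internet access is occasionally slow and pings to the external network lose packets. After ping and traceroute tests, the fault was initially located to the egress security device. Device diagnostic information and the corresponding logfile and diagfile were collected while the fault was occurring.
Based on the reported symptoms, packets were first captured on the internal and external interfaces to confirm whether this device was dropping packets. The captures confirmed a small amount of loss as traffic passed through the device, so the device is the cause of the loss. Packet loss on a security device generally has two possible causes. One is error packets on an interface, so check the interface error counters. The input and output error counts on the interface are both 0, so this is not an error-packet problem: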
Bridge-Aggregation3
Current state: UP
Line protocol state: UP
IP packet frame type: Ethernet II, hardware address: b044-1474-6847
Description: S6800_TO_M9K-downlink
Bandwidth: 10000000 kbps
10Gbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
PVID: 2
Port link-type: Access
Tagged VLANs: None
Untagged VLANs: 2
Last clearing of counters: Never
Last 300 second input: 1569 packets/sec 1025963 bytes/sec 0%
Last 300 second output: 1602 packets/sec 179524 bytes/sec 0%
Input (total): 156597256 packets, 50122688398 bytes
156578555 unicasts, 63 broadcasts, 18638 multicasts, 0 pauses
Input (normal): 156597256 packets, 50122688398 bytes
156578555 unicasts, 63 broadcasts, 18638 multicasts, 0 pauses
Input: 0 input errors, 0 runts, 0 giants, - throttles
0 CRC, 0 frame, 0 overruns, 0 aborts
0 ignored, - parity errors
Output (total): 189970979 packets, 52781619828 bytes
189952339 unicasts, 18 broadcasts, 18622 multicasts, 0 pauses
Output (normal): 189970979 packets, 52781619828 bytes
189952339 unicasts, 18 broadcasts, 18622 multicasts, 0 pauses
Output: 0 output errors, 0 underruns, - buffer failures
0 aborts, 0 deferred, 0 collisions, 0 late collisions
0 lost carrier, 0 no carrier
Next, check the device's CPU and memory usage; both are within the normal range.
===============display cpu===============
Slot 1 CPU 0 CPU usage:
14% in last 5 seconds
10% in last 1 minute
11% in last 5 minutes
===============display memory===============
Memory statistics are measured in KB:
Slot 1:
Total Used Free Shared Buffers Cached FreeRatio
Mem: 16412820 7667052 8745768 0 8028 781196 56.1%
-/+ Buffers/Cache: 6877828 9534992
Swap: 0 0 0
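The display process output shows that kdrvdp3 has reached 2.0, which largely confirms that the packet loss is caused by a single CPU core being intermittently busy.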
484 484 0.0 0.0 D 115 - 00:39:04 [kdrvdp0]
485 485 0.0 0.0 D 115 - 01:18:21 [kdrvdp1]
486 486 0.0 0.0 D 115 - 01:19:15 [kdrvdp2]
487 487 2.0 0.0 D 115 - 01:11:06 [kdrvdp3]
488 488 0.2 0.0 R 115 - 00:43:05 [kdrvdp4]
489 489 0.1 0.0 R 115 - 00:44:14 [kdrvdp5]
490 490 0.1 0.0 R 115 - 00:42:13 [kdrvdp6]
491 491 0.2 0.0 R 115 - 00:42:28 [kdrvdp7]
492 492 0.2 0.0 R 115 - 00:44:38 [kdrvdp8]
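The check made by eye above can be scripted against a collected diagnostic file. The following is an added example, not part of the original case or a vendor tool: it parses the kdrvdp lines shown on this page and flags a forwarding thread whose CPU share stands far above its peers. It assumes the third column is %CPU (as the case reads it); the `ratio` and `floor` thresholds are illustrative assumptions.

```python
import re
from statistics import mean, median

# Lines copied from the display process output on this page.
SAMPLE = """\
484 484 0.0 0.0 D 115 - 00:39:04 [kdrvdp0]
485 485 0.0 0.0 D 115 - 01:18:21 [kdrvdp1]
486 486 0.0 0.0 D 115 - 01:19:15 [kdrvdp2]
487 487 2.0 0.0 D 115 - 01:11:06 [kdrvdp3]
488 488 0.2 0.0 R 115 - 00:43:05 [kdrvdp4]
489 489 0.1 0.0 R 115 - 00:44:14 [kdrvdp5]
490 490 0.1 0.0 R 115 - 00:42:13 [kdrvdp6]
491 491 0.2 0.0 R 115 - 00:42:28 [kdrvdp7]
492 492 0.2 0.0 R 115 - 00:44:38 [kdrvdp8]
"""

NAME_RE = re.compile(r"^\[(kdrvdp\d+)\]$")

def parse_kdrvdp(text):
    """Return [(thread_name, cpu_percent)] for every kdrvdp line in the text."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9:
            continue  # not a process row in the layout shown on this page
        m = NAME_RE.match(fields[8])
        if not m:
            continue  # some other process
        try:
            rows.append((m.group(1), float(fields[2])))  # assumption: 3rd column is %CPU
        except ValueError:
            continue
    return rows

def hot_threads(rows, ratio=4.0, floor=1.0):
    """Names of threads at or above `floor` %CPU and `ratio` times the median of the others."""
    hot = []
    for i, (name, cpu) in enumerate(rows):
        others = [c for j, (_, c) in enumerate(rows) if j != i]
        if not others:
            continue
        baseline = max(median(others), 0.1)  # avoid a zero baseline when peers are idle
        if cpu >= floor and cpu >= ratio * baseline:
            hot.append(name)
    return hot

if __name__ == "__main__":
    rows = parse_kdrvdp(SAMPLE)
    print("mean %CPU per thread:", round(mean(c for _, c in rows), 2))
    print("hot threads:", hot_threads(rows))
```

The per-thread mean stays low even while one thread is flagged, which is why the overall display cpu figures looked normal in this case.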
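Changing from per-flow forwarding to per-packet forwarding avoids the high single-core CPU usage; also disable the DPI function to reduce the load on the device.
The command is forwarding policy per-packet. Test services after the change. Note that per-packet mode may cause packet reordering, so make the change according to the actual service conditions on site. In general, per-flow forwarding is still recommended.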