无
现网中两台F1080防火墙做堆叠部署,运行中发现过防火墙PING 1474以上的数据包出现丢包问题,但是PING小包却无丢包。
一、设备配置排查
#
interface Reth1
description To H3C交换
ip address 172.15.11.17 255.255.255.252
member interface Ten-GigabitEthernet1/0/25 priority 255
member interface Ten-GigabitEthernet2/0/25 priority 50
#
interface Reth2
description To 华为交换
ip address 172.15.11.22 255.255.255.252
member interface Ten-GigabitEthernet1/0/24 priority 255
member interface Ten-GigabitEthernet2/0/24 priority 50
#
redundancy group zhengtiqiehuan
member interface Reth1
member interface Reth2
node 1
bind slot 1
priority 100
track 1 interface Ten-GigabitEthernet1/0/24
track 2 interface Ten-GigabitEthernet1/0/25
node 2
bind slot 2
priority 50
track 3 interface Ten-GigabitEthernet2/0/24
track 4 interface Ten-GigabitEthernet2/0/25
#
session synchronization enable
配置排查安全域、冗余组、会话均没有发现问题,但是在排查到Reth1接口时,发现入方向存在大量丢包。
Reth1
Current state: UP
Line protocol state: UP
Description: To NHX_YJ_F5_SW_S10510-2
Bandwidth: 10000000 kbps
Maximum transmission unit: 1500
Internet address: 172.15.11.17/30 (primary)
IP packet frame type: Ethernet II, hardware address: 38ad-8ed3-d138
IPv6 packet frame type: Ethernet II, hardware address: 38ad-8ed3-d138
Physical: Reth, baudrate: 10000000 kbps
Last clearing of counters: Never
Last 300 seconds input rate: 2362274 bytes/sec, 18898192 bits/sec, 9156 packets/sec
Last 300 seconds output rate: 4759888 bytes/sec, 38079104 bits/sec, 9962 packets/sec
Input: 19747326138 packets, 7782643517525 bytes, 7569606 drops
Output: 23322478643 packets, 17903881878502 bytes, 0 drops
初步怀疑可能与两端设备的报文分片有关,随机排查交换机、防火墙互联接口状态。
防火墙:
Ten-GigabitEthernet1/0/25
Current state: UP
Line protocol state: UP
Description: Ten-GigabitEthernet1/0/25 Interface
Bandwidth: 10000000 kbps
Maximum transmission unit: 1500
Internet protocol processing: Disabled
交换机:
Vlan-interface51
Current state: UP
Line protocol state: UP
Description: to SHX_FW_H3C_F1080
Bandwidth: 10000000 kbps
Maximum transmission unit: 1500
Internet address: 172.15.11.18/30 (primary)
两端接口MTU等信息完全一致,所以此问题应该不是出在报文分片上。
二、抓包分析
在电脑丢包时进行抓包,发现很多丢包都是因为数据分片无法重组导致的丢包。Fragment reassembly time exceeded表示这个包的发送方之前收到了一些分片,但是由于某些原因迟迟无法组装起来。注:可能看到Time-to-live有些人会想到TTL超时,进而错误分析出路由环路的结论,一定要注意括号里面的内容。
这里想到V7防火墙是多核多线程的转发原理,也就是平时在设备上看到2-15都是属于转发核参与数据转发的。Comware V5\V7早期版本是逐包转发的,也就是数据包
备分片后可能通过不同VCPU处理,进而导致数据过防火墙后无法重组,所以将防火墙改为逐流模式就可以解决此问题。
===============display process cpu slot 1===============
CPU utilization in 5 secs: 7.9%; 1 min: 4.2%; 5 mins: 5.3%
JID 5Sec 1Min 5Min Name
171 0.0% 0.0% 0.0% [kdrvcp0]
172 0.0% 0.0% 0.0% [kdrvcp1] \\控制核
173 0.2% 0.0% 0.0% [kdrvdp2] \\转发核
174 0.0% 0.0% 0.0% [kdrvdp3]
175 0.0% 0.1% 0.3% [kdrvdp4]
176 0.1% 0.0% 0.0% [kdrvdp5]
177 0.0% 0.0% 0.1% [kdrvdp6]
178 0.2% 0.0% 0.1% [kdrvdp7]
179 0.0% 0.0% 0.0% [kdrvdp8]
180 0.2% 0.0% 0.1% [kdrvdp9]
181 0.4% 0.0% 0.2% [kdrvdp10]
182 0.1% 0.0% 0.1% [kdrvdp11]
183 0.0% 0.0% 0.0% [kdrvdp12]
184 0.1% 0.2% 0.0% [kdrvdp13]
185 0.1% 0.0% 0.0% [kdrvdp14]
186 0.0% 0.1% 0.1% [kdrvdp15]
防火墙的逐流模式也称为五元组模式,即匹配报文五元祖后上送同一个VCPU进行处理,从而规避数据分片后报文经过多个VCPU导致重组异常问题。
修改逐流模式的命令命令:
<H3C> system-view
[H3C] forwarding policy per-flow
该案例暂时没有网友评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作