
HUAWEI NetEngine5000E Core Router

V800R002C01
Troubleshooting - Security
Issue 01
Date 2011-10-15
HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.






Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2011-10-15) Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
i
About This Document
Intended Audience
This document describes the troubleshooting workflow and methods for the HUAWEI
NetEngine5000E across its various services, including information collection methods, common
processing flows, common troubleshooting methods, and troubleshooting cases.
This document is intended for:
- System maintenance engineers
- Commissioning engineers
- Network monitoring engineers
Related Versions (Optional)
The following table lists the product versions related to this document.
Product Name: HUAWEI NetEngine5000E Core Router
Version: V800R002C01

Symbol Conventions
The symbols that may be found in this document are defined as follows (the symbol images are
not reproduced in this text version; only their descriptions follow).
Symbol Description
- Alerts you to a high risk hazard that could, if not avoided, result in serious injury or death.
- Alerts you to a medium or low risk hazard that could, if not avoided, result in moderate or minor injury.
- Alerts you to a potentially hazardous situation that could, if not avoided, result in equipment damage, data loss, performance deterioration, or unanticipated results.
- Provides a tip that may help you solve a problem or save time.
- Provides additional information to emphasize or supplement important points in the main text.

Command Conventions (Optional)
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Changes in Issue 01 (2011-10-15)
The initial commercial release.
Contents
About This Document.....................................................................................................................ii
1 AAA and User Management Troubleshooting........................................................................1
1.1 Users Cannot Get Online....................................................................................................................................2
1.1.1 Common Causes........................................................................................................................................2
1.1.2 Troubleshooting Procedure........................................................................................................................2
1.1.3 Relevant Alarms and Logs........................................................................................................................5
1.2 User Fails to Authenticate through HWTACACS Server..................................................................................5
1.2.1 Common Causes........................................................................................................................................5
1.2.2 Troubleshooting Flowchart........................................................................................................................5
1.2.3 Troubleshooting Procedure........................................................................................................................6
1.2.4 Relevant Alarms and Logs........................................................................................................................8
1.3 User Fails to do Authorization through HWTACACS Server...........................................................................9
1.3.1 Common Causes........................................................................................................................................9
1.3.2 Troubleshooting Flowchart........................................................................................................................9
1.3.3 Troubleshooting Procedure......................................................................................................................10
1.3.4 Relevant Alarms and Logs......................................................................................................................12
1.4 User Fails to do Accounting through HWTACACS Server.............................................................................13
1.4.1 Common Causes......................................................................................................................................13
1.4.2 Troubleshooting Flowchart......................................................................................................................13
1.4.3 Troubleshooting Procedure......................................................................................................................14
1.4.4 Relevant Alarms and Logs......................................................................................................................16
1.5 User Fails to Authenticate through RADIUS Server........................................................................................17
1.5.1 Common Causes......................................................................................................................................17
1.5.2 Troubleshooting Flowchart......................................................................................................................17
1.5.3 Troubleshooting Procedure......................................................................................................................19
1.5.4 Relevant Alarms and Logs......................................................................................................................20
1.6 User Fails to do Accounting through RADIUS Server....................................................................................21
1.6.1 Common Causes......................................................................................................................................21
1.6.2 Troubleshooting Flowchart......................................................................................................................21
1.6.3 Troubleshooting Procedure......................................................................................................................23
1.6.4 Relevant Alarms and Logs......................................................................................................................24
2 Local Attack Defense Troubleshooting...................................................................................25
2.1 Management Plane Protection Malfunctions....................................................................................................26
2.1.1 Common Causes......................................................................................................................................26
2.1.2 Troubleshooting Procedure......................................................................................................................26
3 URPF Troubleshooting...............................................................................................................28
3.1 URPF Check Fails............................................................................................................................................29
3.1.1 Common Causes......................................................................................................................................29
3.1.2 Troubleshooting Flowchart......................................................................................................................29
3.1.3 Troubleshooting Procedure......................................................................................................................30
3.1.4 Relevant Alarms and Logs......................................................................................................................30
1 AAA and User Management Troubleshooting
About This Chapter
This chapter describes common causes of AAA faults, and provides the corresponding
troubleshooting flowchart, troubleshooting procedure, alarms, and logs.
1.1 Users Cannot Get Online
This section describes the causes of users' failures to get online, and provides detailed
troubleshooting procedures.
1.2 User Fails to Authenticate through HWTACACS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user
fails to authenticate through HWTACACS server.
1.3 User Fails to do Authorization through HWTACACS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user
fails to do authorization through HWTACACS server.
1.4 User Fails to do Accounting through HWTACACS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user
fails to do accounting through HWTACACS server.
1.5 User Fails to Authenticate through RADIUS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user
fails to authenticate through RADIUS server.
1.6 User Fails to do Accounting through RADIUS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user
fails to do accounting through RADIUS server.
1.1 Users Cannot Get Online
This section describes the causes of users' failures to get online, and provides detailed
troubleshooting procedures.
1.1.1 Common Causes
If users cannot get online, run the display aaa online-fail-record command in any view and check
the value of the User online fail reason field.
To rectify the fault, see the troubleshooting procedure in 1.1.2 Troubleshooting Procedure.
Error Prompt
- Server return fail
- Username or password wrong
- Max users (Pending Requests) Reached
- Server no response
- User access type not match service type
- Domain was blocked
- Protocol authorize fail
- User was blocked

1.1.2 Troubleshooting Procedure
Collect log messages and contact Huawei technical personnel.
Error Prompt: Server return fail
Common Causes: The RADIUS or HWTACACS server returns an authentication failure message.
Troubleshooting Procedure: For details, see RADIUS or HWTACACS server troubleshooting.

Error Prompt: Username or password wrong
Common Causes: The user name or password is incorrect.
Troubleshooting Procedure:
1. Contact the device administrator to confirm whether the user name is valid and the password is correct.
2. If the user name is invalid or the password is incorrect, contact the device administrator to add a valid user name or provide the correct password.
3. If the user name is valid and the password is correct, contact Huawei technical personnel.

Error Prompt: Max users (Pending Requests) Reached
Common Causes: The RADIUS server is connected to the maximum number of users.
Troubleshooting Procedure: For details, see RADIUS or HWTACACS server troubleshooting.

Error Prompt: Server no response
Common Causes: The RADIUS or HWTACACS server returns an error message or does not respond.
Troubleshooting Procedure: For details, see RADIUS or HWTACACS server troubleshooting.

Error Prompt: User access type not match service type
Common Causes: The user access type differs from the configured service type.
Troubleshooting Procedure:
1. Run the display local-user command to check whether the user's service type is the same as the user's access type. For example, the access type of users who log in to the device by means of Telnet must be Telnet.
2. If the access type differs from the service type, contact the device administrator to change the service type of the user.
3. If the access type is the same as the service type, contact Huawei technical personnel.

Error Prompt: Domain was blocked
Common Causes: The domain is blocked.
Troubleshooting Procedure:
1. Run the display domain command to check whether the domain to which the user belongs is in the Block state.
2. If the domain is in the Block state, contact the device administrator to change the state to Active.
3. If the domain is not in the Block state, contact Huawei technical personnel.

Error Prompt: Protocol authorize fail
Common Causes: Protocol authorization fails.
Troubleshooting Procedure: For details, see RADIUS or HWTACACS server troubleshooting.

Error Prompt: User was blocked
Common Causes: The user is blocked.
Troubleshooting Procedure:
1. Run the display local-user command to check whether the user is in the Block state.
2. If the user is in the Block state, contact the device administrator to change the state to Active.
3. If the user is not in the Block state, contact Huawei technical personnel.

Error Prompt: Domain not exist
Common Causes: The domain does not exist.
Troubleshooting Procedure:
1. If the user name contains @, the part before @ is the user name and the part after @ is the domain name. If the user name does not contain @, the entire string is the user name and the domain is the default one, whose name is default.
2. Run the display domain command to check whether the domain to which the user belongs exists.
3. If the domain does not exist, contact the device administrator to add a new domain.
4. If the domain exists, contact Huawei technical personnel.
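The device-side checks in this table (the user-name/domain split from the "Domain not exist" row, the Block-state checks made with display domain and display local-user, and the access-type comparison) can be run together as one triage routine. The following Python script is an added example written for this page; it is not part of the Huawei document and does not talk to a router. Its domain and local-user inventories are constructed sample data standing in for what display domain and display local-user show, the function names split_user_domain and diagnose are the example's own, and the order in which the checks run is an assumption, since the table does not prescribe one.

```python
"""Triage helper for the 'Users Cannot Get Online' table.

Added example, not part of the Huawei document.  It reproduces the
user-name/domain rule from the "Domain not exist" row and the Block-state
and service-type checks from the "Domain was blocked", "User was blocked"
and "User access type not match service type" rows.
"""

DEFAULT_DOMAIN = "default"


def split_user_domain(login_name):
    """Apply the page's rule: 'user@domain' -> (user, domain); a name
    without '@' belongs to the default domain.
    Assumption: a name with more than one '@' is split at the first one."""
    user, sep, domain = login_name.partition("@")
    if not sep:
        return user, DEFAULT_DOMAIN
    return user, domain


# Constructed inventories standing in for 'display domain' and
# 'display local-user' output on a real device.
DOMAINS = {"default": "Active", "corp": "Active", "legacy": "Block"}
LOCAL_USERS = {
    "alice": {"state": "Active", "service_type": "telnet"},
    "bob": {"state": "Block", "service_type": "ssh"},
    "carol": {"state": "Active", "service_type": "ftp"},
}


def diagnose(login_name, access_type, domains=DOMAINS, users=LOCAL_USERS):
    """Return the table's error prompt that the device-side state explains,
    or 'OK' when no local check fails (the remaining prompts in the table
    are server-side and need the RADIUS/HWTACACS procedures).
    Check order is an assumption: domain first, then the user record."""
    user, domain = split_user_domain(login_name)
    if domain not in domains:
        return "Domain not exist"
    if domains[domain] == "Block":
        return "Domain was blocked"
    if user not in users:
        # An unknown local user name is the 'user name is invalid' case.
        return "Username or password wrong"
    record = users[user]
    if record["state"] == "Block":
        return "User was blocked"
    if record["service_type"] != access_type.lower():
        return "User access type not match service type"
    return "OK"


if __name__ == "__main__":
    for name, access in [("alice@corp", "telnet"), ("alice@nowhere", "telnet"),
                         ("alice@legacy", "telnet"), ("bob", "ssh"),
                         ("carol", "telnet"), ("dave", "telnet")]:
        print(f"{name:15s} via {access:6s} -> {diagnose(name, access)}")
```

Each prompt returned by diagnose maps directly to a row of the table above, so the operator knows which procedure to follow; a result of OK means the cause is not visible in the local user and domain tables and the server-side rows apply.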

1.1.3 Relevant Alarms and Logs
Relevant Alarms
None
Relevant Logs
None
1.2 User Fails to Authenticate through HWTACACS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user
fails to authenticate through HWTACACS server.
1.2.1 Common Causes
A user's failure to authenticate through the HWTACACS server is commonly caused by one of the
following:
- The route is unreachable, and the user cannot set up a UDP connection with the server.
- HWTACACS services are not enabled.
- HWTACACS is not configured as the authentication-mode under the AAA authentication scheme.
- The IP address and port configured for the HWTACACS authentication server on the NAS are
incorrect.
- The shared key configured on the HWTACACS server does not match the one on the NAS.
1.2.2 Troubleshooting Flowchart
Figure 1-1 Troubleshooting flowchart for the fault that the user fails to authenticate through
HWTACACS server
(Flowchart image not reproduced. Starting from "User fails to authenticate through HWTACACS
server", the decision nodes are: Whether the client can successfully ping the server? -> Is
HWTACACS client enabled? -> Is HWTACACS configured as authentication-mode under AAA
authentication scheme? -> Is IP address and port configured for HWTACACS server in the NAS?
A "No" at a node leads to the matching action: check why the ping operation fails and rectify
the fault; enable the HWTACACS client; configure the authentication-mode under the AAA
authentication scheme; configure the IP address and port for the HWTACACS server in the NAS.
Each action is followed by "Is the fault rectified?": "Yes" leads to End, "No" leads to
contacting Huawei technical support personnel for results, configuration files, log files,
and alarm files of the devices.)

1.2.3 Troubleshooting Procedure
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode
to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the
immediate validation mode.
- In immediate validation mode, configurations take effect after commands are input and the Enter key
is pressed.
- In two-phase validation mode, after commands are configured, the commit command needs to be run
to commit the configurations.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check the network connectivity.
Run the ping command to check the network connectivity.
- If the ping fails, the network connection cannot be established. To locate and rectify the fault,
see The Ping Operation Fails.
- If the ping succeeds, go to Step 2.
Step 2 Check that the HWTACACS client is enabled.
Run the display hwtacacs current-status command to view the current status of HWTACACS
client.
<HUAWEI> display hwtacacs current-status
-------------------------------------------------
HWTACACS service status : Disabled
Total templates configured : 0
Total servers configured : 0
-------------------------------------------------
NOTE
If the HWTACACS client is enabled, go to Step 3.
The command output shows that the HWTACACS client is not enabled. Users can authenticate
through the HWTACACS server only after the HWTACACS client is enabled on the system. Run the
hwtacacs enable command to enable the HWTACACS client.
<HUAWEI> system-view
[~HUAWEI] hwtacacs enable
[~HUAWEI] commit
Step 3 Check that HWTACACS is configured as the authentication-mode under the AAA authentication scheme.
Run the display authentication-scheme command to view the configuration of the AAA
authentication scheme.
[~HUAWEI] display authentication-scheme
---------------------------------------------------------------------------
Vr-id Authentication-scheme-name Authentication-method
---------------------------------------------------------------------------
0 default local
0 auth hwtacacs
---------------------------------------------------------------------------
If HWTACACS is not configured as the authentication-mode under the AAA authentication scheme,
go to Step 4; otherwise, go to Step 5.
Step 4 Configure the authentication-mode under the AAA authentication scheme.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth
[~HUAWEI-aaa-authen-auth] authentication-mode hwtacacs
[~HUAWEI-aaa-authen-auth] commit
[~HUAWEI-aaa-authen-auth] quit
[~HUAWEI-aaa] quit
Step 5 Check the IP address and port configured for the HWTACACS server on the NAS.
Run the display hwtacacs-server configuration template template-name command to view
the IP address and port details. The Shared Key field in the same output must match the key
configured on the HWTACACS server; a mismatch is one of the common causes listed in 1.2.1.
[~HUAWEI] display hwtacacs-server configuration template huawei
-------------------------------------------------
Template Name : huawei
Template ID : 0
Primary Authentication Server : 192.0.0.6:49
Primary Authorization Server : 192.0.0.6:49
Primary Accounting Server : 192.0.0.6:49
Current Authentication Server : 192.0.0.6:49
Current Authorization Server : 192.0.0.6:49
Current Accounting Server : 192.0.0.6:49
Source IP Address : 0.0.0.0
Shared Key : huawei
Quiet-interval (min) : 1
Response-timeout-Interval (sec): 5
Domain-included : Yes
Secondary Authen Server Count : 0
Secondary Author Server Count : 0
Secondary Account Server Count : 0
-------------------------------------------------
If the IP address and port configured for the HWTACACS server on the NAS are incorrect, go
to Step 6; otherwise, go to Step 8.
Step 6 Configure the IP address and port for the HWTACACS server on the NAS.
[~HUAWEI] hwtacacs-server template huawei
[~HUAWEI-hwtacacs-huawei] hwtacacs-server authentication 129.7.66.66 1813
[~HUAWEI-hwtacacs-huawei] hwtacacs-server authentication 129.7.66.67 1813 secondary
[~HUAWEI-hwtacacs-huawei] commit
Step 7 Contact Huawei technical support personnel and provide:
- Results of the preceding troubleshooting procedures.
- Configuration files, log files, and alarm files of the devices.
Step 8 End.
----End
1.2.4 Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.
1.3 User Fails to do Authorization through HWTACACS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user
fails to do authorization through HWTACACS server.
1.3.1 Common Causes
A user's failure to do authorization through the HWTACACS server is commonly caused by one of
the following:
- The route is unreachable, and the user cannot set up a UDP connection with the server.
- HWTACACS services are not enabled.
- HWTACACS is not configured as the authorization-mode under the AAA authorization scheme.
- The IP address and port configured for the HWTACACS authorization server on the NAS are
incorrect.
1.3.2 Troubleshooting Flowchart
Figure 1-2 Troubleshooting flowchart for the fault that the user fails to do authorization through
HWTACACS server
(Flowchart image not reproduced. Starting from "User fails to do authorization through
HWTACACS server", the decision nodes are: Whether the client can successfully ping the
server? -> Is HWTACACS client enabled? -> Is HWTACACS configured as authorization-mode under
AAA authorization scheme? -> Is IP address and port configured for HWTACACS server in the
NAS? A "No" at a node leads to the matching action: check why the ping operation fails and
rectify the fault; enable the HWTACACS client; configure the authorization-mode under the AAA
authorization scheme; configure the IP address and port for the HWTACACS server in the NAS.
Each action is followed by "Is the fault rectified?": "Yes" leads to End, "No" leads to
contacting Huawei technical support personnel for results, configuration files, log files,
and alarm files of the devices.)

1.3.3 Troubleshooting Procedure
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode
to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the
immediate validation mode.
- In immediate validation mode, configurations take effect after commands are input and the Enter key
is pressed.
- In two-phase validation mode, after commands are configured, the commit command needs to be run
to commit the configurations.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check the network connectivity.
Run the ping command to check the network connectivity.
- If the ping fails, the network connection cannot be established. To locate and rectify the fault,
see The Ping Operation Fails.
- If the ping succeeds, go to Step 2.
Step 2 Check that the HWTACACS client service is enabled.
Run the display hwtacacs current-status command to view the current status of HWTACACS
client service.
<HUAWEI> display hwtacacs current-status
-------------------------------------------------
HWTACACS service status : Disabled
Total templates configured : 0
Total servers configured : 0
-------------------------------------------------
NOTE
If the HWTACACS client service is enabled, go to Step 3.
The command output shows that the HWTACACS client service is not enabled. Users can be
authorized through the HWTACACS server only after the HWTACACS client service is enabled on the
system. Run the hwtacacs enable command to enable the HWTACACS client service.
<HUAWEI> system-view
[~HUAWEI] hwtacacs enable
[~HUAWEI] commit
Step 3 Check that HWTACACS is configured as the authorization-mode under the AAA authorization scheme.
Run the display authorization-scheme command to view the configuration of the AAA
authorization scheme.
[~HUAWEI] display authorization-scheme
---------------------------------------------------------------------------
Vr-id Authorization-scheme-name Authorization-method
---------------------------------------------------------------------------
0 default local
0 author hwtacacs
---------------------------------------------------------------------------
Total 2, 2 printed
If HWTACACS is not configured as the authorization-mode under the AAA authorization scheme,
go to Step 4; otherwise, go to Step 5.
Step 4 Configure the authorization-mode under the AAA authorization scheme.
[~HUAWEI] aaa
[~HUAWEI-aaa] authorization-scheme author
[~HUAWEI-aaa-author-author] authorization-mode hwtacacs
[~HUAWEI-aaa-author-author] commit
[~HUAWEI-aaa-author-author] quit
[~HUAWEI-aaa] quit
Step 5 Check the IP address and port configured for the HWTACACS server on the NAS.
Run the display hwtacacs-server configuration template template-name command to view
the IP address and port details.
[~HUAWEI] display hwtacacs-server configuration template huawei
-------------------------------------------------
Template Name : huawei
Template ID : 0
Primary Authentication Server : 192.0.0.6:49
Primary Authorization Server : 192.0.0.6:49
Primary Accounting Server : 192.0.0.6:49
Current Authentication Server : 192.0.0.6:49
Current Authorization Server : 192.0.0.6:49
Current Accounting Server : 192.0.0.6:49
Source IP Address : 0.0.0.0
Shared Key : huawei
Quiet-interval (min) : 1
Response-timeout-Interval (sec): 5
Domain-included : Yes
Secondary Authen Server Count : 0
Secondary Author Server Count : 0
Secondary Account Server Count : 0
-------------------------------------------------
If the IP address and port configured for the HWTACACS server on the NAS are incorrect, go
to Step 6; otherwise, go to Step 8.
Step 6 Configure the IP address and port for the HWTACACS server on the NAS.
[~HUAWEI] hwtacacs-server template huawei
[~HUAWEI-hwtacacs-huawei] hwtacacs-server authorization 129.7.66.66 1813
[~HUAWEI-hwtacacs-huawei] hwtacacs-server authorization 129.7.66.67 1813 secondary
[~HUAWEI-hwtacacs-huawei] commit
Step 7 Contact Huawei technical support personnel and provide:
- Results of the preceding troubleshooting procedures.
- Configuration files, log files, and alarm files of the devices.
Step 8 End.
----End
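Steps 2 to 6 of the authentication procedure in 1.2.3 and the authorization procedure in 1.3.3 (and of the accounting procedure that follows in 1.4.3) are the same checks applied to a different AAA service: is the HWTACACS client enabled, does the named scheme use hwtacacs, and does the template point at the right server address and port. The following Python script is an added example written for this page, not Huawei code, and it runs offline: it parses the text of the display hwtacacs current-status, display authentication-scheme / authorization-scheme / accounting-scheme and display hwtacacs-server configuration template outputs shown in those steps and reports which step applies. It generalises the page's three procedures by taking the service name as a parameter. The sample outputs are copied from the page (the template output is abridged); the "Enabled" status variant, the expected server address and the function names parse_fields, scheme_method, primary_server and triage are the example's own constructions.

```python
"""Offline triage for the HWTACACS procedures above (Steps 2 to 6).

Added example, not Huawei code.  It parses the text of the display commands
used in those procedures and reports which step of the procedure applies.
"""
import re

# Sample outputs copied from the page (the template output is abridged).
STATUS_DISABLED = """\
-------------------------------------------------
HWTACACS service status : Disabled
Total templates configured : 0
Total servers configured : 0
-------------------------------------------------
"""
# Constructed variant: the same output after 'hwtacacs enable' has been run.
STATUS_ENABLED = STATUS_DISABLED.replace("Disabled", "Enabled")

SCHEME_OUTPUT = """\
---------------------------------------------------------------------------
Vr-id Authentication-scheme-name Authentication-method
---------------------------------------------------------------------------
0 default local
0 auth hwtacacs
---------------------------------------------------------------------------
"""

TEMPLATE_OUTPUT = """\
-------------------------------------------------
Template Name : huawei
Template ID : 0
Primary Authentication Server : 192.0.0.6:49
Primary Authorization Server : 192.0.0.6:49
Primary Accounting Server : 192.0.0.6:49
Source IP Address : 0.0.0.0
Shared Key : huawei
Response-timeout-Interval (sec): 5
-------------------------------------------------
"""

SCHEME_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")  # vr-id name method


def parse_fields(output):
    """'Key : value' lines -> dict.  Splitting at the first ':' keeps the
    port in values such as '192.0.0.6:49'; rule lines have no ':' and are
    skipped."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def service_enabled(status_output):
    """Step 2: the 'HWTACACS service status' field must read Enabled."""
    status = parse_fields(status_output).get("HWTACACS service status", "")
    return status.lower() == "enabled"


def scheme_method(scheme_output, scheme_name):
    """Step 3: the method column of the named scheme row ('0 auth hwtacacs'),
    or None when the scheme is not listed at all."""
    for line in scheme_output.splitlines():
        match = SCHEME_ROW.match(line)
        if match and match.group(2) == scheme_name:
            return match.group(3)
    return None


def primary_server(template_output, service):
    """Step 5: the 'Primary <service> Server' field, e.g. '192.0.0.6:49'."""
    return parse_fields(template_output).get(f"Primary {service} Server")


def triage(service, scheme_name, expected_server,
           status_output, scheme_output, template_output):
    """Walk Steps 2 to 6 for one AAA service ('Authentication',
    'Authorization' or 'Accounting') and return (step, finding).
    Step 1 (ping) is not automated.  expected_server is the ip:port the
    HWTACACS server really listens on; the operator supplies it."""
    if not service_enabled(status_output):
        return 2, "HWTACACS client is disabled; run hwtacacs enable"
    method = scheme_method(scheme_output, scheme_name)
    if method != "hwtacacs":
        return 4, f"scheme {scheme_name!r} uses {method!r}, not hwtacacs"
    configured = primary_server(template_output, service)
    if configured != expected_server:
        return 6, (f"primary {service.lower()} server is {configured!r}, "
                   f"expected {expected_server!r}")
    return 7, ("device-side checks pass; collect the results, configuration, "
               "log and alarm files for Huawei technical support")


if __name__ == "__main__":
    # The expected server address is a constructed value for the demonstration.
    for status in (STATUS_DISABLED, STATUS_ENABLED):
        for scheme in ("auth", "default"):
            step, finding = triage("Authentication", scheme, "192.0.0.6:49",
                                   status, SCHEME_OUTPUT, TEMPLATE_OUTPUT)
            print(f"scheme={scheme:8s} -> Step {step}: {finding}")
```

To use it against a live device, paste the three display outputs into the corresponding strings and pass the scheme name actually bound to the user's domain; the returned step number is the step of the procedure above to carry out next. Comparing the configured ip:port against a value supplied by the operator is what catches the mismatch between a template pointing at one port and a server listening on another.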
1.3.4 Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.
1.4 User Fails to do Accounting through HWTACACS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user
fails to do accounting through HWTACACS server.
1.4.1 Common Causes
A user's failure to do accounting through the HWTACACS server is commonly caused by one of the
following:
- The route is unreachable, and the user cannot set up a UDP connection with the server.
- HWTACACS services are not enabled.
- HWTACACS is not configured as the accounting-mode under the AAA accounting scheme.
- The IP address and port configured for the HWTACACS accounting server on the NAS are
incorrect.
1.4.2 Troubleshooting Flowchart
Figure 1-3 Troubleshooting flowchart for the fault that the user fails to do accounting through
HWTACACS server
(Flowchart image not reproduced. Starting from "User fails to do accounting through HWTACACS
server", the decision nodes are: Whether the client can successfully ping the server? -> Is
HWTACACS client enabled? -> Is HWTACACS configured as accounting-mode under AAA accounting
scheme? -> Is IP address and port configured for HWTACACS server in the NAS? A "No" at a node
leads to the matching action: check why the ping operation fails and rectify the fault; enable
the HWTACACS client; configure the accounting-mode under the AAA accounting scheme; configure
the IP address and port for the HWTACACS server in the NAS. Each action is followed by "Is the
fault rectified?": "Yes" leads to End, "No" leads to contacting Huawei technical support
personnel for results, configuration files, log files, and alarm files of the devices.)

1.4.3 Troubleshooting Procedure
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode
to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the
immediate validation mode.
l In immediate validation mode, configurations take effect after commands are input and the Enter key
is pressed.
l In two-phase validation mode, after commands are configured, the commit command needs to be run
to commit the configurations.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check the network connectivity.
Run the ping command to check the network connectivity.
l If the ping fails, the network connection cannot be established. To locate and rectify the fault,
see The Ping Operation Fails.
l If the ping succeeds, go to Step 2.
Step 2 Check that the HWTACACS client service is enabled.
Run the display hwtacacs current-status command to view the current status of HWTACACS
client service.
<HUAWEI> display hwtacacs current-status
-------------------------------------------------
HWTACACS service status : Disabled
Total templates configured : 0
Total servers configured : 0
-------------------------------------------------
NOTE
If HWTACACS client service is enabled, go to Step 3.
The command output shows that the HWTACACS client service is disabled. Users can perform accounting through the HWTACACS server only after the HWTACACS client service is enabled on the system.
Run the hwtacacs enable command to enable the HWTACACS client service.
<HUAWEI> system-view
[~HUAWEI] hwtacacs enable
[~HUAWEI] commit
Step 3 Check that HWTACACS is configured as the accounting-mode under the AAA accounting scheme.
Run the display accounting-scheme command to view the configuration of the AAA
accounting-scheme.
[~HUAWEI] display accounting-scheme
---------------------------------------------------------------------------
Vr-id Accounting-scheme-name Accounting-method
---------------------------------------------------------------------------
0 default none accounting
0 acct hwtacacs accounting
---------------------------------------------------------------------------
Total 2, 2 printed
If the accounting-mode under the AAA accounting scheme is not configured, go to Step 4; otherwise, go to Step 5.
Step 4 Configure the accounting-mode under AAA accounting scheme.
[~HUAWEI] aaa
[~HUAWEI-aaa] accounting-scheme acct
[~HUAWEI-aaa-accounting-acct] accounting-mode hwtacacs
[~HUAWEI-aaa-accounting-acct] commit
[~HUAWEI-aaa-accounting-acct] quit
[~HUAWEI-aaa] quit
Step 5 Check the IP address and port configured for HWTACACS server in the NAS.
Run the display hwtacacs-server configuration template template-name command to view
the IP address and port details.
[~HUAWEI] display hwtacacs-server configuration template huawei
-------------------------------------------------
Template Name : huawei
Template ID : 0
Primary Authentication Server : 192.0.0.6:49
Primary Authorization Server : 192.0.0.6:49
Primary Accounting Server : 192.0.0.6:49
Current Authentication Server : 192.0.0.6:49
Current Authorization Server : 192.0.0.6:49
Current Accounting Server : 192.0.0.6:49
Source IP Address : 0.0.0.0
Shared Key : huawei
Quiet-interval (min) : 1
Response-timeout-Interval (sec): 5
Domain-included : Yes
Secondary Authen Server Count : 0
Secondary Author Server Count : 0
Secondary Account Server Count : 0
-------------------------------------------------
If the IP address or port configured for the HWTACACS server in the NAS is incorrect, go to Step 6; otherwise, go to Step 8.
Step 6 Configure the IP address and port for the HWTACACS server in the NAS.
[~HUAWEI] hwtacacs-server template huawei
[~HUAWEI-hwtacacs-huawei] hwtacacs-server accounting 129.7.66.66 1813
[~HUAWEI-hwtacacs-huawei] hwtacacs-server accounting 129.7.66.67 1813 secondary
[~HUAWEI-hwtacacs-huawei] commit
Step 7 Contact Huawei technical support personnel and provide:
l Results of the preceding troubleshooting procedures.
l Configuration files, log files, and alarm files of the devices.
Step 8 End.
----End
1.4.4 Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.
1.5 User Fails to Authenticate through RADIUS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user
fails to authenticate through RADIUS server.
1.5.1 Common Causes
A user's failure to authenticate through the RADIUS server is commonly caused by one of the following:
l The route is unreachable, so the user cannot set up a UDP connection with the server.
l RADIUS services are not enabled.
l RADIUS is not configured as the authentication-mode under the AAA authentication scheme.
l The IP address or port configured for the RADIUS authentication server in the NAS is incorrect.
l The shared key on the RADIUS server does not match the one on the NAS.
1.5.2 Troubleshooting Flowchart
Figure 1-4 Troubleshooting flowchart for the fault that the user fails to authenticate through
RADIUS server
[Flowchart: starting from the fault "user fails to authenticate through the RADIUS server", check in turn whether the client can successfully ping the server, whether the RADIUS client is enabled, whether RADIUS is configured as the authentication-mode under the AAA authentication scheme, and whether the IP address and port of the RADIUS server are configured in the NAS. For each check that fails, apply the corresponding action (check why the ping operation fails and rectify the fault; enable the RADIUS client; configure the authentication-mode under the AAA authentication scheme; configure the IP address and port for the RADIUS server in the NAS) and ask "Is the fault rectified?". Yes ends the procedure; No proceeds to the next check. If no action rectifies the fault, contact Huawei technical support personnel with the results, configuration files, log files, and alarm files of the devices.]
1.5.3 Troubleshooting Procedure
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode
to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the
immediate validation mode.
l In immediate validation mode, configurations take effect after commands are input and the Enter key
is pressed.
l In two-phase validation mode, after commands are configured, the commit command needs to be run
to commit the configurations.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check the network connectivity.
Run the ping command to check the network connectivity.
l If the ping fails, the network connection cannot be established. To locate and rectify the fault,
see The Ping Operation Fails.
l If the ping succeeds, go to Step 2.
Step 2 Check that the RADIUS client is enabled.
Run the display radius current-status command to view the current status of RADIUS client.
<HUAWEI> display radius current-status
-----------------------------------------------------------------------------
RADIUS-Client : Disabled
Client-Identifier : HUAWEI0
Total-auth-pending-request : 0
Total-acct-pending-request : 0
-----------------------------------------------------------------------------
NOTE
If RADIUS client is enabled, go to Step 3.
The command output shows that the RADIUS client is disabled. Users can authenticate through the RADIUS server only after the RADIUS client is enabled on the system. Run the radius enable command to enable the RADIUS client.
<HUAWEI> system-view
[~HUAWEI] radius enable
[~HUAWEI] commit
Step 3 Check that RADIUS is configured as the authentication-mode under the AAA authentication scheme.
Run the display authentication-scheme command to view the configuration of the AAA
authentication-scheme.
[~HUAWEI] display authentication-scheme
---------------------------------------------------------------------------
Vr-id Authentication-scheme-name Authentication-method
---------------------------------------------------------------------------
0 default local
0 radtest radius
---------------------------------------------------------------------------
If the authentication-mode under the AAA authentication scheme is not configured, go to Step 4; otherwise, go to Step 5.
Step 4 Configure the authentication-mode under the AAA authentication scheme.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme acct
[~HUAWEI-aaa-authen-auth] authentication-mode radius
[~HUAWEI-aaa-authen-auth] commit
[~HUAWEI-aaa-authen-auth] quit
[~HUAWEI-aaa] quit
Step 5 Check the IP address and port configured for RADIUS server in the NAS.
Run the display radius-server configuration template template-name command to view the
IP address and port details.
[~HUAWEI] display radius-server configuration template huawei
-----------------------------------------------------------------------------
Server-template-name : huawei
Protocol-version : standard
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 192.0.0.2-1812
Primary-accounting-server : 192.0.0.2-1813
Retransmission : 3
Domain-included : NO
Mode : Pri-secondary
Probe-interval(in minute) : 5
Test-username : huawei
-----------------------------------------------------------------------------
If the IP address or port configured for the RADIUS server in the NAS is incorrect, go to Step 6; otherwise, go to Step 8.
Step 6 Configure the IP address and port for the RADIUS server in the NAS.
[~HUAWEI] radius-server template huawei
[~HUAWEI-radius-huawei] radius-server authentication 129.7.66.66 1813
[~HUAWEI-radius-huawei] radius-server authentication 129.7.66.67 1813 secondary
[~HUAWEI-radius-huawei] commit
Step 7 Contact Huawei technical support personnel and provide:
l Results of the preceding troubleshooting procedures.
l Configuration files, log files, and alarm files of the devices.
Step 8 End.
----End
1.5.4 Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.
1.6 User Fails to do Accounting through RADIUS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user
fails to do accounting through RADIUS server.
1.6.1 Common Causes
A user's failure to perform accounting through the RADIUS server is commonly caused by one of the following:
l The route is unreachable, so the user cannot set up a UDP connection with the server.
l RADIUS services are not enabled.
l RADIUS is not configured as the accounting-mode under the AAA accounting scheme.
l The IP address or port configured for the RADIUS accounting server in the NAS is incorrect.
l The shared key on the RADIUS server does not match the one on the NAS.
1.6.2 Troubleshooting Flowchart
Figure 1-5 Troubleshooting flowchart for the fault that the user fails to do accounting through
RADIUS server
[Flowchart: starting from the fault "user fails to do accounting through the RADIUS server", check in turn whether the client can successfully ping the server, whether the RADIUS client is enabled, whether RADIUS is configured as the accounting-mode under the AAA accounting scheme, and whether the IP address and port of the RADIUS server are configured in the NAS. For each check that fails, apply the corresponding action (check why the ping operation fails and rectify the fault; enable the RADIUS client; configure the accounting-mode under the AAA accounting scheme; configure the IP address and port for the RADIUS server in the NAS) and ask "Is the fault rectified?". Yes ends the procedure; No proceeds to the next check. If no action rectifies the fault, contact Huawei technical support personnel with the results, configuration files, log files, and alarm files of the devices.]
1.6.3 Troubleshooting Procedure
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode
to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the
immediate validation mode.
l In immediate validation mode, configurations take effect after commands are input and the Enter key
is pressed.
l In two-phase validation mode, after commands are configured, the commit command needs to be run
to commit the configurations.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check the network connectivity.
Run the ping command to check the network connectivity.
l If the ping fails, the network connection cannot be established. To locate and rectify the fault,
see The Ping Operation Fails.
l If the ping succeeds, go to Step 2.
Step 2 Check that the RADIUS client is enabled.
Run the display radius current-status command to view the current status of RADIUS client.
<HUAWEI> display radius current-status
RADIUS-Client : Disabled
Client-Identifier : HUAWEI0
Total-auth-pending-request : 0
Total-acct-pending-request : 0
NOTE
If RADIUS client is enabled, go to Step 3.
The command output shows that the RADIUS client is disabled. Users can perform accounting through the RADIUS server only after the RADIUS client is enabled on the system. Run the radius enable command to enable the RADIUS client.
<HUAWEI> system-view
[~HUAWEI] radius enable
[~HUAWEI] commit
Step 3 Check that RADIUS is configured as the accounting-mode under the AAA accounting scheme.
Run the display accounting-scheme command to view the configuration of the AAA
accounting-scheme.
[~HUAWEI] display accounting-scheme
---------------------------------------------------------------------------
Vr-id Accounting-scheme-name Accounting-method
---------------------------------------------------------------------------
0 default none accounting
0 acct hwtacacs accounting
0 radacct radius accounting
---------------------------------------------------------------------------
Total 3, 3 printed
If the accounting-mode under the AAA accounting scheme is not configured, go to Step 4; otherwise, go to Step 5.
Step 4 Configure the accounting-mode under the AAA accounting scheme.
[~HUAWEI] aaa
[~HUAWEI-aaa] accounting-scheme acct
[~HUAWEI-aaa-accounting-acct] accounting-mode radius
[~HUAWEI-aaa-accounting-acct] commit
[~HUAWEI-aaa-accounting-acct] quit
[~HUAWEI-aaa] quit
Step 5 Check the IP address and port configured for RADIUS server in the NAS.
Run the display radius-server configuration template template-name command to view the
IP address and port details.
[~HUAWEI] display radius-server configuration template huawei
-----------------------------------------------------------------------------
Server-template-name : huawei
Protocol-version : standard
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 192.0.0.2-1812
Primary-accounting-server : 192.0.0.2-1813
Retransmission : 3
Domain-included : NO
Mode : Pri-secondary
Probe-interval(in minute) : 5
Test-username : huawei
-----------------------------------------------------------------------------
If the IP address or port configured for the RADIUS server in the NAS is incorrect, go to Step 6; otherwise, go to Step 8.
Step 6 Configure the IP address and port for the RADIUS server in the NAS.
[~HUAWEI] radius-server template huawei
[~HUAWEI-radius-huawei] radius-server accounting 129.7.66.66 1813
[~HUAWEI-radius-huawei] radius-server accounting 129.7.66.67 1813 secondary
[~HUAWEI-radius-huawei] commit
Step 7 Contact Huawei technical support personnel and provide:
l Results of the preceding troubleshooting procedures.
l Configuration files, log files, and alarm files of the devices.
Step 8 End.
----End
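The RADIUS checks of Steps 2, 3 and 5 in sections 1.5 and 1.6, automated as an added example that is not Huawei's code: it parses constructed copies of the command outputs shown above and names the corrective step. EXPECTED_SERVERS, the address and port the RADIUS server really listens on, is an assumed input the operator supplies.

```python
"""Automated form of the RADIUS checks in Steps 2, 3 and 5 of sections 1.5 and 1.6.

Added example; this is not Huawei code. It parses constructed copies of the
'display radius current-status', 'display authentication-scheme',
'display accounting-scheme' and 'display radius-server configuration
template' outputs shown in the manual and returns the troubleshooting step
that applies. EXPECTED_SERVERS is an assumption: the address and port the
RADIUS server actually listens on, as confirmed with the server administrator.
"""

# Constructed sample outputs, modelled on the command outputs in the manual.
CURRENT_STATUS = """\
RADIUS-Client : Disabled
Client-Identifier : HUAWEI0
Total-auth-pending-request : 0
Total-acct-pending-request : 0
"""

AUTH_SCHEMES = """\
Vr-id Authentication-scheme-name Authentication-method
0 default local
0 radtest radius
"""

ACCT_SCHEMES = """\
Vr-id Accounting-scheme-name Accounting-method
0 default none accounting
0 acct hwtacacs accounting
0 radacct radius accounting
"""

SERVER_TEMPLATE = """\
Server-template-name : huawei
Shared-secret-key : huawei
Primary-authentication-server : 192.0.0.2-1813
Primary-accounting-server : 192.0.0.2-1813
"""

# Where the RADIUS server really listens (constructed assumption).
EXPECTED_SERVERS = {
    "Primary-authentication-server": ("192.0.0.2", 1812),
    "Primary-accounting-server": ("192.0.0.2", 1813),
}


def parse_kv(output):
    """Turn 'Key : Value' lines into a dict; separator and header lines are skipped."""
    kv = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            kv[key.strip()] = value.strip()
    return kv


def radius_client_enabled(status_output):
    """Step 2: no RADIUS request leaves the NAS while the client shows 'Disabled'."""
    return parse_kv(status_output).get("RADIUS-Client", "").lower() == "enabled"


def scheme_method(scheme_output, scheme_name):
    """Step 3: method column of the named AAA scheme ('radius', 'local', ...), or None."""
    for line in scheme_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == scheme_name:
            return parts[2]
    return None


def server_mismatches(template_output, expected):
    """Step 5: NAS template entries that differ from where the server really listens."""
    kv = parse_kv(template_output)
    problems = []
    for key, (ip, port) in expected.items():
        want = f"{ip}-{port}"
        got = kv.get(key, "<not configured>")
        if got != want:
            problems.append(f"{key}: NAS has {got}, server listens on {want}")
    return problems


def diagnose(status, schemes, scheme_name, method, template, expected):
    """Walk the procedure in order and name the first corrective step, or 'ok'."""
    if not radius_client_enabled(status):
        return "Step 2: run 'radius enable'"
    if scheme_method(schemes, scheme_name) != method:
        return f"Step 4: configure {method} as the mode of scheme '{scheme_name}'"
    if server_mismatches(template, expected):
        return "Step 6: correct the server IP address and port in the template"
    return "ok"
```

Feed it the real command outputs captured from the NAS; the shared-key mismatch listed under Common Causes cannot be detected from the NAS side alone and still needs the server's log.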
1.6.4 Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.
2 Local Attack Defense Troubleshooting
About This Chapter
2.1 Management Plane Protection Malfunctions
2.1 Management Plane Protection Malfunctions
2.1.1 Common Causes
This fault is commonly caused by an incorrect protection policy for the management plane.
2.1.2 Troubleshooting Procedure
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode
to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the
immediate validation mode.
l In immediate validation mode, configurations take effect after commands are input and the Enter key
is pressed.
l In two-phase validation mode, after commands are configured, the commit command needs to be run
to commit the configurations.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that no protocol packets are discarded.
Run the display cpu-defend ma-defend statistics [ slot slot-id ] command to view the statistics
about the management plane and check whether packets of certain protocols are discarded.
l If some packets are discarded, go to Step 2.
l If no protocol packets are discarded, the security module of the device functions properly.
In this situation, contact Huawei technical support personnel.
Step 2 Check that the interface-level policy for management plane protection is applied on the
management interface.
Run the display this command in the management interface view to check whether the interface-
level policy for management plane protection is applied on the management interface.
l If the interface-level policy is applied, run the display ma-defend interface-policy interface-
policy-id command according to the ID of the interface-level policy to check whether the
protocol command is configured with deny, which causes the failure in sending protocol
packets to the CPU.
If deny is configured, packets cannot be sent to the CPU. If it is required to send packets
to the CPU, run the protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet |
tftp | isis | pimsm } { permit | deny } command in the view of interface-level management
plane protection to change deny to permit.
If permit is configured, but the protocol packets still cannot be sent to the CPU, contact
Huawei technical personnel.
l If the interface-level policy for management plane protection is not applied on the management interface, go to Step 3 to check whether the slot-level policy for management plane protection is applied.
Step 3 Check that the slot-level policy for management plane protection is applied on the LPU where
the management interface resides.
Run the display this command in the slot view to check whether the slot-level policy for management plane protection is applied on the LPU where the management interface resides.
l If the slot-level policy is applied, run the display ma-defend slot-policy slot-policy-id command with the ID of the slot-level policy to check whether the protocol command is configured with deny, which prevents protocol packets from being sent to the CPU.
If deny is configured, packets cannot be sent to the CPU. If it is required to send packets
to the CPU, run the protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet |
tftp | isis | pimsm } permit command in the view of slot-level management plane
protection to change deny to permit.
If permit is configured, but the protocol packets still cannot be sent to the CPU, contact
Huawei technical personnel.
l If the slot-level policy for management plane protection is not applied on the LPU, go to Step 4 to check whether the global policy for management plane protection is applied.
Step 4 Check that the global policy for management plane protection is applied on the management
interface.
Run the display ma-defend global-policy command to check whether the global policy for
management plane protection is applied on the management interface.
l If the global policy for management plane protection is applied, run the display ma-
defend global-policy command to check whether the protocol command is configured with
deny, which causes the failure in sending protocol packets to the CPU.
If deny is configured, packets cannot be sent to the CPU. If it is required to send packets
to the CPU, run the protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet |
tftp | isis | pimsm } permit command in the view of global management plane protection
to change deny to permit.
If permit is configured, but the protocol packets still cannot be sent to the CPU, contact
Huawei technical personnel.
l If the global policy for management plane protection is not applied, management plane protection is not configured at all. If management packets are still intercepted in this situation, the system is faulty. To rectify the fault, contact Huawei technical personnel.
After the preceding operations, if management packets still cannot be sent to the CPU, contact Huawei technical personnel.
----End
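A model of the policy lookup the procedure above walks through, as an added example that is not Huawei's code. It assumes the order the steps imply: the interface-level policy applied on the management interface decides first, then the slot-level policy of the LPU, then the global policy, and with no policy applied packets are expected to reach the CPU; policy IDs, contents, and the default for a protocol a policy does not mention are constructed assumptions.

```python
"""Effective management plane protection decision for one protocol (section 2.1).

Added example, not Huawei code. It models the lookup order the procedure in
2.1.2 follows: an interface-level policy applied on the management interface
decides first, then the slot-level policy of the LPU, then the global policy;
with no policy applied, management plane protection is not configured and
packets are expected to reach the CPU. Policy IDs and contents are constructed.
"""

# Protocol keywords of the 'protocol { ... } { permit | deny }' command on the page.
PROTOCOLS = ("bgp", "ftp", "ldp", "ospf", "rip", "rsvp",
             "snmp", "ssh", "telnet", "tftp", "isis", "pimsm")

# Which troubleshooting step of 2.1.2 handles each policy level.
STEP_FOR_LEVEL = {"interface": "Step 2", "slot": "Step 3", "global": "Step 4"}


class MaDefendPolicy:
    """One ma-defend policy: its level, its ID and the permit/deny action per protocol."""

    def __init__(self, level, policy_id, **actions):
        if level not in STEP_FOR_LEVEL:
            raise ValueError(f"unknown policy level {level!r}")
        unknown = set(actions) - set(PROTOCOLS)
        if unknown:
            raise ValueError(f"unknown protocol(s): {sorted(unknown)}")
        if any(a not in ("permit", "deny") for a in actions.values()):
            raise ValueError("each action must be 'permit' or 'deny'")
        self.level = level
        self.id = policy_id
        self.actions = dict(actions)

    def action_for(self, protocol):
        # Assumption for this example: a protocol the policy does not mention is permitted.
        return self.actions.get(protocol, "permit")


def effective_action(protocol, interface_policy=None, slot_policy=None, global_policy=None):
    """Return (action, deciding level); the level is None when no policy is applied."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    # First applied policy in precedence order decides, matching Steps 2 -> 3 -> 4.
    for policy in (interface_policy, slot_policy, global_policy):
        if policy is not None:
            return policy.action_for(protocol), policy.level
    return "permit", None


def troubleshooting_hint(protocol, interface_policy=None, slot_policy=None, global_policy=None):
    """Map the decision onto the page's steps and the command that changes deny to permit."""
    action, level = effective_action(protocol, interface_policy, slot_policy, global_policy)
    if level is None:
        return ("no policy applied: management plane protection is not configured; "
                "packets still intercepted indicates a system fault")
    if action == "permit":
        return (f"{level}-level policy permits {protocol}; if packets still do not "
                f"reach the CPU, contact Huawei technical personnel")
    return (f"{STEP_FOR_LEVEL[level]}: run 'protocol {protocol} permit' in the "
            f"{level}-level management plane protection view")
```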
3 URPF Troubleshooting
About This Chapter
3.1 URPF Check Fails
This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting
procedure for the fault that the URPF-enabled device does not discard packets as expected.
3.1 URPF Check Fails
This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting
procedure for the fault that the URPF-enabled device does not discard packets as expected.
3.1.1 Common Causes
This fault is commonly caused by one of the following:
l The routing table contains routes to the source addresses of the packets that should be discarded.
l The routing table contains default routes.
l The matching rules configured on the device are incorrect.
3.1.2 Troubleshooting Flowchart
A URPF-enabled device receives certain packets that should be discarded by itself, but the
statistics show that no packets are discarded by URPF. In this case, follow the troubleshooting
procedure shown in Figure 3-1 to isolate the problem.
The troubleshooting roadmap is as follows:
l Check whether the routing table contains default routes or routes to the source addresses of the packets that should be discarded.
l Check whether the matching rules are correct.
Figure 3-1 Troubleshooting flowchart for URPF
[Flowchart: a device configured with URPF loose check does not discard packets. Check whether the routing table contains a route with the source address of the packet that should be discarded; if yes, delete the route entry and ask "Fault rectified?" (Yes: end). If not, or if the fault persists, check whether incorrect matching rules are configured; if yes, configure correct rules and ask "Fault rectified?" (Yes: end). If the fault still persists, seek technical support.]
3.1.3 Troubleshooting Procedure
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode
to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the
immediate validation mode.
l In immediate validation mode, configurations take effect after commands are input and the Enter key
is pressed.
l In two-phase validation mode, after commands are configured, the commit command needs to be run
to commit the configurations.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the routing table contains neither default routes nor routes to the source addresses of the packets that should be discarded.
Run the display ip routing-table command in the user view to check the Destination/Mask field
in the routing table.
l If the routing table contains routes to the source addresses of packets that should be discarded, configure rules and import them into the filter to deny the packets sent along these routes. For detailed configuration, see "Routing Policy Configuration" in the HUAWEI NetEngine5000E Core Router Configuration Guide - IP Routing.
l If the routing table does not contain such routes, go to Step 2.
Step 2 Check that the configured matching rules are correct.
Run the display traffic classifier classifier-name command in the user view to check the Rule(s) field.
l If packets are incorrectly filtered based on the configured rules, correct the rules.
l If packets are correctly filtered based on the configured rules, go to Step 3.
Step 3 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedures
l Configuration files, log files, and alarm files of the devices
----End
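The routing-table cause from Step 1 reproduced in code, as an added example that is not Huawei's code: loose URPF accepts any source that has some route, so a default route or a route to the spoofed source lets the packet through. It also shows strict mode, which the page's flowchart does not cover, for contrast; all addresses, prefixes, and interface names are constructed.

```python
"""URPF check over a routing table (section 3.1).

Added example, not Huawei code. It reproduces why a URPF-enabled device stops
discarding spoofed packets when the routing table contains a default route or
a route to the spoofed source address: loose URPF accepts any source that has
some route. Strict mode, shown for contrast and not part of the page's loose
check, additionally requires the route's outbound interface to be the ingress
interface. All addresses, prefixes and interface names are constructed.
"""
import ipaddress


class RoutingTable:
    """Minimal IPv4 routing table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = []            # list of (ip_network, outbound interface)

    def add(self, prefix, out_iface):
        self.routes.append((ipaddress.ip_network(prefix), out_iface))

    def delete(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r[0] != net]

    def lookup(self, addr):
        """Return (network, out_iface) of the most specific matching route, or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_passes(rt, src, in_iface, mode="loose"):
    """True if the packet survives URPF: loose needs any route to src, strict a route via in_iface."""
    match = rt.lookup(src)
    if match is None:
        return False                # no route to the source: URPF discards the packet
    if mode == "strict":
        return match[1] == in_iface
    if mode == "loose":
        return True
    raise ValueError("mode must be 'loose' or 'strict'")


def why_not_discarded(rt, src):
    """Step 1 of the procedure: name the routing entry that lets a spoofed source through."""
    match = rt.lookup(src)
    if match is None:
        return None
    net = match[0]
    if net.prefixlen == 0:
        return f"default route {net} matches source {src}"
    return f"route {net} to the source address matches {src}"


def demo():
    """Constructed scenario: a default route hides the spoofed source from loose URPF."""
    rt = RoutingTable()
    rt.add("192.0.2.0/24", "GE2/0/0")   # constructed customer prefix
    rt.add("0.0.0.0/0", "GE1/0/0")      # default route towards the upstream
    spoofed = "198.51.100.7"            # source that should be discarded
    before = urpf_passes(rt, spoofed, "GE2/0/0")   # True: the default route covers it
    rt.delete("0.0.0.0/0")                         # the flowchart's "delete the route entry"
    after = urpf_passes(rt, spoofed, "GE2/0/0")    # False: no route, URPF discards
    return before, after
```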
3.1.4 Relevant Alarms and Logs
Relevant Alarms
None
Relevant Logs
None