Hillstone All Series Device Troubleshooting and Debug Guide
Chapter 1 Interface
Aggregate Interface
The M platform and X platform support aggregation of optical ports and of electrical ports of the same speed.
The M platform and X platform support aggregating interfaces across board cards.
Each aggregate interface holds at most 16 member interfaces.
Static binding supports mixing Gigabit and 10 Gigabit members, as the following output shows (one 1 Gbps member plus one 10 Gbps member gives 11,000,000,000 bps):
SG-6000(config-if-xe3/1)# show interface aggregate1
--------------------------------------------------------------------------------------------------------
Interface aggregate1
downstream bandwidth is 11000000000
upstream bandwidth is 11000000000
Mode 1 (global, configured under flow):
400-GuanWu(config)# flow
400-GuanWu(config-flow)# aggregate-distribute-mode session-based
With session-based, the system selects the member interface by the remainder of the current session ID.
SG-6000-B(config-flow)# flow aggregate-distribute-mode flow-based
With flow-based, the member interface is selected from the flow's 5-tuple; this is the system default.
Mode 2 (per aggregate interface):
400-GuanWu(config-if-agg1)# load-balance mode
flow Flow-based load balance
Default. When set, the interface follows the global "flow aggregate-distribute-mode" setting.
tuple Custom load balance
Highest priority. When set, the global "flow aggregate-distribute-mode" setting no longer applies to this interface.
400-GuanWu(config-if-agg1)# load-balance mode tuple
<cr>
dest-ip Destination ip address
dest-mac Destination mac address
dest-port Destination port
protocol Transport protocol
src-ip Source ip address
src-mac Source mac address
src-port Source port
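As an added illustration (not from the guide and not StoneOS code), the Python model below reproduces the three member-selection behaviours described above: session-based (remainder of the session ID), flow-based (hash of the 5-tuple) and custom tuple (hash of the chosen fields only), and it enforces the 16-member limit. The member names, the flows and the hash function are assumptions; StoneOS does not document its hash, so a SHA-256 digest stands in for it. The point it shows is that a tuple of src-ip and dest-ip pins every connection between two hosts to one member, which matters when the far end (for example a stateful device) must see all of a host pair's traffic on one link.

```python
import hashlib
from dataclasses import dataclass

MAX_MEMBERS = 16  # an aggregate interface holds at most 16 members (from the guide)

# Constructed member list for a hypothetical aggregate1 (assumption, not from the page).
MEMBERS = ["ethernet0/1", "ethernet0/2", "xethernet3/1", "xethernet3/2"]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int
    src_mac: str = "00:11:22:33:44:55"
    dst_mac: str = "66:77:88:99:aa:bb"


# Field names follow the "load-balance mode tuple" option list.
FIELDS = {
    "src-ip": lambda f: f.src_ip,
    "dest-ip": lambda f: f.dst_ip,
    "protocol": lambda f: f.protocol,
    "src-port": lambda f: f.src_port,
    "dest-port": lambda f: f.dst_port,
    "src-mac": lambda f: f.src_mac,
    "dest-mac": lambda f: f.dst_mac,
}
FIVE_TUPLE = ("src-ip", "dest-ip", "protocol", "src-port", "dest-port")


def validate_members(members):
    if not members:
        raise ValueError("aggregate has no member interfaces")
    if len(members) > MAX_MEMBERS:
        raise ValueError(f"at most {MAX_MEMBERS} members per aggregate interface")
    return list(members)


def _stable_hash(values) -> int:
    # The real hash is undocumented; a stable digest stands in for it.
    # (Python's built-in hash() is salted per process and would not be reproducible.)
    data = "|".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def select_session_based(session_id: int, members=MEMBERS) -> str:
    """Mode 1, 'aggregate-distribute-mode session-based': remainder of the session ID."""
    members = validate_members(members)
    return members[session_id % len(members)]


def select_tuple(flow: Flow, fields, members=MEMBERS) -> str:
    """Mode 2, 'load-balance mode tuple <fields>': hash only the chosen fields."""
    members = validate_members(members)
    unknown = set(fields) - FIELDS.keys()
    if unknown:
        raise ValueError(f"unknown tuple field(s): {sorted(unknown)}")
    return members[_stable_hash(FIELDS[f](flow) for f in fields) % len(members)]


def select_flow_based(flow: Flow, members=MEMBERS) -> str:
    """Mode 1 default, 'flow-based': hash of the full 5-tuple."""
    return select_tuple(flow, FIVE_TUPLE, members)


def pinned_to_one_member(flows, fields, members=MEMBERS) -> bool:
    """True if every flow lands on the same member under the given tuple fields."""
    return len({select_tuple(f, fields, members) for f in flows}) == 1


if __name__ == "__main__":
    # Two connections from the same client to the same server, different source ports.
    a = Flow("10.1.1.10", "10.2.2.20", 6, 40001, 443)
    b = Flow("10.1.1.10", "10.2.2.20", 6, 40002, 443)
    print("session 5 ->", select_session_based(5))
    print("flow-based:", select_flow_based(a), select_flow_based(b))
    print("tuple src-ip dest-ip:", select_tuple(a, ("src-ip", "dest-ip")),
          select_tuple(b, ("src-ip", "dest-ip")))
```

Under the 5-tuple the two connections may land on different members; under the src-ip/dest-ip tuple they always land on the same one, which is the trade-off between spreading load and keeping a host pair on one link.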
Troubleshooting and Debug Guide |TAC
Troubleshooting
Case one: the device's throughput decreased after the aggregate interface
In some cases an interface on the device (usually one connected to another vendor's device by an optical or electrical port) flaps DOWN/UP repeatedly, with an interval of about 1 s. R&D has investigated this problem before but never confirmed that the Hillstone device is the cause. Suggested troubleshooting steps:
1. Confirm that the speed and duplex settings are exactly the same on both ends of the link.
2. If both ends are in auto-negotiation mode, set both ends to manual.
3. If the customer wants the root cause, insert a switch (preferably the gateway) between the two devices if conditions allow, then check the interface status on each side to locate the faulty device.
4. If the customer does not need the root cause, the flapping can be avoided by using hold up
Case three: the optical port light of the firewall does not turn on when the
1. Check whether the Cisco switch is using an original Cisco optical module; it is recommended to use the remote-side module.
2. Check the negotiation mode on both ends; set the speed and duplex of the interfaces manually (full or half duplex).
3. If the problem persists, delete the configuration of both interfaces and configure them again.
Case four: after a port trunk is configured with the opposite device, the
Symptom: after port trunking between the Hillstone device and an H3C device, the Hillstone device reports a loop log every twenty minutes.
Reason: the ARP aging time of the Hillstone device is 20 minutes. When the ARP entry times out the firewall sends a new ARP request; if the opposite device reflects that ARP request back to the firewall, the loop event is raised.
Solution:
1. Check whether the H3C switch has the command "port bridge enable" configured; if it does, delete it.
2. If the opposite device does not have such a command configured, configure a static ARP binding on the Hillstone device.
Chapter 2 NAT
Configuration Examples
Configuration:
address “src”
ip 10.1.1.0/24
exit
address “srcpool”
ip 1.1.1.0/24
exit
interface ethernet0/5
zone “l2-untrust”
exit
interface ethernet0/6
zone “l2-trust”
exit
interface vswitchif1
zone “trust”
exit
vswitchif vswitchif1
nat-enable
exit
ip vrouter “trust-vr”
snatrule id 1 from “src” to “2.1.1.2” trans-to address-book “srcpool” mode dynamicport
dnatrule id 1 from “src” to “2.1.1.2” trans-to “20.1.1.2”
exit
policy-global
rule from src to 2.1.1.2/32 service any permit
exit
Notes:
1. Only CLI configuration is supported; WebUI, HSM and other management methods are not supported.
2. Cone NAT is not supported.
3. Monitoring DNAT server reachability with track-tcp or track-ping is not supported.
4. A rule in which the flow's next hop is the post-translation address of the VRouter and NAT uses the egress interface IP address does not work in transparent mode.
5. A NAT444 rule in dynamicport fixedblock mode does not work in transparent mode.
6. Sharing a VSwitch from the root VSYS to a non-root VSYS is not supported: once transparent NAT is enabled, the VSwitch cannot be shared with a non-root VSYS.
7. This configuration is supported from StoneOS 5.0R3 onward.
Troubleshooting
Case one: SNAT and DNAT do not work at the same time
Analysis: packet handling differs between StoneOS 5.0 and 4.0/4.5. In 5.0, an SNAT rule matches the destination IP address before DNAT is applied (the original destination); in 4.0 and 4.5, the SNAT rule matched the destination IP address after DNAT.
WAN: 192.168.1.1 LAN: 10.88.16.157
Client: 192.168.1.100 Server: 10.88.16.181
As shown in the figure, the client must reach the server through the WAN interface IP address, and the client's source address must be translated to the LAN interface IP address.
On versions before 5.0: add a DNAT rule from 192.168.1.100 to 192.168.1.1 translated to 10.88.16.181, and an SNAT rule from 192.168.1.100 to 10.88.16.181 translated to 10.88.16.157; the policy's source IP is 192.168.1.100 and its destination IP is 192.168.1.1.
On 5.0 and later: the DNAT rule and the policy stay the same, and the SNAT rule becomes from 192.168.1.100 to 192.168.1.1 translated to 10.88.16.157.
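To make the version difference concrete, here is an added Python model of the two matching orders; it is not StoneOS code. It applies the case's DNAT rule and then an SNAT rule, letting the SNAT match either the post-DNAT destination (4.0/4.5) or the original destination (5.0), and shows that a rule written for one order silently fails to translate under the other. "First matching rule wins" and the packet representation are simplifying assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    src_match: str   # address or CIDR that the packet source must fall in ("from")
    dst_match: str   # address or CIDR that the matched destination must fall in ("to")
    trans_to: str    # translated address


def _contains(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def apply_nat(pkt: Packet, dnat_rules, snat_rules, snat_sees_post_dnat: bool) -> Packet:
    """Translate one packet.

    snat_sees_post_dnat=True  models StoneOS 4.0/4.5 (SNAT matched the destination after DNAT).
    snat_sees_post_dnat=False models StoneOS 5.0   (SNAT matches the original destination).
    """
    after_dnat = pkt
    for rule in dnat_rules:               # first matching DNAT rule wins (assumption)
        if _contains(pkt.src, rule.src_match) and _contains(pkt.dst, rule.dst_match):
            after_dnat = replace(pkt, dst=rule.trans_to)
            break
    snat_view = after_dnat if snat_sees_post_dnat else pkt
    for rule in snat_rules:
        if _contains(snat_view.src, rule.src_match) and _contains(snat_view.dst, rule.dst_match):
            return replace(after_dnat, src=rule.trans_to)
    return after_dnat


# Addresses from the case: WAN 192.168.1.1, LAN 10.88.16.157, client 192.168.1.100, server 10.88.16.181.
CLIENT, WAN_IP, LAN_IP, SERVER = "192.168.1.100", "192.168.1.1", "10.88.16.157", "10.88.16.181"
DNAT = [NatRule(CLIENT, WAN_IP, SERVER)]
SNAT_LEGACY = [NatRule(CLIENT, SERVER, LAN_IP)]   # written for 4.0/4.5: matches the post-DNAT destination
SNAT_5_0 = [NatRule(CLIENT, WAN_IP, LAN_IP)]      # written for 5.0: matches the original destination


def translate_legacy_rule_on(version: str) -> Packet:
    """What the 4.x-style SNAT rule yields on the given StoneOS version."""
    return apply_nat(Packet(CLIENT, WAN_IP), DNAT, SNAT_LEGACY, snat_sees_post_dnat=(version != "5.0"))


def translate_new_rule_on(version: str) -> Packet:
    """What the 5.0-style SNAT rule yields on the given StoneOS version."""
    return apply_nat(Packet(CLIENT, WAN_IP), DNAT, SNAT_5_0, snat_sees_post_dnat=(version != "5.0"))


if __name__ == "__main__":
    for v in ("4.5", "5.0"):
        print(v, "legacy SNAT rule ->", translate_legacy_rule_on(v))
        print(v, "5.0 SNAT rule    ->", translate_new_rule_on(v))
```

When the source is left untranslated the server answers the client directly instead of through the firewall's LAN address, which is exactly the "does not work" symptom: the DNAT applied, the SNAT did not.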
3. If the internal server does not return packets, add an SNAT rule that translates the source address to the internal interface IP address.
4. Use "show dnat server" to check the current status of the server.
5. Use "show session src-ip x.x.x.x" or "show session dst-ip x.x.x.x" to check whether the NAT translation is correct.
6. Use "debug dp filter src-ip x.x.x.x" or "debug dp filter dst-ip x.x.x.x" together with "debug dp basic" (confirm that CPU utilization is not already high before debugging).
Chapter 3 Policy
Troubleshooting
Case one: a policy references an address-book entry with a domain name but does not match
1. Confirm that the device has a DNS server configured, and make sure the device can
Chapter 4 ALG
mapping
Solution one:
1. Define a custom service FTP_2121 with destination port 2121 and application FTP, and enable the FTP ALG.
2. Add a destination NAT rule mapping port 2121 to port 21.
3. Add a policy from the external security zone to the internal security zone with service FTP_2121.
Solution two:
1. Define a custom service FTP_2121 with destination port 2121 and application FTP, and enable the FTP ALG.
2. Add a destination NAT rule mapping port 2121 to port 21.
3. Add a policy from the external security zone to the internal security zone with any-to-any service.
4. Enable application identification on the internal security zone.
Troubleshooting
Case two: a PC dialing PPTP through the firewall fails with error code 806
Analysis: capture packets on both the firewall and the client at the same time and compare the successful and the failed exchanges.
Successful capture:
Comparing the captures (passive mode) shows that the first packet is abnormal. When the connection succeeds we receive a SYN/ACK from the opposite end after sending the SYN; when it fails no SYN/ACK arrives.
Use "debug dp snoop, debug dp alg, debug dp basic" to analyze the firewall's debug output, locate the debug record of the abnormal packet by its sequence number, and compare how the two packets are handled (left figure: normal packet; right figure: failed packet):
We found that the ALG changed the MAC address while handling the packet's cache_mac. For a normal connection the cached MAC is the real MAC address; for a failed connection it became a wrong MAC address, so after the packet was sent to the server, the server's ACK went to the wrong MAC. At the same time, reverse routing was disabled on the firewall's internal interface, so on receiving the ACK the firewall did not look up the route again but forwarded the packet according to the wrong cached MAC; therefore the client never received the SYN/ACK.
Solution: enable reverse routing on the internal network interface, and add a route for the corresponding network segment.
Chapter 5 Route
FAQ
1. Does the PBR traffic-steering (drainage) function apply to traffic generated by the device itself?
A: Yes.
2. Which multicast routing protocols are supported?
A: Currently only static multicast routing is supported; MOSPF, CBT, PIM-SM and DVMRP are not supported.
Troubleshooting
1. First check whether the traffic comes from the device itself; the device's own traffic does not match policies or rules (except for the drainage function).
2. Check whether the policy route is bound to the ingress interface or security zone of the traffic.
3. Check the service book configured in the policy route, and whether application identification is enabled on the corresponding security zone.
4. Check whether the application signature library is up to date, and check in the statistics whether real traffic is being misidentified.
5. Check whether the device is too short of memory to handle policy matching.
6. Use "show config" to check whether policy routing has been disabled; use "route enable pbr" to re-enable it.
multicast data
1. First confirm whether the issue is caused by the Hillstone firewall: have the customer bypass the device and test whether the application works.
3. The application may have been misidentified, so permit any-to-any service in the policy from the multicast source to the multicast destination address.
4. If it still does not work, check whether NAT is enabled; if so, remove NAT for the multicast source and destination addresses.
5. If it still does not work, enable the "igmp-snooping" function and select the "igmp-snooping" mode for the interface; usually the side facing the router is host-mode and the other side is router-mode.
6. If it still does not work, use "no l4-vlidity-check" in flow mode to skip the layer-4 validity check.
7. If it still does not work, use virtual wire.
8. If it still does not work, collect debug information and submit a case to second-level support, using "debug dp basic, debug dp drop, debug dp snoop, debug dp policy lookup, debug igmp, debug dp app, debug strmengine".
mode
1. Debug on the device and check whether the multicast packets are received. If they are, check whether the packet's session log is normal. If there is no debug output, log in to the router to check the multicast status and whether the PC is in the multicast zone, or bypass the Hillstone device to check whether everything else is fine.
2. If the issue is confirmed to be caused by the Hillstone device, verify that the mroute configuration is correct, try enabling "igmp-proxy", and specify the mode.
3. If it still does not work, use "no l4-vlidity-check" in flow mode to disable the check.
4. If it still does not work, capture packets on the PC and on the device and submit a case to TAC second-level support.
3. Multicast RPF (reverse path forwarding). The ingress interface had not been configured in the multicast route on the local FW2; after it was configured, multicast packets were forwarded normally. Debug on the opposite end, FW1:
SG-6000[DBG](config-vrouter)# show logging debug
2014-07-11 11:41:24, DEBUG@FLOW: core 1 (sys up 0x364066b ms): Finish
decap
Packet: 192.168.3.100 -> 224.20.0.1, id: 44098, ip size 1344, prot: 17(UDP): 1395
-> 1234
dp_prepare_pak_lookup srcip: 192.168.3.100, dstip: 224.20.0.1,prot 17
No session found, try to create session
IP multicast packet from interface tunnel1.
checking weather the packet is going to self...
The to-self service is not registered
MC-Dropped: begin to creating session for MC packet!
No DNAT configured for this VR
begin lookup predefine prot:17 port:1234
Identified as app UDP-ANY (prot=17). timeout 60.
MC-Dropped: Multicast Forwarding Cache not found !!
Droppped: failed to create session, drop the packet (action=0)
4. Multicast communication works normally after the multicast route is configured on FW1.
The static multicast route on the local FW2:
SG-6000[DBG](config-vrouter)# show ip mroute
U:interface up D:interface down V:valid multicast entry I:invalid multicast entry
===================================================================
source: 192.168.3.100 group : 224.20.0.1 vrouter: trust-vr
status: V update time: -
ingress interface: ethernet0/0(U)
egress interface : tunnel1(U)
===================================================================
Total: 1
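The drop in the FW1 debug above is easier to reason about with an added example (not from the guide and not StoneOS code): a small Python parser for the "show ip mroute" text shown above, plus a forwarding decision that mirrors the behaviour described here. The FW2 output is used as constructed sample input; the decision logic (no (S,G) entry: "Multicast Forwarding Cache not found"; packet arriving on an interface other than the entry's ingress interface: RPF failure; otherwise forward to the up egress interfaces) is the author's model, not the StoneOS implementation.

```python
import re

# Output copied from the guide's "show ip mroute" on FW2, used here as sample input.
MROUTE_OUTPUT = """\
U:interface up D:interface down V:valid multicast entry I:invalid multicast entry
===================================================================
source: 192.168.3.100 group : 224.20.0.1 vrouter: trust-vr
status: V update time: -
ingress interface: ethernet0/0(U)
egress interface : tunnel1(U)
===================================================================
Total: 1
"""

_HEAD = re.compile(r"^source:\s*(\S+)\s+group\s*:\s*(\S+)\s+vrouter:\s*(\S+)")
_STATUS = re.compile(r"^status:\s*([VI])\b")
_INGRESS = re.compile(r"^ingress interface:\s*(\S+?)\(([UD])\)")
_EGRESS = re.compile(r"^egress interface\s*:\s*(.*)$")
_IF = re.compile(r"(\S+?)\(([UD])\)")


def parse_mroute(text: str):
    """Parse 'show ip mroute' text into a list of static (S,G) entries."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _HEAD.match(line)
        if m:
            cur = {"source": m[1], "group": m[2], "vrouter": m[3],
                   "valid": False, "ingress": None, "ingress_up": False, "egress": []}
            entries.append(cur)
            continue
        if cur is None:
            continue
        if (m := _STATUS.match(line)):
            cur["valid"] = m[1] == "V"
        elif (m := _INGRESS.match(line)):
            cur["ingress"], cur["ingress_up"] = m[1], m[2] == "U"
        elif (m := _EGRESS.match(line)):
            cur["egress"] = [(name, state == "U") for name, state in _IF.findall(m[1])]
    return entries


def forward_multicast(src: str, group: str, in_if: str, entries):
    """Decide what happens to a multicast packet from src to group arriving on in_if."""
    for e in entries:
        if e["source"] == src and e["group"] == group:
            if not e["valid"]:
                return "drop", "invalid multicast entry"
            if e["ingress"] != in_if:
                # RPF check: the packet must arrive on the entry's ingress interface.
                return "drop", f"RPF failure: arrived on {in_if}, expected {e['ingress']}"
            if not e["ingress_up"]:
                return "drop", "ingress interface down"
            return "forward", [name for name, up in e["egress"] if up]
    # No (S,G) entry at all: the 'Multicast Forwarding Cache not found' drop seen in the debug.
    return "drop", "MC-Dropped: Multicast Forwarding Cache not found"


if __name__ == "__main__":
    table = parse_mroute(MROUTE_OUTPUT)
    print(forward_multicast("192.168.3.100", "224.20.0.1", "ethernet0/0", table))
    print(forward_multicast("192.168.3.100", "224.20.0.1", "tunnel1", table))
    print(forward_multicast("192.168.3.100", "224.20.0.1", "tunnel1", []))   # FW1 before its mroute existed
```

The third call reproduces FW1's situation: the packet arrives from tunnel1 and there is no entry yet, so it is dropped at session creation. The second call shows the other failure mode on FW2: an entry exists, but with the wrong (or missing) ingress interface the packet fails RPF.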
Chapter 6 FLOW
working in Virtual Wire mode, it compares the packet's destination MAC address with the session record. If they differ, it looks up the MAC address table again using the packet's destination MAC to find the egress interface. If the new interface is the same as the session's, the VSwitch forwards the packet directly. If it differs and both interfaces are in the same security zone, the VSwitch updates the session's egress interface and forwards the packet; if they are in different security zones, the VSwitch deletes the session and drops the packet so that the next packet triggers session rebuilding.
Flow chart:
Chapter 7 VPN
IPSEC VPN
Classic Configuration
Two Hillstone devices establish an IPsec VPN without a third-party CA server.
Configuration:
Create the trust domain "B device self-signed" in the same way; the final configuration is below:
VPN configuration:
peer-id of Device A:
From the client's perspective this requirement can be met (one extra GRE encapsulation outside IPsec); the device needs the following configuration:
1. Configure the GRE tunnel between the APN and the firewall.
2. Configure L2TP over IPsec.
But we met the following problems:
1. Hillstone receives the decrypted packet from the GRE tunnel; the ESP packet is addressed 1.1.1.1 -> 5.5.5.1. Normally the system should keep decrypting and then obtain the L2TP packet with destination port 1701, but during configuration the packet was dropped after the first decryption. We suspect the reason is that the security zone of the GRE tunnel interface differs from that of the internal network interface: by default on a Hillstone device, the source security zone of VPN data must be the same as the security zone of the dial interface.
2. After setting the security zones of the GRE tunnel interface and the L2TP tunnel interface to TRUST, the same as the internal network interface, the data could be decrypted again but was still dropped afterwards (see the figure below). From the drop hint we suspect that flow0's tunnel interface was tunnel2 (the L2TP tunnel) when the session was created, but when flow1 was created the existing GRE VPN route "ip route 1.1.1.1/24 tunnel4" (tunnel4 being the GRE tunnel interface) caused the next
built two VRs: the first VR establishes GRE with the APN device, and the second VR carries L2TP over IPsec. Testing confirmed that this solution works.
With CISCO
during the process. But if the proposal or proxy ID does not match, the Hillstone device will not receive the ACK from the Cisco. Then debug on the Cisco side and collect VPN debug information from the Cisco router.
3. The proxy ID on the Hillstone device must be exactly the same as the Cisco's; for example, if the Cisco side is 1.1.1.0 0.0.0.255, the Hillstone side should be 1.1.1.0/24, not 1.1.1.1/24.
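A quick check for the rule above, as an added Python example that is not from the guide: it converts a Cisco crypto ACL entry to a CIDR network (the IOS wildcard form such as 1.1.1.0 0.0.0.255, and also the ASA netmask form such as 192.168.50.0 255.255.255.0 used in the ASA configurations later in this chapter), rejects a Hillstone proxy ID with host bits set such as 1.1.1.1/24, and verifies that the two sides mirror each other: the Cisco's source (local) network must equal the Hillstone's remote proxy ID and vice versa. The addresses in the usage are constructed.

```python
import ipaddress


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS crypto ACL form '1.1.1.0 0.0.0.255' -> IPv4Network('1.1.1.0/24')."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    # A proxy ID is a prefix, so the wildcard must be contiguous (all ones at the low end).
    if mask != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be expressed as a proxy ID")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def netmask_to_network(addr: str, netmask: str) -> ipaddress.IPv4Network:
    """ASA form 'permit ip 192.168.50.0 255.255.255.0 ...' -> IPv4Network('192.168.50.0/24')."""
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def check_hillstone_proxy_id(cidr: str) -> str:
    """Hillstone proxy IDs must be network addresses: '1.1.1.1/24' is wrong, '1.1.1.0/24' is right."""
    try:
        ipaddress.IPv4Network(cidr, strict=True)
    except ValueError:
        fixed = ipaddress.IPv4Network(cidr, strict=False)
        raise ValueError(f"{cidr} has host bits set; configure {fixed} instead") from None
    return cidr


def proxy_ids_match(cisco_local, cisco_remote, hillstone_local, hillstone_remote) -> bool:
    """Phase-2 selectors must mirror each other exactly: my local is the peer's remote."""
    return cisco_local == hillstone_remote and cisco_remote == hillstone_local


def check_pair(cisco_acl, hillstone_local: str, hillstone_remote: str, ios_style: bool = True) -> bool:
    """cisco_acl = (src_addr, src_mask, dst_addr, dst_mask) from the Cisco 'permit ip ...' line."""
    convert = wildcard_to_network if ios_style else netmask_to_network
    cisco_local = convert(cisco_acl[0], cisco_acl[1])
    cisco_remote = convert(cisco_acl[2], cisco_acl[3])
    h_local = ipaddress.IPv4Network(check_hillstone_proxy_id(hillstone_local))
    h_remote = ipaddress.IPv4Network(check_hillstone_proxy_id(hillstone_remote))
    return proxy_ids_match(cisco_local, cisco_remote, h_local, h_remote)


if __name__ == "__main__":
    # Constructed example: IOS side 'permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255'.
    print(check_pair(("1.1.1.0", "0.0.0.255", "2.2.2.0", "0.0.0.255"), "2.2.2.0/24", "1.1.1.0/24"))
    try:
        check_pair(("1.1.1.0", "0.0.0.255", "2.2.2.0", "0.0.0.255"), "2.2.2.0/24", "1.1.1.1/24")
    except ValueError as err:
        print("rejected:", err)
```

A mismatch here produces exactly the symptom the text describes: phase 1 completes, but the responder never answers the phase-2 proposal, so the initiator retransmits until it gives up.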
Case two: configuration example for a L2L VPN between Hillstone and ASA 8.4
1. Basic configuration of ASA
1.1 Clear the configuration of device
ciscoasa#clear config all //Clear all the configuration of device
1.2 Check related content
ciscoasa# dir //check files
Directory of disk0:/
92 -rwx 25214976 17:43:58 Jun 09 2014 asa844-k8.bin
80 -rwx 6889764 18:11:54 Aug 29 2012 asdm-602.bin
2 drwx 2048 18:13:30 Aug 29 2012 log
5 drwx 2048 18:13:46 Aug 29 2012 crypto_archive
82 -rwx 25159680 00:27:48 Nov 19 2012 asa842-k8.bin
83 -rwx 18927088 00:29:26 Nov 19 2012 asdm-649.bin
84 -rwx 0 00:32:20 Nov 19 2012 nat_ident_migrate
85 -rwx 2726 17:07:12 Nov 19 2012 8_0_2_0_startup_cfg.sav
86 drwx 2048 00:32:22 Nov 19 2012 coredumpinfo
2. Upgrade IOS
2.1 Back up the current IOS first:
ciscoasa# copy disk0:/asa802-k8.bin ftp:192.168.100.200
Source filename [asa802-k8.bin]?
Address or name of remote host []? 192.168.100.200
Destination filename [192.168.100.200]? asa802-k8.bin
Writing file ftp://192.168.100.200/asa802-k8.bin...
2.2 Delete the old IOS file after the backup is done
ciscoasa# delete ?
/noconfirm Do not prompt for confirmation
/recursive Recursive delete
disk0: File to be deleted
flash: File to be deleted
ciscoasa# delete disk0:asa802-k8.bin
Delete filename [asa802-k8.bin]?
Delete disk0:/asa802-k8.bin? [confirm]
!
interface Ethernet0/1
switchport access vlan 3
!
interface Vlan2
nameif outside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan3
nameif inside
security-level 0
ip address 192.168.50.1 255.255.255.0
!
ftp mode passive
access-list 100 extended permit ip 192.168.50.0 255.255.255.0
192.168.200.0 255.255.255.0
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-group 101 in interface outside
access-group 100 out interface outside
access-group 101 in interface inside
access-group 101 out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.2 1
crypto ipsec ikev1 transform-set 10 esp-des esp-sha-hmac
crypto map to-hill 10 match address 100
crypto map to-hill 10 set peer 192.168.100.2
crypto map to-hill 10 set ikev1 transform-set 10
crypto map to-hill interface outside
crypto isakmp identity address //Use IP address as identity
Note: the lab configurations in this section use DES/3DES, MD5 and DH group 2 as in the original; on production tunnels use AES, SHA-2 and a stronger DH group, with matching proposals configured on the Hillstone side.
4. ASA dynamic address, Hillstone static address (main mode): everything else is the same; only the ASA's isakmp identity needs to change:
crypto isakmp identity hostname
On the Hillstone device specify the peer type as dynamic and set the peer-id to the ASA's hostname.
5. ASA static address, Hillstone dynamic address (Hillstone is the initiator)
Configuration of ASA:
ASA Version 8.4(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.1 255.255.255.0
!
interface Vlan3
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
access-list ipsec extended permit ip 192.168.50.0 255.255.255.0
192.168.200.0 255.255.255.0
access-list 101 extended permit ip any any
access-group 101 out interface outside
access-group 101 out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.2 1
crypto ipsec ikev1 transform-set to-hill esp-des esp-sha-hmac
crypto dynamic-map to-x7180 10 set ikev1 transform-set to-hill
crypto map ipsec1 10 ipsec-isakmp dynamic to-x7180
crypto map ipsec1 interface outside
crypto isakmp identity hostname
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
tunnel-group x7180 type ipsec-l2l // x7180 is the peer-id; this form is only for aggressive mode
tunnel-group x7180 ipsec-attributes
ikev1 pre-shared-key ***** // fill in the shared key
Trouble one: establishing an IPsec VPN with a Cisco device; ISAKMP negotiation succeeds but IPsec negotiation is abnormal.
The Cisco is deployed behind a NAT device with one-to-one address mapping; the Hillstone device connects to the internet with a public address. Because the Cisco device has to traverse NAT, it uses aggressive mode and sets an FQDN as its identity. Below is the Cisco configuration:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key hillstone123 address 10.86.11.2
crypto isakmp nat keepalive 60 // optional; the NAT-T
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto map to-hill
Case one:
IPsec SA negotiation fails. Hillstone debug shows the first packet received in phase two, but no response comes from the opposite end and we keep retransmitting afterwards.
From the complete Hillstone debug:
2014-04-28 20:42:30, DEBUG@VPN: [118.140.3.55]: phase 1 (aggressive mode):
Case two:
According to the customer, if the Hillstone device is replaced with a Cisco device the negotiation succeeds regardless of whether the IOS is old or new.
Packet captures of the new IOS show that it also sends the old version when sending the new one, so the new and old IOS are compatible with each other.
With Huawei
Capturing the ISAKMP packets from the Huawei shows that the Huawei uses IKEv2:
IPsec FAQ
2. Why is forwarding dropped after OSPF establishes a neighbor relationship and learns routes through the IPsec VPN?
A: Usually the tunnel was bound to the tunnel interface without a gateway specified. Routes learned by OSPF and installed in the routing table include gateway information, so for this application the gateway address must be specified as the opposite end's tunnel interface address when binding the tunnel.
3. Can a Hillstone device establish a redundant VPN with another vendor's device?
A: Not with VPN track, but redundancy can be achieved with the OSPF routing protocol.
4. Headquarters has two exits and the branch has one; can a redundant VPN be achieved with VPN track?
A: Yes, but the branch must initiate the connection, reverse routing must be disabled on both headquarters exits, and the redundant VPN must be configured.
5. Why is the tunnel connected but the VPN track status dead?
A: Check whether the VPN track destination address is the tunnel interface and whether "manage ping" is enabled on it.
If "vpn track dst-ip" is not configured, or "dst-ip" is the public address of the opposite end, the local side encrypts the ICMP packet and sends it through the tunnel; when the opposite end finds that the destination is its tunnel egress interface it replies through the tunnel, so whether "manage ping" is enabled on the interface does not affect the monitoring status.
If "vpn track dst-ip" is configured as the opposite tunnel interface, the opposite end runs data-plane processing after decrypting the ICMP packet, and if "manage ping" is not enabled on the tunnel interface it will not answer the track packet.
6. What do "accept-all-peer-id" in phase one and "accept-all-proxy-id" in phase two do?
A: "accept-all-peer-id" finds a usergroup rmconf that does not require AAA verification; it only works with usergroups.
7. Can a Hillstone device establish GRE over IPsec with Fortinet or other vendors?
A: Yes. Enter "ip ospf network point-to-point" on the tunnel interface.
Troubleshooting
and no data
8. The system warns "tunnel id (0) invalid" when a packet needs to be sent encrypted, or warns "flow1's tunnel id find by route is not the same
9. The system warns "Dropped: Route to x.x.x.x out interface zone is not the same with tunnel's." when a packet needs to be sent encrypted.
Reason: the security zone of the selected egress interface differs from that of the ISAKMP peer's data packet.
established
Analysis: with a default route, the egress interface of the VPN negotiation packet follows the "show fib kernel" lookup result, and its source address is the address of the "out-going interface" in the VPN configuration; the egress interface of the tunnel session is selected by hashing over the default routes. (Since StoneOS 5.0R3P4 the egress interface is the same as the configured "out-going interface".)
Also, ISP routes are not distributed by the kernel, while the DP holds all routes. So the IKE negotiation packet will not match the ISP route, but the tunnel session's egress interface in the DP will.
Troubleshoot accordingly:
1. Add a static /32 route to the opposite end's address so that the negotiation packet is sent out the specified port.
2. If the opposite end has a dynamic address, ask the other side to initiate the
1. Client warning: "error 789: the connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer".
Reason: the IPsec service of Windows is not enabled.
Solution: open Control Panel -> Administrative Tools -> Services and start the IPsec Policy Agent service.
2. Windows 7 dial-in: the IPsec tunnel is established correctly, but the PC does not initiate the L2TP negotiation.
Open the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent, click PolicyAgent, create a new "DWORD (32-bit) Value" in the right pane, rename it "AssumeUDPEncapsulationContextOnSendRule" (the name is case sensitive), set the value to decimal 2, confirm and reboot the PC.
Note:
1. In the "Value data" box type one of the following values:
0 Windows cannot establish security associations with servers located behind a network address translator (the default).
1 Windows can establish security associations with servers located behind a network address translator.
2 Windows can establish security associations when both the server and the Windows XP SP2-based client are located behind a network address translator.
Case four: the PnP VPN client cannot dial in; the server-side debug says "but
The client-side debug shows that the first packet has already been sent, and the server side also received the first packet from the opposite end, but the server debug shows:
2013-10-22 19:10:23, DEBUG@VPN: [192.168.100.1]: phase 1 (aggressive mode):
remote supports DPD
2013-10-22 19:10:23, DEBUG@VPN: [192.168.100.1]: phase 1 (aggressive mode):
remote is a smart vpn client
2013-10-22 19:10:23, DEBUG@VPN: [192.168.100.1]: but user config is null
Check the VPN configuration of the server carefully:
Accept-all-peer-id: enabled
The server has "Accept-all-peer-id" configured. PnP VPN must check the user's ID information (the pre-shared key is generated from the user ID), which conflicts with a setting that skips checking the user's AAA information; delete this setting and the function works again.
reconnects once the timeout of a phase expires. Check the log of the reconnections: if the interval is almost the same as the timeout of the two phases, it should be this problem.
SCVPN
Configuration
to the internal network
The key is to make the SCVPN client connect automatically when the PC starts.
Configuration steps:
1. Log in to the PC, then install and log in to SCVPN as usual.
2. Enable "auto login" in the SCVPN client and record the user ID and password used for auto login.
3. To perform the auto login when the PC starts, make the following settings: open Control Panel > Administrative Tools > System Configuration
L2TP
Troubleshooting
cannot log in
Trouble:
After dialing in to the L2TP VPN, the mail server 10.8.0.140 is reachable and mail can be received as usual, but mail cannot be sent; the warning mentions "Authentication Request". Sending mail from the internal network works.
Analysis:
After dialing in to the L2TP VPN, ping to 10.8.0.140 and telnet to its ports 110 and 25 succeed, so network connectivity is fine and the problem should be at the application layer. We checked the device configuration: there is no IPS or application behavior control configured, so SMTP cannot be affected by them. Device debug also shows the packets are handled without any problem, so we suspected the server or an intermediate device.
Because the warning concerned authentication, we asked the customer to confirm whether the server restricts by network segment. The customer confirmed that both the L2TP address pool and the firewall's internal interface address are allowed to access the mail server.
Since the configuration is L2TP over IPsec, the captured packets are encrypted, so we tested through a port mapping instead and found that the behavior is the same through the mapping as through L2TP. Below are captures of access to the server from the external network and from the internal network:
External network (through the mapping) capture:
The server replies "Syntax error" when accessed from the external network, but when accessed from the internal network authentication passes and sending works. The reply to the three-way handshake comes from the server itself and has nothing to do with the firewall, so we suspected that some other intermediate device on the path modifies SMTP protocol packets and corrupts the reply.
After talking with the customer we found there is a PIX device in the network, and the internal-network path does not pass through the PIX. We suggested bypassing the PIX for a test; the customer reported that with the PIX bypassed the reply is fine and sending and receiving mail both work. So we confirmed that the root cause is the PIX. (A PIX with SMTP fixup enabled, the "Mailguard" feature, only passes the basic SMTP commands and rejects extended commands with a syntax error, which matches this symptom; disabling the SMTP fixup on the PIX is the usual remedy.)
Solution:
The root cause is the PIX device; nothing is wrong with the Hillstone firewall.
Analysis:
The customer said only Android phones cannot access; after investigation the situation is:
With an iPhone, web pages through the Hillstone device are reachable over 3G or Wi-Fi; with an Android phone they are not.
Since only Android users are affected, we suspected that the root cause lies in the negotiation between the Android phone and the customer's device.
Debugging access to the web server 192.168.0.4 shows the server's reply packets and no drops, so the network between the Android phone and the Hillstone device is fine; the problem is probably a checksum value or something in the protocol above the transport layer.
Because the phone cannot capture packets, we connected a wireless router to the firewall, connected the phone to the router's wireless network, and captured with port mirroring. We found that the UDP checksum was already absent before the traffic reached the phone, and no intermediate device had been touched, so the checksum was ruled out as the root cause.
Finally we reduced the firewall's TCP MSS value for the VPN to 1300, and the Android phone passed the test, which confirmed the MSS value as the root cause. Problem solved.
Chapter 8 AV
Troubleshooting
Because we cannot edit the malicious website library, we can only avoid it by policy. The solution is as follows:
1. Create two AV profiles, test1 and test2. For test1, do not enable the malicious website library, select the HTTP type and log only; for test2, enable the malicious website library, select the HTTP type and set the action to reconnect.
2. Create a new policy whose destination address is the domain name of the website, service any, action permit, and select profile test1.
3. Bind test2 to the untrust security zone.
Traffic could match the AV profiles of both the policy and the security zone at the same time, but the priority of the policy avoids the problem.
1. For detection of FTP in active mode, the profile has to be bound to the policy.
2. For the IMAP4 and POP3 protocols, the mail service provider usually scans and removes viruses from attachments first, so sometimes we cannot detect any virus in the email that has been delivered locally.
1. If it is online updating, which means the device got a response from the server but the received signature library is not correct, it is usually a problem with the update server.
2. If it is offline updating, which means the imported file is not correct, please check whether the file format is correct.
Troubleshooting and Debug Guide |TAC
Chapter 9 IPS
FAQ
1. If an IPS profile is configured and bound to a policy, but "active" in the intrusion prevention global configuration is not checked, will the traffic go through the IPS module processing?
A: The device will parse the protocol traffic selected in the IPS profile, but will not match it against IPS signatures or apply any IPS control. It still consumes device performance because the protocol packets need to be parsed.
Test:
Troubleshooting
Case one. The attack ID shows up in the log, but cannot be found in
The feature ID consists of two parts: the protocol ID (the first one or two digits) and the attack feature ID (the last five digits). For example, in ID "600120", "6" means the Telnet protocol and "00120" is the attack feature ID. If the attack feature ID is larger than 60000 it is an anomaly detection; if it is less than 60000 it is a normal attack signature; please refer to the configuration manual for details. Some attack IDs appear in the IPS log but cannot be found in the signature list; the reason is that the last five digits of the ID are larger than 60000, so the event was detected by the protocol legality check rather than by a signature.
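The ID layout described above, decoded in code. This is an added example and not Hillstone's own tooling; the only protocol-ID mapping it knows is the one the page gives (6 = Telnet), the 60000 threshold is the one stated above, and "660001" is a constructed ID used to show the anomaly case.

```python
"""Decode Hillstone IPS attack IDs as described above (added example, not
Hillstone's own code): the last five digits are the attack feature ID and the
leading digit(s) are the protocol ID. Feature IDs above 60000 are protocol
legality (anomaly) detections, which do not appear in the signature list."""

# Only the mapping given on the page is included; other protocol IDs are
# reported as "unknown" rather than guessed.
PROTOCOL_NAMES = {6: "Telnet"}

ANOMALY_THRESHOLD = 60000  # from the page: feature ID > 60000 => anomaly


def parse_ips_id(attack_id):
    """Split an IPS attack ID into (protocol_id, feature_id, category, protocol_name)."""
    s = str(attack_id).strip()
    if not s.isdigit() or len(s) < 6:
        raise ValueError(f"malformed IPS attack ID: {attack_id!r}")
    protocol_id = int(s[:-5])   # leading one or two digits
    feature_id = int(s[-5:])    # last five digits
    category = "anomaly" if feature_id > ANOMALY_THRESHOLD else "signature"
    return protocol_id, feature_id, category, PROTOCOL_NAMES.get(protocol_id, "unknown")


def explain_log_ids(attack_ids):
    """For each ID from an IPS log, say whether it can be found in the signature list."""
    result = {}
    for aid in attack_ids:
        proto, feat, cat, name = parse_ips_id(aid)
        result[str(aid)] = {
            "protocol_id": proto,
            "protocol": name,
            "feature_id": feat,
            "category": cat,
            "in_signature_list": cat == "signature",
        }
    return result


if __name__ == "__main__":
    # "600120" is the page's example; "660001" is a constructed anomaly-range ID.
    for aid, info in explain_log_ids(["600120", "660001"]).items():
        print(aid, info)
```

Run it over the IDs copied from "show log ips" (or the WebUI log export) and any entry reported as `in_signature_list: False` is a protocol legality detection, which explains why it is absent from the signature list.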
Chapter 10 AD
Configuration
4. This function only works as an assistant against ARP attacks and needs to be combined with other ARP protection functions.
Troubleshooting
1. Problem
Assume the device has two egress interfaces belonging to the security zones untrust and untrust2, both with reverse routing disabled. If the device has a default route configured for one interface, data arriving from interface 2 will not be received.
2. Solution
In the attack defense function, disable IP snoop detection for the untrust2 security zone.
Troubleshooting
Case one. IP-MAC binding is enabled but an unbound PC can still access the network
Chapter 12 QOS
Troubleshooting
Check whether the configured interface bandwidth is the same as the real bandwidth provided by the ISP.
1. Check when the IP exceeds the speed limit; if it only happens momentarily, that is fine.
2. Check whether flexible QoS is enabled.
3. Check whether the IP is in the QoS white list.
4. Execute "show qos interface ethXX | in x.x.x.x" to check whether there is a line for this IP; usually it should have one line in the upper direction and one in the lower direction (or use "show qos-statistic", whose output is listed by line ID, so we can check the QoS line bound with the zone), for example:
SG-6000# show qos interface ethernet0/0 | include 192.168.1.218
Match IP: 192.168.1.218, IPqueue id 843
Match IP: 192.168.1.218, IPqueue id 830
Two lines: one is input, the other is output.
5. If the policy is bound to a zone, check whether the IP also has a QoS policy bound to the interface; in that situation the QoS policy bound to the interface has higher priority.
6. Check whether the device has multiple public network egress interfaces, but the IP has
If the egress interface is bound with a QoS profile, its performance will be lower than that of the ingress interface, which means the QoS of the input interface consumes more CPU than that of the output interface.
For instance, if cpu5 is bound with the input QoS profile and cpu6 with the QoS profile of the output interface, CPU5 consumes more utilization than CPU6.
We can manually assign the QoS profile of the input interface and that of the output interface to two CPUs in balance, and then the performance will be balanced.
Configuration Example:
SG-6000(config)# interface ethernet1/11
SG-6000(config-if-eth1/11)# qos-card-binding input qcpu
qcpu5/0 Name of qos card
qcpu6/0 Name of qos card
SG-6000# show qos-card-binding
interface type qos card status flag
ethernet1/1 ingress qcpu5/0 active A
ethernet1/1 egress qcpu6/0 active A
FAQ
1. Should the session limit policy select the source security zone or the destination zone?
A: If the IP limit setting is "per-srcip", we need to select the source security zone; if the setting is "per-dstip", we need to select the destination security zone; in other situations, either the source security zone or the destination zone is fine.
Configuration
Case one. The number of sessions is still large even after the session limit is configured
Only new sessions match the policy after the session limit is configured; we can clear the sessions before testing.
Chapter 14 AAA
scenarios
Scenario 1:
Admin is “administrator”, and all users in the root directory need to be synced:
Base dn:dc=hstest,dc=net
Login dn:cn=administrator,cn=users,dc=hstest,dc=net
Scenario 2:
Admin is "William", the position of the admin is shown above, and all users in the root directory need to be synced:
Base dn:dc=hstest,dc=net
Login dn:cn=William,ou=tac,dc=hstest,dc=net
Scenario 3:
The structure is showing above, and only users in the OU “tac” need to be synced:
Base dn:ou=tac,dc=hstest,dc=net
Login dn:cn=administrator,cn=users,dc=hstest,dc=net
agent
Solution: Create three AD server instances in the firewall, one for each AD server, and install the AD agent on each AD server.
1. For StoneOS 5.0, it is OK to import the user-password list from a backup file, or export the list to a backup file.
2. There is an import/export button in the WebUI for StoneOS 5.0, but for the import job you also need to create the users before importing.
3. But in the CLI there is a command that lets you import the user binding list
2008
Check the role Active Directory Domain Services, click Next and install:
After the installation, run dcpromo.exe to deploy the new domain controller.
After deploying the DC, open Server Manager again to add the role "Network Policy and Access Services":
B. NPS configuration
Open the NPS console:
C. Configuration on StoneOS
Add a RADIUS server in the AAA server configuration page:
After this configuration, you should be able to use the user database of the Windows 2008 Server for authentication in SCVPN and Webauth.
Troubleshooting
3. Check the configuration of the login-dn. You would get an error when debugging the AAA module with this mistake:
4. Check the password of the login-dn. You would get an error when debugging the AAA module with this mistake:
DEBUG@AAA: searcher of ad bind failed
The reason for this issue is that there is usually a query limit on the AD server. The default number of users returned for one query is 1000. To fix this issue, you need to modify the value on the AD server. Follow these steps:
1) Click "Start" > "Run", input the command "ntdsutil" and press Enter
2) Input "ldap policies" and press Enter
3) Input "connections" and press Enter
4) Input "connect to domain domain_name" and press Enter
5) After connecting to the domain successfully, input "quit" and press Enter
6) Input "show value" to get the current limit value
7) Input "set maxpagesize to 5000" to set the value to 5000 (this value should be set according to the actual case)
8) Input "commit changes" to save the modification
9) Input "quit" to quit
Each entry of the directory has the same structure: attribute-value pairs. "objectClass" is the most important attribute; it is used to define the basic category. Once the category is confirmed, the other necessary attributes can be confirmed too. In the image shown above, the entry has an objectClass named "person". According to the LDAP v3 protocol, an entry with objectClass "person" requires the attributes "cn" and "userPassword", and you could use these two values for authentication. If you need to use the LDAP server with the firewall, you could use the attribute "cn" as the Naming Attribute on the firewall.
For group information syncing, in this case you could use "member" as the Member Attribute and "groupOfNames" as the Group Class, according to the image shown above.
When deploying SCVPN, L2TP VPN or Webauth you need an authentication server, and the local AAA server is the most commonly used one. But when running the "show auth-user" command in the CLI, sometimes the group information is missing.
The reason is that the system ignores this information by default to save hardware resources. You could enable displaying this information by creating a policy that invokes the local AAA server.
Case 5. The system prompts that it failed to connect to the VPN server
By checking the debug log, we can confirm that the configuration is OK and the user has been synced.
2013-12-10 17:06:18, DEBUG@AAA: response for auth_req (ID:77057, User 9102) fail
After confirming with the customer, it seems that the server had been upgraded from Windows 2003 to Windows 2008, and the users were created on Windows 2003. There may be some difference in the password storage method between Windows 2003 and Windows 2008. After resetting the users' passwords, the issue was fixed.
Chapter 15 HA
FAQ
SSM/IOM.
Troubleshooting
type=2, seqno=5196
There are two HA license streams shown in hexadecimal in the debug info. Translate them to binary first, which gives 1101011110 and 1111011110, so we can tell that the third bit is different. According to the offset table shown below, we can confirm that this case is caused by a different configuration of Policy_mode Enable.
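The comparison above, done in code. This is an added example, not Hillstone's own tooling: the hex inputs 0x35e and 0x3de are constructed so that they expand to the page's binary values 1101011110 and 1111011110, bit positions are counted from the left as the page does, and the offset table is not on the page, so the only entry included is the one the page states (bit 3 = Policy_mode Enable).

```python
"""Compare two HA license streams the way the case above does (added example,
not Hillstone's own code): expand the hexadecimal values from the debug output
to binary and report which bit positions differ, counted from the left (most
significant bit first). Only the offset-table entry stated on the page is
known; other positions are reported as "unknown offset"."""

# Partial offset table: bit 3 is the only entry the page gives.
KNOWN_OFFSETS = {3: "Policy_mode Enable"}


def to_bits(hex_stream, width=None):
    """Hex string (with or without a 0x prefix) -> binary string, zero-padded to width."""
    value = int(hex_stream, 16)
    if width is None:
        width = max(value.bit_length(), 1)
    return format(value, f"0{width}b")


def license_stream_diff(hex_a, hex_b):
    """Return (bits_a, bits_b, [1-based positions from the left that differ])."""
    width = max(int(hex_a, 16).bit_length(), int(hex_b, 16).bit_length(), 1)
    bits_a, bits_b = to_bits(hex_a, width), to_bits(hex_b, width)
    diffs = [i + 1 for i, (x, y) in enumerate(zip(bits_a, bits_b)) if x != y]
    return bits_a, bits_b, diffs


def explain_diff(hex_a, hex_b):
    """Map each differing bit position to the feature name the offset table gives it."""
    _, _, diffs = license_stream_diff(hex_a, hex_b)
    return {pos: KNOWN_OFFSETS.get(pos, "unknown offset") for pos in diffs}


if __name__ == "__main__":
    # Constructed values: 0x35e = 1101011110, 0x3de = 1111011110 (the page's binaries).
    master, backup = "0x35e", "0x3de"
    bits_m, bits_b, positions = license_stream_diff(master, backup)
    print(bits_m, bits_b, positions, explain_diff(master, backup))
```

Both streams are padded to the same width before comparison, so a leading zero in one device's stream still counts as a differing bit rather than shifting all the positions.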
Case 2. The switchover doesn't happen after unplugging the tracking cable
The devices take a long time to perform the cold synchronization, and no switchover happens during this process.
Case 5. Some of the ALG traffic which has been blocked by the policy
1. Run "show session" to verify that the ALG traffic has been identified correctly
2. Run "show ha cluster" to verify that both devices are working in asymmetric routing mode
3. Run "show ha traffic" to verify that the HA traffic function has been enabled on both devices
mode
This issue is a flaw of the asymmetric routing mode. After the device reloads, even if the device's status is master, the device may not have finished learning the routing information (routing mode) or the ARP information (switch mode), so all packets are dropped during this time. For routing mode, running the command "direct-send default-nexthop x.x.x.x" can fix this issue.
Case 9. When using LACP with HA, the slave device can't be managed
When using an aggregate interface with LACP in an HA cluster, it turns out that we can't log in to or ping the management IP of the slave interface, and we can't get the ARP information for the interface on the master device either.
The reason for this issue is that after enabling LACP there is LACP PDU negotiation between the interfaces, but the slave device does not send out any LACP PDU, so the negotiation fails.
Due to this reason, it's impossible to manage the device via the IP address of the aggregate interface.
Chapter 16 SNMP
Troubleshooting
Case 1. Actually there are lots of users online, but the SNMP tool gets a
(.1.3.6.1.4.1.28557.2.3.1.1)
Case 2. The traffic shown in the SNMP tools has a great difference
For the SNMP tools there are two nodes of the public MIB for reading the traffic:
mgmt : mib-2 : ifMIB : ifMIBObjects : ifXTable : ifXEntry : ifHCOutOctets ; OID: 1.3.6.1.2.1.31.1.1.1.10.X
These two values correspond to the "OutGoodOctets" value of the command "show controller slot x port x statistics".
It would provide the same value as OID 1.3.6.1.2.1.31.1.1.1.10.X, but only for 100Mbps interfaces and 1Gbps interfaces.
function
Chapter 17 LLB
1. The maximum number of routing entries created in outbound is 4096, and the rate is 256/s.
2. The maximum number of inbound rule table entries is 64 for each domain name.
3. The maximum number of inbound rule table entries is 16 for each ISP address book entry or each inbound interface.
4. If the inbound traffic cannot match any rule table entry, only 16 addresses are returned.
Chapter 18 WEBAUTH
Troubleshooting
There are two modes of IE in Windows: the normal mode and the metro mode. In metro mode, when you minimize the IE window, the heartbeat packet cannot be sent out, which causes the drop-out. Use the normal mode of IE to avoid this issue.
Chapter 19 License
FAQ
The system has been used for 329220 minutes (about 228 days) under the trial license
Q: How does the license affect the sessions of the firewall?
A:
1) For the platform license and the platform trial license, no effect.
2) For the session license, it can expand the maximum number of concurrent sessions of the firewall.
3) For AV, IPS and URLDB, they make the firewall cut off half of the maximum sessions.
Q: What happens if a formal license is installed on a device with a trial license installed?
A: The formal license replaces the trial license and takes effect, and the time of the trial is not counted again.
Q: A device with a formal license installed and a device with a trial license installed, could they form an HA cluster?
A: Yes.
Q: A device with a feature trial license installed and a device without a feature trial license installed, could they form an HA cluster?
A: Yes, but an alarm is generated:
Alarm CRIT@FLOW: The licenses of the two HA devices are different in NBC license, NBC enable
Q: Could the user only buy the IPS and AV licenses when the formal platform license has expired?
A: Yes. But the platform license also controls the upgrade of the AV/IPS engine, so we suggest the customer also update the platform license.
Chapter 20 Log
If the attack lasts more than 30 seconds, the log is generated every 30 seconds.
4. UDP flood: entry is not available: DROP!
The table used for handling the UDP flood has overflowed; this condition usually happens when the UDP flood is very serious.
For StoneOS 5.0R2, 5.0R3 and above, and HAS 1.0 R2 and above, the NAT, IM and URL logs support binary format.
CLI:
SG-6000(config)# logging traffic to syslog
<cr>
A(config-url-profile)# web-surfing-record
http://pos.baidu.com/ecom?di=u792078&tm=BAIDU_CPRO_SETJSONADSLOT&fn=BAIDU_CPRO_SETJSONADSLOT&baidu_id=, url-
Method 2(cli)
A(config)# url-profile url-f1
A(config-url-profile)# web-surfing-record
A(config-url-profile)# exit
A(config)# rule id 1
Verification
A(config)# show log nbc
192.168.50.200:4000(10.88.16.163:4000)->119.147.45.109:8000(119.147.45.10
Then configure a syslog server and send the logs to it. Don't forget to keep the log format binary.
In StoneOS 5.0 and above, we added the reason for the end of a session.
Log        Explanation        Comment
Ageout     Timeout
Clear      Clear session
Block      Blocked            Blocked by application identification
Redirect   Redirected
TCP-FIN    TCP FIN packet
TCP-RST    TCP reset packet
Chapter 21 IPv6
1. Snat configuration:
id5 IPv6-any IPv6-any vswitchif1 10.88.16.163 Dyn-Pt
2. Dnat:
400-GuanWu(config)# show dnat
------------------------------------------------------------------------------
vr name:trust-vr
==============================================================================
id   from   to             service   translate to    port   slb
------------------------------------------------------------------------------
1 Any 10.88.16.163 HTTP 192.168.188.2
2 s-v61 d-v6 v4-mapped enabled
log enabled
Member count: 1
Members:
2005::/64
Total IPv6 count: more than 2^32
IPv6 subnet in this entry: 1
2005::/64
The address book used in the dns64 configuration is the IPv6 prefix used in forwarding.
3. DNS64 configuration
ip dns-proxy domain any name-server 10.88.7.10 vrouter trust-vr
ipv6 dns64-proxy id 1 prefix 2005::/64 source IPv6-any trans-mapped-ip Any
4. Policy
E 10 IPv6-any IPv6-any Any PERMIT
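To see what the dns64-proxy prefix 2005::/64 above does to an IPv4 answer, here is the synthesis and the reverse extraction worked in code. This is an added example, not StoneOS code: it follows the RFC 6052 embedding rules (IPv4 bits placed after the prefix, skipping the reserved "u" octet at bits 64-71), which is an assumption about how StoneOS lays out the address; the prefix and the server address 192.168.188.2 come from the page, and 64:ff9b::/96 is the well-known prefix from RFC 6052. It also goes beyond the page's /64 case by handling every prefix length RFC 6052 allows.

```python
"""DNS64/NAT64 address synthesis and extraction per RFC 6052 (added example,
not StoneOS code). The IPv4 address is embedded right after the prefix; for
prefixes shorter than /96 the octet at bits 64-71 ("u") is reserved and must
be zero, so the IPv4 bits are split around it."""
import ipaddress

VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize(prefix, ipv4):
    """Embed an IPv4 address in a DNS64 prefix (RFC 6052 section 2.2)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    v4 = ipaddress.IPv4Address(ipv4)
    plen = net.prefixlen
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported DNS64 prefix length /{plen}")
    pbits = format(int(net.network_address), "0128b")[:plen]
    v4bits = format(int(v4), "032b")
    if plen == 96:
        bits = pbits + v4bits
    else:
        before_u = 64 - plen                      # IPv4 bits that fit before bit 64
        bits = pbits + v4bits[:before_u] + "0" * 8 + v4bits[before_u:]
    return ipaddress.IPv6Address(int(bits.ljust(128, "0"), 2))


def extract(prefix, ipv6):
    """Inverse of synthesize: recover the embedded IPv4 address, or None if not in the prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    plen = net.prefixlen
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported DNS64 prefix length /{plen}")
    bits = format(int(addr), "0128b")
    if plen == 96:
        v4bits = bits[96:128]
    else:
        before_u = 64 - plen
        v4bits = bits[plen:64] + bits[72:72 + 32 - before_u]
    return ipaddress.IPv4Address(int(v4bits, 2))


if __name__ == "__main__":
    # Page values: prefix 2005::/64, DNAT server 10.88.16.163 -> 192.168.188.2
    synthesized = synthesize("2005::/64", "192.168.188.2")
    print(synthesized, "->", extract("2005::/64", synthesized))
```

The synthesized address is what an IPv6-only client receives from the DNS64 proxy in place of the A record; the firewall's forwarding path then needs the same prefix (the address book referenced above) to map the destination back to IPv4, which is what `extract` does here.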
A. WebUI:
Refer to the image below: click the "System" tab, menu "Configuration File Management", check the box before the "Startup" configuration file, and then click the "Export" button. The web browser pops up a download dialog to let you download the configuration file; just save the file to your local disk.
B. CLI:
To save the configuration files to your computer via the CLI, you need to set up an FTP or TFTP server first. Then use the command "export configuration startup to tftp/ftp server server_address" in execution mode.
If you plan to perform the upgrade via WebUI, or using a USB drive via CLI, there is no need to set up an upgrade server. But if you plan to perform the upgrade via sysloader, or using an FTP/TFTP server via CLI, then you need to set up an FTP/TFTP server before the upgrade. There is a lot of server software you could use; choose your favorite and install it following the instructions provided by the developer.
A. WebUI
Refer to the image below: click the "System" tab, menu "Upgrade Management", tab "Upgrade Firmware", then click the "Browse" button and locate the firmware file you have downloaded to upload it to the device. Check the box "Reboot to make the new firmware take effect" and click the "Apply" button, then just wait for the system to upload the new firmware file and reboot. After the reboot completes, the system runs with the new firmware. You could go to the same place shown below and check the "Current Version" to verify the upgrade.
mode to start the upgrade. Sometimes after plugging in the USB drive, the system does not identify the drive, because the system does not have hardware support for this particular USB drive. In this case you need to change to another USB drive or try to perform the upgrade with another method. After the system finishes uploading the firmware file, reboot the device to finish the upgrade. You could use the command "show version" to verify the upgrade.
D. Sysloader
In some extreme cases you may not be able to log in to the device via the address of the device's interface; then you need to perform the upgrade using sysloader. You need to prepare an RS232 console cable to connect to the console port of the device to use sysloader. Power off the device first, connect the device with the console cable and open the terminal client, then power on the device; you may see the following output.
When you see the output "Press ESC to stop autoboot: countdown_time", press the ESC key within 5 seconds. Then you can launch the sysloader. As you can see in the picture above, you can upload firmware to the device via several methods: TFTP/FTP/USB drive.
Option 3, using a USB drive, is similar to the method we mentioned before for using a USB drive in the CLI: type the number 3 and choose the filename.
But using the first two methods is a little different from using TFTP/FTP in the CLI. Because in sysloader the device has not loaded the configuration file from flash, there is no IP address configured for the interfaces; you need to configure a temporary IP address for interface e0/0 so that the device can communicate with the server, and certainly the server needs to be configured with an IP address in the same subnet as the device's interface e0/0.
After the upload, type "6" to reboot the device, and after that the upgrade is finished.
CLI
Use the command "no preempt" in HA configuration mode.
2. Shut down the HA interface and the service interfaces on the slave device, and then perform the normal firmware upgrade on it.
WEBUI
Click the "Network" tab, menu "Interface", choose the HA interface and edit it, and check the "shutdown" box in the "Advanced" tab. Then do the same with the service interfaces. Then follow the firmware upgrade procedure in WebUI mentioned before.
CLI
Use the command "shutdown" in interface configuration mode. Then follow the firmware upgrade procedure in the CLI mentioned before.
3. After successfully upgrading the slave device, shut down the HA interface and the service interfaces on the master device. There will be a traffic interruption after this action. Then enable the HA interface and the service interfaces on the slave device, so that the slave device takes over and continues forwarding traffic. After that, perform a normal firmware upgrade on the master device.
4. After successfully upgrading the master device, enable the HA interface and the service interfaces on the master device. Now everything should be OK. Enable the preempt configuration as needed.
Packet loss
1. extend interface
In some cases the firewall is working as a gateway and suddenly the network goes down and the device cannot be managed. This condition happened over and over again.
Some points of the failure:
1) The network is down.
2) The device cannot be managed. Even using a cable to connect the device directly with an admin host, they could not learn the ARP information from each other.
3) Access to the MGT interface is very slow too.
Diagnosis
1) Check the CPU, memory and packet buffer: all OK.
2) No ARP learned from the directly connected port, but the ARP table is OK. When running "debug arp", it turns out that there is no ARP response sent from the device.
show controller slot 0 port 2 statistic
ethernet0/2, physical port 4:
InGoodOctets: 309385 InBadOctets: 0
InGoodPkts: 3451 InBadPkts: 0
InUnicastPkts: 0 InBroadcastPkts: 3451
InMulticastPkts: 0 InControlPkts: 0
InUndersizePkts: 0 InOversizePkts: 0
InFragments: 0 InJabbers: 0
InMACRcvErrors: 0 InCRCAlignErrors: 0
DropEvents: 3451
OutGoodOctets: 0 OutGoodPkts: 0
OutUnicastPkts: 0 OutBroadcastPkts: 0
OutMulticastPkts: 0 OutControlPkts: 0
Collisions: 0 OutDropDeferrals: 0
SingleCollisions: 0 MultipleCollisions: 0
ExcessiveCollisions: 0 LateCollisions: 0
Pkts64Octets: 1435 Pkts65to127Octets: 1957
Pkts128to255Octets: 2 Pkts256to511Octets: 2
Pkts512to1023Octets: 55 Pkts1024toMaxOctets: 0
We can see that there are only packets in the IN direction and no packets in the OUT direction, so we can tell that something is wrong with the communication between the CPU and the switch chip; it is a hardware issue.
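The check made in this case, turned into code that can be run over saved "show controller" output. This is an added example, not a StoneOS tool: the sample output embedded below is the one from the case above, the counter names are taken from it, and the two extra consistency checks (drops versus received packets, and the packet-size histogram versus the good-packet counters) are this example's additions.

```python
"""Parse "show controller slot x port x statistic" output and apply the
reasoning of the case above: ingress counters rising while every egress
counter stays at zero points at the path between the CPU and the switch chip
rather than at the link. Added example, not a StoneOS tool; SAMPLE is the
output shown on the page."""
import re

SAMPLE = """\
ethernet0/2, physical port 4:
InGoodOctets: 309385 InBadOctets: 0
InGoodPkts: 3451 InBadPkts: 0
InUnicastPkts: 0 InBroadcastPkts: 3451
InMulticastPkts: 0 InControlPkts: 0
InUndersizePkts: 0 InOversizePkts: 0
InFragments: 0 InJabbers: 0
InMACRcvErrors: 0 InCRCAlignErrors: 0
DropEvents: 3451
OutGoodOctets: 0 OutGoodPkts: 0
OutUnicastPkts: 0 OutBroadcastPkts: 0
OutMulticastPkts: 0 OutControlPkts: 0
Collisions: 0 OutDropDeferrals: 0
SingleCollisions: 0 MultipleCollisions: 0
ExcessiveCollisions: 0 LateCollisions: 0
Pkts64Octets: 1435 Pkts65to127Octets: 1957
Pkts128to255Octets: 2 Pkts256to511Octets: 2
Pkts512to1023Octets: 55 Pkts1024toMaxOctets: 0
"""

# "Name: 123" pairs; the header line ("ethernet0/2, physical port 4:") has no
# letter-led name directly followed by a colon and a number, so it is skipped.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*):\s*(\d+)")

HISTOGRAM = ("Pkts64Octets", "Pkts65to127Octets", "Pkts128to255Octets",
             "Pkts256to511Octets", "Pkts512to1023Octets", "Pkts1024toMaxOctets")


def parse_port_stats(text):
    """Return {counter_name: int} for every counter in the output."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name] = int(value)
    return counters


def diagnose(counters):
    """Apply the page's IN-only check plus two consistency checks; returns a list of findings."""
    findings = []
    rx = counters.get("InGoodPkts", 0)
    tx = counters.get("OutGoodPkts", 0)
    bad = counters.get("InBadPkts", 0)
    drops = counters.get("DropEvents", 0)
    if rx > 0 and tx == 0:
        findings.append("rx-only: ingress traffic but zero egress packets "
                        "(suspect the CPU-to-switch path, not the link)")
    if rx and drops >= rx:
        findings.append("all ingress packets dropped (DropEvents >= InGoodPkts)")
    if counters.get("InCRCAlignErrors", 0) or bad:
        findings.append("link-layer errors present (check cable or transceiver first)")
    hist = sum(counters.get(k, 0) for k in HISTOGRAM)
    if hist != rx + tx + bad:
        findings.append(f"size histogram ({hist}) does not match packet counters ({rx + tx + bad})")
    return findings


if __name__ == "__main__":
    stats = parse_port_stats(SAMPLE)
    for finding in diagnose(stats):
        print(finding)
```

On the page's output the result is two findings: the rx-only condition the case relies on, and the fact that DropEvents equals InGoodPkts, which says every received frame was discarded rather than merely unanswered. A healthy port produces an empty list.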
Case 1. Some websites open very slowly, and lots of images
Usually this issue is caused by a network problem between the PC and the server. For this case we try to analyze it from the Hillstone point of view.
Possible reasons:
1. Affected by PBR
Some HTTP-based applications are easily affected by PBR in a multiple-ISP environment.
2. Affected by QoS
3. Affected by session limit
4. Exhaustion of SNAT resources
Analysis of the PC
1. DNS issue
2. Transmission of TCP segments
For this case, we can eliminate the issues on the network. Check the logs of AV, IPS and NBC. Modify the MSS value to avoid big packets being dropped during the transmission.
The action for file uploading in HTTP is POST. Check the configuration in NBC.
Case 4. Access to the internal server from the Internet via DNAT is
Some ISPs block TCP port 80 for unregistered public IP addresses.
Chapter 24 Hardware
Show transceiver
Troubleshooting
Case 1. The module can't take effect after being plugged into the device (for non-SX platforms)
1. Unplug and re-plug the module after powering off the device.
5. Run "show module" to check the information and status of the module.
STA
  Green steady      Standby
  Green blinking    Being accessed
  Orange steady     Standby with fault
  Off               Unplugged
DSK (FEC-HD-160)
  Green steady      Working
  Off               No link or failed
LNK
ACT
  Yellow blinking   Transmitting data
  Off               Not transmitting
1. Platform requirement
The hard disk card can only be used on G2110, G2120, G3150, G5150, and
Chapter 25 X-series
FAQ
High temperature would cause a CPLD lockdown in the switch board. Method of recovery:
A: exec reset slotx
Troubleshooting
1. These four interfaces cannot communicate with other IOM ports.
2. These four interfaces cannot communicate with each other either.
3. These interfaces are used for HA or management.
1. One SCM, one SSM, one IOM, and one QSM if QoS is required.
2. You can't power on the device if you didn't install the SCM.
Chapter 26 Wireless
FAQ
1. Which devices support WiFi and 3G?
A: E1100W, E1100WG3, E1100G3.
2. Which firmware versions support WiFi and 3G?
A: SG6000-M-3-5.0R4P2.8.bin and above.
3. Which 3G modules does the device support?
A: StoneOS supports internal and external 3G modules.
3.1 Internal 3G module
So far there are CDMA2000 and WCDMA modules installed in Hillstone devices. You can find the instructions on the device label.
3.2 External 3G module