troubleshooting - security(v800r002c01_01)
Post on 02-Jun-2018
8/11/2019 Troubleshooting - Security(V800R002C01_01)
1/37
HUAWEI NetEngine5000E Core Router
V800R002C01
Troubleshooting - Security
Issue 01
Date 2011-10-15
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2011-10-15) Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
i
Symbol      Description
CAUTION     Alerts you to a potentially hazardous situation that could, if not avoided, result in equipment damage, data loss, performance deterioration, or unanticipated results.
TIP         Provides a tip that may help you solve a problem or save time.
NOTE        Provides additional information to emphasize or supplement important points in the main text.
Command Conventions (Optional)
The command conventions that may be found in this document are defined as follows.
Convention        Description
Boldface          The keywords of a command line are in boldface.
Italic            Command arguments are in italics.
[ ]               Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }   Alternative items are grouped in braces and separated by vertical bars. Exactly one item must be selected.
[ x | y | ... ]   Optional items are grouped in brackets and separated by vertical bars. One item or no item is selected.
{ x | y | ... }*  Alternative items are grouped in braces and separated by vertical bars. A minimum of one item and a maximum of all items can be selected.
[ x | y | ... ]*  Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&                 The parameter before the & sign can be repeated 1 to n times.
#                 A line starting with the # sign is a comment.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Changes in Issue 01 (2011-10-15)
The initial commercial release.
Contents
About This Document
1 AAA and User Management Troubleshooting
1.1 Users Cannot Get Online
1.1.1 Common Causes
1.1.2 Troubleshooting Procedure
1.1.3 Relevant Alarms and Logs
1.2 User Fails to Authenticate through HWTACACS Server
1.2.1 Common Causes
1.2.2 Troubleshooting Flowchart
1.2.3 Troubleshooting Procedure
1.2.4 Relevant Alarms and Logs
1.3 User Fails to do Authorization through HWTACACS Server
1.3.1 Common Causes
1.3.2 Troubleshooting Flowchart
1.3.3 Troubleshooting Procedure
1.3.4 Relevant Alarms and Logs
1.4 User Fails to do Accounting through HWTACACS Server
1.4.1 Common Causes
1.4.2 Troubleshooting Flowchart
1.4.3 Troubleshooting Procedure
1.4.4 Relevant Alarms and Logs
1.5 User Fails to Authenticate through RADIUS Server
1.5.1 Common Causes
1.5.2 Troubleshooting Flowchart
1.5.3 Troubleshooting Procedure
1.5.4 Relevant Alarms and Logs
1.6 User Fails to do Accounting through RADIUS Server
1.6.1 Common Causes
1.6.2 Troubleshooting Flowchart
1.6.3 Troubleshooting Procedure
1.6.4 Relevant Alarms and Logs
2 Local Attack Defense Troubleshooting
2.1 Management Plane Protection Malfunctions
2.1.1 Common Causes
2.1.2 Troubleshooting Procedure
3 URPF Troubleshooting
3.1 URPF Check Fails
3.1.1 Common Causes
3.1.2 Troubleshooting Flowchart
3.1.3 Troubleshooting Procedure
3.1.4 Relevant Alarms and Logs
1 AAA and User Management Troubleshooting
About This Chapter
This chapter describes common causes of AAA faults, and provides the corresponding
troubleshooting flowchart, troubleshooting procedure, alarms, and logs.
1.1 Users Cannot Get Online
This section describes the causes of users' failures to get online and provides detailed troubleshooting procedures.
1.2 User Fails to Authenticate through HWTACACS Server
This section describes the step-by-step troubleshooting procedure for the fault in which a user fails to authenticate through the HWTACACS server.
1.3 User Fails to do Authorization through HWTACACS Server
This section describes the step-by-step troubleshooting procedure for the fault in which a user fails to be authorized through the HWTACACS server.
1.4 User Fails to do Accounting through HWTACACS Server
This section describes the step-by-step troubleshooting procedure for the fault in which accounting for a user fails through the HWTACACS server.
1.5 User Fails to Authenticate through RADIUS Server
This section describes the step-by-step troubleshooting procedure for the fault in which a user fails to authenticate through the RADIUS server.
1.6 User Fails to do Accounting through RADIUS Server
This section describes the step-by-step troubleshooting procedure for the fault in which accounting for a user fails through the RADIUS server.
1.1 Users Cannot Get Online
This section describes the causes of users' failures to get online, and provides detailed
troubleshooting procedures.
1.1.1 Common Causes
If users cannot get online, run the display aaa online-fail-record command in any view and read the User online fail reason field. The field shows one of the following error prompts:
- Server return fail
- Username or password wrong
- Max users (Pending Requests) Reached
- Server no response
- User access type not match service type
- Domain was blocked
- Protocol authorize fail
- User was blocked
To rectify the fault, see the troubleshooting procedure in 1.1.2 Troubleshooting Procedure.
1.1.2 Troubleshooting Procedure
Collect log messages, then apply the troubleshooting procedure that matches the error prompt; contact Huawei technical personnel if the fault persists.

Error prompt: Server return fail
Common cause: The RADIUS or HWTACACS server returns an authentication failure message.
Troubleshooting procedure: See the RADIUS or HWTACACS server troubleshooting sections (1.2 to 1.6).

Error prompt: Domain was blocked
Common cause: The domain is blocked.
Troubleshooting procedure:
1. Run the display domain command to check whether the domain to which the user belongs is in the Block state.
2. If the domain is in the Block state, contact the device administrator to change the state to Active.
3. If the domain is not in the Block state, contact Huawei technical personnel.

Error prompt: Protocol authorize fail
Common cause: Protocol authorization fails.
Troubleshooting procedure: See the RADIUS or HWTACACS server troubleshooting sections (1.2 to 1.6).

Error prompt: User was blocked
Common cause: The user is blocked.
Troubleshooting procedure:
1. Run the display local-user command to check whether the user is in the Block state.
2. If the user is in the Block state, confirm with the device administrator why the account was blocked before asking for the state to be changed to Active; a blocked account may be a deliberate lockout rather than a fault.
3. If the user is not in the Block state, contact Huawei technical personnel.

Error prompt: Domain not exist
Common cause: The domain does not exist.
Troubleshooting procedure:
1. Determine the domain from the user name. If the user name contains @, the part before @ is the user name and the part after @ is the domain name. If the user name does not contain @, the entire string is the user name and the domain is the default one, whose name is default.
2. Run the display domain command to check whether that domain exists.
3. If the domain does not exist, contact the device administrator to add it.
4. If the domain exists, contact Huawei technical personnel.
1.1.3 Relevant Alarms and Logs
Relevant Alarms
None
Relevant Logs
None
1.2 User Fails to Authenticate through HWTACACS Server
This section describes the step-by-step troubleshooting procedure for the fault in which a user fails to authenticate through the HWTACACS server.
1.2.1 Common Causes
A failure to authenticate through the HWTACACS server is commonly caused by one of the following:
- The route is unreachable, so the NAS cannot set up a TCP connection with the server. (HWTACACS, like TACACS+, runs over TCP, port 49 by default; it is RADIUS that uses UDP.)
- HWTACACS services are not enabled.
- HWTACACS is not configured as the authentication-mode under the AAA authentication scheme.
- The IP address or port configured for the HWTACACS authentication server on the NAS is not correct.
- The shared key configured on the NAS does not match the key configured on the HWTACACS server.
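Of these causes, the shared-key mismatch is the one that fails silently. TACACS+ does not authenticate the key; it derives an MD5 keystream from the session ID, the key, the version byte and the sequence number, and XORs that keystream over the packet body. A wrong key therefore yields an unreadable body on the far side, which the server rejects or ignores, and the NAS sees only a failure or a timeout. The following Python is an added example, not Huawei code: it implements the body obfuscation of RFC 8907 section 4.5 and shows the effect of a mismatch. It assumes that HWTACACS carries the standard TACACS+ packet format; the session ID, both keys and the START body are constructed here.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5) and the effect of a
shared-key mismatch.  Added example, not Huawei code.  Assumption: HWTACACS
uses the standard TACACS+ packet layout."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01            # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # flags bit: body sent in clear (debug only)
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenated
    until `length` bytes exist, then truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the keystream; XOR is its own inverse, so the same
    call with the same key decodes an obfuscated body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                 ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """Prepend the 12-byte header: version, type, seq_no, flags (0 = obfuscated),
    session_id, body length.  The header itself is never obfuscated."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def decode_packet(packet: bytes, key: bytes) -> bytes:
    """What the receiver does with its own copy of the key.  Nothing here can
    tell a wrong key apart from a right one; only the resulting body can."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def authen_start_body(user: bytes, priv_lvl: int = 1, authen_type: int = 2,
                      service: int = 1) -> bytes:
    """Constructed authentication START body (RFC 8907 section 6.1):
    action=LOGIN(1), priv_lvl, authen_type (2 = PAP), authen_service (1 = LOGIN),
    then the lengths of user, port, rem_addr and data, followed by the user."""
    return bytes([1, priv_lvl, authen_type, service, len(user), 0, 0, 0]) + user


def key_mismatch_demo(nas_key: bytes = b"huawei", server_key: bytes = b"huawei-prod"):
    """Return (body decoded with the NAS key, body decoded with the server key).
    Keys and session ID are constructed; a real NAS picks the session ID randomly."""
    body = authen_start_body(b"admin")
    session_id = 0x1234ABCD
    pkt = build_packet(body, session_id, nas_key)
    return decode_packet(pkt, nas_key), decode_packet(pkt, server_key)


if __name__ == "__main__":
    good, bad = key_mismatch_demo()
    print("same key   :", good)
    print("wrong key  :", bad)
```

With the matching key the server recovers a well-formed START body; with the mismatching key it recovers bytes whose action, authen_type and length fields are nonsense, so the failure surfaces on the NAS as Server return fail or Server no response rather than as a key error. That is why the Shared Key field of the hwtacacs-server template display is worth comparing against the server configuration. Because this obfuscation is an MD5 keystream rather than authenticated encryption, RFC 8907 recommends deploying TACACS+ only over a secured network, and the shared key shown in command output should be treated as a credential.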
1.2.2 Troubleshooting Flowchart
Figure 1-1 Troubleshooting flowchart for the fault that the user fails to authenticate through HWTACACS server
(Flowchart, summarized: starting from "User fails to authenticate through HWTACACS server", four checks are made in order, each followed by "Is the fault rectified?" with Yes leading to End and No leading to the next check. Can the client successfully ping the server? If not, check why the ping fails and rectify the fault. Is the HWTACACS client enabled? If not, enable the HWTACACS client. Is HWTACACS configured as authentication-mode under the AAA authentication scheme? If not, configure it. Are the IP address and port configured for the HWTACACS server in the NAS? If not, configure them. If the fault is still not rectified, contact Huawei technical support personnel with the results, configuration files, log files, and alarm files of the devices.)
1.2.3 Troubleshooting Procedure
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the immediate validation mode.
- In immediate validation mode, configurations take effect as soon as a command is entered and the Enter key is pressed.
- In two-phase validation mode, after commands are configured, the commit command must be run to commit the configurations. The command examples in this chapter show the two-phase prompt [~HUAWEI] and therefore end with commit; a configuration that is entered but never committed does not take effect, which is itself a common reason a fix appears not to work.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check the network connectivity.
Run the ping command on the NAS to check that the HWTACACS server is reachable.
- If the ping fails, the network connection cannot be established. To locate and rectify the fault, see The Ping Operation Fails.
- If the ping succeeds, go to Step 2. A successful ping proves only ICMP reachability; a firewall between the NAS and the server can still drop the TCP port 49 connection that HWTACACS uses, so if every later step checks out, verify that TCP port 49 is open end to end.
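A ping from the NAS cannot show whether TCP port 49 is open along the path, so a practitioner usually follows it with a TCP-level probe from a management host that shares the NAS's path to the server. The following Python is an added example, not Huawei tooling; it assumes such a host is available and, so that it can run offline, stands up a constructed local listener in place of a real HWTACACS daemon.

```python
"""TCP reachability probe for a TACACS+ server.  Added example, not Huawei
tooling.  Assumption: the host running it sits on the same path to the
server as the NAS, so a blocked TCP/49 here means a blocked TCP/49 for the NAS."""
import socket
import sys
import threading

TACACS_PLUS_PORT = 49   # TACACS+ default port, TCP (RFC 8907)


def tcp_reachable(host: str, port: int = TACACS_PLUS_PORT, timeout: float = 3.0) -> str:
    """Classify host:port as 'open', 'refused', 'timeout' or 'unreachable'.
    'timeout' with a working ping usually means a firewall silently drops
    TCP/49; 'refused' means the host answers but no TACACS+ daemon listens
    on that port (wrong port or daemon down)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def start_fake_server(host: str = "127.0.0.1") -> int:
    """Constructed stand-in for a TACACS+ daemon: an ephemeral-port listener
    that accepts one connection and closes.  Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_once():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=accept_once, daemon=True).start()
    return port


def closed_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing listens on by binding an ephemeral port and releasing it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage: python probe.py <server-ip> [port]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else TACACS_PLUS_PORT
    print(f"{target}:{port} -> {tcp_reachable(target, port)}")
```

Read the result together with the ping: ping succeeds and the probe times out points at a filter on TCP/49; ping succeeds and the probe is refused points at the server process or its listening port; ping fails and the probe is unreachable is the routing problem Step 1 already covers.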
Step 2 Check that the HWTACACS client is enabled.
Run the display hwtacacs current-status command to view the current status of the HWTACACS client.
display hwtacacs current-status
-------------------------------------------------
HWTACACS service status : Disabled
Total templates configured : 0
Total servers configured : 0
-------------------------------------------------
NOTE
If the HWTACACS client is enabled, go to Step 3.
The command output above shows that the HWTACACS client is not enabled. A user can authenticate through the HWTACACS server only after the HWTACACS client is enabled in the system. Run the hwtacacs enable command to enable it.
system-view
[~HUAWEI] hwtacacs enable
[~HUAWEI] commit
Step 3 Check that HWTACACS is configured as the authentication-mode under the AAA authentication scheme.
Run the display authentication-scheme command to view the configuration of the AAA authentication schemes.
[~HUAWEI] display authentication-scheme
---------------------------------------------------------------------------
Vr-id Authentication-scheme-name Authentication-method
---------------------------------------------------------------------------
0 default local
0 auth hwtacacs
---------------------------------------------------------------------------
Check the scheme that is bound to the user's domain, not just any scheme in the list. If that scheme's Authentication-method is not hwtacacs, go to Step 4; otherwise go to Step 5.
Step 4 Configure the authentication-mode under the AAA authentication scheme.
Use the name of the scheme bound to the user's domain; the example uses the scheme auth shown in the output of Step 3.
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth
[~HUAWEI-aaa-authen-auth] authentication-mode hwtacacs
[~HUAWEI-aaa-authen-auth] commit
[~HUAWEI-aaa-authen-auth] quit
[~HUAWEI-aaa] quit
Step 5 Check the IP address and port configured for the HWTACACS server in the NAS.
Run the display hwtacacs-server configuration template template-name command to view the IP address and port details.
[~HUAWEI] display hwtacacs-server configuration template huawei
-------------------------------------------------
Template Name : huawei
Template ID : 0
Primary Authentication Server : 192.0.0.6:49
Primary Authorization Server : 192.0.0.6:49
Primary Accounting Server : 192.0.0.6:49
Current Authentication Server : 192.0.0.6:49
Current Authorization Server : 192.0.0.6:49
Current Accounting Server : 192.0.0.6:49
Source IP Address : 0.0.0.0
Shared Key : huawei
Quiet-interval (min) : 1
Response-timeout-Interval (sec): 5
Domain-included : Yes
Secondary Authen Server Count : 0
Secondary Author Server Count : 0
Secondary Account Server Count : 0
-------------------------------------------------
Compare the Current Authentication Server address and port with the server that is actually running, and compare the Shared Key field with the key configured on that server for this NAS; a key mismatch is listed under Common Causes but produces no distinct error. This output shows the shared key in clear text, so redact it before attaching the output to a ticket. If the IP address or port configured for the HWTACACS server in the NAS is not correct, go to Step 6. If both are correct and the fault persists, go to Step 7.
Step 6 Configure the IP address and port for the HWTACACS server in the NAS.
The port must be the one the server listens on; TACACS+ uses TCP port 49 by default.
[~HUAWEI] hwtacacs-server template huawei
[~HUAWEI-hwtacacs-huawei] hwtacacs-server authentication 129.7.66.66 49
[~HUAWEI-hwtacacs-huawei] hwtacacs-server authentication 129.7.66.67 49 secondary
[~HUAWEI-hwtacacs-huawei] commit
If the fault persists after Step 6, go to Step 7; otherwise go to Step 8.
Step 7 Contact Huawei technical support personnel and provide:
- The results of the preceding troubleshooting procedures.
- The configuration files, log files, and alarm files of the devices.
Step 8 End.
----End
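Steps 3 to 6 are read-and-compare checks over command output, which is where mistakes creep in: a scheme that exists but is not the one the domain uses, a template whose Current server differs from its Primary, a port that is not 49, or a key never changed from a default value. The following Python is an added example, not Huawei tooling, that parses the two outputs quoted in this section and applies those checks. The expected server address and key are assumptions supplied by the caller; the sample outputs are copied from this section, plus an accounting-scheme sample of the same shape so that the scheme parser also serves the authorization and accounting procedures in 1.3 and 1.4.

```python
"""Audit of `display hwtacacs-server configuration template` and
`display <authentication|authorization|accounting>-scheme` output.
Added example, not Huawei tooling.  Expected values are the caller's
assumptions about what the server side is configured with."""
import re
from typing import Dict, List

TACACS_PLUS_PORT = 49          # TACACS+ default, TCP (RFC 8907)
DEFAULT_KEYS = {"huawei", ""}  # vendor-default / empty keys to flag

# Sample outputs copied from this document (constructed spacing).
TEMPLATE_OUTPUT = """\
-------------------------------------------------
Template Name                   : huawei
Template ID                     : 0
Primary Authentication Server   : 192.0.0.6:49
Primary Authorization Server    : 192.0.0.6:49
Primary Accounting Server       : 192.0.0.6:49
Current Authentication Server   : 192.0.0.6:49
Current Authorization Server    : 192.0.0.6:49
Current Accounting Server       : 192.0.0.6:49
Source IP Address               : 0.0.0.0
Shared Key                      : huawei
Quiet-interval (min)            : 1
Response-timeout-Interval (sec) : 5
Domain-included                 : Yes
Secondary Authen Server Count   : 0
Secondary Author Server Count   : 0
Secondary Account Server Count  : 0
-------------------------------------------------
"""

SCHEME_OUTPUT = """\
---------------------------------------------------------------------------
Vr-id   Authentication-scheme-name   Authentication-method
---------------------------------------------------------------------------
0       default                      local
0       auth                         hwtacacs
---------------------------------------------------------------------------
"""

ACCOUNTING_OUTPUT = """\
---------------------------------------------------------------------------
Vr-id   Accounting-scheme-name   Accounting-method
---------------------------------------------------------------------------
0       default                  none accounting
0       acct                     hwtacacs accounting
---------------------------------------------------------------------------
Total 2, 2 printed
"""


def parse_template(text: str) -> Dict[str, str]:
    """Turn 'Field : value' lines into a dict; rule lines are skipped.  Only
    the first colon splits, so 'addr:port' values survive intact."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("-"):
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    return fields


def parse_schemes(text: str) -> Dict[str, str]:
    """Map scheme name -> method for any of the three scheme displays.  Rows
    start with a numeric Vr-id; the method is the third column, so the
    trailing 'accounting' word on accounting rows is ignored."""
    schemes: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+)\s+(\S+)", line)
        if m:
            schemes[m.group(2)] = m.group(3)
    return schemes


def audit_template(fields: Dict[str, str], expected_server: str, expected_key: str) -> List[str]:
    """Return findings for Step 5: address/port, failover state, source
    address and shared-key hygiene."""
    findings: List[str] = []
    for role in ("Authentication", "Authorization", "Accounting"):
        current = fields.get(f"Current {role} Server", "")
        primary = fields.get(f"Primary {role} Server", "")
        _host, _, port = current.rpartition(":")
        if current != expected_server:
            findings.append(f"{role} server is {current}, expected {expected_server}")
        if port.isdigit() and int(port) != TACACS_PLUS_PORT:
            findings.append(f"{role} server port {port} is not the TACACS+ default "
                            f"{TACACS_PLUS_PORT}; confirm the server listens there")
        if current != primary:
            findings.append(f"{role}: current server {current} differs from primary "
                            f"{primary}; the primary was marked down")
    if fields.get("Source IP Address") == "0.0.0.0":
        findings.append("Source IP Address is 0.0.0.0: the server must accept whichever "
                        "egress address the NAS actually uses; consider pinning it")
    key = fields.get("Shared Key", "")
    if key != expected_key:
        findings.append("Shared Key differs from the key configured on the server")
    if key in DEFAULT_KEYS or len(key) < 16:
        findings.append("Shared Key is short or a vendor-default value; use a long random key")
    return findings


def audit_scheme(schemes: Dict[str, str], scheme_name: str) -> List[str]:
    """Step 3/4 check: the scheme bound to the user's domain must exist and
    use hwtacacs.  Catches a scheme name typo (e.g. 'acct' vs 'auth')."""
    method = schemes.get(scheme_name)
    if method is None:
        return [f"scheme '{scheme_name}' does not exist"]
    if method != "hwtacacs":
        return [f"scheme '{scheme_name}' uses method '{method}', not hwtacacs"]
    return []
```

Run audit_scheme with the scheme name taken from the user's domain, not from the scheme list: configuring a scheme that nothing references is the mistake the check is built to catch. The key-length threshold is a choice of this example, not a device limit.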
1.2.4 Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.
1.3 User Fails to do Authorization through HWTACACS Server
1.3.2 Troubleshooting Flowchart
Figure 1-2 Troubleshooting flowchart for the fault that the user fails to do authorization through HWTACACS server
(Flowchart, summarized: starting from "User fails to be authorized through HWTACACS server", the same four checks as in Figure 1-1 are made in order, each followed by "Is the fault rectified?" with Yes leading to End and No leading to the next check. Can the client successfully ping the server? If not, check why the ping fails and rectify the fault. Is the HWTACACS client enabled? If not, enable the HWTACACS client. Is HWTACACS configured as authorization-mode under the AAA authorization scheme? If not, configure it. Are the IP address and port configured for the HWTACACS server in the NAS? If not, configure them. If the fault is still not rectified, contact Huawei technical support personnel with the results, configuration files, log files, and alarm files of the devices.)
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the immediate validation mode.
- In immediate validation mode, configurations take effect as soon as a command is entered and the Enter key is pressed.
- In two-phase validation mode, after commands are configured, the commit command must be run to commit the configurations.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check the network connectivity.
Run the ping command on the NAS to check that the HWTACACS server is reachable.
- If the ping fails, the network connection cannot be established. To locate and rectify the fault, see The Ping Operation Fails.
- If the ping succeeds, go to Step 2. Remember that ping proves only ICMP reachability, not that TCP port 49 is open on the path.
Step 2 Check that the HWTACACS client service is enabled.
Run the display hwtacacs current-status command to view the current status of the HWTACACS client service.
display hwtacacs current-status
-------------------------------------------------
HWTACACS service status : Disabled
Total templates configured : 0
Total servers configured : 0
-------------------------------------------------
NOTE
If the HWTACACS client service is enabled, go to Step 3.
The command output above shows that the HWTACACS client service is not enabled. A user can be authorized through the HWTACACS server only after the HWTACACS client service is enabled in the system. Run the hwtacacs enable command to enable it.
system-view
[~HUAWEI] hwtacacs enable
[~HUAWEI] commit
Step 3 Check that HWTACACS is configured as the authorization-mode under the AAA authorization scheme.
Run the display authorization-scheme command to view the configuration of the AAA authorization schemes.
[~HUAWEI] display authorization-scheme
---------------------------------------------------------------------------
Vr-id Authorization-scheme-name Authorization-method
---------------------------------------------------------------------------
0 default local
0 author hwtacacs
---------------------------------------------------------------------------
Total 2, 2 printed
Check the scheme that is bound to the user's domain. If that scheme's Authorization-method is not hwtacacs, go to Step 4; otherwise go to Step 5.
Step 4 Configure the authorization-mode under AAA authorization scheme.
[~HUAWEI] aaa
[~HUAWEI-aaa] authorization-scheme author
[~HUAWEI-aaa-author-author] authorization-mode hwtacacs
[~HUAWEI-aaa-author-author] commit
[~HUAWEI-aaa-author-author] quit
[~HUAWEI-aaa] quit
Step 5 Check the IP address and port configured for the HWTACACS server in the NAS.
Run the display hwtacacs-server configuration template template-name command to view the IP address and port details.
[~HUAWEI] display hwtacacs-server configuration template huawei
-------------------------------------------------
Template Name : huawei
Template ID : 0
Primary Authentication Server : 192.0.0.6:49
Primary Authorization Server : 192.0.0.6:49
Primary Accounting Server : 192.0.0.6:49
Current Authentication Server : 192.0.0.6:49
Current Authorization Server : 192.0.0.6:49
Current Accounting Server : 192.0.0.6:49
Source IP Address : 0.0.0.0
Shared Key : huawei
Quiet-interval (min) : 1
Response-timeout-Interval (sec): 5
Domain-included : Yes
Secondary Authen Server Count : 0
Secondary Author Server Count : 0
Secondary Account Server Count : 0
-------------------------------------------------
Compare the Current Authorization Server address and port with the server that is actually running, and compare the Shared Key field with the key configured on that server; redact the key before sharing the output. If the IP address or port configured for the HWTACACS server in the NAS is not correct, go to Step 6. If both are correct and the fault persists, go to Step 7.
Step 6 Configure the IP address and port for the HWTACACS server in the NAS.
The port must be the one the server listens on; TACACS+ uses TCP port 49 by default.
[~HUAWEI] hwtacacs-server template huawei
[~HUAWEI-hwtacacs-huawei] hwtacacs-server authorization 129.7.66.66 49
[~HUAWEI-hwtacacs-huawei] hwtacacs-server authorization 129.7.66.67 49 secondary
[~HUAWEI-hwtacacs-huawei] commit
If the fault persists after Step 6, go to Step 7; otherwise go to Step 8.
Step 7 Contact Huawei technical support personnel and provide:
- The results of the preceding troubleshooting procedures.
- The configuration files, log files, and alarm files of the devices.
Step 8 End.
----End
1.3.4 Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.
1.4 User Fails to do Accounting through HWTACACS Server
1.4.2 Troubleshooting Flowchart
Figure 1-3 Troubleshooting flowchart for the fault that the user fails to do accounting through HWTACACS server
(Flowchart, summarized: starting from "Accounting for the user fails through HWTACACS server", the same four checks as in Figure 1-1 are made in order, each followed by "Is the fault rectified?" with Yes leading to End and No leading to the next check. Can the client successfully ping the server? If not, check why the ping fails and rectify the fault. Is the HWTACACS client enabled? If not, enable the HWTACACS client. Is HWTACACS configured as accounting-mode under the AAA accounting scheme? If not, configure it. Are the IP address and port configured for the HWTACACS server in the NAS? If not, configure them. If the fault is still not rectified, contact Huawei technical support personnel with the results, configuration files, log files, and alarm files of the devices.)
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the immediate validation mode.
- In immediate validation mode, configurations take effect as soon as a command is entered and the Enter key is pressed.
- In two-phase validation mode, after commands are configured, the commit command must be run to commit the configurations.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check the network connectivity.
Run the ping command on the NAS to check that the HWTACACS server is reachable.
- If the ping fails, the network connection cannot be established. To locate and rectify the fault, see The Ping Operation Fails.
- If the ping succeeds, go to Step 2. Remember that ping proves only ICMP reachability, not that TCP port 49 is open on the path.
Step 2 Check that the HWTACACS client service is enabled.
Run the display hwtacacs current-status command to view the current status of the HWTACACS client service.
display hwtacacs current-status
-------------------------------------------------
HWTACACS service status : Disabled
Total templates configured : 0
Total servers configured : 0
-------------------------------------------------
NOTE
If the HWTACACS client service is enabled, go to Step 3.
The command output above shows that the HWTACACS client service is disabled. Accounting through the HWTACACS server works only after the HWTACACS client service is enabled in the system. Run the hwtacacs enable command to enable it.
system-view
[~HUAWEI] hwtacacs enable
[~HUAWEI] commit
Step 3 Check that HWTACACS is configured as the accounting-mode under the AAA accounting scheme.
Run the display accounting-scheme command to view the configuration of the AAA accounting schemes.
[~HUAWEI] display accounting-scheme
---------------------------------------------------------------------------
Vr-id Accounting-scheme-name Accounting-method
---------------------------------------------------------------------------
0 default none accounting
0 acct hwtacacs accounting
---------------------------------------------------------------------------
Total 2, 2 printed
Check the scheme that is bound to the user's domain. If that scheme's Accounting-method is not hwtacacs, go to Step 4; otherwise go to Step 5.
Step 4 Configure the accounting-mode under AAA accounting scheme.
[~HUAWEI] aaa
[~HUAWEI-aaa] accounting-scheme acct
[~HUAWEI-aaa-acount-acct] accounting-mode hwtacacs
[~HUAWEI-aaa-acount-acct] commit
[~HUAWEI-aaa-acount-acct] quit
[~HUAWEI-aaa] quit
Step 5 Check the IP address and port configured for HWTACACS server in the NAS.
Run the display hwtacacs-server configurationtemplatetemplate-namecommand to view
the IP address and port details.
[~HUAWEI] display hwtacacs-server configuration template huawei
-------------------------------------------------
Template Name : huawei
Template ID : 0
Primary Authentication Server : 192.0.0.6:49
Primary Authorization Server : 192.0.0.6:49
Primary Accounting Server : 192.0.0.6:49
Current Authentication Server : 192.0.0.6:49
Current Authorization Server : 192.0.0.6:49
Current Accounting Server : 192.0.0.6:49
Source IP Address : 0.0.0.0
Shared Key : huawei
Quiet-interval (min) : 1
Response-timeout-Interval (sec): 5
Domain-included : Yes
Secondary Authen Server Count : 0
Secondary Author Server Count : 0
Secondary Account Server Count : 0
-------------------------------------------------
If the IP address or port configured for the HWTACACS server in the NAS is not correct, go
to Step 6; otherwise, go to Step 8. Also compare the Shared Key shown here with the key configured
on the server for this NAS: a key mismatch also makes the accounting exchange fail, and this display
is the only place on the NAS where the configured key can be read.
Step 6 Configure the IP address and port for the HWTACACS server in the NAS. Use the port the server
actually listens on; HWTACACS uses TCP port 49 by default (as shown in Step 5), while 1812 and 1813
are RADIUS ports.
[~HUAWEI] hwtacacs-server template huawei
[~HUAWEI-hwtacacs-huawei] hwtacacs-server accounting 129.7.66.66 49
[~HUAWEI-hwtacacs-huawei] hwtacacs-server accounting 129.7.66.67 49 secondary
[~HUAWEI-hwtacacs-huawei] commit
Step 7 Contact Huawei technical support personnel for
l Results of the preceding troubleshooting procedures.
l Configuration files, log files, and alarm files of the devices.
Step 8 End.
----End
1.4.4 Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.
1.5 User Fails to Authenticate through RADIUS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user
fails to authenticate through RADIUS server.
1.5.1 Common Causes
A user's failure to authenticate through the RADIUS server is commonly caused by one of the
following:
l The route to the server is unreachable, so the NAS cannot exchange UDP packets with the server.
l The RADIUS client is not enabled.
l RADIUS is not configured as the authentication-mode under the AAA authentication scheme.
l The IP address or port configured for the RADIUS authentication server in the NAS is not correct.
l The shared key configured on the NAS does not match the key on the RADIUS server. The NAS then
discards the server's replies because their Response Authenticator does not verify, so the failure
shows up as a timeout rather than as an explicit rejection.
1.5.2 Troubleshooting Flowchart
Figure 1-4 Troubleshooting flowchart for the fault that the user fails to authenticate through
RADIUS server
[Flowchart. Start: user fails to authenticate through RADIUS server. The checks are made in this order,
each followed by "Is the fault rectified?" (Yes: End; No: next check): Can the client ping the server?
(No: find out why the ping fails and rectify the fault.) Is the RADIUS client enabled? (No: enable the
RADIUS client.) Is RADIUS configured as the authentication-mode under the AAA authentication scheme?
(No: configure the authentication-mode.) Are the IP address and port configured for the RADIUS server in
the NAS correct? (No: configure the IP address and port.) If the fault persists after all checks: contact
Huawei technical support personnel for results, configuration files, log files, and alarm files of the
devices.]
1.5.3 Troubleshooting Procedure
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode
to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the
immediate validation mode.
l In immediate validation mode, configurations take effect after commands are input and the Enter key
is pressed.
l In two-phase validation mode, after commands are configured, the commit command needs to be run
to commit the configurations.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check the network connectivity.
Run the ping command to check the network connectivity.
l If the ping fails, the network connection cannot be established. To locate and rectify the fault,
see The Ping Operation Fails.
l If the ping succeeds, go to Step 2.
Step 2 Check that the RADIUS client is enabled.
Run the display radius current-status command to view the current status of the RADIUS client.
display radius current-status
-----------------------------------------------------------------------------
RADIUS-Client : Disabled
Client-Identifier : HUAWEI0
Total-auth-pending-request : 0
Total-acct-pending-request : 0
-----------------------------------------------------------------------------
NOTE
If RADIUS client is enabled, go to Step 3.
The command output shows that the RADIUS client is disabled. Users can authenticate through the
RADIUS server only after the RADIUS client is enabled in the system. Run the radius enable
command to enable the RADIUS client.
system-view
[~HUAWEI]radius enable
[~HUAWEI]commit
Step 3 Check that RADIUS is configured as the authentication-mode under the AAA authentication scheme.
Run the display authentication-scheme command to view the configuration of the AAA
authentication-scheme.
[~HUAWEI] display authentication-scheme
---------------------------------------------------------------------------
Vr-id Authentication-scheme-name Authentication-method
---------------------------------------------------------------------------
0 default local
0 radtest radius
---------------------------------------------------------------------------
If the authentication-mode under the AAA authentication scheme is not radius, go to Step 4;
otherwise, go to Step 5.
Step 4 Configure the authentication-mode under the AAA authentication scheme. Configure the scheme
that is applied to the user's domain (radtest in the output above).
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme radtest
[~HUAWEI-aaa-authen-radtest] authentication-mode radius
[~HUAWEI-aaa-authen-radtest] commit
[~HUAWEI-aaa-authen-radtest] quit
[~HUAWEI-aaa] quit
Step 5 Check the IP address and port configured for the RADIUS server in the NAS.
Run the display radius-server configuration template template-name command to view the
IP address and port details.
[~HUAWEI] display radius-server configuration template huawei
-----------------------------------------------------------------------------
Server-template-name : huawei
Protocol-version : standard
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 192.0.0.2-1812
Primary-accounting-server : 192.0.0.2-1813
Retransmission : 3
Domain-included : NO
Mode : Pri-secondary
Probe-interval(in minute) : 5
Test-username : huawei
-----------------------------------------------------------------------------
If the IP address or port configured for the RADIUS server in the NAS is not correct, go to
Step 6; otherwise, go to Step 8. Also compare the Shared-secret-key shown here with the key the server
has configured for this NAS address: with a mismatched key the NAS discards every reply, and the
failure looks like a timeout (Timeout-interval 5 seconds, Retransmission 3 in the output above).
Step 6 Configure the IP address and port for the RADIUS server in the NAS. The authentication port
must be the one the server listens on (1812 in Step 5; 1813 is the accounting port).
[~HUAWEI] radius-server template huawei
[~HUAWEI-radius-huawei] radius-server authentication 129.7.66.66 1812
[~HUAWEI-radius-huawei] radius-server authentication 129.7.66.67 1812 secondary
[~HUAWEI-radius-huawei] commit
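The Step 5 outputs in sections 1.4 and 1.5 are read by eye. The following added example (not part of this manual) parses both display formats and flags the settings a practitioner checks in that step: the primary server address and port against what the AAA server administrator reports, the well-known port for the protocol, an unspecified source address, a weak shared key, and the absence of a secondary server. The two sample outputs are trimmed copies of the displays above; the expected server entries handed to audit_template() are assumptions standing in for the server administrator's answer.

```python
import re

# Added example, not part of the Huawei manual: audit the server template settings
# that Step 5 of sections 1.4 and 1.5 tell you to read by eye. The two samples are
# taken from those displays (trimmed); the "expected" server lists handed to
# audit_template() are an assumption standing in for what the AAA server
# administrator reports.
HWTACACS_DISPLAY = """\
Template Name : huawei
Primary Authentication Server : 192.0.0.6:49
Primary Authorization Server : 192.0.0.6:49
Primary Accounting Server : 192.0.0.6:49
Source IP Address : 0.0.0.0
Shared Key : huawei
Secondary Authen Server Count : 0
Secondary Author Server Count : 0
Secondary Account Server Count : 0
"""
RADIUS_DISPLAY = """\
Server-template-name : huawei
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 192.0.0.2-1812
Primary-accounting-server : 192.0.0.2-1813
Retransmission : 3
"""

ADDR_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})[:-](\d{1,5})")
# Well-known ports: RFC 2865/2866 for RADIUS, TCP 49 for TACACS+ (HWTACACS).
STANDARD_PORTS = {
    "radius": {"authentication": 1812, "accounting": 1813},
    "hwtacacs": {"authentication": 49, "authorization": 49, "accounting": 49},
}

def parse_display(text):
    """Turn the 'Key : value' lines of a display command into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)   # split once: HWTACACS values are 'ip:port'
        fields[key.strip().lower()] = value.strip()
    return fields

def audit_template(text, protocol, expected):
    """List findings for one template. expected maps a role ('authentication',
    'authorization', 'accounting') to the (ip, port) the server really listens on;
    roles not listed are only compared with the protocol's standard port."""
    fields = parse_display(text)
    findings = []
    for key, value in fields.items():
        words = key.replace("-", " ").split()
        match = ADDR_PORT.search(value)
        if not words or words[0] != "primary" or "server" not in words or not match:
            continue
        role = next((r for r in STANDARD_PORTS[protocol] if r in words), None)
        if role is None:
            continue
        ip, port = match.group(1), int(match.group(2))
        if role in expected:
            if (ip, port) != expected[role]:
                findings.append("%s: NAS sends to %s:%d, server listens on %s:%d"
                                % ((role, ip, port) + tuple(expected[role])))
        elif port != STANDARD_PORTS[protocol][role]:
            findings.append("%s: non-standard port %d (standard is %d)"
                            % (role, port, STANDARD_PORTS[protocol][role]))
    if fields.get("source ip address") == "0.0.0.0":
        findings.append("source ip address unspecified: the server must accept the egress "
                        "interface address the NAS will actually use")
    secret = fields.get("shared key") or fields.get("shared-secret-key")
    name = fields.get("template name") or fields.get("server-template-name")
    if secret is not None and (len(secret) < 16 or secret == name):
        findings.append("shared key is short or equals the template name; rotate it on "
                        "both the NAS and the server")
    for key, value in fields.items():
        if key.startswith("secondary") and key.endswith("count") and value == "0":
            findings.append("%s: no secondary server, one server outage blocks AAA" % key)
    return findings

if __name__ == "__main__":
    for finding in audit_template(HWTACACS_DISPLAY, "hwtacacs", {"accounting": ("192.0.0.6", 49)}):
        print("HWTACACS:", finding)
    for finding in audit_template(RADIUS_DISPLAY, "radius", {}):
        print("RADIUS:", finding)
```

Paste the real display output into the string and pass the server addresses the server administrator confirms; an address that matches but a port that does not is the exact mistake Step 6 corrects, and a 0.0.0.0 source address means the server's client entry must cover whichever egress interface address the router picks, or the server silently drops the request.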
Step 7 Contact Huawei technical support personnel for
l Results of the preceding troubleshooting procedures.
l Configuration files, log files, and alarm files of the devices.
Step 8 End.
----End
1.5.4 Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.
1.6 User Fails to do Accounting through RADIUS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user
fails to do accounting through RADIUS server.
1.6.1 Common Causes
A user's failure to do accounting through the RADIUS server is commonly caused by one of the
following:
l The route to the server is unreachable, so the NAS cannot exchange UDP packets with the server.
l The RADIUS client is not enabled.
l RADIUS is not configured as the accounting-mode under the AAA accounting scheme.
l The IP address or port configured for the RADIUS accounting server in the NAS is not correct.
l The shared key configured on the NAS does not match the key on the RADIUS server. The server then
discards the Accounting-Request because its Request Authenticator does not verify, so the NAS
retransmits and finally times out without any explicit error.
1.6.2 Troubleshooting Flowchart
Figure 1-5 Troubleshooting flowchart for the fault that the user fails to do accounting through
RADIUS server
[Flowchart. Start: user fails to do accounting through RADIUS server. The checks are made in this order,
each followed by "Is the fault rectified?" (Yes: End; No: next check): Can the client ping the server?
(No: find out why the ping fails and rectify the fault.) Is the RADIUS client enabled? (No: enable the
RADIUS client.) Is RADIUS configured as the accounting-mode under the AAA accounting scheme? (No:
configure the accounting-mode.) Are the IP address and port configured for the RADIUS server in the NAS
correct? (No: configure the IP address and port.) If the fault persists after all checks: contact Huawei
technical support personnel for results, configuration files, log files, and alarm files of the devices.]
1.6.3 Troubleshooting Procedure
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode
to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the
immediate validation mode.
l In immediate validation mode, configurations take effect after commands are input and the Enter key
is pressed.
l In two-phase validation mode, after commands are configured, the commit command needs to be run
to commit the configurations.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check the network connectivity.
Run the ping command to check the network connectivity.
l If the ping fails, the network connection cannot be established. To locate and rectify the fault,
see The Ping Operation Fails.
l If the ping succeeds, go to Step 2.
Step 2 Check that the RADIUS client is enabled.
Run the display radius current-status command to view the current status of the RADIUS client.
display radius current-status
RADIUS-Client : Disabled
Client-Identifier : HUAWEI0
Total-auth-pending-request : 0
Total-acct-pending-request : 0
NOTE
If RADIUS client is enabled, go to Step 3.
The command output shows that the RADIUS client is disabled. Users can do accounting through the
RADIUS server only after the RADIUS client is enabled in the system. Run the radius enable
command to enable the RADIUS client.
system-view
[~HUAWEI]radius enable
[~HUAWEI]commit
Step 3 Check that RADIUS is configured as the accounting-mode under the AAA accounting scheme.
Run the display accounting-scheme command to view the configuration of the AAA
accounting-scheme.
[~HUAWEI] display accounting-scheme
---------------------------------------------------------------------------
Vr-id Accounting-scheme-name Accounting-method
---------------------------------------------------------------------------
0 default none accounting
0 acct hwtacacs accounting
0 radacct radius accounting
---------------------------------------------------------------------------
Total 3, 3 printed
If the accounting-mode under the AAA accounting scheme is not radius, go to Step 4; otherwise, go
to Step 5.
Step 4 Configure the accounting-mode under the AAA accounting scheme. Configure the scheme that is
applied to the user's domain (radacct in the output above; acct is the HWTACACS scheme, and changing
it would move HWTACACS accounting to RADIUS).
[~HUAWEI] aaa
[~HUAWEI-aaa] accounting-scheme radacct
[~HUAWEI-aaa-accounting-radacct] accounting-mode radius
[~HUAWEI-aaa-accounting-radacct] commit
[~HUAWEI-aaa-accounting-radacct] quit
[~HUAWEI-aaa] quit
Step 5 Check the IP address and port configured for the RADIUS server in the NAS.
Run the display radius-server configuration template template-name command to view the
IP address and port details.
[~HUAWEI] display radius-server configuration template huawei
-----------------------------------------------------------------------------
Server-template-name : huawei
Protocol-version : standard
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 192.0.0.2-1812
Primary-accounting-server : 192.0.0.2-1813
Retransmission : 3
Domain-included : NO
Mode : Pri-secondary
Probe-interval(in minute) : 5
Test-username : huawei
-----------------------------------------------------------------------------
If the IP address or port configured for the RADIUS server in the NAS is not correct, go to
Step 6; otherwise, go to Step 8. Also compare the Shared-secret-key shown here with the key the server
has configured for this NAS address: with a mismatched key the server discards every Accounting-Request,
and the failure looks like a timeout (Timeout-interval 5 seconds, Retransmission 3 in the output above).
Step 6 Configure the IP address and port for the RADIUS server in the NAS. The accounting port must be
the one the server listens on (1813 in Step 5; 1812 is the authentication port).
[~HUAWEI] radius-server template huawei
[~HUAWEI-radius-huawei] radius-server accounting 129.7.66.66 1813
[~HUAWEI-radius-huawei] radius-server accounting 129.7.66.67 1813 secondary
[~HUAWEI-radius-huawei] commit
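The shared key mismatch listed as a common cause in 1.5.1 and 1.6.1 never appears in the display outputs above, so here is an added example, not code from this manual, that carries out the RFC 2865 Access-Request/Access-Accept exchange and the RFC 2866 Accounting-Request exchange in Python for both the NAS side and the server side. It shows that with matching keys an accept, a reject and an accounting response all come back, and that when the keys differ the NAS discards the reply (its Response Authenticator does not verify) or the server discards the accounting request (its Request Authenticator does not verify), which the router reports as a timeout rather than a rejection. User names, passwords, addresses and secrets are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# Added example, not Huawei code: a minimal RFC 2865/2866 exchange between a NAS and
# a RADIUS server. User names, passwords, addresses and secrets are constructed.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 2, 4, 40
ACCT_START = 1
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs

def build(code, ident, authenticator, body):
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body

def digest(code, ident, seed, body, secret):
    """MD5(Code+ID+Length+seed+Attributes+Secret); seed is the Request Authenticator
    for a reply and 16 zero octets for an Accounting-Request (RFC 2866 section 3)."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return hashlib.md5(head + seed + body + secret).digest()

def encode_password(secret, req_auth, password):
    """RFC 2865 5.2: XOR 16-octet blocks with an MD5 keystream derived from the secret."""
    plain = password.encode() or b"\x00"
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out += prev
    return out

def decode_password(secret, req_auth, cipher):
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", "replace")

# NAS side: build requests, validate replies
def access_request(secret, ident, user, password, nas_ip):
    req_auth = os.urandom(16)
    body = (attr(USER_NAME, user.encode())
            + attr(USER_PASSWORD, encode_password(secret, req_auth, password))
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build(ACCESS_REQUEST, ident, req_auth, body), req_auth

def accounting_request(secret, ident, user, status):
    body = attr(USER_NAME, user.encode()) + attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
    req_auth = digest(ACCOUNTING_REQUEST, ident, b"\x00" * 16, body, secret)
    return build(ACCOUNTING_REQUEST, ident, req_auth, body), req_auth

def nas_check_reply(secret, req_auth, packet):
    """Reply code, or None when the NAS silently discards it (no reply, or a Response
    Authenticator computed with a different secret); the user sees that as a timeout."""
    if packet is None:
        return None
    code, ident, length, resp_auth = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:length]
    if not hmac.compare_digest(resp_auth, digest(code, ident, req_auth, body, secret)):
        return None
    return code

# server side: one handler for both request types
def server_handle(secret, users, packet):
    code, ident, length, req_auth = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:length]
    attrs = parse_attrs(body)
    if code == ACCESS_REQUEST:
        password = decode_password(secret, req_auth, attrs[USER_PASSWORD])
        ok = users.get(attrs[USER_NAME].decode()) == password
        reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    elif code == ACCOUNTING_REQUEST:
        if not hmac.compare_digest(req_auth, digest(code, ident, b"\x00" * 16, body, secret)):
            return None   # RFC 2866: bad Request Authenticator, silently discard
        reply = ACCOUNTING_RESPONSE
    else:
        return None
    return build(reply, ident, digest(reply, ident, req_auth, b"", secret), b"")

def run_exchange(nas_secret, server_secret, password="h3ll0-w0rld"):
    """Authenticate, then send Acct-Start; returns (auth reply code, acct reply code)."""
    users = {"huawei": "h3ll0-w0rld"}   # constructed server user database
    req, ra = access_request(nas_secret, 1, "huawei", password, "192.0.0.6")
    auth = nas_check_reply(nas_secret, ra, server_handle(server_secret, users, req))
    req, ra = accounting_request(nas_secret, 2, "huawei", ACCT_START)
    acct = nas_check_reply(nas_secret, ra, server_handle(server_secret, users, req))
    return auth, acct

if __name__ == "__main__":
    print("matching keys :", run_exchange(b"huawei", b"huawei"))   # (2, 5)
    print("key mismatch  :", run_exchange(b"huawei", b"Huawei"))   # (None, None)
```

run_exchange(b"huawei", b"huawei", "nope") returns (3, 5): a wrong password is an explicit Access-Reject while accounting still works, whereas the key mismatch case returns (None, None). On the router this is the distinction to look for: a login that is rejected at once has reached the server and been checked, while one that hangs for the full timeout and retransmission budget from Step 5 and then fails has either not reached the server or is being answered with a key the NAS does not accept.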
Step 7 Contact Huawei technical support personnel for
l Results of the preceding troubleshooting procedures.
l Configuration files, log files, and alarm files of the devices.
Step 8 End.
----End
1.6.4 Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.
2 Local Attack Defense Troubleshooting
About This Chapter
2.1 Management Plane Protection Malfunctions
2.1 Management Plane Protection Malfunctions
2.1.1 Common Causes
This fault is commonly caused by an incorrect protection policy for the management plane.
2.1.2 Troubleshooting Procedure
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode
to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the
immediate validation mode.
l In immediate validation mode, configurations take effect after commands are input and the Enter key
is pressed.
l In two-phase validation mode, after commands are configured, the commit command needs to be run
to commit the configurations.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check whether protocol packets are discarded.
Run the display cpu-defend ma-defend statistics [ slot slot-id ] command to view the statistics
about the management plane and check whether packets of certain protocols are discarded.
l If some packets are discarded, go to Step 2.
l If no protocol packets are discarded, management plane protection is not dropping them and the
security module of the device functions properly. In this situation, contact Huawei technical support personnel.
Step 2 Check whether an interface-level policy for management plane protection is applied on the
management interface.
Run the display this command in the management interface view to check whether an interface-
level policy for management plane protection is applied on the management interface.
l If an interface-level policy is applied, run the display ma-defend interface-policy interface-
policy-id command with the ID of that policy to check whether the protocol command is configured
with deny, which stops the protocol packets from being sent to the CPU.
If deny is configured, the packets cannot be sent to the CPU. If the packets are required at the CPU,
run the protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp | isis | pimsm }
{ permit | deny } command in the interface-level management plane protection view to change deny
to permit. Permit only the protocols the management interface actually needs: every protocol
permitted here is reachable from anyone who can send packets to that interface.
If permit is configured but the protocol packets still cannot be sent to the CPU, contact
Huawei technical support personnel.
l If no interface-level policy is applied on the management interface, go to Step 3 to check
whether a slot-level policy for management plane protection is applied.
Step 3 Check whether a slot-level policy for management plane protection is applied on the LPU where
the management interface resides.
Run the display this command in the slot view to check whether a slot-level policy for
management plane protection is applied on that slot.
l If a slot-level policy is applied, run the display ma-defend slot-policy slot-policy-id
command with the ID of that policy to check whether the protocol command is configured with
deny, which stops the protocol packets from being sent to the CPU.
If deny is configured, the packets cannot be sent to the CPU. If the packets are required at the CPU,
run the protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp | isis | pimsm }
permit command in the slot-level management plane protection view to change deny to permit, again
only for the protocols that are actually needed.
If permit is configured but the protocol packets still cannot be sent to the CPU, contact
Huawei technical support personnel.
l If no slot-level policy is applied on that slot, go to Step 4 to check whether the global policy
for management plane protection is applied.
Step 4 Check whether the global policy for management plane protection is applied.
Run the display ma-defend global-policy command to check whether a global policy for
management plane protection is applied.
l If a global policy is applied, check in the same output whether the protocol command is
configured with deny, which stops the protocol packets from being sent to the CPU.
If deny is configured, the packets cannot be sent to the CPU. If the packets are required at the CPU,
run the protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp | isis | pimsm }
permit command in the global management plane protection view to change deny to permit.
If permit is configured but the protocol packets still cannot be sent to the CPU, contact
Huawei technical support personnel.
l If no global policy is applied either, management plane protection is not configured at all and
cannot be the reason the management packets are intercepted. Packets that are still dropped in
this situation indicate a system fault; to rectify it, contact Huawei technical support personnel.
After the preceding operations, if management packets still cannot be sent to the CPU, contact Huawei
technical support personnel.
----End
3 URPF Troubleshooting
About This Chapter
3.1 URPF Check Fails
This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting
procedure for the fault that the URPF-enabled device does not discard packets as expected.
3.1 URPF Check Fails
This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting
procedure for the fault that the URPF-enabled device does not discard packets as expected.
3.1.1 Common Causes
This fault is commonly caused by one of the following:
l The routing table contains routes to the source addresses of the packets that should be discarded.
The loose URPF check passes any packet whose source address has a matching route, so such packets
are forwarded.
l The routing table contains a default route. A default route matches every source address, so the
loose URPF check discards nothing while it is present.
l The matching rules configured on the device are incorrect.
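To make the first two causes concrete, here is an added example, not code from this manual, that models the loose and strict URPF decisions over a constructed routing table. It shows that a route to the spoofed source address, or a default route, makes the loose check pass a packet that should be discarded, and that the strict check additionally compares the route's outgoing interface with the ingress interface. The routing table, the interface names and the ignore_default switch are this example's assumptions, not device options.

```python
import ipaddress

# Added example, not Huawei code: a model of the loose and strict URPF decisions so
# the first two causes in 3.1.1 can be reproduced. The routing table, the interface
# names and the ignore_default switch are this example's assumptions, not device options.
ROUTES = [   # (prefix, outgoing interface), a constructed edge-router table
    ("10.1.0.0/16", "GigabitEthernet1/0/0"),
    ("192.0.2.0/24", "GigabitEthernet2/0/0"),
    ("198.51.100.0/24", "GigabitEthernet2/0/0"),
]
DEFAULT_ROUTE = ("0.0.0.0/0", "GigabitEthernet3/0/0")
UPLINK = "GigabitEthernet2/0/0"   # interface on which URPF is enabled

def lookup(routes, address):
    """Longest-prefix match; returns (network, interface) or None when nothing matches."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_passes(routes, src, ingress, mode="loose", ignore_default=False):
    """loose: pass when any route covers the source address (a default route counts,
    which is what the page's procedure assumes); strict: that route must also point
    back out the ingress interface. ignore_default treats 0.0.0.0/0 as no route."""
    hit = lookup(routes, src)
    if hit is None:
        return False
    net, ifname = hit
    if ignore_default and net.prefixlen == 0:
        return False
    if mode == "strict":
        return ifname == ingress
    return True

def demonstrate():
    """Decisions a troubleshooter can compare with the URPF drop counters on the device."""
    spoofed = "203.0.113.9"   # no route to this source at all
    routed = "10.1.2.3"       # a route exists, but it points out another interface
    with_default = ROUTES + [DEFAULT_ROUTE]
    return {
        "loose, unrouted source, no default route": urpf_passes(ROUTES, spoofed, UPLINK),
        "loose, unrouted source, default route present": urpf_passes(with_default, spoofed, UPLINK),
        "loose, unrouted source, default route ignored":
            urpf_passes(with_default, spoofed, UPLINK, ignore_default=True),
        "loose, source routed via another interface": urpf_passes(ROUTES, routed, UPLINK),
        "strict, source routed via another interface": urpf_passes(ROUTES, routed, UPLINK, mode="strict"),
        "strict, source routed via the ingress interface":
            urpf_passes(ROUTES, routed, "GigabitEthernet1/0/0", mode="strict"),
    }

if __name__ == "__main__":
    for case, passed in demonstrate().items():
        print("%-48s %s" % (case, "forwarded" if passed else "discarded by URPF"))
```

The two cases that are forwarded under the loose check, a source with a route out of another interface and an unrouted source once a default route exists, are exactly the routing-table conditions Step 1 of the procedure tells you to look for; only removing the route, or moving to the strict check where the topology allows it, makes the device discard them.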
3.1.2 Troubleshooting Flowchart
A URPF-enabled device receives certain packets that it should discard, but the statistics show
that no packets are discarded by URPF. In this case, follow the troubleshooting procedure shown in
Figure 3-1 to isolate the problem.
The troubleshooting roadmap is as follows:
l Check whether the routing table contains a default route or routes to the source addresses of the
packets that should be discarded.
l Check whether the matching rules are correct.
Figure 3-1 Troubleshooting flowchart for URPF
[Flowchart. Start: device configured with URPF loose check does not discard packets. Is there a route
with the source address of the packet that should be discarded in the routing table? (Yes: delete the
route entry. Fault rectified? Yes: End.) Are incorrect matching rules configured? (Yes: configure
correct rules. Fault rectified? Yes: End.) Otherwise: seek technical support.]
3.1.3 Troubleshooting Procedure
NOTE
After commands are configured to troubleshoot faults, pay attention to the configuration validation mode
to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the
immediate validation mode.
l In immediate validation mode, configurations take effect after commands are input and the Enter key
is pressed.
l In two-phase validation mode, after commands are configured, the commit command needs to be run
to commit the configurations.
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that the routing table contains no default route and no routes to the source addresses
of the packets that should be discarded.
Run the display ip routing-table command in the user view to check the Destination/Mask field
in the routing table. A default route appears as Destination/Mask 0.0.0.0/0 and matches every
source address, so with it present the loose check discards nothing.
l If the routing table contains routes to the source addresses of packets that should be
discarded, configure rules and apply them in the route filter so that these routes are denied, or
remove the routes. For detailed configuration, see "Routing Policy Configuration" in the HUAWEI
NetEngine5000E Core Router Configuration Guide - IP Routing.
l If the routing table does not contain such routes, go to Step 2.
Step 2 Check that the configured matching rules are correct.
Run the display traffic classifier classifier-name command in the user view to check the Rule
(s) field.
l If packets are incorrectly filtered based on the configured rules, correct the rules.
l If packets are correctly filtered based on the configured rules, go to Step 3.
Step 3 Collect the following information and contact Huawei technical support personnel.
l Results of the preceding troubleshooting procedures
l Configuration files, log files, and alarm files of the devices
----End
3.1.4 Relevant Alarms and Logs
Relevant Alarms
None
Relevant Logs
None