Analysis of the FirewallNonsession drop cause on a router

When this drop cause appears on an ASR1000, there are two possible reasons:
1. The firewall session setup rate is too high, and memory cannot be allocated in time
2. The chassis has already reached the maximum number of firewall sessions it supports and cannot carry any more firewall sessions

Of these two cases, the first is only a momentary, transient state, while the second is permanent and persists.

Solution:
The first problem cannot be solved: physical memory can only be allocated so fast, this cannot be changed, and the only hope is newer hardware
The second problem requires a hardware upgrade, for example from ESP5 to ESP10

shmcp-ovld-1#show platform hardware qfp active datapath utilization 
  CPP 0: Subdev 0            5 secs        1 min        5 min       60 min
Input:  Priority (pps)            0            0            0            0
                 (bps)            0            0            0            0
    Non-Priority (pps)       300005       300007       300012       136007
                 (bps)    163203552    163204896    163207480     73989280
           Total (pps)       300005       300007       300012       136007
                 (bps)    163203552    163204896    163207480     73989280
Output: Priority (pps)            0            0            0            0
                 (bps)            0            0            0            0
    Non-Priority (pps)       118181       157293       157298        71530
                 (bps)     60513328     80545224     80547664     36634744
           Total (pps)       118181       157293       157298        71530
                 (bps)     60513328     80545224     80547664     36634744
Processing: Load (pct)           31           29           29           14

shmcp-ovld-1#
shmcp-ovld-1#show policy-map type inspect zone-pair 
  Zone-pair: lan2wan 
  Service-policy inspect : policy_lan_wan

    Class-map: lan_wan_inspect_icmp (match-any)  
      Match: protocol icmp
        0 packets, 0 bytes
      Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Last half-open session total 0

    Class-map: lan_wan_inspect_udp (match-any)  
      Match: protocol udp
        140587881 packets, 8997624384 bytes
      Inspect
        Packet inspection statistics [process switch:fast switch]
        udp packets: [0:1656845050]

        Session creations since subsystem startup or last reset 649288
        Current session counts (estab/half-open/terminating) [524288:0:0]
        Maxever session counts (estab/half-open/terminating) [524288:59184:0]
        Last session created 00:18:15
        Last statistic reset never
        Last session creation rate 0
        Last half-open session total 0

    Class-map: lan_wan_inspect_tcp (match-any)  
      Match: protocol tcp
        0 packets, 0 bytes
      Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Last half-open session total 0

    Class-map: class-default (match-any)  
      Match: any 
      Drop
        0 packets, 0 bytes
  Zone-pair: wan2lan 
  Service-policy inspect : policy_wan_lan

    Class-map: wan_lan_inspect_icmp (match-any)  
      Match: protocol icmp
        0 packets, 0 bytes
      Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Last half-open session total 0

    Class-map: wan_lan_inspect_udp (match-any)  
      Match: protocol udp
        93589894 packets, 5989753152 bytes
      Inspect
        Packet inspection statistics [process switch:fast switch]
        udp packets: [0:93589851]

        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Last half-open session total 0

    Class-map: wan_lan_inspect_tcp (match-any)  
      Match: protocol tcp
        0 packets, 0 bytes
      Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Last half-open session total 0

    Class-map: class-default (match-any)  
      Match: any 
      Drop
        0 packets, 0 bytes
shmcp-ovld-1#shdrop ?
  all     show all stats
  clear   Clear stats after reading
  detail  show drop cause IDs
  qfp     Global Drop statistics for specific qfp
  |       Output modifiers
  <cr>

shmcp-ovld-1#sh platform hardware qfp active  statistics drop 
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets  
-------------------------------------------------------------------------
FirewallNonsession                       98028133              6273800448  

shmcp-ovld-1#
shmcp-ovld-1#
shmcp-ovld-1#show platform hardware qfp active statistics drop 
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets  
-------------------------------------------------------------------------
FirewallNonsession                       99760013              6384640768  

shmcp-ovld-1#show platform hardware qfp active fe              
shmcp-ovld-1#show platform hardware qfp active feature fire
shmcp-ovld-1#show platform hardware qfp active feature firewall ?
  client              QFP Firewall Client
  datapath            QFP Firewall Datapath Information
  drop                QFP Firewall Drop count
  memory              QFP Firewall Datapath Memory Information
  runtime             QFP Firewall Datapath Runtime Information
  sess-query-context  QFP Firewall Session Query Context
  session             QFP Firewall session information
  zonepair            QFP Firewall zonepair information

shmcp-ovld-1#show platform hardware qfp active feature firewall dr
shmcp-ovld-1#show platform hardware qfp active feature firewall drop ?
  all      Display all Drop counts
  clear    Clear all Drop counts
  verbose  Display Drop counts index
  |        Output modifiers
  <cr>

shmcp-ovld-1#show platform hardware qfp active feature firewall drop all
shmcp-ovld-1#show platform hardware qfp active feature firewall drop all 
-------------------------------------------------------------------------------
Drop Reason                                                             Packets
-------------------------------------------------------------------------------
Invalid L4 header                                                             0
Invalid ACK flag                                                              0
Invalid ACK number                                                            0
Invalid TCP initiator                                                         0
SYN with data                                                                 0
Invalid window scale option                                                   0
Invalid Segment in SYNSENT                                                    0
Invalid Segment in SYNRCVD                                                    0
TCP out of window                                                             0
TCP extra payload after FIN                                                   0
Invalid TCP flags                                                             0
Invalid sequence number                                                       0
Retrans with invalid flags                                                    0
TCP out-of-order segment                                                      0
SYN flood drop                                                                0
INT ERR:synflood h-tdl alloc fail                                             0
Synflood blackout drop                                                        0
Half-open session limit exceed                                                0
Too many packet per flow                                                      0
ICMP ERR PKT per flow exceeds                                                 0
Unexpect TCP pyld in handshake                                                0
INT ERR:Undefined direction                                                   0
SYN inside current window                                                     0
RST inside current window                                                     0
Stray Segment                                                                 0
RST sent to responder                                                         0
ICMP INT ERR:Missing NAT info                                                 0
ICMP INT ERR:Fail to get ErrPkt                                               0
ICMP INT ERR:Fail to get Statbk                                               0
ICMP INT ERR:direction undefined                                              0
ICMP PKT rcvd in SCB close st                                                 0
Missed IP hdr in ICMP packet                                                  0
ICMP ERR PKT:no IP or ICMP                                                    0
ICMP ERR Pkt:exceed burst lmt                                                 0
ICMP Unreach pkt exceeds lmt                                                  0
ICMP Error Pkt invalid sequence                                               0
ICMP Error Pkt invalid ACK                                                    0
ICMP Error Pkt too short                                                      0
Exceed session limit                                                          0
Packet rcvd in SCB close state                                                0
Pkt rcvd after CX req teardown                                                0
CXSC not running                                                              0
Zone-pair without policy                                                      0
Same zone without Policy                                                      0
ICMP ERR:Policy not present                                                   0
Classification Failed                                                         0
Policy drop:non tcp/udp/icmp                                                  0
PAM lookup action drop                                                        0
ICMP Error Packet TCAM missed                                                 0
Security policy misconfigure                                                  0
INT ERR:Get stat blk failed                                                   0
IPv6 dest addr lookup failed                                                  0
SYN cookie max dst reached                                                    0
INT ERR:syncook d-tbl alloc failed                                            0
SYN cookie being triggered                                                    0
Fragment drop                                                                 0
Policy drop:classify result                                                   0
ICMP policy drop:classify result                                              0
L7 segmented packet not allow                                                 0
L7 fragmented packet not allow                                                0
L7 unknown proto type                                                         0
L7 inspection returns drop                                                    0
Promote fail due to no zone pair                                              0
Promote fail due to no policy                                                 0
Firewall Create Session fail                                          239398995
Firewall No new session allow                                                 0
Not a session initiator                                                       0
Firewall invalid zone                                                         0
Firewall AR standby                                                           0
Firewall no forwarding allow                                                  0
Firewall back pressure                                                        0
Firewall LISP hdr restore fail                                                0
Firewall LISP inner pkt insane                                                0
Firewall LISP inner ipv4 insane                                               0
Firewall LISP inner ipv6 insane                                               0
Firewall zone check failed                                                    0
Invalid drop event                                                            0
shmcp-ovld-1#shdrop 
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets  
-------------------------------------------------------------------------
FirewallNonsession                      109920933              7034939648  

shmcp-ovld-1#
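An added example (not from the original post) that checks the two causes against the command output captured above: it parses the Current/Maxever session counts from `show policy-map type inspect zone-pair` and successive FirewallNonsession readings from `show platform hardware qfp active statistics drop`, and reports whether the drops look transient or persistent. The sample lines are copied from this post's output; the "current equals maxever" test is an assumed heuristic, since the platform's real session limit is not printed by these commands.

```python
import re

# Constructed samples: the relevant lines copied from the post's own show-command output.
ZONE_PAIR_SAMPLE = """
    Class-map: lan_wan_inspect_udp (match-any)
      Inspect
        Current session counts (estab/half-open/terminating) [524288:0:0]
        Maxever session counts (estab/half-open/terminating) [524288:59184:0]
"""
DROP_SAMPLES = [  # three successive readings of the global drop counter
    "FirewallNonsession                       98028133              6273800448",
    "FirewallNonsession                       99760013              6384640768",
    "FirewallNonsession                      109920933              7034939648",
]

def parse_session_counts(text):
    """Map class-map name -> {'Current'|'Maxever': (estab, half_open, terminating)}."""
    counts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Class-map: (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*(Current|Maxever) session counts .*\[(\d+):(\d+):(\d+)\]", line)
        if m and current:
            counts.setdefault(current, {})[m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return counts

def parse_global_drop(text, cause="FirewallNonsession"):
    """Packet count for one cause from 'show platform hardware qfp active statistics drop'."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == cause:
            return int(parts[1])
    return 0

def classify(drop_counts, session_counts):
    """Separate the post's two causes. Assumed heuristic: a class-map whose current estab
    count sits exactly at its maxever high-water mark while drops keep growing is full."""
    growing = all(b > a for a, b in zip(drop_counts, drop_counts[1:]))
    pinned = any(c.get("Current", (0,))[0] > 0 and c["Current"][0] == c["Maxever"][0]
                 for c in session_counts.values() if "Maxever" in c)
    if growing and pinned:
        return "persistent"   # cause 2: session limit reached, needs a larger ESP
    if growing:
        return "ongoing"      # drops still rising but table not pinned: check setup rate
    return "transient"        # counter stable between samples: the setup burst has passed
```

Run it on the samples and it returns "persistent", matching the post's conclusion that this router needs a hardware upgrade rather than waiting out a burst.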