CGN运维综述_VSUF-培训文档之三

©2009HuaweiTechnologiesCo.,Ltd.Allrightsreserved.CGN运维综述Copyright©2009HuaweiTechnologiesCo.,Ltd.Allrightsreserved.Page1目录1.CGN故障处理•故障处理流程•典型故障场景•常用维护手段2.CGN常见问题FAQCopyright©2009HuaweiTechnologiesCo.,Ltd.Allrightsreserved.CGN业务采用多核业务板VSUF实现，该单板为无出接口的单板。业务流程：接口板把流量引入到业务板，业务板负责CGN的处理，完成后再交给接口板发出。Page2SFULPU1LPU2VSUF(CGN)123567用户侧网络侧CGN业务流程简介Copyright©2009HuaweiTechnologiesCo.,Ltd.Allrightsreserved.Page3NAT故障处理流程定位思路正向：报文在接口板通过ACL(分布式为UCL)引流，根据匹配的规则将流量引入到业务板；首包在业务板上建立会话表，然后与后续包一样，匹配会话表，做NAT转换，然后根据目的IP查fib发送到下行接口板；下行接口板根据转发帧头直接将报文转发。反向：报文到达接口板后，在接口板根据目的IP查询fib将报文转发到业务板；在业务板上匹配会话表，并作NAT转换，然后根据私网IP查fib转发到出接口板；接口板根据转发帧头将报文转发出去。当出现问题时，可以根据转发流程逐步缩小定位范围，确认问题出在业务板或者接口板，在根据各个单板的查询命令来确认故障。Copyright©2009HuaweiTechnologiesCo.,Ltd.Allrightsreserved.Page4NAT故障处理流程Page4Copyright©2009HuaweiTechnologiesCo.,Ltd.Allrightsreserved.Page5NAT故障处理流程Page5步骤一：报文是否到达业务板TM，并且从TM发送出去报文从接口板进入业务板，首先到达TM。如果TM没有进入的报文计数，说明报文没有进入业务板。查询命令，进入诊断试图：displaytm70received-packetsTM收到的报文计数//7号单板为业务板displaytm70transmitted-packetsTM发送报文计数步骤二：报文是否到达CPU报文从TM进入CPU，如果是首包，会先建立会话表，然后根据会话表做NAT转换，然后根据目的IP查询FIB进行报转发。后续报文直接查询会话表，如果匹配会话表的话进行NAT转换，然后根据目的IP查询FIB进行转发。确认报文是否到达CPU，查询命令：displaynatstatisticsreceivedslot7engine0步骤三：在CPU上是否建立用户表分布式场景用户上线的时候就会创建用户表。查询CPU上是否创建用户表，查询命令：displaynatuser-informationCopyright©2009HuaweiTechnologiesCo.,Ltd.Allrightsreserved.Page6NAT故障处理流程Page6步骤四：在CPU上是否建立会话表首包创建会话表，后续包直接查询会话表，然后进行nat转换。三元组模式会话表的目的IP和端口无法看到，五元组模式可以查看到目的IP和端口。会话表查询命令：displaynatsessiontableslot7engine0查询cpu上的所有会话信息displaynatsessiontableslot7engine0verberse查询会话表向信息步骤五：报文是否从CPU发送出去查询命令：displaynatstatisticstransmittedslot7engine0如果报文没有从CPU发送出去，可能是因为某种原因丢包：查询命令：displaynatstatisticsdiscardslot7engine0步骤六：报文是否到TM并且从TM发送出去报文做完nat转换之后，根据目的IP查询FIB，根据路由信息将报文转发到接口板。从CPU出来，首先进入TM，然后经过交换网板，进入接口板。确认报文进入TM和从TM转发出去的查询命令：displaytm70received-packetsTM收到的报文计数displaytm70transmitted-packetsTM发送报文计数Copyright©2009HuaweiTechnologiesCo.,Ltd.Allrightsreserved.Page7NAT故障处理流程Page71.从交换网板出来，首先到达业务板的TM。查看报文是否到达TM下行，通过命令行查看计数，多次查询看是否计数有增长[R15-diagnose]displaytm70received-packetsTMIRxReceivedTotal0x00000000028bpackets(0x000000080ca4bytes)(UC)收到的单播报文TMIRxReceivedTotal0x000000000516packets(MC)TMIRxSP:0COS:7Received0x00000516packets(0x00102374bytes)TMIRxSP:63COS:7Received0x0000028bpackets(0x0000a2c0bytes)TMERxSB(6)Received0x00000002packets(0x00000458bytes)TMERxSB(7)Received0x00000003packets(0x00000684bytes)查看报文是否从TM发送出去[R15-diagnose]displaytm70transmitted-packetsTMITxTB:24COS:0Transmit0x000000000001packets(0x0000000005ddbytes)TMITxMulticastCOS:0Transmit0x000000000002packets(0x000000000621bytes)TMETxTP:0COS:7Transmit0x00000005c924packets(0x000006dedac0bytes)发送报文计数TMETxTP:1COS:0Transmit0x000000000008packets(0x000000000d3abytes)TMETxTP:65COS:0Transmit0x000000000006packets(0x000000000174bytes)Copyright©2009HuaweiTechnologiesCo.,Ltd.Allrightsreserved.Page8NAT故障处理流程Page82.查看报文是否到达CPU[cgn-diagnose]displaynatstatisticsreceivedslot7engine0Thisoperationwilltakeafewminutes.Press'Ctrl+C'tobreak...Slot:7Engine:0---------------------------------------------------------------------------Packetsreceivedfrominterface:390243177CPU收到从TM过来的报文计数Packetsreceivedfrommainboard:4040Packetsreceivedbynatentry:390242120送到NAT模块处理的报文计数---------------------------------------------------------------------------3.查看是否在业务板上建立用户表先查到用户的Id[cgn]displayaccess-useruser-id1-------------------------------------------------------------------Useraccessindex:1State:UsedUsername:user#Domainname:yxmaUserbackupstate:NoUseraccessinterface:GigabitEthernet2/1/0UseraccessPeVlan/CeVlan:-/-Useraccessslot:2UserMAC:0030-0101-0101UserIPaddress:10.64.0.253Usergatewayaddress:10.64.0.1Copyright©2009HuaweiTechnologiesCo.,Ltd.Allrightsreserved.Page9NAT故障处理流程Page9业务板上的用户表信息[cgn-diagnose]displayNATuser-informationuser-id1slot7engine0Thisoperationwilltakeafewminutes.Press'Ctrl+C'tobreak...Slot:7Engine:0Totalnumber:1.---------------------------------------------------------------------------CPEIP:10.64.0.252VPNInstance:-PublicIP:13.13.13.109StartPort:1024PortRange:4096ExtendPortAllocTimes:0ExtendPortAllocNumber:0First/Second/ThirdExtendPortStart:0/0/0Total/TCP/UDP/ICMPSessionLimit:8192/10240/10240/512Total/TCP/UDP/ICMPSessionCurrent:1/0/1/0Total/TCP/UDP/ICMPPortLimit:0/0/0/0Total/TCP/UDP/ICMPPortCurrent:1/0/1/0NatALGEnable:NULL---------------------------------------------------------------------------Copyright©2009HuaweiTechnologiesCo.,Ltd.Allrightsreserved.Page10NAT故障处理流程Page104.查看业务板上的是否有会话表[cgn]displaynatsessiontableslot7engine0Thisoperationwilltakeafewminutes.Press'Ctrl+C'tobreak...Slot:7Engine:0Currenttotalsessions:1.udp:10.64.0.253:234[13.13.13.163:1037]--*:*实例下配置了三元组会话表中目的地址和端口显示成*.*[cgn]displaynatsessiontableslot7engine0verboseThisoperationwilltakeafewminutes.Press'Ctrl+C'tobreak...Slot:7Engine:0Currenttotalsessions:1.udp:10.64.0.253:234[13.13.13.163:1037]--*:**:*--13.13.13.163:1037[10.64.0.253:234]NATInstance:yxmaUser-id:1VPN:----Tag:0x2,FixedTag:0x1,Status:hit,Create:2010-1-1608:10:26,TTL:00:04:00,Left:00:04:00,MasterAppProID:0x0,C