Configuring the Diagnosis Center Using the CLI
When faults occur on the network, you can use the ping and tracert commands to diagnose the faults.
Using Ping to Test Network Connectivity
Context
You can use the ping command to check whether a device is reachable.
The ping command output can be either of the following:
- If no reply packet is received within the timeout period, the system displays both a message and packet statistics.
- If a reply packet is received within the timeout period, the system displays the number of received bytes, the sequence number and TTL of each received byte, the round-trip time, and the number of sent and received packets.
Statistics on ping packets include the number of sent packets, the number of received response packets, the number and percentage of lost packets, and the minimum, maximum, and average round-trip times.
- Run the ping command in any view to test network connectivity.
To ping an IPv4 address, use the following command:
ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-type interface-number } | -m time | -n | -p pattern | -q | -r | -s packetsize | -t timeout | -tos tos-value | -v | -vpn-instance vpn-instance-name ] * host
To ping an IPv6 address, use the following command:
ping ipv6 [ -a ipv6-address | -c count | -m time | -s packetsize | -t timeout ] * host
Task Example
The previous ping command lists only some parameters. For all parameters and their descriptions, refer to the Command Reference.
If the reply packet is received within the timeout period, the number of received bytes, the sequence number and TTL of each received byte, the round-trip time, and the number of sent and received packets are displayed.
<sysname> ping 10.1.1.2 ping 10.1.1.2 : 56 data bytes , press CTRL_C to break Reply from 10.1.1.2 : bytes=56 sequence=1 ttl=255 time = 1ms Reply from 10.1.1.2 : bytes=56 sequence=2 ttl=255 time = 2ms Reply from 10.1.1.2 : bytes=56 sequence=3 ttl=255 time = 1ms Reply from 10.1.1.2 : bytes=56 sequence=4 ttl=255 time = 3ms Reply from 10.1.1.2 : bytes=56 sequence=5 ttl=255 time = 2ms --10.1.1.2 ping statistics-- 5 packets transmitted 5 packets received 0% packet loss round-trip min/avg/max = 1/2/3 ms
If no reply packet is received within the timeout period, the "Request time out" message and statistics on the sent and received packets are displayed.
<sysname> ping 10.10.160.244 ping 10.10.160.244 : 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- 10.10.160.244 ping statistics --- 5 packet(s) transmitted 0 packet(s) received 100.00% packet loss
Using Tracert to Locate Network Faults
Context
You can use the tracert command on the client to locate network faults.
- The intermediate devices (devices between the source and destination) can forward ICMP timeout packets. If the FW serves as the intermediate device, run the icmp ttl-exceeded send command on the FW to enable it to forward ICMP timeout packets.
- The destination device can transmit ICMP unreachable packets. If the FW serves as the destination device, run the icmp host-unreachable send command to enable it to send ICMP unreachable packets.
- You can use the tracert command in any view to locate network faults.
To tracert an IPv4 address, use the following command:
tracert [ -a source-ip-address | -f first-TTL | -m max-ttl | -p port | -q nqueries | -vpn-instance vpn-instance-name | -w timeout ] * host
To tracert an IPv6 address, use the following command:
tracert ipv6 [ -f first-ttl | -m | max-ttl | -p port | -q nqueries | -w timeout ] * host
The previous tracert command lists only some parameters. For all parameters and their descriptions, refer to the Command Reference.
Task Example
In the following example, the tracert command is used to analyze network faults.
<sysname> tracert 10.26.0.115 traceroute to 10.26.0.115 (10.26.0.115), 30 hops max 1 172.16.112.1 0 ms 0 ms 0 ms 2 172.17.216.1 19 ms 19 ms 19 ms 3 172.17.216.1 39 ms 19 ms 19 ms 4 172.17.136.23 19 ms 39 ms 39 ms 5 172.17.168.22 20 ms 39 ms 39 ms 6 172.17.197.4 59 ms 119 ms 39 ms 7 192.168.2.5 59 ms 59 ms 39 ms 8 192.168.70.13 80 ms 79 ms 99 ms 9 192.168.71.6 139 ms 139 ms 159 ms 10 192.168.81.7 199 ms 180 ms 300 ms 11 192.168.72.17 300 ms 239 ms 239 ms 12 * * * 13 172.20.54.72 59 ms 499 ms 279 ms 14 * * * 15 * * * 16 * * * 17 * * * 18 10.26.0.115 (10.26.0.115) 339 ms 279 ms 279 ms
The command output shows the IP addresses of the gateways between the source and the destination at 10.26.0.115. If the packet to a gateway times out, the system displays the *** information. Then, you can identify the faulty device.
Using Packet Tracing to Query the Key Path Information of Packets
Context
With the packet tracing function, you can query the key path information of packets.
Run the debugging dataplane trace [ discard [ type ] ] acl { acl-number | ipv6 acl-number } [ all-systems ] [ number number ] [ slot slot-id cpu cpu-id ] command on the client.
In V600R007C20SPC601 and later versions, the debugging dataplane constructed-packet tracecommand is used to construct IP packets and display packet loss tracing information. For details about the commands, see the Debugging Reference.
Function |
Supported or Not |
|
|---|---|---|
System |
Across-layer-3 MAC identification |
Not supported |
Information center |
Not supported |
|
NetStream |
Not supported |
|
Session log sending |
Not supported |
|
High availability |
HRP |
Not supported |
Link-group |
Not supported |
|
BFD |
Supported |
|
Network |
DNS |
Not supported |
DHCP |
Supported |
|
Intelligent uplink selection |
Smart DNS |
Supported |
Policy-based routing |
Not supported |
|
IP routing |
IPv4 static route |
Supported |
IPv6 static route |
Supported |
|
Object |
Address and address group |
Not supported |
Domain group |
Not supported |
|
Region and region group |
Not supported |
|
Service and service group |
Not supported |
|
Application and application group |
Not supported |
|
Health check |
Supported |
|
VPN |
IPSec |
Supported |
L2TP |
Supported |
|
GRE |
Supported |
|
SSL VPN |
Not supported |
|
NAT |
3-Tuple NAT |
Supported |
NoPAT |
Supported |
|
NAPT |
Supported |
|
Destination NAT |
Supported |
|
CGN |
IPv6 tunnel |
Not supported |
PCP |
Supported |
|
Static mapping |
Supported |
|
Port pre-allocation and incremental allocation |
Supported |
|
Security protection |
IPv4 ASPF |
Supported |
IPv6 ASPF |
Supported |
|
IDS interworking |
Not supported |
|
HiSec Insight interworking |
Supported |
|
Mail proxy |
Not supported |
|
SSL proxy |
Not supported |
|
The packet tracing command is used together with specific services. The command output varies according to the service flow. The following part provides the basic command output and parameter description.
Example
<sysname>debugging dataplane trace acl 2000 number 1 # <11:0> 132601239 interface:GigabitEthernet0/0/0 zone:trust VRF:public -> publi c TCP flag:SYN 192.168.1.11:1000 -> 192.168.1.225:2003 pkt-id:0 Layer 3 dispatch PASS: New packet arrived. # <11:0> 132601239 interface:GigabitEthernet0/0/0 zone:trust VRF:public -> publi c TCP flag:SYN 192.168.1.11:1000 -> 192.168.1.225:2003 pkt-id:0 Hook station process PASS: Flow match pre-hook hook station done
The following table shows the field description of debugging information.
Field |
Description |
|---|---|
interface |
Inbound interface of packets. |
zone |
Source security zone of packets. |
VRF |
Source and destination root systems, virtual systems, or VPN instances of packets. |
TCP flag |
Flag bit of TCP packets. |
pkt-id |
Packet ID. |
PASS/DROP |
Whether a packet is passed or discarded. |
reason |
Why a packet is discarded. This field is displayed only when a packet is discarded. |
<sysname>debugging dataplane trace acl 3000 number 100
# <11:0> 191893167 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39722
Layer 3 dispatch
PASS: New packet arrived.
# <11:0> 191893167 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39722
Hook station process
PASS: Flow match pre-hook hook station done
# <11:0> 191893167 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39722
Interface access control process
Service manage of ipv4 packet process:next-hop=10.2.0.1, value=0
# <11:0> 191893167 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39722
Layer 3 process
packet filter recv packet
# <11:0> 191893167 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39722
Layer 3 process
PASS: packet filter process done, rule name:default
# <11:0> 191893167 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39722
ipsec get forward info
ipsec_get_forward_info, send to ipsec.
# <11:0> 191893167 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39722
Flow create
Create session process
# <11:0> 191893167 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39722
ipsec output
Send packet to IPSec tunnel.
# <11:0> 191893167 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39722
ipsec output
Check flow result 3 said 0x000fffff cpuid 0xb hashindex 0x0003.
# <11:0> 191893167 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39722
ipsec output
send acquire message to ike on local cpu.
# <11:0> 191893167 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39722
Layer 3 process
PASS: Layer 3 Flow process done
Request time out
# <11:0> 191895178 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39723
Layer 3 dispatch
PASS: New packet arrived.
# <11:0> 191895178 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39723
Hook station process
PASS: Flow match pre-hook hook station done
# <11:0> 191895179 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39723
process ipv4 flow match
Flow match: flow hitted. vrf ID:0, protocol type:1
# <11:0> 191895179 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39723
ipsec output
Send packet to IPSec tunnel.
# <11:0> 191895179 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39723
ipsec output
Check flow result 3 said 0x000fffff cpuid 0xb hashindex 0x0003.
# <11:0> 191895179 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39723
ipsec output
send acquire message to ike on local cpu.
# <11:0> 191895179 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39723
Layer 3 process
PASS: Layer 3 Flow process done
Request time out
# <11:0> 191897189 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39726
Layer 3 dispatch
PASS: New packet arrived.
# <11:0> 191897189 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39726
Hook station process
PASS: Flow match pre-hook hook station done
# <11:0> 191897189 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39726
process ipv4 flow match
Flow match: flow hitted. vrf ID:0, protocol type:1
# <11:0> 191897189 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39726
ipsec output
Send packet to IPSec tunnel.
# <11:0> 191897189 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39726
ipsec output
Check flow result 3 said 0x000fffff cpuid 0xb hashindex 0x0003.
# <11:0> 191897189 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39726
ipsec output
send acquire message to ike on local cpu.
# <11:0> 191897189 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39726
Layer 3 process
PASS: Layer 3 Flow process done
Request time out
# <11:0> 191899200 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39728
Layer 3 dispatch
PASS: New packet arrived.
# <11:0> 191899200 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39728
Hook station process
PASS: Flow match pre-hook hook station done
# <11:0> 191899200 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39728
process ipv4 flow match
Flow match: flow hitted. vrf ID:0, protocol type:1
# <11:0> 191899200 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39728
ipsec output
Send packet to IPSec tunnel.
# <11:0> 191899200 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39728
ipsec output
Check flow result 3 said 0x000fffff cpuid 0xb hashindex 0x0003.
# <11:0> 191899200 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39728
ipsec output
send acquire message to ike on local cpu.
# <11:0> 191899200 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39728
Layer 3 process
PASS: Layer 3 Flow process done
Request time out
# <11:0> 191901210 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39729
Layer 3 dispatch
PASS: New packet arrived.
# <11:0> 191901210 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39729
Hook station process
PASS: Flow match pre-hook hook station done
# <11:0> 191901210 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39729
process ipv4 flow match
Flow match: flow hitted. vrf ID:0, protocol type:1
# <11:0> 191901210 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39729
ipsec output
Send packet to IPSec tunnel.
# <11:0> 191901210 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39729
ipsec output
Check flow result 3 said 0x000fffff cpuid 0xb hashindex 0x0003.
# <11:0> 191901210 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39729
ipsec output
send acquire message to ike on local cpu.
# <11:0> 191901210 interface:InLoopBack0 zone:local VRF:public -> public ICMP 192.168.1.1:43993 -> 172.16.1.1:2048 pkt-id:39729
Layer 3 process
PASS: Layer 3 Flow process done
Request time out
--- 172.16.1.1 ping statistics ---
5 packet(s) transmitted
Using Traffic Source Tracing to Trace the Traffic That Causes the CPU Usage to Increase
CPU overload affects normal service processing. Traffic of various types increases the CPU usage abnormally. It is critical to trace such traffic for device maintenance and diagnosis.
The traffic source tracing function is used to trace the subsequent packets of heavy traffic and microburst traffic that cause high CPU usage. When the CPU usage reaches the specified threshold (min-value specified in the firewall session create-rate-control cpu-usage max-value min-value command) or microburst traffic occurs, traffic detection and source traffic tracing are triggered.
- Run the system-view command to enter the system view.
- Run the firewall traffic-trace-source enable command to enable traffic source tracing.
By default, traffic source tracing is enabled.
- Optional: Run the firewall traffic-trace-source micro-burst sample-span time command to set the interval at which microburst traffic is sampled for traffic source tracing.
If the collected traffic data is inaccurate, you can adjust the sampling time based on the duration of microburst traffic generation.
- Optional: Run the firewall traffic-trace-source micro-burst enhance enable command to enable enhanced traffic source tracing for microburst traffic.
By default, enhanced traffic source tracing is disabled for microburst traffic.
- Run the display firewall traffic-trace-source { cpu-overload | micro-burst | manual } [ ipv4 | ipv6 ] [ verbose ] [ slot slot-id cpu cpu-id ] command to check the traffic source tracing statistics result.